reports: delete 'published' fields
Set the published date from the git history instead.
For golang/vulndb#50434
Change-Id: Ifb3bf55292cbd39b35227c7536fadc0fc54c9e07
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/376615
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/reports/GO-2020-0001.yaml b/reports/GO-2020-0001.yaml
index e5a89ab..4024c14 100644
--- a/reports/GO-2020-0001.yaml
+++ b/reports/GO-2020-0001.yaml
@@ -5,7 +5,6 @@
The default Formatter for the Logger middleware (LoggerConfig.Formatter),
which is included in the Default engine, allows attackers to inject arbitrary
log entries by manipulating the request path.
-published: 2021-04-14T12:00:00Z
credit: "@thinkerou <thinkerou@gmail.com>"
symbols:
- defaultLogFormatter
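Review bot: the commit message says the published date will come from git history, but the CL does not say which commit supplies it; every `published` value removed here is the identical batch timestamp `2021-04-14T12:00:00Z`, so the derivation should use the commit that first added each report file (for example `git log --follow --diff-filter=A -- reports/GO-2020-0001.yaml`) so that later edits, moves or renames do not shift a report's publication date, and the initial bulk import still yields that same date.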
diff --git a/reports/GO-2020-0002.yaml b/reports/GO-2020-0002.yaml
index 96d59a2..465c82a 100644
--- a/reports/GO-2020-0002.yaml
+++ b/reports/GO-2020-0002.yaml
@@ -5,7 +5,6 @@
The Data, Context, or Key finalizers might run during or before GPGME
operations. This will release the C structures that are still in use, leading
to crashes and potentially code execution through a use-after-free.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-8945
credit: Ulrich Obergfell <uobergfe@redhat.com>
diff --git a/reports/GO-2020-0003.yaml b/reports/GO-2020-0003.yaml
index 367b020..55d412c 100644
--- a/reports/GO-2020-0003.yaml
+++ b/reports/GO-2020-0003.yaml
@@ -5,7 +5,6 @@
An attacker can cause an application that accepts slice parameters
(https://revel.github.io/manual/parameters.html#slices) to allocate large
amounts of memory and crash through manipulating the request query sent to the application.
-published: 2021-04-14T12:00:00Z
credit: "@SYM01"
links:
pr: https://github.com/revel/revel/pull/1427
diff --git a/reports/GO-2020-0004.yaml b/reports/GO-2020-0004.yaml
index 9fb536c..a298629 100644
--- a/reports/GO-2020-0004.yaml
+++ b/reports/GO-2020-0004.yaml
@@ -9,7 +9,6 @@
Also, a minor timing side channel was present allowing attackers with
very low latency and able to make a lot of requests to potentially
recover the token.
-published: 2021-04-14T12:00:00Z
credit: "@bouk"
symbols:
- Auth.ServerHTTP
diff --git a/reports/GO-2020-0005.yaml b/reports/GO-2020-0005.yaml
index 93b5450..27673c6 100644
--- a/reports/GO-2020-0005.yaml
+++ b/reports/GO-2020-0005.yaml
@@ -6,7 +6,6 @@
Malformed WALs can be constructed such that WAL.ReadAll can cause attempted
out of bounds reads, or creation of arbitrarily sized slices, which may be used as
a DoS vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-15106
- CVE-2020-15112
diff --git a/reports/GO-2020-0006.yaml b/reports/GO-2020-0006.yaml
index e16204b..1f521cc 100644
--- a/reports/GO-2020-0006.yaml
+++ b/reports/GO-2020-0006.yaml
@@ -5,7 +5,6 @@
An attacker may prevent TCP connections to a Server by opening
a connection and leaving it idle, until the connection is closed by
the server no other connections will be accepted.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2017-15133
credit: Pedro Sampaio
diff --git a/reports/GO-2020-0007.yaml b/reports/GO-2020-0007.yaml
index d245620..2514916 100644
--- a/reports/GO-2020-0007.yaml
+++ b/reports/GO-2020-0007.yaml
@@ -7,7 +7,6 @@
any of the arguments (AND is used rather than OR). These filters can be
bypassed by only specifying a subset of the arguments due to this
behavior.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2017-18367
credit: "@ihac"
diff --git a/reports/GO-2020-0008.yaml b/reports/GO-2020-0008.yaml
index a9a79af..ec36d2a 100644
--- a/reports/GO-2020-0008.yaml
+++ b/reports/GO-2020-0008.yaml
@@ -5,7 +5,6 @@
DNS message transaction IDs are generated using math/rand which
makes them relatively predictable. This reduces the complexity
of response spoofing attacks against DNS clients.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-19794
symbols:
diff --git a/reports/GO-2020-0009.yaml b/reports/GO-2020-0009.yaml
index 88db2dc..e5e6653 100644
--- a/reports/GO-2020-0009.yaml
+++ b/reports/GO-2020-0009.yaml
@@ -12,7 +12,6 @@
with HMAC such that they can control how large the input buffer is when computing
the HMAC authentication tag. This can can allow a manipulated ciphertext to be
verified as authentic, opening the door for padding oracle attacks.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2016-9123
credit: Quan Nguyen from Google's Information Security Engineering Team
diff --git a/reports/GO-2020-0010.yaml b/reports/GO-2020-0010.yaml
index b2372cf..5bf3452 100644
--- a/reports/GO-2020-0010.yaml
+++ b/reports/GO-2020-0010.yaml
@@ -10,7 +10,6 @@
When using ECDH-ES an attacker can mount an invalid curve attack during
decryption as the supplied public key is not checked to be on the same
curve as the receivers private key.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2016-9121
credit: Quan Nguyen from Google's Information Security Engineering Team
diff --git a/reports/GO-2020-0011.yaml b/reports/GO-2020-0011.yaml
index 7cbd802..f86ce76 100644
--- a/reports/GO-2020-0011.yaml
+++ b/reports/GO-2020-0011.yaml
@@ -7,7 +7,6 @@
and Verify methods do not indicate which recipient or signature was
valid. This may lead a caller to rely on protected headers from an
invalid recipient or signature.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2016-9122
credit: Quan Nguyen from Google's Information Security Engineering Team
diff --git a/reports/GO-2020-0012.yaml b/reports/GO-2020-0012.yaml
index d07f59a..162228d 100644
--- a/reports/GO-2020-0012.yaml
+++ b/reports/GO-2020-0012.yaml
@@ -7,7 +7,6 @@
key, such that the library will panic when trying to verify a signature
with it. If verifying signatures using user supplied public keys, this
may be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-9283
credit: Alex Gaynor, Fish in a Barrel
diff --git a/reports/GO-2020-0013.yaml b/reports/GO-2020-0013.yaml
index 19589ee..ea36426 100644
--- a/reports/GO-2020-0013.yaml
+++ b/reports/GO-2020-0013.yaml
@@ -6,7 +6,6 @@
By default host key verification is disabled which allows for
man-in-the-middle attacks against SSH clients if
ClientConfig.HostKeyCallback is not set.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2017-3204
credit: Phil Pennock
diff --git a/reports/GO-2020-0014.yaml b/reports/GO-2020-0014.yaml
index 3076d83..10344ae 100644
--- a/reports/GO-2020-0014.yaml
+++ b/reports/GO-2020-0014.yaml
@@ -6,7 +6,6 @@
html.Parse does not properly handle "select" tags, which can lead
to an infinite loop. If parsing user supplied input, this may be used
as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2018-17846
credit: '@tr3ee'
diff --git a/reports/GO-2020-0015.yaml b/reports/GO-2020-0015.yaml
index 22a7103..72ee7ff 100644
--- a/reports/GO-2020-0015.yaml
+++ b/reports/GO-2020-0015.yaml
@@ -15,7 +15,6 @@
the Decoder is called, or the Decoder is passed to transform.String.
If used to parse user supplied input, this may be used as a denial of service
vector.
-published: 2021-04-14T12:00:00Z
last_modified: 2021-06-07T12:00:00Z
cves:
- CVE-2020-14040
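Review bot: this hunk drops `published` but keeps a hand-maintained `last_modified: 2021-06-07T12:00:00Z` immediately below it, so the two dates now come from different sources; either derive `last_modified` from git history as well (the date of the last commit touching the file) or note in the commit message why it stays explicit in the YAML.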
diff --git a/reports/GO-2020-0016.yaml b/reports/GO-2020-0016.yaml
index cde6d2a..411d20e 100644
--- a/reports/GO-2020-0016.yaml
+++ b/reports/GO-2020-0016.yaml
@@ -6,7 +6,6 @@
Reader.Read on the bytes could cause an infinite loop. If
parsing user supplied input, this may be used as a denial of
service vector.
-published: 2021-04-14T12:00:00Z
credit: "@0xdecaf"
cves:
- CVE-2021-29482
diff --git a/reports/GO-2020-0017.yaml b/reports/GO-2020-0017.yaml
index 01450a1..f195509 100644
--- a/reports/GO-2020-0017.yaml
+++ b/reports/GO-2020-0017.yaml
@@ -12,7 +12,6 @@
than a single string, and MapClaims.VerifyAudience is called with
req set to false, then audience verification will be bypassed,
allowing an invalid set of audiences to be provided.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-26160
credit: "@christopher-wong"
diff --git a/reports/GO-2020-0018.yaml b/reports/GO-2020-0018.yaml
index f522876..1aa3eb2 100644
--- a/reports/GO-2020-0018.yaml
+++ b/reports/GO-2020-0018.yaml
@@ -5,7 +5,6 @@
UUIDs generated using NewV1 and NewV4 may not read the expected
number of random bytes. These UUIDs may contain a significantly smaller
amount of entropy than expected, possibly leading to collisions.
-published: 2021-04-14T12:00:00Z
credit: "@josselin-c"
cves:
- CVE-2021-3538
diff --git a/reports/GO-2020-0019.yaml b/reports/GO-2020-0019.yaml
index e61682c..37183d1 100644
--- a/reports/GO-2020-0019.yaml
+++ b/reports/GO-2020-0019.yaml
@@ -6,7 +6,6 @@
overflow in a variable which tracks the number of bytes remaining. This
may cause the server or client to get stuck attempting to read frames
in a loop, which can be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-27813
credit: Max Justicz
diff --git a/reports/GO-2020-0020.yaml b/reports/GO-2020-0020.yaml
index 421c45b..fd02c03 100644
--- a/reports/GO-2020-0020.yaml
+++ b/reports/GO-2020-0020.yaml
@@ -5,7 +5,6 @@
Usage of the CORS handler may apply improper CORS headers, allowing
the requester to explicitly control the value of the Access-Control-Allow-Origin
header, which bypasses the expected behavior of the Same Origin Policy.
-published: 2021-04-14T12:00:00Z
credit: Evan J Johnson
symbols:
- cors.ServeHTTP
diff --git a/reports/GO-2020-0021.yaml b/reports/GO-2020-0021.yaml
index 685ee4e..61767e1 100644
--- a/reports/GO-2020-0021.yaml
+++ b/reports/GO-2020-0021.yaml
@@ -5,7 +5,6 @@
Due to improper santization of user input, a number of methods are
vulnerable to SQL injection if used with user input that has not
been santized by the caller.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2014-8681
credit: Pascal Turbing and Jiahua (Joe) Chen
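Review bot: the unchanged context lines of this hunk read "improper santization" and "santized by the caller", and the same misspelling ("santization") recurs in the context of several other reports in this CL (GO-2020-0025, 0026, 0029, 0032 to 0035, 0039, 0041, 0042, GO-2021-0051, 0052); out of scope for a field removal, but since these descriptions surface to users a follow-up CL correcting "sanitization"/"sanitized" would be worthwhile.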
diff --git a/reports/GO-2020-0022.yaml b/reports/GO-2020-0022.yaml
index 2d93d8b..19a98f0 100644
--- a/reports/GO-2020-0022.yaml
+++ b/reports/GO-2020-0022.yaml
@@ -5,7 +5,6 @@
LZ4 bindings use a deprecated C API that is vulnerable to
memory corruption, which could lead to arbitrary code execution
if called with untrusted user input.
-published: 2021-04-14T12:00:00Z
credit: Yann Collet
symbols:
- Uncompress
diff --git a/reports/GO-2020-0023.yaml b/reports/GO-2020-0023.yaml
index 34ba025..9e7c525 100644
--- a/reports/GO-2020-0023.yaml
+++ b/reports/GO-2020-0023.yaml
@@ -6,7 +6,6 @@
during HMAC comparison. With a large enough number of requests
over a low latency connection, an attacker may use this to determine
the expected HMAC.
-published: 2021-04-14T12:00:00Z
symbols:
- Algorithm.validateSignature
links:
diff --git a/reports/GO-2020-0024.yaml b/reports/GO-2020-0024.yaml
index 99f37be..b5290ef 100644
--- a/reports/GO-2020-0024.yaml
+++ b/reports/GO-2020-0024.yaml
@@ -14,7 +14,6 @@
The RemoteAddr and LocalAddr methods on the returned net.Conn may
call themselves, leading to an infinite loop which will crash the
program due to a stack overflow.
-published: 2021-04-14T12:00:00Z
symbols:
- proxiedConn.LocalAddr
- proxiedConn.RemoteAddr
diff --git a/reports/GO-2020-0025.yaml b/reports/GO-2020-0025.yaml
index 5c216a0..f1f5f3b 100644
--- a/reports/GO-2020-0025.yaml
+++ b/reports/GO-2020-0025.yaml
@@ -12,7 +12,6 @@
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
target directory.
-published: 2021-04-14T12:00:00Z
symbols:
- tgzExtractor.Extract
- zipExtractor.Extract
diff --git a/reports/GO-2020-0026.yaml b/reports/GO-2020-0026.yaml
index f9fec0a..e425124 100644
--- a/reports/GO-2020-0026.yaml
+++ b/reports/GO-2020-0026.yaml
@@ -6,7 +6,6 @@
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
target directory.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2018-1103
symbols:
diff --git a/reports/GO-2020-0027.yaml b/reports/GO-2020-0027.yaml
index 92fe3ba..fcb4bf7 100644
--- a/reports/GO-2020-0027.yaml
+++ b/reports/GO-2020-0027.yaml
@@ -11,7 +11,6 @@
After dropping and then elevating process privileges euid, guid, and groups
are not properly restored to their original values, allowing an unprivileged
user to gain membership in the root group.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2018-6558
symbols:
diff --git a/reports/GO-2020-0028.yaml b/reports/GO-2020-0028.yaml
index b0a46dc..77e49bf 100644
--- a/reports/GO-2020-0028.yaml
+++ b/reports/GO-2020-0028.yaml
@@ -5,7 +5,6 @@
Due to a nil pointer dereference, parsing a malformed zone file
containing TA records may cause a panic. If parsing user supplied
input, this may be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2018-17419
credit: "@tr3ee"
diff --git a/reports/GO-2020-0029.yaml b/reports/GO-2020-0029.yaml
index 7023c26..971d6c7 100644
--- a/reports/GO-2020-0029.yaml
+++ b/reports/GO-2020-0029.yaml
@@ -5,7 +5,6 @@
Due to improper HTTP header santization, a malicious user can spoof their
source IP address by setting the X-Forwarded-For header. This may allow
a user to bypass IP based restrictions, or obfuscate their true source.
-published: 2021-04-14T12:00:00Z
credit: "@nl5887"
symbols:
- Context.ClientIP
diff --git a/reports/GO-2020-0031.yaml b/reports/GO-2020-0031.yaml
index 5e20542..91f7131 100644
--- a/reports/GO-2020-0031.yaml
+++ b/reports/GO-2020-0031.yaml
@@ -4,7 +4,6 @@
description: |
Due to improper setting of finalizers, memory passed to C may be freed before it is used,
leading to crashes due to memory corruption or possible code execution.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-8945
links:
diff --git a/reports/GO-2020-0032.yaml b/reports/GO-2020-0032.yaml
index 48159ad..5bf2026 100644
--- a/reports/GO-2020-0032.yaml
+++ b/reports/GO-2020-0032.yaml
@@ -16,7 +16,6 @@
Due to improper santization of user input, Controller.FileHandler allows
for directory traversal, allowing an attacker to read files outside of
the target directory that the server has permission to read.
-published: 2021-04-14T12:00:00Z
credit: "@christi3k"
symbols:
- Controller.FileHandler
diff --git a/reports/GO-2020-0033.yaml b/reports/GO-2020-0033.yaml
index d22189c..4b51882 100644
--- a/reports/GO-2020-0033.yaml
+++ b/reports/GO-2020-0033.yaml
@@ -5,7 +5,6 @@
Due to improper santization of user input, HTTPEngine.Handle allows
for directory traversal, allowing an attacker to read files outside of
the target directory that the server has permission to read.
-published: 2021-04-14T12:00:00Z
credit: "@snyff"
symbols:
- HTTPEngine.Handle
diff --git a/reports/GO-2020-0034.yaml b/reports/GO-2020-0034.yaml
index ef74643..386085e 100644
--- a/reports/GO-2020-0034.yaml
+++ b/reports/GO-2020-0034.yaml
@@ -5,7 +5,6 @@
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
target directory.
-published: 2021-04-14T12:00:00Z
symbols:
- Unzip.Extract
links:
diff --git a/reports/GO-2020-0035.yaml b/reports/GO-2020-0035.yaml
index 9fa679b..29a500e 100644
--- a/reports/GO-2020-0035.yaml
+++ b/reports/GO-2020-0035.yaml
@@ -5,7 +5,6 @@
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
target directory.
-published: 2021-04-14T12:00:00Z
symbols:
- Unzip.Extract
links:
diff --git a/reports/GO-2020-0036.yaml b/reports/GO-2020-0036.yaml
index ec6d8b2..bf56969 100644
--- a/reports/GO-2020-0036.yaml
+++ b/reports/GO-2020-0036.yaml
@@ -11,7 +11,6 @@
Due to unbounded aliasing, a crafted YAML file can cause consumption
of significant system resources. If parsing user supplied input, this
may be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-11254
symbols:
diff --git a/reports/GO-2020-0037.yaml b/reports/GO-2020-0037.yaml
index 6b38fc6..1dd3b21 100644
--- a/reports/GO-2020-0037.yaml
+++ b/reports/GO-2020-0037.yaml
@@ -7,7 +7,6 @@
as a lack of limiting response body sizes, a malicious server
can cause a client to consume a significant amount of system
resources, which may be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
credit: "@guagualvcha"
symbols:
- makeHTTPClient
diff --git a/reports/GO-2020-0038.yaml b/reports/GO-2020-0038.yaml
index 4746cfe..b27d3db 100644
--- a/reports/GO-2020-0038.yaml
+++ b/reports/GO-2020-0038.yaml
@@ -6,7 +6,6 @@
application data are accepted after the initial handshake. This allows
an attacker to inject arbitrary data which the client/server believes
was encrypted, despite not knowing the session key.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-20786
symbols:
diff --git a/reports/GO-2020-0039.yaml b/reports/GO-2020-0039.yaml
index 8c2ab16..bd0f474 100644
--- a/reports/GO-2020-0039.yaml
+++ b/reports/GO-2020-0039.yaml
@@ -5,7 +5,6 @@
Due to improper request santization, a specifically crafted URL
can cause the static file handler to redirect to an attacker chosen
URL, allowing for open redirect attacks.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-12666
credit: "@ev0A"
diff --git a/reports/GO-2020-0040.yaml b/reports/GO-2020-0040.yaml
index 3527139..b7a786c 100644
--- a/reports/GO-2020-0040.yaml
+++ b/reports/GO-2020-0040.yaml
@@ -2,7 +2,6 @@
description: |
Due to unchecked type assertions, maliciously crafted messages can
cause panics, which may be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
credit: "@hMihaiDavid"
links:
context:
diff --git a/reports/GO-2020-0041.yaml b/reports/GO-2020-0041.yaml
index 987a46b..db9d878 100644
--- a/reports/GO-2020-0041.yaml
+++ b/reports/GO-2020-0041.yaml
@@ -15,7 +15,6 @@
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
target directory.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-7668
symbols:
diff --git a/reports/GO-2020-0042.yaml b/reports/GO-2020-0042.yaml
index 19fe76c..eff7f51 100644
--- a/reports/GO-2020-0042.yaml
+++ b/reports/GO-2020-0042.yaml
@@ -6,7 +6,6 @@
Due to improper path santization, RPMs containing relative file
paths can cause files to be written (or overwritten) outside of the
target directory.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-7667
symbols:
diff --git a/reports/GO-2020-0043.yaml b/reports/GO-2020-0043.yaml
index e839db1..05ade3e 100644
--- a/reports/GO-2020-0043.yaml
+++ b/reports/GO-2020-0043.yaml
@@ -7,7 +7,6 @@
SNIs, an attacker may bypass TLS client authentication by indicating
an SNI during the TLS handshake that is different from the name in
the HTTP Host header.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2018-21246
symbols:
diff --git a/reports/GO-2020-0045.yaml b/reports/GO-2020-0045.yaml
index 09fad5d..acf05bb 100644
--- a/reports/GO-2020-0045.yaml
+++ b/reports/GO-2020-0045.yaml
@@ -5,7 +5,6 @@
CSRF tokens are generated using math/rand, which is not a cryptographically secure
rander number generation, making predicting their values relatively trivial and
allowing an attacker to bypass CSRF protections which relatively few requests.
-published: 2021-04-14T12:00:00Z
credit: "@elithrar"
symbols:
- randomBytes
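Review bot: the context lines here carry two description errors worth a follow-up: "rander number generation" should read "random number generator", and "bypass CSRF protections which relatively few requests" should read "with relatively few requests"; not introduced by this CL, but visible in the hunk.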
diff --git a/reports/GO-2020-0046.yaml b/reports/GO-2020-0046.yaml
index d522a60..c6f3e57 100644
--- a/reports/GO-2020-0046.yaml
+++ b/reports/GO-2020-0046.yaml
@@ -11,7 +11,6 @@
Due to a nil pointer dereference, a malformed XML Digital Signature
can cause a panic during validation. If user supplied signatures are
being validated, this may be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-7711
credit: "@stevenjohnstone"
diff --git a/reports/GO-2020-0047.yaml b/reports/GO-2020-0047.yaml
index f1c8481..ec804e0 100644
--- a/reports/GO-2020-0047.yaml
+++ b/reports/GO-2020-0047.yaml
@@ -3,7 +3,6 @@
XML Digital Signatures generated and validated using this package use
SHA-1, which may allow an attacker to craft inputs which cause hash
collisions depending on their control over the input.
-published: 2021-04-14T12:00:00Z
symbols:
- AuthnRequest.Validate
- NewAuthnRequest
diff --git a/reports/GO-2020-0048.yaml b/reports/GO-2020-0048.yaml
index f8c8cba..cc2e11d 100644
--- a/reports/GO-2020-0048.yaml
+++ b/reports/GO-2020-0048.yaml
@@ -6,7 +6,6 @@
which can cause a panic due to nil pointer deference if the loaded
resource is not XML. If user supplied URLs are loaded, this may be
used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-25614
credit: "@dwisiswant0"
diff --git a/reports/GO-2020-0049.yaml b/reports/GO-2020-0049.yaml
index 4b98b30..5fc8523 100644
--- a/reports/GO-2020-0049.yaml
+++ b/reports/GO-2020-0049.yaml
@@ -5,7 +5,6 @@
Due to improper validation of caller input, validation is silently disabled
if the provided expected token is malformed, causing any user supplied token
to be considered valid.
-published: 2021-04-14T12:00:00Z
credit: "@aeneasr"
symbols:
- VerifyToken
diff --git a/reports/GO-2020-0050.yaml b/reports/GO-2020-0050.yaml
index 0839876..937610b 100644
--- a/reports/GO-2020-0050.yaml
+++ b/reports/GO-2020-0050.yaml
@@ -5,7 +5,6 @@
Due to the behavior of encoding/xml, a crafted XML document may cause
XML Digital Signature validation to be entirely bypassed, causing an
unsigned document to appear signed.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-15216
credit: "@jupenur"
diff --git a/reports/GO-2021-0051.yaml b/reports/GO-2021-0051.yaml
index 209f9a4..390d43b 100644
--- a/reports/GO-2021-0051.yaml
+++ b/reports/GO-2021-0051.yaml
@@ -5,7 +5,6 @@
Due to improper santization of user input on Windows, the static file handler
allows for directory traversal, allowing an attacker to read files outside of
the target directory that the server has permission to read.
-published: 2021-04-14T12:00:00Z
credit: "@little-cui (Apache ServiceComb)"
symbols:
- common.static
diff --git a/reports/GO-2021-0052.yaml b/reports/GO-2021-0052.yaml
index f34a828..f1f2b20 100644
--- a/reports/GO-2021-0052.yaml
+++ b/reports/GO-2021-0052.yaml
@@ -3,7 +3,6 @@
Due to improper HTTP header santization, a malicious user can spoof their
source IP address by setting the X-Forwarded-For header. This may allow
a user to bypass IP based restrictions, or obfuscate their true source.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-28483
credit: "@sorenh"
diff --git a/reports/GO-2021-0053.yaml b/reports/GO-2021-0053.yaml
index c41eb7e..3c3ee99 100644
--- a/reports/GO-2021-0053.yaml
+++ b/reports/GO-2021-0053.yaml
@@ -5,7 +5,6 @@
Due to improper bounds checking, maliciously crafted input to generated
Unmarshal methods can cause an out-of-bounds panic. If parsing messages
from untrusted parties, this may be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2021-3121
links:
diff --git a/reports/GO-2021-0054.yaml b/reports/GO-2021-0054.yaml
index 1fb8931..6bbb699 100644
--- a/reports/GO-2021-0054.yaml
+++ b/reports/GO-2021-0054.yaml
@@ -5,7 +5,6 @@
Due to improper bounds checking, maliciously crafted JSON objects
can cause an out-of-bounds panic. If parsing user input, this may
be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-36067
credit: "@toptotu"
diff --git a/reports/GO-2021-0056.yaml b/reports/GO-2021-0056.yaml
index c88f0f9..e01f66d 100644
--- a/reports/GO-2021-0056.yaml
+++ b/reports/GO-2021-0056.yaml
@@ -6,7 +6,6 @@
Due to the behavior of encoding/xml, a crafted XML document may cause
XML Digital Signature validation to be entirely bypassed, causing an
unsigned document to appear signed.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-15216
credit: Juho Nurminen (Mattermost)
diff --git a/reports/GO-2021-0057.yaml b/reports/GO-2021-0057.yaml
index e8dd492..bc2d900 100644
--- a/reports/GO-2021-0057.yaml
+++ b/reports/GO-2021-0057.yaml
@@ -5,7 +5,6 @@
Due to improper bounds checking, maliciously crafted JSON objects
can cause an out-of-bounds panic. If parsing user input, this may
be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-35381
credit: "@toptotu"
diff --git a/reports/GO-2021-0058.yaml b/reports/GO-2021-0058.yaml
index 4b4c565..fbdf88f 100644
--- a/reports/GO-2021-0058.yaml
+++ b/reports/GO-2021-0058.yaml
@@ -14,7 +14,6 @@
Due to the behavior of encoding/xml, a crafted XML document may cause
XML Digital Signature validation to be entirely bypassed, causing an
unsigned document to appear signed.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-27846
symbols:
diff --git a/reports/GO-2021-0059.yaml b/reports/GO-2021-0059.yaml
index ac4a20a..cf8bea5 100644
--- a/reports/GO-2021-0059.yaml
+++ b/reports/GO-2021-0059.yaml
@@ -5,7 +5,6 @@
Due to improper bounds checking, maliciously crafted JSON objects
can cause an out-of-bounds panic. If parsing user input, this may
be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-35380
credit: "@toptotu"
diff --git a/reports/GO-2021-0060.yaml b/reports/GO-2021-0060.yaml
index d40af68..8696462 100644
--- a/reports/GO-2021-0060.yaml
+++ b/reports/GO-2021-0060.yaml
@@ -5,7 +5,6 @@
Due to the behavior of encoding/xml, a crafted XML document may cause
XML Digital Signature validation to be entirely bypassed, causing an
unsigned document to appear signed.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-29509
credit: Juho Nurminen
diff --git a/reports/GO-2021-0061.yaml b/reports/GO-2021-0061.yaml
index af187e4..c390f1b 100644
--- a/reports/GO-2021-0061.yaml
+++ b/reports/GO-2021-0061.yaml
@@ -11,7 +11,6 @@
Due to unbounded alias chasing, a maliciously crafted YAML file
can cause the system to consume significant system resources. If
parsing user input, this may be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
credit: "@simonferquel"
symbols:
- decoder.unmarshal
diff --git a/reports/GO-2021-0063.yaml b/reports/GO-2021-0063.yaml
index ff53bcc..d784e26 100644
--- a/reports/GO-2021-0063.yaml
+++ b/reports/GO-2021-0063.yaml
@@ -6,7 +6,6 @@
Due to a nil pointer dereference, a malicously crafted RPC message
can cause a panic. If handling RPC messages from untrusted clients,
this may be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-26264
credit: "@zsfelfoldi"
diff --git a/reports/GO-2021-0064.yaml b/reports/GO-2021-0064.yaml
index 3a6b343..b4fdab2 100644
--- a/reports/GO-2021-0064.yaml
+++ b/reports/GO-2021-0064.yaml
@@ -12,7 +12,6 @@
description: |
Authorization tokens may be inappropriately logged if the verbosity
level is set to a debug level.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-8565
credit: "@sfowl"
diff --git a/reports/GO-2021-0065.yaml b/reports/GO-2021-0065.yaml
index 2b9374c..049a6ba 100644
--- a/reports/GO-2021-0065.yaml
+++ b/reports/GO-2021-0065.yaml
@@ -12,7 +12,6 @@
description: |
Authorization tokens may be inappropriately logged if the verbosity
level is set to a debug level.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-11250
symbols:
diff --git a/reports/GO-2021-0066.yaml b/reports/GO-2021-0066.yaml
index aeb2180..3661234 100644
--- a/reports/GO-2021-0066.yaml
+++ b/reports/GO-2021-0066.yaml
@@ -5,7 +5,6 @@
description: |
Attempting to read a malformed .dockercfg may cause secrets to be
inappropriately logged.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-8564
credit: "@sfowl"
diff --git a/reports/GO-2021-0067.yaml b/reports/GO-2021-0067.yaml
index b2db7b9..1e120d0 100644
--- a/reports/GO-2021-0067.yaml
+++ b/reports/GO-2021-0067.yaml
@@ -8,7 +8,6 @@
prefixed by "../" will cause a panic due to a stack overflow.
If parsing user supplied archives, this may be used as a
denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2021-27919
symbols:
diff --git a/reports/GO-2021-0068.yaml b/reports/GO-2021-0068.yaml
index 538ceae..233a62d 100644
--- a/reports/GO-2021-0068.yaml
+++ b/reports/GO-2021-0068.yaml
@@ -8,7 +8,6 @@
The go command may execute arbitrary code at build time when using cgo on Windows.
This can be triggered by running go get on a malicious module, or any other time
the code is built.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2021-3115
credit: RyotaK
diff --git a/reports/GO-2021-0069.yaml b/reports/GO-2021-0069.yaml
index 88a6fc8..ee5bf98 100644
--- a/reports/GO-2021-0069.yaml
+++ b/reports/GO-2021-0069.yaml
@@ -8,7 +8,6 @@
description: |
A number of math/big.Int methods can panic when provided large inputs due
to a flawed division method.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-28362
symbols:
diff --git a/reports/GO-2021-0070.yaml b/reports/GO-2021-0070.yaml
index 66f49bf..4575ce2 100644
--- a/reports/GO-2021-0070.yaml
+++ b/reports/GO-2021-0070.yaml
@@ -7,7 +7,6 @@
improperly interpred numeric UIDs as usernames. If the method is used without
verify usernames are formatted as expected, it may allow a user to gain unexpected
privileges.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2016-3697
symbols:
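Review bot: the description context in this hunk has "improperly interpred numeric UIDs" (should be "interpreted") and "used without verify usernames are formatted" (should be "without verifying that usernames are formatted"); out of scope for this change, but worth fixing in a follow-up since the text is user-facing.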
diff --git a/reports/GO-2021-0071.yaml b/reports/GO-2021-0071.yaml
index 35eb03e..9cd5a99 100644
--- a/reports/GO-2021-0071.yaml
+++ b/reports/GO-2021-0071.yaml
@@ -7,7 +7,6 @@
filesystem shift may allow a user who can modify the filesystem to
chmod an arbitrary path of their choice, rather than the expected
path.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2015-1340
credit: Seth Arnold
diff --git a/reports/GO-2021-0072.yaml b/reports/GO-2021-0072.yaml
index daa0098..fa65447 100644
--- a/reports/GO-2021-0072.yaml
+++ b/reports/GO-2021-0072.yaml
@@ -13,7 +13,6 @@
Various storage methods do not impose limits on how much content is accepted
from user requests, allowing a malicious user to force the caller to allocate
an arbitrary amount of memory.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2017-11468
symbols:
diff --git a/reports/GO-2021-0073.yaml b/reports/GO-2021-0073.yaml
index d03b39a..ce372c2 100644
--- a/reports/GO-2021-0073.yaml
+++ b/reports/GO-2021-0073.yaml
@@ -6,7 +6,6 @@
Arbitrary command execution can be triggered by improperly
sanitized SSH URLs in LFS configuration files. This can be
triggered by cloning a malicious repository.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2017-17831
symbols:
diff --git a/reports/GO-2021-0075.yaml b/reports/GO-2021-0075.yaml
index 0b23ec0..b190072 100644
--- a/reports/GO-2021-0075.yaml
+++ b/reports/GO-2021-0075.yaml
@@ -5,7 +5,6 @@
description: |
Due to improper argument validation in RPC messages, a maliciously crafted
message can cause a panic, leading to denial of service.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2018-12018
symbols:
diff --git a/reports/GO-2021-0076.yaml b/reports/GO-2021-0076.yaml
index 9d2f31a..9c6d954 100644
--- a/reports/GO-2021-0076.yaml
+++ b/reports/GO-2021-0076.yaml
@@ -5,7 +5,6 @@
A malicious JSON patch can cause a panic due to an out-of-bounds
write attempt. This can be used as a denial of service vector if
exposed to arbitrary user input.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2018-14632
symbols:
diff --git a/reports/GO-2021-0077.yaml b/reports/GO-2021-0077.yaml
index 0dab107..9f4aae3 100644
--- a/reports/GO-2021-0077.yaml
+++ b/reports/GO-2021-0077.yaml
@@ -7,7 +7,6 @@
valid RBAC username to authenticate themselves as that user, despite lacking the
required credentials. This may allow authentication bypass, but requires a certificate
that is issued by a CA trusted by the server.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2018-16886
symbols:
diff --git a/reports/GO-2021-0078.yaml b/reports/GO-2021-0078.yaml
index 460f03d..3aeed72 100644
--- a/reports/GO-2021-0078.yaml
+++ b/reports/GO-2021-0078.yaml
@@ -6,7 +6,6 @@
The HTML parser does not properly handle "in frameset" insertion mode, and can be made
to panic when operating on malformed HTML that contains <template> tags. If operating
on user input, this may be a vector for a denial of service attack.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2018-17075
credit: Kunpei Sakai
diff --git a/reports/GO-2021-0079.yaml b/reports/GO-2021-0079.yaml
index d72525c..9a5ee9d 100644
--- a/reports/GO-2021-0079.yaml
+++ b/reports/GO-2021-0079.yaml
@@ -7,7 +7,6 @@
validation of arguments. If processing queries from untrusted
parties, this may be used as a vector for denial of service
attacks.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2018-18206
credit: "@yahtoo"
diff --git a/reports/GO-2021-0081.yaml b/reports/GO-2021-0081.yaml
index 5432086..c772927 100644
--- a/reports/GO-2021-0081.yaml
+++ b/reports/GO-2021-0081.yaml
@@ -6,7 +6,6 @@
The HTTP client used to connect to the container registry authorization
service explicitly disables TLS verification, allowing an attacker that
is able to MITM the connection to steal credentials.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-10214
symbols:
diff --git a/reports/GO-2021-0082.yaml b/reports/GO-2021-0082.yaml
index 8d49d36..7472eab 100644
--- a/reports/GO-2021-0082.yaml
+++ b/reports/GO-2021-0082.yaml
@@ -8,7 +8,6 @@
send messages that declare that they are significantly larger than they
actually are, allowing them to force the server to allocate significant
amounts of memory. This can be used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-11939
links:
diff --git a/reports/GO-2021-0083.yaml b/reports/GO-2021-0083.yaml
index cfffcd1..13f86d0 100644
--- a/reports/GO-2021-0083.yaml
+++ b/reports/GO-2021-0083.yaml
@@ -6,7 +6,6 @@
TLS certificate verification is skipped when connecting to a MQTT server.
This allows an attacker who can MITM the connection to read, or forge,
messages passed between the client and server.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-12496
symbols:
diff --git a/reports/GO-2021-0084.yaml b/reports/GO-2021-0084.yaml
index 1644ee7..35a9d2e 100644
--- a/reports/GO-2021-0084.yaml
+++ b/reports/GO-2021-0084.yaml
@@ -5,7 +5,6 @@
description: |
Session data is stored using permissive permissions, allowing local users
with filesystem access to read arbitrary data.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-16354
credit: "@nicowaisman"
diff --git a/reports/GO-2021-0085.yaml b/reports/GO-2021-0085.yaml
index 4113eff..0b8d301 100644
--- a/reports/GO-2021-0085.yaml
+++ b/reports/GO-2021-0085.yaml
@@ -10,7 +10,6 @@
description: |
AppArmor restrictions may be bypassed due to improper validation of mount
targets, allowing a malicious image to mount volumes over e.g. /proc.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-16884
credit: Leopold Schabel
diff --git a/reports/GO-2021-0086.yaml b/reports/GO-2021-0086.yaml
index 5aa763a..8f30be9 100644
--- a/reports/GO-2021-0086.yaml
+++ b/reports/GO-2021-0086.yaml
@@ -5,7 +5,6 @@
description: |
HTML content in markdown is not santized during rendering, possibly allowing
XSS if used to render untrusted user input.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-19619
symbols:
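Review bot: The description context line in this hunk has a typo, "HTML content in markdown is not santized during rendering"; since this file is already being touched, consider fixing it to "sanitized" in the same change.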
diff --git a/reports/GO-2021-0087.yaml b/reports/GO-2021-0087.yaml
index b48e2f9..ff19dcd 100644
--- a/reports/GO-2021-0087.yaml
+++ b/reports/GO-2021-0087.yaml
@@ -6,7 +6,6 @@
A race while mounting volumes allows a possible symlink-exchange
attack, allowing a user whom can start multiple containers with
custom volume mount configurations to escape the container.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-19921
credit: Leopold Schabel
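Review bot: The description context in this hunk reads "allowing a user whom can start multiple containers"; "whom" should be "who" here, and this file is already being edited, so it could be corrected in the same change.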
diff --git a/reports/GO-2021-0088.yaml b/reports/GO-2021-0088.yaml
index 0f05f23..e1c6a46 100644
--- a/reports/GO-2021-0088.yaml
+++ b/reports/GO-2021-0088.yaml
@@ -7,7 +7,6 @@
messages with unknown fields which can take significant resources to parse. If a
server accepts messages from an untrusted user, it may be used as a denial of service
vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2019-3564
symbols:
diff --git a/reports/GO-2021-0089.yaml b/reports/GO-2021-0089.yaml
index 7ee8b26..caeee99 100644
--- a/reports/GO-2021-0089.yaml
+++ b/reports/GO-2021-0089.yaml
@@ -5,7 +5,6 @@
Parsing malformed JSON which contain opening brackets, but not closing brackets,
leads to an infinite loop. If operating on untrusted user input this can be
used as a denial of service vector.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-10675
credit: Cong Wang
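Review bot: The description context in this hunk has a subject-verb mismatch, "Parsing malformed JSON which contain opening brackets"; it should read "which contains". Worth fixing while the file is being touched.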
diff --git a/reports/GO-2021-0090.yaml b/reports/GO-2021-0090.yaml
index 97fc828..9f58875 100644
--- a/reports/GO-2021-0090.yaml
+++ b/reports/GO-2021-0090.yaml
@@ -7,7 +7,6 @@
Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping
these signatures, they cause failure during verification. A malicious proposer can use this to force
consensus failures.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-15091
credit: Neeraj Murarka
diff --git a/reports/GO-2021-0091.yaml b/reports/GO-2021-0091.yaml
index 2207f57..f929af9 100644
--- a/reports/GO-2021-0091.yaml
+++ b/reports/GO-2021-0091.yaml
@@ -5,7 +5,6 @@
Due to improper input validation when uploading a file, a malicious user may
force the server to return arbitrary HTTP headers when the uploaded
file is downloaded.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-15111
credit: Hasibul Hasan and Abdullah Shaleh
diff --git a/reports/GO-2021-0092.yaml b/reports/GO-2021-0092.yaml
index 17f460d..46cfa47 100644
--- a/reports/GO-2021-0092.yaml
+++ b/reports/GO-2021-0092.yaml
@@ -4,7 +4,6 @@
description: |
Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
replayed.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-15222
symbols:
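Review bot: The description context in this hunk, "Uniqueness of JWT IDs (jti) are not checked", should read "is not checked" (the subject is "Uniqueness"); since the file is being modified anyway, consider correcting it here.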
diff --git a/reports/GO-2021-0094.yaml b/reports/GO-2021-0094.yaml
index db43ee1..db90638 100644
--- a/reports/GO-2021-0094.yaml
+++ b/reports/GO-2021-0094.yaml
@@ -8,7 +8,6 @@
directory. Additionally if the attacker is able to read extracted files
they may create symbolic links to arbitrary files on the system which the
unpacker has permissions to read.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-29529
symbols:
diff --git a/reports/GO-2021-0095.yaml b/reports/GO-2021-0095.yaml
index f000a11..a5b1072 100644
--- a/reports/GO-2021-0095.yaml
+++ b/reports/GO-2021-0095.yaml
@@ -6,7 +6,6 @@
Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
allowing them to use the created key.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-8918
credit: Chris Fenner
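Review bot: Minor wording in the description context of this hunk: "Due to repeated usage of a XOR key" should be "an XOR key". Easy to fold into this change since the file is already touched.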
diff --git a/reports/GO-2021-0096.yaml b/reports/GO-2021-0096.yaml
index ca9a08d..ad656b4 100644
--- a/reports/GO-2021-0096.yaml
+++ b/reports/GO-2021-0096.yaml
@@ -4,7 +4,6 @@
description: |
Due to improper setting of finalizers, memory passed to C may be freed before it is used,
leading to crashes due to memory corruption or possible code execution.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-8945
credit: Ulrich Obergfell
diff --git a/reports/GO-2021-0097.yaml b/reports/GO-2021-0097.yaml
index 739df37..98b69a9 100644
--- a/reports/GO-2021-0097.yaml
+++ b/reports/GO-2021-0097.yaml
@@ -5,7 +5,6 @@
Due to improper bounds checking, a number of methods can trigger a panic due to attempted
out-of-bounds reads. If the package is used to parse user supplied input, this may be
used as a vector for a denial of service attack.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2020-29242
- CVE-2020-29243
diff --git a/reports/GO-2021-0098.yaml b/reports/GO-2021-0098.yaml
index 2f0d04e..6ed99fa 100644
--- a/reports/GO-2021-0098.yaml
+++ b/reports/GO-2021-0098.yaml
@@ -25,7 +25,6 @@
description: |
Due to the standard library behavior of exec.LookPath on Windows a number of methods may
result in arbitrary code execution when cloning or operating on untrusted Git repositories.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2021-21237
credit: "@Ry0taK"
diff --git a/reports/GO-2021-0099.yaml b/reports/GO-2021-0099.yaml
index 7d280e2..f060230 100644
--- a/reports/GO-2021-0099.yaml
+++ b/reports/GO-2021-0099.yaml
@@ -6,7 +6,6 @@
Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore
content store may result in directory traversal during archive extraction, allowing a
malicious archive to write paths to arbitrary paths that the process can write to.
-published: 2021-04-14T12:00:00Z
cves:
- CVE-2021-21272
credit: Chris Smowton
diff --git a/reports/GO-2021-0100.yaml b/reports/GO-2021-0100.yaml
index 4ea061b..836e22d 100644
--- a/reports/GO-2021-0100.yaml
+++ b/reports/GO-2021-0100.yaml
@@ -7,7 +7,6 @@
on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker
can use this to cause denial of service if they are able to cause the caller to attempt to
decompress an archive they control.
-published: 2021-07-28T12:00:00Z
cves:
- CVE-2021-20291
credit: Aviv Sasson (Palo Alto Networks)
diff --git a/reports/GO-2021-0101.yaml b/reports/GO-2021-0101.yaml
index ce4e941..b7bdd1b 100644
--- a/reports/GO-2021-0101.yaml
+++ b/reports/GO-2021-0101.yaml
@@ -11,7 +11,6 @@
- CVE-2019-0210
symbols:
- TSimpleJSONProtocol.safePeekContains
-published: 2021-07-28T12:00:00Z
links:
commit: https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2
context:
diff --git a/reports/GO-2021-0102.yaml b/reports/GO-2021-0102.yaml
index 7a0ee42..80c3b34 100644
--- a/reports/GO-2021-0102.yaml
+++ b/reports/GO-2021-0102.yaml
@@ -17,7 +17,6 @@
- CVE-2019-11289
symbols:
- AesGCM.Decrypt
-published: 2021-07-28T12:00:00Z
links:
commit: https://github.com/cloudfoundry/gorouter/commit/b1b5c44e050f73b399b379ca63a42a2c5780a83f
context:
diff --git a/reports/GO-2021-0103.yaml b/reports/GO-2021-0103.yaml
index 2436732..097e8dd 100644
--- a/reports/GO-2021-0103.yaml
+++ b/reports/GO-2021-0103.yaml
@@ -11,7 +11,6 @@
credit: Dima Stebaev
symbols:
- udivrem
-published: 2021-07-28T12:00:00Z
links:
commit: https://github.com/holiman/uint256/commit/6785da6e3eea403260a5760029e722aa4ff1716d
pr: https://github.com/holiman/uint256/pull/80
diff --git a/reports/GO-2021-0104.yaml b/reports/GO-2021-0104.yaml
index dcfc101..9bf9df6 100644
--- a/reports/GO-2021-0104.yaml
+++ b/reports/GO-2021-0104.yaml
@@ -11,7 +11,6 @@
credit: Gaukas Wang (@Gaukas)
symbols:
- DTLSTransport.Start
-published: 2021-07-28T12:00:00Z
links:
commit: https://github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e
pr: https://github.com/pion/webrtc/pull/1709
diff --git a/reports/GO-2021-0105.yaml b/reports/GO-2021-0105.yaml
index 476e1bc..c769476 100644
--- a/reports/GO-2021-0105.yaml
+++ b/reports/GO-2021-0105.yaml
@@ -11,7 +11,6 @@
credit: John Youngseok Yang (Software Platform Lab)
symbols:
- StateDB.createObject
-published: 2021-07-28T12:00:00Z
links:
commit: https://github.com/ethereum/go-ethereum/commit/87c0ba92136a75db0ab2aba1046d4a9860375d6a
pr: https://github.com/ethereum/go-ethereum/pull/21080
diff --git a/reports/GO-2021-0106.yaml b/reports/GO-2021-0106.yaml
index acb9de9..d65de68 100644
--- a/reports/GO-2021-0106.yaml
+++ b/reports/GO-2021-0106.yaml
@@ -7,7 +7,6 @@
target directory.
symbols:
- Extractor.outputPath
-published: 2021-07-28T12:00:00Z
links:
commit: https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227
context:
diff --git a/reports/GO-2021-0107.yaml b/reports/GO-2021-0107.yaml
index 7b7f25e..8c8c13c 100644
--- a/reports/GO-2021-0107.yaml
+++ b/reports/GO-2021-0107.yaml
@@ -7,7 +7,6 @@
authentication bypass.
symbols:
- Server.socketHandler
-published: 2021-07-28T12:00:00Z
links:
commit: https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
context:
diff --git a/reports/GO-2021-0108.yaml b/reports/GO-2021-0108.yaml
index 9407743..e9dcd67 100644
--- a/reports/GO-2021-0108.yaml
+++ b/reports/GO-2021-0108.yaml
@@ -10,7 +10,6 @@
credit: Hasibul Hasan and Abdullah Shaleh
symbols:
- Ctx.Attachment
-published: 2021-07-28T12:00:00Z
links:
commit: https://github.com/gofiber/fiber/commit/f698b5d5066cfe594102ae252cd58a1fe57cf56f
pr: https://github.com/gofiber/fiber/pull/579
diff --git a/reports/GO-2021-0109.yaml b/reports/GO-2021-0109.yaml
index e594263..7bb59d1 100644
--- a/reports/GO-2021-0109.yaml
+++ b/reports/GO-2021-0109.yaml
@@ -5,7 +5,6 @@
Due to improper error handling, an error with the underlying token storage may cause a user
to believe a token has been successfully revoked when it is in fact still valid. An attackers
ability to exploit this relies on an ability to trigger errors in the underlying storage.
-published: 2021-07-28T12:00:00Z
cves:
- CVE-2020-15223
symbols:
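Review bot: The description context in this hunk has a missing apostrophe, "An attackers ability to exploit this"; it should read "An attacker's ability". Consider fixing it while the file is being edited.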
diff --git a/reports/GO-2021-0110.yaml b/reports/GO-2021-0110.yaml
index 4c4951e..46cfa47 100644
--- a/reports/GO-2021-0110.yaml
+++ b/reports/GO-2021-0110.yaml
@@ -4,7 +4,6 @@
description: |
Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
replayed.
-published: 2021-07-28T12:00:00Z
cves:
- CVE-2020-15222
symbols:
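Review bot: After this hunk, reports/GO-2021-0110.yaml and reports/GO-2021-0092.yaml resolve to the same blob (both index lines end in 46cfa47), and the visible context shows the same description and the same CVE-2020-15222, so the only thing that distinguished the two files was the `published` date being removed here. Please confirm whether one of these reports is an accidental duplicate that should be dropped or merged before the dates are taken from git history.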
diff --git a/reports/GO-2021-0111.yaml b/reports/GO-2021-0111.yaml
index 297e9e9..a56e002 100644
--- a/reports/GO-2021-0111.yaml
+++ b/reports/GO-2021-0111.yaml
@@ -10,7 +10,6 @@
- CVE-2021-20329
symbols:
- valueWriter.writeElementHeader
-published: 2021-07-28T12:00:00Z
links:
commit: https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca
pr: https://github.com/mongodb/mongo-go-driver/pull/622
diff --git a/reports/GO-2021-0112.yaml b/reports/GO-2021-0112.yaml
index a78fb26..befddf1 100644
--- a/reports/GO-2021-0112.yaml
+++ b/reports/GO-2021-0112.yaml
@@ -11,7 +11,6 @@
symbols:
- AppendHeader
- AppendRegex
-published: 2021-07-28T12:00:00Z
links:
commit: https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca
pr: https://github.com/mongodb/mongo-go-driver/pull/622
diff --git a/reports/GO-2021-0113.yaml b/reports/GO-2021-0113.yaml
index 87495dc..9df798c 100644
--- a/reports/GO-2021-0113.yaml
+++ b/reports/GO-2021-0113.yaml
@@ -11,7 +11,6 @@
credit: Guido Vranken
symbols:
- Parse
-published: 2021-10-06T12:00:00Z
links:
commit: https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f
pr: https://go-review.googlesource.com/c/text/+/340830
diff --git a/reports/GO-2021-0140.yaml b/reports/GO-2021-0140.yaml
index 8252eb7..a2b0cd1 100644
--- a/reports/GO-2021-0140.yaml
+++ b/reports/GO-2021-0140.yaml
@@ -6,7 +6,6 @@
description: |
X509 Certificate verification does not validate KeyUsages EKU
requirements on Windows if VerifyOptions.Roots is nil.
-published: 2020-07-17T12:00:00Z
cves:
- CVE-2020-14039
credit: Niall Newman
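Review bot: The `published` value removed in this hunk, 2020-07-17T12:00:00Z, is the earliest date in this change and is about a year before the 2021-04-14 dates the other reports carried, so it was evidently set deliberately rather than by default; deriving it from git history will move this report's publication date to when the file was first committed. Please confirm that the later git-derived date is acceptable for GO-2021-0140, or keep an explicit override if the original publication date matters.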
diff --git a/reports/GO-2021-0141.yaml b/reports/GO-2021-0141.yaml
index 2694aba..5f5da5f 100644
--- a/reports/GO-2021-0141.yaml
+++ b/reports/GO-2021-0141.yaml
@@ -7,7 +7,6 @@
A Go HTTP server which reads from the request body while
simultaneously writing a response can panic when clients
send a "Expect: 100-continue" header.
-published: 2021-07-17T12:00:00Z
cves:
- CVE-2020-15586
credit: Mikael Manukyan
diff --git a/reports/GO-2021-0159.yaml b/reports/GO-2021-0159.yaml
index 7c3eb13..38a5762 100644
--- a/reports/GO-2021-0159.yaml
+++ b/reports/GO-2021-0159.yaml
@@ -32,4 +32,3 @@
- https://go.googlesource.com/go/+/300d9a21583e7cf0149a778a0611e76ff7c6680f
- https://go.googlesource.com/go/+/c2db5f4ccc61ba7df96a747e268a277b802cbb87
- https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ
-published: 2021-12-31T12:31:00Z
diff --git a/reports/GO-2021-0160.yaml b/reports/GO-2021-0160.yaml
index e78f98f..045796f 100644
--- a/reports/GO-2021-0160.yaml
+++ b/reports/GO-2021-0160.yaml
@@ -37,4 +37,3 @@
- https://go.dev/cl/17672
- https://go.dev/issue/13515
- https://groups.google.com/g/golang-announce/c/MEATuOi_ei4
-published: 2022-01-04T12:31:00Z
diff --git a/reports/GO-2021-0163.yaml b/reports/GO-2021-0163.yaml
index e785c23..a59cd16 100644
--- a/reports/GO-2021-0163.yaml
+++ b/reports/GO-2021-0163.yaml
@@ -17,4 +17,3 @@
context:
- https://go.dev/issue/14959
- https://groups.google.com/g/golang-announce/c/9eqIHqaWvck
-published: 2022-01-04T12:46:00Z