data/reports/GO-2021-0102.yaml

modules:
  - module: code.cloudfoundry.org/gorouter
    versions:
      - fixed: 0.0.0-20191101214924-b1b5c44e050f
    vulnerable_at: 0.0.0-20191101214739-a658664ae1e3
    packages:
      - package: code.cloudfoundry.org/gorouter/common/secure
        symbols:
          - AesGCM.Decrypt
  - module: github.com/cloudfoundry/gorouter
    versions:
      - fixed: 0.0.0-20191101214924-b1b5c44e050f
    vulnerable_at: 0.0.0-20191101214739-a658664ae1e3
    packages:
      - package: github.com/cloudfoundry/gorouter/common/secure
        symbols:
          - AesGCM.Decrypt
description: |
    Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect
    nonce size. If this package is used to decrypt user supplied messages without checking the size of
    supplied nonces, this may be used as a vector for a denial of service attack.
published: 2021-07-28T18:08:05Z
cves:
  - CVE-2019-11289
ghsas:
  - GHSA-5796-p3m6-9qj4
references:
  - fix: https://github.com/cloudfoundry/gorouter/commit/b1b5c44e050f73b399b379ca63a42a2c5780a83f
  - web: https://www.cloudfoundry.org/blog/cve-2019-11289/