data/reports: force run fix on corpus to canonicalize newline breaks
Change-Id: Iff91cbeea68486393b95032f85549547aebd193e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576676
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/reports/GO-2023-2399.yaml b/data/reports/GO-2023-2399.yaml
index 8b3df7a..7d1bfc4 100644
--- a/data/reports/GO-2023-2399.yaml
+++ b/data/reports/GO-2023-2399.yaml
@@ -47,9 +47,8 @@
skip_fix: 'TODO: module github.com/hashicorp/vault must be updated with go get github.com/hashicorp/vault/sdk@v0.10.2 to reproduce.'
summary: Denial of service via memory exhaustion in github.com/hashicorp/vault
description: |-
- Unauthenticated and authenticated HTTP requests from a client
- will be attempted to be mapped to memory.
- Large requests may result in the exhaustion of available
+ Unauthenticated and authenticated HTTP requests from a client will be attempted
+ to be mapped to memory. Large requests may result in the exhaustion of available
memory on the host, which may cause crashes and denial of service.
cves:
- CVE-2023-6337
diff --git a/data/reports/GO-2023-2400.yaml b/data/reports/GO-2023-2400.yaml
index b161e68..54c3934 100644
--- a/data/reports/GO-2023-2400.yaml
+++ b/data/reports/GO-2023-2400.yaml
@@ -23,8 +23,8 @@
- TokenFlows.ClientCredentials
summary: Escalation of privileges in github.com/sap/cloud-security-client-go
description: |-
- An unauthenticated attacker can obtain arbitrary permissions
- within the application under certain conditions.
+ An unauthenticated attacker can obtain arbitrary permissions within the
+ application under certain conditions.
cves:
- CVE-2023-50424
ghsas:
diff --git a/data/reports/GO-2023-2409.yaml b/data/reports/GO-2023-2409.yaml
index fa5b21a..4cb020d 100644
--- a/data/reports/GO-2023-2409.yaml
+++ b/data/reports/GO-2023-2409.yaml
@@ -17,10 +17,12 @@
- DecodeBytes
- Encrypt
- EncryptBytes
-summary: Denial of service when decrypting attack controlled input in github.com/dvsekhvalnov/jose2go
+summary: |-
+ Denial of service when decrypting attack controlled input in
+ github.com/dvsekhvalnov/jose2go
description: |-
- An attacker controlled input of a PBES2 encrypted JWE blob can have a very
- large p2c value that, when decrypted, produces a denial-of-service.
+ An attacker controlled input of a PBES2 encrypted JWE blob can have a very large
+ p2c value that, when decrypted, produces a denial-of-service.
ghsas:
- GHSA-mhpq-9638-x6pw
credits:
diff --git a/data/reports/GO-2024-2454.yaml b/data/reports/GO-2024-2454.yaml
index 5b3a0e3..c2e095b 100644
--- a/data/reports/GO-2024-2454.yaml
+++ b/data/reports/GO-2024-2454.yaml
@@ -3,7 +3,7 @@
- module: github.com/lestrrat-go/jwx
versions:
- introduced: 1.0.8
- - fixed: 1.2.28
+ fixed: 1.2.28
vulnerable_at: 1.2.27
packages:
- package: github.com/lestrrat-go/jwx/jws
diff --git a/data/reports/GO-2024-2490.yaml b/data/reports/GO-2024-2490.yaml
index cf617af..4ce511a 100644
--- a/data/reports/GO-2024-2490.yaml
+++ b/data/reports/GO-2024-2490.yaml
@@ -12,9 +12,9 @@
- https://github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204
summary: Path traversal in github.com/anchore/stereoscope
description: |-
- It is possible to craft an OCI tar archive that, when stereoscope
- attempts to unarchive the contents, will result in writing to paths outside of
- the unarchive temporary directory.
+ It is possible to craft an OCI tar archive that, when stereoscope attempts to
+ unarchive the contents, will result in writing to paths outside of the unarchive
+ temporary directory.
cves:
- CVE-2024-24579
ghsas:
diff --git a/data/reports/GO-2024-2492.yaml b/data/reports/GO-2024-2492.yaml
index 8e31d50..d2c9e9b 100644
--- a/data/reports/GO-2024-2492.yaml
+++ b/data/reports/GO-2024-2492.yaml
@@ -45,8 +45,8 @@
- https://github.com/moby/buildkit/commit/7718bd5c3dc8fc5cd246a30cc41766e7a53c043c
summary: Panic in github.com/moby/buildkit
description: |-
- A malicious BuildKit client or frontend could craft a request that
- could lead to a BuildKit daemon crashing with a panic.
+ A malicious BuildKit client or frontend could craft a request that could lead to
+ a BuildKit daemon crashing with a panic.
cves:
- CVE-2024-23650
ghsas:
diff --git a/data/reports/GO-2024-2493.yaml b/data/reports/GO-2024-2493.yaml
index 928c04c..eeb460f 100644
--- a/data/reports/GO-2024-2493.yaml
+++ b/data/reports/GO-2024-2493.yaml
@@ -19,9 +19,9 @@
- https://github.com/moby/buildkit/commit/f781267af1acb688e94740e1fdc22c1bf587d7fd
summary: Host system file access in github.com/moby/buildkit
description: |-
- Two malicious build steps running in parallel sharing the same cache
- mounts with subpaths could cause a race condition that can lead to files from
- the host system being accessible to the build container.
+ Two malicious build steps running in parallel sharing the same cache mounts with
+ subpaths could cause a race condition that can lead to files from the host
+ system being accessible to the build container.
cves:
- CVE-2024-23651
ghsas:
diff --git a/data/reports/GO-2024-2494.yaml b/data/reports/GO-2024-2494.yaml
index 55d3ff8..217cfda 100644
--- a/data/reports/GO-2024-2494.yaml
+++ b/data/reports/GO-2024-2494.yaml
@@ -8,13 +8,13 @@
- package: github.com/moby/buildkit/executor
symbols:
- MountStubsCleaner
- fix_links:
+ fix_links:
- https://github.com/moby/buildkit/commit/00fe637d43aba66f0937f5bdf4b9fc96991794fd
summary: Host system modification in github.com/moby/buildkit
description: |-
- A malicious BuildKit frontend or Dockerfile using RUN --mount could trick
- the feature that removes empty files created for the mountpoints into
- removing a file outside the container, from the host system.
+ A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the
+ feature that removes empty files created for the mountpoints into removing a
+ file outside the container, from the host system.
cves:
- CVE-2024-23652
ghsas:
diff --git a/data/reports/GO-2024-2497.yaml b/data/reports/GO-2024-2497.yaml
index 615cdb3..4cdbfc5 100644
--- a/data/reports/GO-2024-2497.yaml
+++ b/data/reports/GO-2024-2497.yaml
@@ -37,8 +37,8 @@
BuildKit provides APIs for running interactive containers based on built images.
It was possible to use these APIs to ask BuildKit to run a container with
elevated privileges. Normally, running such containers is only allowed if
- special security.insecure entitlement is enabled both by buildkitd
- configuration and allowed by the user initializing the build request.
+ special security.insecure entitlement is enabled both by buildkitd configuration
+ and allowed by the user initializing the build request.
cves:
- CVE-2024-23653
ghsas:
diff --git a/data/reports/GO-2024-2602.yaml b/data/reports/GO-2024-2602.yaml
index f3b8377..19ef88d 100644
--- a/data/reports/GO-2024-2602.yaml
+++ b/data/reports/GO-2024-2602.yaml
@@ -23,11 +23,11 @@
summary: Incorrect email domain verification in github.com/coder/coder
description: |-
A vulnerability in Coder's OIDC authentication could allow an attacker to bypass
- the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email
- not in the allowlist. Deployments are only affected if the OIDC provider allows
+ the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email not
+ in the allowlist. Deployments are only affected if the OIDC provider allows
users to create accounts on the provider (such as public providers like
- google.com). During OIDC registration, the user's email was improperly
- validated against the allowed CODER_OIDC_EMAIL_DOMAINs.
+ google.com). During OIDC registration, the user's email was improperly validated
+ against the allowed CODER_OIDC_EMAIL_DOMAINs.
cves:
- CVE-2024-27918
ghsas:
diff --git a/data/reports/GO-2024-2608.yaml b/data/reports/GO-2024-2608.yaml
index f504c85..173a234 100644
--- a/data/reports/GO-2024-2608.yaml
+++ b/data/reports/GO-2024-2608.yaml
@@ -27,8 +27,8 @@
as the user has valid credentials and a provider, they can set the repo
owner/name to any value they want and the server will return information on this
repo. DeleteRepositoryByName uses the same query and a user can delete another
- user's repo using this technique. The GetArtifactByName endpoint also uses
- this DB query.
+ user's repo using this technique. The GetArtifactByName endpoint also uses this
+ DB query.
cves:
- CVE-2024-27916
ghsas:
diff --git a/data/reports/GO-2024-2643.yaml b/data/reports/GO-2024-2643.yaml
index aab7263..f3ca4db 100644
--- a/data/reports/GO-2024-2643.yaml
+++ b/data/reports/GO-2024-2643.yaml
@@ -24,9 +24,9 @@
- Server.Create
summary: Bypass manifest during application creation in github.com/argoproj/argo-cd/v2
description: |-
- An improper validation bug allows users who have create privileges
- to sync a local manifest during application creation. This allows for bypassing
- the restriction that the manifests come from some approved git/Helm/OCI source.
+ An improper validation bug allows users who have create privileges to sync a
+ local manifest during application creation. This allows for bypassing the
+ restriction that the manifests come from some approved git/Helm/OCI source.
cves:
- CVE-2023-50726
ghsas:
diff --git a/data/reports/GO-2024-2668.yaml b/data/reports/GO-2024-2668.yaml
index 369f9cf..267ce6e 100644
--- a/data/reports/GO-2024-2668.yaml
+++ b/data/reports/GO-2024-2668.yaml
@@ -10,16 +10,15 @@
- PostUserLogin
summary: Login username enumeration in github.com/IceWhaleTech/CasaOS-UserService
description: |-
- The Casa OS Login page has a username enumeration vulnerability in the
- login page that was patched in Casa OS v0.4.7. The issue exists because
- the application response differs depending on whether the username or
- password is incorrect, allowing an attacker to enumerate usernames by
- observing the application response. For example, if the username is
- incorrect, the application returns "User does not exist" with return
- code "10006", while if the password is incorrect, it returns
- "User does not exist or password is invalid" with return code "10013".
- This allows an attacker to determine if a username exists without knowing
- the password.
+ The Casa OS Login page has a username enumeration vulnerability in the login
+ page that was patched in Casa OS v0.4.7. The issue exists because the
+ application response differs depending on whether the username or password is
+ incorrect, allowing an attacker to enumerate usernames by observing the
+ application response. For example, if the username is incorrect, the application
+ returns "User does not exist" with return code "10006", while if the password is
+ incorrect, it returns "User does not exist or password is invalid" with return
+ code "10013". This allows an attacker to determine if a username exists without
+ knowing the password.
cves:
- CVE-2024-28232
ghsas:
