data/reports: update GO-2023-2328.yaml
Add missing GHSA.
Aliases: CVE-2023-45286, GHSA-xwh9-gc39-5298
Updates golang/vulndb#2328
Fixes golang/vulndb#2357
Change-Id: Ie4b7593cc7bb3251d5919db76ddfe99a4fdeff15
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/547980
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/osv/GO-2023-2328.json b/data/osv/GO-2023-2328.json
index 750f76a..f9287f0 100644
--- a/data/osv/GO-2023-2328.json
+++ b/data/osv/GO-2023-2328.json
@@ -4,7 +4,8 @@
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
- "CVE-2023-45286"
+ "CVE-2023-45286",
+ "GHSA-xwh9-gc39-5298"
],
"summary": "HTTP request body disclosure in github.com/go-resty/resty/v2",
"details": "A race condition in go-resty can result in HTTP request body disclosure across requests.\n\nThis condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request.\n\nThe sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.",
diff --git a/data/reports/GO-2023-2328.yaml b/data/reports/GO-2023-2328.yaml
index 50e6a62..d0b5473 100644
--- a/data/reports/GO-2023-2328.yaml
+++ b/data/reports/GO-2023-2328.yaml
@@ -33,6 +33,8 @@
The sync.Pool in question is defined at package level scope, so a completely
unrelated server could receive the request body.
+ghsas:
+ - GHSA-xwh9-gc39-5298
credits:
- Logan Attwood (@lattwood)
references:
