Update GO-2025-3765 with fixed version
- GHSA-h4h6-vccr-44h2 noted fixed version as 1.2.15
- Addresses golang/vulndb#3876
Change-Id: Id5e811cb3706a1a5470cf57f534256a01b279f36
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/696215
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Markus Kusano <kusano@google.com>
Auto-Submit: Ethan Lee <ethanalee@google.com>
diff --git a/data/osv/GO-2025-3765.json b/data/osv/GO-2025-3765.json
index 3c888fc..e763e71 100644
--- a/data/osv/GO-2025-3765.json
+++ b/data/osv/GO-2025-3765.json
@@ -21,6 +21,9 @@
"events": [
{
"introduced": "0"
+ },
+ {
+ "fixed": "1.2.15"
}
]
}
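Review bot: The added "fixed": "1.2.15" event closes a range that was previously open from "introduced": "0", so consumers of this record will stop reporting 1.2.15 and later based on this one value. The commit message gives GHSA-h4h6-vccr-44h2 as the only source for it; confirm against the upstream release that the fix is present in that version before relying on the advisory alone.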
diff --git a/data/reports/GO-2025-3765.yaml b/data/reports/GO-2025-3765.yaml
index 64ec45e..6cf5f99 100644
--- a/data/reports/GO-2025-3765.yaml
+++ b/data/reports/GO-2025-3765.yaml
@@ -1,6 +1,8 @@
id: GO-2025-3765
modules:
- module: github.com/uptrace/bun/driver/pgdriver
+ versions:
+ - fixed: 1.2.15
vulnerable_at: 1.2.14
summary: SQL injection vulnerability in github.com/uptrace/bun/driver/pgdriver
cves:
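Review bot: The new `versions:` entry sits under `module: github.com/uptrace/bun/driver/pgdriver`, which is reported as its own module, so `fixed: 1.2.15` should be checked against the version list of that module path rather than against tags of the parent repository. The unchanged `vulnerable_at: 1.2.14` remains consistent with the new bound, so no change is needed there.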
@@ -13,8 +15,6 @@
- web: https://github.com/uptrace/bun/tree/master/driver/pgdriver
- web: https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn%27t%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
- web: https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw
-notes:
- - No known fix commit.
source:
id: GHSA-h4h6-vccr-44h2
created: 2025-07-16T11:06:35.100738-04:00
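Review bot: Dropping the `notes:` entry "No known fix commit." leaves the visible references as `web:` links only, so nothing in the report points at the change that fixed the issue. If the fixing commit or release can be identified, add it as a `fix:` reference so the 1.2.15 bound can be verified from the report itself; if it cannot, say so in a note rather than removing the note outright.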