data/reports: fix GO-2021-0076.yaml
Add vulnerable_at and incompatible versions
Aliases: CVE-2018-14632
Updates golang/vulndb#76
Change-Id: I30d6ba338b1560080b374fc3c8062fa2ff7bf275
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/462620
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
diff --git a/data/osv/GO-2021-0076.json b/data/osv/GO-2021-0076.json
index 6dc4f70..015df8c 100644
--- a/data/osv/GO-2021-0076.json
+++ b/data/osv/GO-2021-0076.json
@@ -21,6 +21,12 @@
},
{
"fixed": "0.5.2"
+ },
+ {
+ "introduced": "3.0.0"
+ },
+ {
+ "fixed": "3.0.1-0.20180525145409-4c9aadca8f89"
}
]
}
@@ -33,6 +39,8 @@
{
"path": "github.com/evanphx/json-patch",
"symbols": [
+ "Patch.Apply",
+ "Patch.ApplyIndent",
"partialArray.add"
]
}
diff --git a/data/reports/GO-2021-0076.yaml b/data/reports/GO-2021-0076.yaml
index 21f283d..731be81 100644
--- a/data/reports/GO-2021-0076.yaml
+++ b/data/reports/GO-2021-0076.yaml
@@ -2,10 +2,16 @@
- module: github.com/evanphx/json-patch
versions:
- fixed: 0.5.2
+ - introduced: 3.0.0+incompatible
+ fixed: 3.0.1-0.20180525145409-4c9aadca8f89+incompatible
+ vulnerable_at: 3.0.1-0.20180510154552-9f095e073247+incompatible
packages:
- package: github.com/evanphx/json-patch
symbols:
- partialArray.add
+ derived_symbols:
+ - Patch.Apply
+ - Patch.ApplyIndent
description: |
A malicious JSON patch can cause a panic due to an out-of-bounds
write attempt. This can be used as a denial of service vector if
