x/vulndb: add reports/GO-2022-0414.yaml for CVE-2022-21235

Fixes golang/vulndb#0414

Change-Id: I39825d545365d21db9f89006035d91bad93842e4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414816
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
diff --git a/reports/GO-2022-0414.yaml b/reports/GO-2022-0414.yaml
new file mode 100644
index 0000000..269e67b
--- /dev/null
+++ b/reports/GO-2022-0414.yaml
@@ -0,0 +1,38 @@
+packages:
+  - module: github.com/Masterminds/vcs
+    symbols:
+      - BzrRepo.Get
+      - BzrRepo.Init
+      - BzrRepo.Ping
+      - BzrRepo.ExportDir
+      - GitRepo.Get
+      - GitRepo.Init
+      - GitRepo.Update
+      - HgRepo.Get
+      - HgRepo.Init
+      - HgRepo.Ping
+      - HgRepo.ExportDir
+      - NewSvnRepo
+      - SvnRepo.Get
+      - SvnRepo.Ping
+      - SvnRepo.ExportDir
+    derived_symbols:
+      - NewRepo
+    versions:
+      - fixed: 1.13.3
+    vulnerable_at: 1.13.1
+description: |
+    Passing untrusted inputs to VCS functions can permit an attacker
+    to execute arbitrary commands.
+
+    The vcs package executes version control commands with
+    user-provided arguments.  These arguments can be interpreted
+    as command-line flags, which can be used to perform command
+    injection.
+cves:
+  - CVE-2022-21235
+ghsas:
+  - GHSA-6635-c626-vj4r
+credit: Alessio Della Libera of Snyk Research Team
+links:
+    pr: https://github.com/Masterminds/vcs/pull/105
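Review bot: The `symbols` list is not uniform across the four repo types, and the report does not say whether that is deliberate. `GitRepo` lists `Get`, `Init` and `Update` but no `Ping` or `ExportDir`; `BzrRepo` and `HgRepo` list `Get`, `Init`, `Ping` and `ExportDir` but no `Update`; `SvnRepo` has no `Init`, with `NewSvnRepo` listed instead. The description says the package passes user-provided arguments to version control commands in general, so please confirm that each omitted method was checked against the fix in the linked PR and is unaffected. A missed symbol turns into a false negative for anyone doing symbol-level scanning against this report. It would also help to add the fix commit under `links` alongside `pr`, so the symbol list can be audited against the exact change.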