data/reports/GO-2023-2334: add GHSA reference
For golang/vulndb#2334
Change-Id: I8065e0afe2c2aa26db5e6977e491777d2000a707
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545955
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tim King <taking@google.com>
diff --git a/data/osv/GO-2023-2334.json b/data/osv/GO-2023-2334.json
index e84293d..4b24640 100644
--- a/data/osv/GO-2023-2334.json
+++ b/data/osv/GO-2023-2334.json
@@ -3,6 +3,9 @@
"id": "GO-2023-2334",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-2c7c-3mj9-8fqh"
+ ],
"summary": "Decryption of malicious PBES2 JWE objects can consume unbounded system resources",
"details": "The go-jose package is subject to a \"billion hashes attack\" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.",
"affected": [
diff --git a/data/reports/GO-2023-2334.yaml b/data/reports/GO-2023-2334.yaml
index db04a88..7f5f411 100644
--- a/data/reports/GO-2023-2334.yaml
+++ b/data/reports/GO-2023-2334.yaml
@@ -26,6 +26,8 @@
denial-of-service when decrypting JWE inputs. This occurs when an attacker can
provide a PBES2 encrypted JWE blob with a very large p2c value that, when
decrypted, produces a denial-of-service.
+ghsas:
+ - GHSA-2c7c-3mj9-8fqh
references:
- fix: https://github.com/go-jose/go-jose/commit/65351c27657d58960c2e6c9fbb2b00f818e50568
- report: https://github.com/go-jose/go-jose/issues/64
