data/reports: add GO-2023-2334.yaml
Fixes golang/vulndb#2334
Change-Id: I90ec0b8e0bcc8566e50c984f5b3db9e915c6faf1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/544075
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2023-2334.json b/data/osv/GO-2023-2334.json
new file mode 100644
index 0000000..e84293d
--- /dev/null
+++ b/data/osv/GO-2023-2334.json
@@ -0,0 +1,82 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2334",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "summary": "Decryption of malicious PBES2 JWE objects can consume unbounded system resources",
+ "details": "The go-jose package is subject to a \"billion hashes attack\" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/go-jose/go-jose/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/go-jose/go-jose/v3",
+ "symbols": [
+ "JSONWebEncryption.Decrypt",
+ "JSONWebEncryption.DecryptMulti",
+ "symmetricKeyCipher.decryptKey"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/square/go-jose",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/square/go-jose",
+ "symbols": [
+ "JSONWebEncryption.Decrypt",
+ "JSONWebEncryption.DecryptMulti",
+ "symmetricKeyCipher.decryptKey"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "FIX",
+ "url": "https://github.com/go-jose/go-jose/commit/65351c27657d58960c2e6c9fbb2b00f818e50568"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/go-jose/go-jose/issues/64"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2334"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-2334.yaml b/data/reports/GO-2023-2334.yaml
new file mode 100644
index 0000000..db04a88
--- /dev/null
+++ b/data/reports/GO-2023-2334.yaml
@@ -0,0 +1,31 @@
+id: GO-2023-2334
+modules:
+ - module: github.com/go-jose/go-jose/v3
+ versions:
+ - fixed: 3.0.1
+ vulnerable_at: 3.0.0
+ packages:
+ - package: github.com/go-jose/go-jose/v3
+ symbols:
+ - symmetricKeyCipher.decryptKey
+ derived_symbols:
+ - JSONWebEncryption.Decrypt
+ - JSONWebEncryption.DecryptMulti
+ - module: github.com/square/go-jose
+ vulnerable_at: 2.6.0+incompatible
+ packages:
+ - package: github.com/square/go-jose
+ symbols:
+ - symmetricKeyCipher.decryptKey
+ derived_symbols:
+ - JSONWebEncryption.Decrypt
+ - JSONWebEncryption.DecryptMulti
+summary: Decryption of malicious PBES2 JWE objects can consume unbounded system resources
+description: |-
+ The go-jose package is subject to a "billion hashes attack" causing
+ denial-of-service when decrypting JWE inputs. This occurs when an attacker can
+ provide a PBES2 encrypted JWE blob with a very large p2c value that, when
+ decrypted, produces a denial-of-service.
+references:
+ - fix: https://github.com/go-jose/go-jose/commit/65351c27657d58960c2e6c9fbb2b00f818e50568
+ - report: https://github.com/go-jose/go-jose/issues/64