data/osv/GO-2022-0470.json - vulndb - Git at Google

 {
   "id": "GO-2022-0470",
   "published": "2022-07-15T23:29:55Z",
   "modified": "0001-01-01T00:00:00Z",
   "aliases": [
     "CVE-2022-31022",
     "GHSA-9w9f-6mg8-jp7w"
   ],
   "details": "HTTP handlers provide unauthenticated access to the local filesystem.\n\nThe Bleve http package is intended for demonstration purposes and contains no authentication, authorization, or validation of user inputs. Exposing handlers from this package can permit attackers to create files and delete directories.",
   "affected": [
     {
       "package": {
         "name": "github.com/blevesearch/bleve",
         "ecosystem": "Go"
       },
       "ranges": [
         {
           "type": "SEMVER",
           "events": [
             {
               "introduced": "0"
             }
           ]
         }
       ],
       "database_specific": {
         "url": "https://pkg.go.dev/vuln/GO-2022-0470"
       },
       "ecosystem_specific": {
         "imports": [
           {
             "path": "github.com/blevesearch/bleve/http",
             "symbols": [
               "AliasHandler.ServeHTTP",
               "CreateIndexHandler.ServeHTTP",
               "DebugDocumentHandler.ServeHTTP",
               "DeleteIndexHandler.ServeHTTP",
               "DocCountHandler.ServeHTTP",
               "DocDeleteHandler.ServeHTTP",
               "DocGetHandler.ServeHTTP",
               "DocIndexHandler.ServeHTTP",
               "GetIndexHandler.ServeHTTP",
               "ListFieldsHandler.ServeHTTP",
               "SearchHandler.ServeHTTP"
             ]
           }
         ]
       }
     },
     {
       "package": {
         "name": "github.com/blevesearch/bleve/v2",
         "ecosystem": "Go"
       },
       "ranges": [
         {
           "type": "SEMVER",
           "events": [
             {
               "introduced": "0"
             }
           ]
         }
       ],
       "database_specific": {
         "url": "https://pkg.go.dev/vuln/GO-2022-0470"
       },
       "ecosystem_specific": {
         "imports": [
           {
             "path": "github.com/blevesearch/bleve/v2/http",
             "symbols": [
               "AliasHandler.ServeHTTP",
               "CreateIndexHandler.ServeHTTP",
               "DebugDocumentHandler.ServeHTTP",
               "DeleteIndexHandler.ServeHTTP",
               "DocCountHandler.ServeHTTP",
               "DocDeleteHandler.ServeHTTP",
               "DocGetHandler.ServeHTTP",
               "DocIndexHandler.ServeHTTP",
               "GetIndexHandler.ServeHTTP",
               "ListFieldsHandler.ServeHTTP",
               "SearchHandler.ServeHTTP"
             ]
           }
         ]
       }
     }
   ],
   "references": [
     {
       "type": "FIX",
       "url": "https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff"
     }
   ],
   "schema_version": "1.3.1"
 }
	{
	"id": "GO-2022-0470",
	"published": "2022-07-15T23:29:55Z",
	"modified": "0001-01-01T00:00:00Z",
	"aliases": [
	"CVE-2022-31022",
	"GHSA-9w9f-6mg8-jp7w"
	],
	"details": "HTTP handlers provide unauthenticated access to the local filesystem.\n\nThe Bleve http package is intended for demonstration purposes and contains no authentication, authorization, or validation of user inputs. Exposing handlers from this package can permit attackers to create files and delete directories.",
	"affected": [
	{
	"package": {
	"name": "github.com/blevesearch/bleve",
	"ecosystem": "Go"
	},
	"ranges": [
	{
	"type": "SEMVER",
	"events": [
	{
	"introduced": "0"
	}
	]
	}
	],
	"database_specific": {
	"url": "https://pkg.go.dev/vuln/GO-2022-0470"
	},
	"ecosystem_specific": {
	"imports": [
	{
	"path": "github.com/blevesearch/bleve/http",
	"symbols": [
	"AliasHandler.ServeHTTP",
	"CreateIndexHandler.ServeHTTP",
	"DebugDocumentHandler.ServeHTTP",
	"DeleteIndexHandler.ServeHTTP",
	"DocCountHandler.ServeHTTP",
	"DocDeleteHandler.ServeHTTP",
	"DocGetHandler.ServeHTTP",
	"DocIndexHandler.ServeHTTP",
	"GetIndexHandler.ServeHTTP",
	"ListFieldsHandler.ServeHTTP",
	"SearchHandler.ServeHTTP"
	]
	}
	]
	}
	},
	{
	"package": {
	"name": "github.com/blevesearch/bleve/v2",
	"ecosystem": "Go"
	},
	"ranges": [
	{
	"type": "SEMVER",
	"events": [
	{
	"introduced": "0"
	}
	]
	}
	],
	"database_specific": {
	"url": "https://pkg.go.dev/vuln/GO-2022-0470"
	},
	"ecosystem_specific": {
	"imports": [
	{
	"path": "github.com/blevesearch/bleve/v2/http",
	"symbols": [
	"AliasHandler.ServeHTTP",
	"CreateIndexHandler.ServeHTTP",
	"DebugDocumentHandler.ServeHTTP",
	"DeleteIndexHandler.ServeHTTP",
	"DocCountHandler.ServeHTTP",
	"DocDeleteHandler.ServeHTTP",
	"DocGetHandler.ServeHTTP",
	"DocIndexHandler.ServeHTTP",
	"GetIndexHandler.ServeHTTP",
	"ListFieldsHandler.ServeHTTP",
	"SearchHandler.ServeHTTP"
	]
	}
	]
	}
	}
	],
	"references": [
	{
	"type": "FIX",
	"url": "https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff"
	}
	],
	"schema_version": "1.3.1"
	}