all: refactor report packages into a list

Combine the Report.{Module,Package,...} fields with the
Report.AdditionalPackages field into a single Report.Packages
field with a list of affected packages.

Fixes #52836.

Change-Id: I84432f242fdbdac5d8609f0406d1f12f925108be
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/405574
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
diff --git a/cmd/vulnreport/exported_functions_test.go b/cmd/vulnreport/exported_functions_test.go
index 863dfe7..22294a4 100644
--- a/cmd/vulnreport/exported_functions_test.go
+++ b/cmd/vulnreport/exported_functions_test.go
@@ -35,9 +35,11 @@
 	defer e.Cleanup()
 
 	rc := newReportClient(&report.Report{
-		Module:  "example.com/m",
-		Package: "example.com/m/p",
-		Symbols: []string{"vuln"},
+		Packages: []report.Package{{
+			Module:  "example.com/m",
+			Package: "example.com/m/p",
+			Symbols: []string{"vuln"},
+		}},
 	})
 	pkgs, err := loadPackage(e.Config, path.Join(e.Temp(), "m/p"))
 	if err != nil {
diff --git a/cmd/vulnreport/main.go b/cmd/vulnreport/main.go
index daee923..e2f31ee 100644
--- a/cmd/vulnreport/main.go
+++ b/cmd/vulnreport/main.go
@@ -166,11 +166,22 @@
 
 // addTODOs adds "TODO" comments to unfilled fields of r.
 func addTODOs(r *report.Report) {
-	if r.Module == "" && !stdlib.Contains(r.Module) {
-		r.Module = todo
-	}
-	if r.Package == "" {
-		r.Package = todo
+	for _, p := range r.Packages {
+		if p.Module == "" && !stdlib.Contains(p.Module) {
+			p.Module = todo
+		}
+		if p.Package == "" {
+			p.Package = todo
+		}
+		if len(p.Versions) == 0 {
+			p.Versions = []report.VersionRange{{
+				Introduced: todo,
+				Fixed:      todo,
+			}}
+		}
+		if len(p.Symbols) == 0 {
+			p.Symbols = []string{todo}
+		}
 	}
 	if r.Description == "" {
 		r.Description = todo
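Review bot: The assignments inside the new `for _, p := range r.Packages` loop in addTODOs go to a copy of each element, so none of the TODO markers for module, package, versions or symbols reach the report. `r.Packages` is a slice of values, as the comment added to addExportedReportSymbols in this same commit points out. Iterate by index instead: `for i := range r.Packages {` followed by `p := &r.Packages[i]`. A report with an empty `Packages` list also gets no package-level TODOs at all, where the old code always filled the top-level fields; appending one empty `report.Package{}` before the loop when the list is empty would restore that. The function body continues outside this hunk.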
@@ -190,15 +201,6 @@
 	if len(r.Links.Context) == 0 {
 		r.Links.Context = []string{todo}
 	}
-	if len(r.Versions) == 0 {
-		r.Versions = []report.VersionRange{{
-			Introduced: todo,
-			Fixed:      todo,
-		}}
-	}
-	if len(r.Symbols) == 0 {
-		r.Symbols = []string{todo}
-	}
 }
 
 func lint(filename string) (err error) {
@@ -237,31 +239,23 @@
 }
 
 func addExportedReportSymbols(r *report.Report) (bool, error) {
-	if r.Module == "" || len(r.Symbols) == 0 {
-		return false, nil
-	}
 	if len(r.OS) > 0 || len(r.Arch) > 0 {
 		return false, errors.New("specific GOOS/GOARCH not yet implemented")
 	}
 	rc := newReportClient(r)
 	added := false
-	syms, err := findExportedSymbols(r.Module, r.Package, rc)
-	if err != nil {
-		return false, err
-	}
-	if len(syms) > 0 {
-		added = true
-		r.DerivedSymbols = syms
-	}
-	for i, ap := range r.AdditionalPackages {
-		syms, err := findExportedSymbols(ap.Module, ap.Package, rc)
+	for i, p := range r.Packages {
+		if len(p.Symbols) == 0 {
+			continue
+		}
+		syms, err := findExportedSymbols(p.Module, p.Package, rc)
 		if err != nil {
 			return false, err
 		}
 		if len(syms) > 0 {
 			added = true
-			// Need to start from r because r.AdditionalPackages is a slice of values.
-			r.AdditionalPackages[i].DerivedSymbols = syms
+			// Need to start from r because r.Packages is a slice of values.
+			r.Packages[i].DerivedSymbols = syms
 		}
 	}
 	return added, nil
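Review bot: The loop in addExportedReportSymbols skips entries without symbols but no longer skips entries without a module, so `findExportedSymbols` can now be called with an empty `p.Module`; the removed guard returned early on `r.Module == ""`. GHSAToReport in this commit sets Module only on the first package, so such entries are expected to occur. Restore the check per package with `if p.Module == "" || len(p.Symbols) == 0 {`. How findExportedSymbols reacts to an empty module path is not visible here.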
diff --git a/internal/database/generate.go b/internal/database/generate.go
index f4670df..715f005 100644
--- a/internal/database/generate.go
+++ b/internal/database/generate.go
@@ -155,16 +155,6 @@
 // takes the ID for the vuln and a URL that will point to the entry in the vuln DB.
 // It returns the osv.Entry and a list of module paths that the vuln affects.
 func GenerateOSVEntry(id, url string, r report.Report) (osv.Entry, []string) {
-	importPath := r.Module
-	if r.Package != "" {
-		importPath = r.Package
-	}
-	moduleMap := make(map[string]bool)
-	if stdlib.Contains(r.Module) {
-		moduleMap["stdlib"] = true
-	} else {
-		moduleMap[r.Module] = true
-	}
 	lastModified := r.Published
 	if r.LastModified != nil {
 		lastModified = *r.LastModified
@@ -175,18 +165,20 @@
 		Modified:  lastModified,
 		Withdrawn: r.Withdrawn,
 		Details:   r.Description,
-		Affected:  []osv.Affected{generateAffected(importPath, r.Versions, r.OS, r.Arch, r.AllSymbols(), url)},
 	}
 
-	for _, additional := range r.AdditionalPackages {
-		additionalPath := additional.Module
-		if additional.Package != "" {
-			additionalPath = additional.Package
+	moduleMap := make(map[string]bool)
+	for _, p := range r.Packages {
+		importPath := p.Module
+		if p.Package != "" {
+			importPath = p.Package
 		}
-		if !stdlib.Contains(r.Module) {
-			moduleMap[additional.Module] = true
+		if stdlib.Contains(p.Module) {
+			moduleMap["stdlib"] = true
+		} else {
+			moduleMap[p.Module] = true
 		}
-		entry.Affected = append(entry.Affected, generateAffected(additionalPath, additional.Versions, r.OS, r.Arch, additional.AllSymbols(), url))
+		entry.Affected = append(entry.Affected, generateAffected(importPath, p.Versions, r.OS, r.Arch, p.AllSymbols(), url))
 	}
 
 	if r.Links.PR != "" {
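Review bot: With the unconditional first `osv.Affected` element removed, a report whose `Packages` list is empty now yields an entry with no `Affected` ranges and an empty module list, and GenerateOSVEntry has no way to signal that. Such an entry would presumably match nothing for consumers of the database. lint adds a "no packages" issue in this commit, but nothing in this function depends on lint having run. At minimum the doc comment should state the precondition, e.g. `// The report must list at least one package; otherwise the entry has no Affected ranges.` An entry with an empty `p.Module` likewise puts an empty key into `moduleMap`; the function continues outside the hunk.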
diff --git a/internal/database/generate_test.go b/internal/database/generate_test.go
index 90e0700..86d0922 100644
--- a/internal/database/generate_test.go
+++ b/internal/database/generate_test.go
@@ -17,8 +17,17 @@
 
 func TestGenerate(t *testing.T) {
 	r := report.Report{
-		Module: "example.com/vulnerable/v2",
-		AdditionalPackages: []report.Additional{
+		Packages: []report.Package{
+			{
+				Module: "example.com/vulnerable/v2",
+				Versions: []report.VersionRange{
+					{Fixed: "v2.1.1"},
+					{Introduced: "v2.3.4", Fixed: "v2.3.5"},
+					{Introduced: "v2.5.0"},
+				},
+				Symbols:        []string{"A", "B.b"},
+				DerivedSymbols: []string{"D"},
+			},
 			{
 				Module:  "vanity.host/vulnerable",
 				Package: "vanity.host/vulnerable/package",
@@ -38,18 +47,11 @@
 				},
 			},
 		},
-		Versions: []report.VersionRange{
-			{Fixed: "v2.1.1"},
-			{Introduced: "v2.3.4", Fixed: "v2.3.5"},
-			{Introduced: "v2.5.0"},
-		},
-		Description:    "It's a real bad one, I'll tell you that",
-		CVEs:           []string{"CVE-0000-0000"},
-		Credit:         "ignored",
-		Symbols:        []string{"A", "B.b"},
-		DerivedSymbols: []string{"D"},
-		OS:             []string{"windows"},
-		Arch:           []string{"arm64"},
+		Description: "It's a real bad one, I'll tell you that",
+		CVEs:        []string{"CVE-0000-0000"},
+		Credit:      "ignored",
+		OS:          []string{"windows"},
+		Arch:        []string{"arm64"},
 		Links: report.Links{
 			PR:      "pr",
 			Commit:  "commit",
diff --git a/internal/report/cve.go b/internal/report/cve.go
index c48c846..55890db 100644
--- a/internal/report/cve.go
+++ b/internal/report/cve.go
@@ -63,34 +63,16 @@
 				},
 			},
 		},
-
-		Affects: cveschema.Affects{
-			Vendor: cveschema.Vendor{
-				Data: []cveschema.VendorDataItem{
-					{
-						VendorName: "n/a", // ???
-						Product: cveschema.Product{
-							Data: []cveschema.ProductDataItem{
-								{
-									ProductName: r.Package,
-									Version:     versionToVersion(r.Versions),
-								},
-							},
-						},
-					},
-				},
-			},
-		},
 	}
 
-	for _, additional := range r.AdditionalPackages {
+	for _, p := range r.Packages {
 		c.Affects.Vendor.Data = append(c.Affects.Vendor.Data, cveschema.VendorDataItem{
-			VendorName: "n/a",
+			VendorName: "n/a", // ???
 			Product: cveschema.Product{
 				Data: []cveschema.ProductDataItem{
 					{
-						ProductName: additional.Package,
-						Version:     versionToVersion(additional.Versions),
+						ProductName: p.Package,
+						Version:     versionToVersion(p.Versions),
 					},
 				},
 			},
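Review bot: `ProductName: p.Package` is empty for every entry that names only a module, which is the common shape in the report files touched by this commit (for example reports/GO-2020-0002.yaml), so the generated CVE record would list a product with no name. GenerateOSVEntry already falls back to the module path, and the same can be done here with `name := p.Package`, `if name == "" { name = p.Module }` and `ProductName: name`. The `// ???` kept next to `VendorName: "n/a"` does not say what is undecided; a short TODO naming the open question would help the next reader. The enclosing function starts and ends outside the hunk.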
@@ -164,8 +146,10 @@
 		}
 	}
 	r := &Report{
-		Module:      modulePath,
-		Package:     pkgPath,
+		Packages: []Package{{
+			Module:  modulePath,
+			Package: pkgPath,
+		}},
 		Description: description,
 		CVEs:        []string{c.Metadata.ID},
 		Credit:      credit,
@@ -176,11 +160,11 @@
 		},
 	}
 	if !strings.Contains(modulePath, ".") {
-		r.Module = stdlib.ModulePath
-		r.Package = modulePath
+		r.Packages[0].Module = stdlib.ModulePath
+		r.Packages[0].Package = modulePath
 	}
-	if stdlib.Contains(r.Module) && r.Package == "" {
-		r.Package = modulePath
+	if stdlib.Contains(r.Packages[0].Module) && r.Packages[0].Package == "" {
+		r.Packages[0].Package = modulePath
 	}
 	r.Fix()
 	return r
diff --git a/internal/report/ghsa.go b/internal/report/ghsa.go
index 8825529..1658a1e 100644
--- a/internal/report/ghsa.go
+++ b/internal/report/ghsa.go
@@ -15,7 +15,6 @@
 func GHSAToReport(sa *ghsa.SecurityAdvisory, modulePath string) *Report {
 	u := sa.UpdatedAt
 	r := &Report{
-		Module:       modulePath,
 		Description:  sa.Description,
 		Published:    sa.PublishedAt,
 		LastModified: &u,
@@ -32,16 +31,15 @@
 	}
 	r.CVEs = cves
 	r.GHSAs = ghsas
-	if len(sa.Vulns) == 0 {
-		return r
-	}
-	r.Package = sa.Vulns[0].Package
-	r.Versions = versions(sa.Vulns[0].EarliestFixedVersion, sa.Vulns[0].VulnerableVersionRange)
-	for _, v := range sa.Vulns[1:] {
-		var a Additional
-		a.Package = v.Package
-		a.Versions = versions(v.EarliestFixedVersion, v.VulnerableVersionRange)
-		r.AdditionalPackages = append(r.AdditionalPackages, a)
+	for i, v := range sa.Vulns {
+		p := Package{
+			Package:  v.Package,
+			Versions: versions(v.EarliestFixedVersion, v.VulnerableVersionRange),
+		}
+		if i == 0 {
+			p.Module = modulePath
+		}
+		r.Packages = append(r.Packages, p)
 	}
 	r.Fix()
 	return r
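Review bot: The `if i == 0` branch gives `modulePath` to the first package only, and nothing explains why the remaining entries are left with an empty Module. A comment above the branch would do: `// Only the first entry gets modulePath; later entries keep an empty Module and must be completed during triage.` The lint change in this commit reports "missing module" for such entries, so they cannot pass unnoticed, but the intent should be written down. If all vulns of an advisory are expected to share one module, assigning it to every entry would be simpler; that cannot be decided from this hunk. The function begins above the hunk.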
diff --git a/internal/report/ghsa_test.go b/internal/report/ghsa_test.go
index d94f454..13d0f57 100644
--- a/internal/report/ghsa_test.go
+++ b/internal/report/ghsa_test.go
@@ -28,11 +28,13 @@
 	}
 	got := GHSAToReport(sa, "aModule")
 	want := &Report{
-		Module:  "aModule",
-		Package: "aPackage",
-		Versions: []VersionRange{
-			{Fixed: "v1.2.3"},
-		},
+		Packages: []Package{{
+			Module:  "aModule",
+			Package: "aPackage",
+			Versions: []VersionRange{
+				{Fixed: "v1.2.3"},
+			},
+		}},
 		LastModified: &updatedTime,
 		Description:  "a description",
 		GHSAs:        []string{"G1"},
diff --git a/internal/report/lint.go b/internal/report/lint.go
index 02e1384..0e7d068 100644
--- a/internal/report/lint.go
+++ b/internal/report/lint.go
@@ -173,75 +173,58 @@
 		issues = append(issues, iss)
 	}
 
-	var importPath string
-	if !stdlib.Contains(r.Module) {
-		if r.Module == "" {
-			addIssue("missing module")
-		}
-		if r.Module != "" && r.Package == r.Module {
-			addIssue("package is redundant and can be removed")
-		}
-		if r.Package != "" && !strings.HasPrefix(r.Package, r.Module) {
-			addIssue("module must be a prefix of package")
-		}
-		if r.Package == "" {
-			importPath = r.Module
-		} else {
-			importPath = r.Package
-		}
-		if r.Module != "" && importPath != "" {
-			if err := checkModVersions(r.Module, r.Versions); err != nil {
-				addIssue(err.Error())
-			}
-
-			if err := module.CheckImportPath(importPath); err != nil {
-				addIssue(err.Error())
-			}
-		}
-		for _, v := range r.Versions {
-			if v.Introduced != "" && !strings.HasPrefix(v.Introduced, "v") {
-				addIssue(fmt.Sprintf("invalid semantic version: %q", v.Introduced))
-			}
-			if v.Fixed != "" && !strings.HasPrefix(v.Fixed, "v") {
-				addIssue(fmt.Sprintf("invalid semantic version: %q", v.Fixed))
-			}
-		}
-	} else {
-		if r.Package == "" {
-			addIssue("missing package")
-		}
-		for _, v := range r.Versions {
-			if v.Introduced != "" && !strings.HasPrefix(v.Introduced, "go") {
-				addIssue(fmt.Sprintf("invalid Go version: %q", v.Introduced))
-			}
-			if v.Fixed != "" && !strings.HasPrefix(v.Fixed, "go") {
-				addIssue(fmt.Sprintf("invalid Go version: %q", v.Fixed))
-			}
-		}
+	if len(r.Packages) == 0 {
+		addIssue("no packages")
 	}
 
-	for _, additionalPackage := range r.AdditionalPackages {
-		var additionalImportPath string
-		if additionalPackage.Module == "" {
-			addIssue("missing additional_package.module")
+	for i, p := range r.Packages {
+		addPkgIssue := func(iss string) {
+			issues = append(issues, fmt.Sprintf("packages[%v]: %v", i, iss))
 		}
-		if additionalPackage.Package == additionalPackage.Module {
-			addIssue("package is redundant and can be removed")
-		}
-		if !stdlib.Contains(additionalPackage.Module) && additionalPackage.Package != "" && !strings.HasPrefix(additionalPackage.Package, additionalPackage.Module) {
-			addIssue("additional_package.module must be a prefix of additional_package.package")
-		}
-		if additionalPackage.Package == "" {
-			additionalImportPath = additionalPackage.Module
+		if !stdlib.Contains(p.Module) {
+			if p.Module == "" {
+				addPkgIssue("missing module")
+			}
+			if p.Module != "" && p.Package == p.Module {
+				addPkgIssue("package is redundant and can be removed")
+			}
+			if p.Package != "" && !strings.HasPrefix(p.Package, p.Module) {
+				addPkgIssue("module must be a prefix of package")
+			}
+			var importPath string
+			if p.Package == "" {
+				importPath = p.Module
+			} else {
+				importPath = p.Package
+			}
+			if p.Module != "" && importPath != "" {
+				if err := checkModVersions(p.Module, p.Versions); err != nil {
+					addPkgIssue(err.Error())
+				}
+
+				if err := module.CheckImportPath(importPath); err != nil {
+					addPkgIssue(err.Error())
+				}
+			}
+			for _, v := range p.Versions {
+				if v.Introduced != "" && !strings.HasPrefix(v.Introduced, "v") {
+					addPkgIssue(fmt.Sprintf("invalid semantic version: %q", v.Introduced))
+				}
+				if v.Fixed != "" && !strings.HasPrefix(v.Fixed, "v") {
+					addPkgIssue(fmt.Sprintf("invalid semantic version: %q", v.Fixed))
+				}
+			}
 		} else {
-			additionalImportPath = additionalPackage.Package
-		}
-		if err := module.CheckImportPath(additionalImportPath); err != nil {
-			addIssue(err.Error())
-		}
-		if !stdlib.Contains(r.Module) {
-			if err := checkModVersions(additionalPackage.Module, additionalPackage.Versions); err != nil {
-				addIssue(err.Error())
+			if p.Package == "" {
+				addPkgIssue("missing package")
+			}
+			for _, v := range p.Versions {
+				if v.Introduced != "" && !strings.HasPrefix(v.Introduced, "go") {
+					addPkgIssue(fmt.Sprintf("invalid Go version: %q", v.Introduced))
+				}
+				if v.Fixed != "" && !strings.HasPrefix(v.Fixed, "go") {
+					addPkgIssue(fmt.Sprintf("invalid Go version: %q", v.Fixed))
+				}
 			}
 		}
 	}
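Review bot: `strings.HasPrefix(p.Package, p.Module)` accepts a package whose path merely starts with the same characters as the module, so module `example.com/mod` with package `example.com/mod2/p` (constructed example) passes the "module must be a prefix of package" check. Compare on a path boundary instead: `if p.Package != "" && p.Package != p.Module && !strings.HasPrefix(p.Package, p.Module+"/") {`. The equal case is already reported as redundant by the check above it. The enclosing function starts and ends outside the hunk.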
diff --git a/internal/report/report.go b/internal/report/report.go
index 2f48343..6816b76 100644
--- a/internal/report/report.go
+++ b/internal/report/report.go
@@ -22,7 +22,7 @@
 	Fixed      string `yaml:"fixed,omitempty"`
 }
 
-type Additional struct {
+type Package struct {
 	Module  string `yaml:",omitempty"`
 	Package string `yaml:",omitempty"`
 	// Symbols originally identified as vulnerable.
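Review bot: The renamed `Package` type is now the central element of every report but has no doc comment. Add one above the declaration, for example `// Package describes one affected module or package: its paths, vulnerable symbols and version ranges.` It should also say whether an empty `Package` field means the whole module is affected, which the report files in this commit suggest but the code here does not state. The struct body continues outside the hunk.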
@@ -46,20 +46,14 @@
 }
 
 type Report struct {
-	Module  string `yaml:",omitempty"`
-	Package string `yaml:",omitempty"`
 	// TODO: could also be GoToolchain, but we might want
 	// this for other things?
 	//
 	// could we also automate this by just looking for
 	// things prefixed with cmd/go?
 	DoNotExport bool `yaml:"do_not_export,omitempty"`
-	// TODO: the most common usage of additional package should
-	// really be replaced with 'aliases', we'll still need
-	// additional packages for some cases, but it's too heavy
-	// for most
-	AdditionalPackages []Additional   `yaml:"additional_packages,omitempty"`
-	Versions           []VersionRange `yaml:"versions,omitempty"`
+
+	Packages []Package `yaml:"packages,omitempty"`
 
 	// Description is the CVE description from an existing CVE. If we are
 	// assigning a CVE ID ourselves, use CVEMetadata.Description instead.
@@ -75,15 +69,10 @@
 	// the above CVEs.
 	GHSAs []string `yaml:",omitempty"`
 
-	Credit string `yaml:",omitempty"`
-	// Symbols originally identified as vulnerable.
-	Symbols []string `yaml:",omitempty"`
-	// Additional vulnerable symbols, computed from Symbols via static analysis
-	// or other technique.
-	DerivedSymbols []string `yaml:"derived_symbols,omitempty"`
-	OS             []string `yaml:",omitempty"`
-	Arch           []string `yaml:",omitempty"`
-	Links          Links    `yaml:",omitempty"`
+	Credit string   `yaml:",omitempty"`
+	OS     []string `yaml:",omitempty"`
+	Arch   []string `yaml:",omitempty"`
+	Links  Links    `yaml:",omitempty"`
 
 	// CVEMetdata is used to capture CVE information when we want to assign a
 	// CVE ourselves. If a CVE already exists for an issue, use the CVE field
@@ -92,12 +81,7 @@
 }
 
 // AllSymbols returns both original and derived symbols.
-func (r *Report) AllSymbols() []string {
-	return append(append([]string(nil), r.Symbols...), r.DerivedSymbols...)
-}
-
-// AllSymbols returns both original and derived symbols.
-func (a *Additional) AllSymbols() []string {
+func (a *Package) AllSymbols() []string {
 	return append(append([]string(nil), a.Symbols...), a.DerivedSymbols...)
 }
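Review bot: The receiver of `AllSymbols` is still named `a`, left over from the `Additional` type, while the rest of the commit names values of this type `p`. `func (p *Package) AllSymbols() []string {` with the body reading `p.Symbols` and `p.DerivedSymbols` keeps the naming consistent.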
 
diff --git a/internal/report/testdata/report.yaml b/internal/report/testdata/report.yaml
index 7c53d62..977bc36 100644
--- a/internal/report/testdata/report.yaml
+++ b/internal/report/testdata/report.yaml
@@ -1,13 +1,14 @@
-module: github.com/gin-gonic/gin
-versions:
-  - fixed: v1.6.0
+packages:
+  - module: github.com/gin-gonic/gin
+    symbols:
+      - defaultLogFormatter
+    versions:
+      - fixed: v1.6.0
 description: |
     The default Formatter for the Logger middleware (LoggerConfig.Formatter),
     which is included in the Default engine, allows attackers to inject arbitrary
     log entries by manipulating the request path.
 credit: '@thinkerou <thinkerou@gmail.com>'
-symbols:
-  - defaultLogFormatter
 links:
     pr: https://github.com/gin-gonic/gin/pull/2237
     commit: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
diff --git a/internal/worker/worker_test.go b/internal/worker/worker_test.go
index a036f9d..51671d6 100644
--- a/internal/worker/worker_test.go
+++ b/internal/worker/worker_test.go
@@ -232,7 +232,8 @@
 See [doc/triage.md](https://github.com/golang/vulndb/blob/master/doc/triage.md) for instructions on how to triage this report.
 
 ` + "```" + `
-module: a.Module
+packages:
+  - module: a.Module
 description: |
     a description
 cves:
@@ -271,9 +272,10 @@
 See [doc/triage.md](https://github.com/golang/vulndb/blob/master/doc/triage.md) for instructions on how to triage this report.
 
 ` + "```" + `
-package: aPackage
-versions:
-  - fixed: v1.2.3
+packages:
+  - package: aPackage
+    versions:
+      - fixed: v1.2.3
 description: a description
 ghsas:
   - G1
diff --git a/reports/GO-2020-0001.yaml b/reports/GO-2020-0001.yaml
index 89be8e3..c69d861 100644
--- a/reports/GO-2020-0001.yaml
+++ b/reports/GO-2020-0001.yaml
@@ -1,14 +1,15 @@
-module: github.com/gin-gonic/gin
-versions:
-  - fixed: v1.6.0
+packages:
+  - module: github.com/gin-gonic/gin
+    symbols:
+      - defaultLogFormatter
+    versions:
+      - fixed: v1.6.0
 description: |
     The default Formatter for the Logger middleware (LoggerConfig.Formatter),
     which is included in the Default engine, allows attackers to inject arbitrary
     log entries by manipulating the request path.
 published: 2021-04-14T20:04:52Z
 credit: '@thinkerou <thinkerou@gmail.com>'
-symbols:
-  - defaultLogFormatter
 links:
     pr: https://github.com/gin-gonic/gin/pull/2237
     commit: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
diff --git a/reports/GO-2020-0002.yaml b/reports/GO-2020-0002.yaml
index 095e645..670eccc 100644
--- a/reports/GO-2020-0002.yaml
+++ b/reports/GO-2020-0002.yaml
@@ -1,6 +1,7 @@
-module: github.com/proglottis/gpgme
-versions:
-  - fixed: v0.1.1
+packages:
+  - module: github.com/proglottis/gpgme
+    versions:
+      - fixed: v0.1.1
 description: |
     The Data, Context, or Key finalizers might run during or before GPGME
     operations. This will release the C structures that are still in use, leading
diff --git a/reports/GO-2020-0003.yaml b/reports/GO-2020-0003.yaml
index 44cadff..d673b4a 100644
--- a/reports/GO-2020-0003.yaml
+++ b/reports/GO-2020-0003.yaml
@@ -1,6 +1,7 @@
-module: github.com/revel/revel
-versions:
-  - fixed: v1.0.0
+packages:
+  - module: github.com/revel/revel
+    versions:
+      - fixed: v1.0.0
 description: |
     An attacker can cause an application that accepts slice parameters
     (https://revel.github.io/manual/parameters.html#slices) to allocate large
diff --git a/reports/GO-2020-0004.yaml b/reports/GO-2020-0004.yaml
index 56b83a9..687f06b 100644
--- a/reports/GO-2020-0004.yaml
+++ b/reports/GO-2020-0004.yaml
@@ -1,7 +1,15 @@
-module: github.com/nanobox-io/golang-nanoauth
-versions:
-  - introduced: v0.0.0-20160722212129-ac0cc4484ad4
-    fixed: v0.0.0-20200131131040-063a3fb69896
+packages:
+  - module: github.com/nanobox-io/golang-nanoauth
+    symbols:
+      - Auth.ServerHTTP
+      - Auth.ListenAndServeTLS
+      - Auth.ListenAndServe
+    derived_symbols:
+      - ListenAndServe
+      - ListenAndServeTLS
+    versions:
+      - introduced: v0.0.0-20160722212129-ac0cc4484ad4
+        fixed: v0.0.0-20200131131040-063a3fb69896
 description: |
     If any of the ListenAndServe functions are called with an empty token,
     token authentication is disabled globally for all listeners.
@@ -11,13 +19,6 @@
     recover the token.
 published: 2021-04-14T20:04:52Z
 credit: '@bouk'
-symbols:
-  - Auth.ServerHTTP
-  - Auth.ListenAndServeTLS
-  - Auth.ListenAndServe
-derived_symbols:
-  - ListenAndServe
-  - ListenAndServeTLS
 links:
     pr: https://github.com/nanobox-io/golang-nanoauth/pull/5
     commit: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
diff --git a/reports/GO-2020-0005.yaml b/reports/GO-2020-0005.yaml
index c4384d0..8899eca 100644
--- a/reports/GO-2020-0005.yaml
+++ b/reports/GO-2020-0005.yaml
@@ -1,7 +1,11 @@
-module: go.etcd.io/etcd
-package: go.etcd.io/etcd/wal
-versions:
-  - fixed: v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4
+packages:
+  - module: go.etcd.io/etcd
+    package: go.etcd.io/etcd/wal
+    symbols:
+      - WAL.ReadAll
+      - decoder.decodeRecord
+    versions:
+      - fixed: v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4
 description: |
     Malformed WALs can be constructed such that WAL.ReadAll can cause attempted
     out of bounds reads, or creation of arbitrarily sized slices, which may be used as
@@ -11,9 +15,6 @@
   - CVE-2020-15106
   - CVE-2020-15112
 credit: Trail of Bits
-symbols:
-  - WAL.ReadAll
-  - decoder.decodeRecord
 links:
     pr: https://github.com/etcd-io/etcd/pull/11793
     commit: https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07
diff --git a/reports/GO-2020-0006.yaml b/reports/GO-2020-0006.yaml
index 5de9bb4..30702b0 100644
--- a/reports/GO-2020-0006.yaml
+++ b/reports/GO-2020-0006.yaml
@@ -1,6 +1,15 @@
-module: github.com/miekg/dns
-versions:
-  - fixed: v1.0.4-0.20180125103619-43913f2f4fbd
+packages:
+  - module: github.com/miekg/dns
+    symbols:
+      - Server.serveTCP
+    derived_symbols:
+      - ActivateAndServe
+      - ListenAndServe
+      - ListenAndServeTLS
+      - Server.ActivateAndServe
+      - Server.ListenAndServe
+    versions:
+      - fixed: v1.0.4-0.20180125103619-43913f2f4fbd
 description: |
     An attacker may prevent TCP connections to a Server by opening
     a connection and leaving it idle, until the connection is closed by
@@ -11,14 +20,6 @@
 ghsas:
   - GHSA-p55x-7x9v-q8m4
 credit: Pedro Sampaio
-symbols:
-  - Server.serveTCP
-derived_symbols:
-  - ActivateAndServe
-  - ListenAndServe
-  - ListenAndServeTLS
-  - Server.ActivateAndServe
-  - Server.ListenAndServe
 links:
     pr: https://github.com/miekg/dns/pull/631
     commit: https://github.com/miekg/dns/commit/43913f2f4fbd7dcff930b8a809e709591e4dd79e
diff --git a/reports/GO-2020-0007.yaml b/reports/GO-2020-0007.yaml
index 8fff122..ff72395 100644
--- a/reports/GO-2020-0007.yaml
+++ b/reports/GO-2020-0007.yaml
@@ -1,6 +1,14 @@
-module: github.com/seccomp/libseccomp-golang
-versions:
-  - fixed: v0.9.1-0.20170424173420-06e7a29f36a3
+packages:
+  - module: github.com/seccomp/libseccomp-golang
+    symbols:
+      - ScmpFilter.addRuleGeneric
+    derived_symbols:
+      - ScmpFilter.AddRule
+      - ScmpFilter.AddRuleConditional
+      - ScmpFilter.AddRuleConditionalExact
+      - ScmpFilter.AddRuleExact
+    versions:
+      - fixed: v0.9.1-0.20170424173420-06e7a29f36a3
 description: |
     Filters containing rules with multiple syscall arguments are improperly
     constructed, such that all arguments are required to match rather than
@@ -13,12 +21,5 @@
 ghsas:
   - GHSA-58v3-j75h-xr49
 credit: '@ihac'
-symbols:
-  - ScmpFilter.addRuleGeneric
-derived_symbols:
-  - ScmpFilter.AddRule
-  - ScmpFilter.AddRuleConditional
-  - ScmpFilter.AddRuleConditionalExact
-  - ScmpFilter.AddRuleExact
 links:
     commit: https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
diff --git a/reports/GO-2020-0008.yaml b/reports/GO-2020-0008.yaml
index 62f8480..03107c0 100644
--- a/reports/GO-2020-0008.yaml
+++ b/reports/GO-2020-0008.yaml
@@ -1,6 +1,15 @@
-module: github.com/miekg/dns
-versions:
-  - fixed: v1.1.25-0.20191211073109-8ebf2e419df7
+packages:
+  - module: github.com/miekg/dns
+    symbols:
+      - id
+    derived_symbols:
+      - Msg.SetAxfr
+      - Msg.SetIxfr
+      - Msg.SetNotify
+      - Msg.SetQuestion
+      - Msg.SetUpdate
+    versions:
+      - fixed: v1.1.25-0.20191211073109-8ebf2e419df7
 description: |
     DNS message transaction IDs are generated using math/rand which
     makes them relatively predictable. This reduces the complexity
@@ -10,14 +19,6 @@
   - CVE-2019-19794
 ghsas:
   - GHSA-44r7-7p62-q3fr
-symbols:
-  - id
-derived_symbols:
-  - Msg.SetAxfr
-  - Msg.SetIxfr
-  - Msg.SetNotify
-  - Msg.SetQuestion
-  - Msg.SetUpdate
 links:
     pr: https://github.com/miekg/dns/pull/1044
     commit: https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33
diff --git a/reports/GO-2020-0009.yaml b/reports/GO-2020-0009.yaml
index aa62830..d2f4cab 100644
--- a/reports/GO-2020-0009.yaml
+++ b/reports/GO-2020-0009.yaml
@@ -1,12 +1,14 @@
-module: github.com/square/go-jose
-package: github.com/square/go-jose/cipher
-additional_packages:
+packages:
+  - module: github.com/square/go-jose
+    package: github.com/square/go-jose/cipher
+    symbols:
+      - cbcAEAD.computeAuthTag
+    versions:
+      - fixed: v0.0.0-20160903044734-789a4c4bd4c1
   - module: github.com/square/go-jose
     symbols:
       - JsonWebEncryption.Decrypt
       - JsonWebEncryption.DecryptMulti
-versions:
-  - fixed: v0.0.0-20160903044734-789a4c4bd4c1
 description: |
     On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC
     with HMAC such that they can control how large the input buffer is when computing
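Review bot: The second entry under `packages:` (module `github.com/square/go-jose`, symbols `JsonWebEncryption.Decrypt` and `JsonWebEncryption.DecryptMulti`) has no `versions:` of its own, and in the new schema version ranges are per package, so the `fixed` version no longer covers it. GenerateOSVEntry passes `p.Versions` straight to `generateAffected`; how an empty range is interpreted is not visible here, but the entry would either be treated as affecting every version or as carrying no range at all. If the same fix applies, repeat `versions:` with `- fixed: v0.0.0-20160903044734-789a4c4bd4c1` under the second entry. reports/GO-2020-0010.yaml has the same shape, and a lint issue for packages without versions would catch further cases.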
@@ -18,8 +20,6 @@
 ghsas:
   - GHSA-3fx4-7f69-5mmg
 credit: Quan Nguyen from Google's Information Security Engineering Team
-symbols:
-  - cbcAEAD.computeAuthTag
 arch:
   - "386"
   - arm
diff --git a/reports/GO-2020-0010.yaml b/reports/GO-2020-0010.yaml
index a9f5b67..b00ab4f 100644
--- a/reports/GO-2020-0010.yaml
+++ b/reports/GO-2020-0010.yaml
@@ -1,11 +1,15 @@
-module: github.com/square/go-jose
-package: github.com/square/go-jose/cipher
-additional_packages:
+packages:
+  - module: github.com/square/go-jose
+    package: github.com/square/go-jose/cipher
+    symbols:
+      - DeriveECDHES
+      - ecDecrypterSigner.decryptKey
+      - rawJsonWebKey.ecPublicKey
+    versions:
+      - fixed: v0.0.0-20160831185616-c7581939a365
   - module: github.com/square/go-jose
     symbols:
       - JsonWebEncryption.Decrypt
-versions:
-  - fixed: v0.0.0-20160831185616-c7581939a365
 description: |
     When using ECDH-ES an attacker can mount an invalid curve attack during
     decryption as the supplied public key is not checked to be on the same
@@ -16,10 +20,6 @@
 ghsas:
   - GHSA-86r9-39j9-99wp
 credit: Quan Nguyen from Google's Information Security Engineering Team
-symbols:
-  - DeriveECDHES
-  - ecDecrypterSigner.decryptKey
-  - rawJsonWebKey.ecPublicKey
 links:
     commit: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
     context:
diff --git a/reports/GO-2020-0011.yaml b/reports/GO-2020-0011.yaml
index c82ccf7..00bfbcf 100644
--- a/reports/GO-2020-0011.yaml
+++ b/reports/GO-2020-0011.yaml
@@ -1,6 +1,10 @@
-module: github.com/square/go-jose
-versions:
-  - fixed: v0.0.0-20160922232413-2c5656adca99
+packages:
+  - module: github.com/square/go-jose
+    symbols:
+      - JsonWebEncryption.Decrypt
+      - JsonWebSignature.Verify
+    versions:
+      - fixed: v0.0.0-20160922232413-2c5656adca99
 description: |
     When decrypting JsonWebEncryption objects with multiple recipients
     or JsonWebSignature objects with multiple signatures the Decrypt
@@ -13,9 +17,6 @@
 ghsas:
   - GHSA-77gc-fj98-665h
 credit: Quan Nguyen from Google's Information Security Engineering Team
-symbols:
-  - JsonWebEncryption.Decrypt
-  - JsonWebSignature.Verify
 links:
     commit: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
     context:
diff --git a/reports/GO-2020-0012.yaml b/reports/GO-2020-0012.yaml
index 9bd2b4e..5810e6c 100644
--- a/reports/GO-2020-0012.yaml
+++ b/reports/GO-2020-0012.yaml
@@ -1,7 +1,14 @@
-module: golang.org/x/crypto
-package: golang.org/x/crypto/ssh
-versions:
-  - fixed: v0.0.0-20200220183623-bac4c82f6975
+packages:
+  - module: golang.org/x/crypto
+    package: golang.org/x/crypto/ssh
+    symbols:
+      - parseED25519
+      - ed25519PublicKey.Verify
+      - parseSKEd25519
+      - skEd25519PublicKey.Verify
+      - NewPublicKey
+    versions:
+      - fixed: v0.0.0-20200220183623-bac4c82f6975
 description: |
     An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
     key, such that the library will panic when trying to verify a signature
@@ -13,12 +20,6 @@
 ghsas:
   - GHSA-ffhg-7mh4-33c4
 credit: Alex Gaynor, Fish in a Barrel
-symbols:
-  - parseED25519
-  - ed25519PublicKey.Verify
-  - parseSKEd25519
-  - skEd25519PublicKey.Verify
-  - NewPublicKey
 links:
     pr: https://go-review.googlesource.com/c/crypto/+/220357
     commit: https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236
diff --git a/reports/GO-2020-0013.yaml b/reports/GO-2020-0013.yaml
index 1b5ba6f..ae9a823 100644
--- a/reports/GO-2020-0013.yaml
+++ b/reports/GO-2020-0013.yaml
@@ -1,7 +1,10 @@
-module: golang.org/x/crypto
-package: golang.org/x/crypto/ssh
-versions:
-  - fixed: v0.0.0-20170330155735-e4e2799dd7aa
+packages:
+  - module: golang.org/x/crypto
+    package: golang.org/x/crypto/ssh
+    symbols:
+      - NewClientConn
+    versions:
+      - fixed: v0.0.0-20170330155735-e4e2799dd7aa
 description: |
     By default host key verification is disabled which allows for
     man-in-the-middle attacks against SSH clients if
@@ -10,8 +13,6 @@
 cves:
   - CVE-2017-3204
 credit: Phil Pennock
-symbols:
-  - NewClientConn
 links:
     pr: https://go-review.googlesource.com/38701
     commit: https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
diff --git a/reports/GO-2020-0014.yaml b/reports/GO-2020-0014.yaml
index ee3741e..eb13d8a 100644
--- a/reports/GO-2020-0014.yaml
+++ b/reports/GO-2020-0014.yaml
@@ -1,7 +1,11 @@
-module: golang.org/x/net
-package: golang.org/x/net/html
-versions:
-  - fixed: v0.0.0-20190125091013-d26f9f9a57f3
+packages:
+  - module: golang.org/x/net
+    package: golang.org/x/net/html
+    symbols:
+      - inSelectIM
+      - inSelectInTableIM
+    versions:
+      - fixed: v0.0.0-20190125091013-d26f9f9a57f3
 description: |
     html.Parse does not properly handle "select" tags, which can lead
     to an infinite loop. If parsing user supplied input, this may be used
@@ -10,9 +14,6 @@
 cves:
   - CVE-2018-17846
 credit: '@tr3ee'
-symbols:
-  - inSelectIM
-  - inSelectInTableIM
 links:
     pr: https://go-review.googlesource.com/c/137275
     commit: https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
diff --git a/reports/GO-2020-0015.yaml b/reports/GO-2020-0015.yaml
index a43465d..d7e33b4 100644
--- a/reports/GO-2020-0015.yaml
+++ b/reports/GO-2020-0015.yaml
@@ -1,14 +1,18 @@
-module: golang.org/x/text
-package: golang.org/x/text/encoding/unicode
-additional_packages:
+packages:
+  - module: golang.org/x/text
+    package: golang.org/x/text/encoding/unicode
+    symbols:
+      - utf16Decoder.Transform
+    derived_symbols:
+      - bomOverride.Transform
+    versions:
+      - fixed: v0.3.3
   - module: golang.org/x/text
     package: golang.org/x/text/transform
     symbols:
       - Transform
     versions:
       - fixed: v0.3.3
-versions:
-  - fixed: v0.3.3
 description: |
     An attacker could provide a single byte to a UTF16 decoder instantiated with
     UseBOM or ExpectBOM to trigger an infinite loop if the String function on
@@ -22,10 +26,6 @@
 ghsas:
   - GHSA-5rcv-m4m3-hfh7
 credit: '@abacabadabacaba and Anton Gyllenberg'
-symbols:
-  - utf16Decoder.Transform
-derived_symbols:
-  - bomOverride.Transform
 links:
     pr: https://go-review.googlesource.com/c/text/+/238238
     commit: https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
diff --git a/reports/GO-2020-0016.yaml b/reports/GO-2020-0016.yaml
index fdaa45e..7bac4d3 100644
--- a/reports/GO-2020-0016.yaml
+++ b/reports/GO-2020-0016.yaml
@@ -1,6 +1,13 @@
-module: github.com/ulikunitz/xz
-versions:
-  - fixed: v0.5.8
+packages:
+  - module: github.com/ulikunitz/xz
+    symbols:
+      - readUvarint
+    derived_symbols:
+      - Reader.Read
+      - blockHeader.UnmarshalBinary
+      - streamReader.Read
+    versions:
+      - fixed: v0.5.8
 description: |
     An attacker can construct a series of bytes such that calling
     Reader.Read on the bytes could cause an infinite loop. If
@@ -12,12 +19,6 @@
 ghsas:
   - GHSA-25xm-hr59-7c27
 credit: '@0xdecaf'
-symbols:
-  - readUvarint
-derived_symbols:
-  - Reader.Read
-  - blockHeader.UnmarshalBinary
-  - streamReader.Read
 links:
     commit: https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
     context:
diff --git a/reports/GO-2020-0017.yaml b/reports/GO-2020-0017.yaml
index d225941..36d94d9 100644
--- a/reports/GO-2020-0017.yaml
+++ b/reports/GO-2020-0017.yaml
@@ -1,12 +1,14 @@
-module: github.com/dgrijalva/jwt-go
-additional_packages:
+packages:
+  - module: github.com/dgrijalva/jwt-go
+    symbols:
+      - MapClaims.VerifyAudience
+    versions:
+      - introduced: v0.0.0-20150717181359-44718f8a89b0
   - module: github.com/dgrijalva/jwt-go/v4
     symbols:
       - MapClaims.VerifyAudience
     versions:
       - fixed: v4.0.0-preview1
-versions:
-  - introduced: v0.0.0-20150717181359-44718f8a89b0
 description: |
     If a JWT contains an audience claim with an array of strings, rather
     than a single string, and MapClaims.VerifyAudience is called with
@@ -18,8 +20,6 @@
 ghsas:
   - GHSA-w73w-5m7g-f7qc
 credit: '@christopher-wong'
-symbols:
-  - MapClaims.VerifyAudience
 links:
     commit: https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab
     context:
diff --git a/reports/GO-2020-0018.yaml b/reports/GO-2020-0018.yaml
index 59c74b0..e811da9 100644
--- a/reports/GO-2020-0018.yaml
+++ b/reports/GO-2020-0018.yaml
@@ -1,6 +1,16 @@
-module: github.com/satori/go.uuid
-versions:
-  - fixed: v1.2.1-0.20181016170032-d91630c85102
+packages:
+  - module: github.com/satori/go.uuid
+    symbols:
+      - NewV4
+      - rfc4122Generator.getClockSequence
+      - rfc4122Generator.getHardwareAddr
+    derived_symbols:
+      - NewV1
+      - NewV2
+      - init
+      - safeRandom
+    versions:
+      - fixed: v1.2.1-0.20181016170032-d91630c85102
 description: |
     UUIDs generated using NewV1 and NewV4 may not read the expected
     number of random bytes. These UUIDs may contain a significantly smaller
@@ -9,15 +19,6 @@
 cves:
   - CVE-2021-3538
 credit: '@josselin-c'
-symbols:
-  - NewV4
-  - rfc4122Generator.getClockSequence
-  - rfc4122Generator.getHardwareAddr
-derived_symbols:
-  - NewV1
-  - NewV2
-  - init
-  - safeRandom
 links:
     pr: https://github.com/satori/go.uuid/pull/75
     commit: https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45
diff --git a/reports/GO-2020-0019.yaml b/reports/GO-2020-0019.yaml
index e6c0f2f..59a4d82 100644
--- a/reports/GO-2020-0019.yaml
+++ b/reports/GO-2020-0019.yaml
@@ -1,6 +1,31 @@
-module: github.com/gorilla/websocket
-versions:
-  - fixed: v1.4.1
+packages:
+  - module: github.com/gorilla/websocket
+    symbols:
+      - Conn.advanceFrame
+      - messageReader.Read
+    derived_symbols:
+      - Conn.Close
+      - Conn.NextReader
+      - Conn.ReadJSON
+      - Conn.ReadMessage
+      - Conn.WriteJSON
+      - Conn.WritePreparedMessage
+      - Dialer.Dial
+      - Dialer.DialContext
+      - NewClient
+      - NewPreparedMessage
+      - ReadJSON
+      - Subprotocols
+      - Upgrade
+      - Upgrader.Upgrade
+      - WriteJSON
+      - httpProxyDialer.Dial
+      - netDialerFunc.Dial
+      - proxy_direct.Dial
+      - proxy_envOnce.Get
+      - proxy_socks5.Dial
+    versions:
+      - fixed: v1.4.1
 description: |
     An attacker can craft malicious WebSocket frames that cause an integer
     overflow in a variable which tracks the number of bytes remaining. This
@@ -12,30 +37,6 @@
 ghsas:
   - GHSA-3xh2-74w9-5vxm
 credit: Max Justicz
-symbols:
-  - Conn.advanceFrame
-  - messageReader.Read
-derived_symbols:
-  - Conn.Close
-  - Conn.NextReader
-  - Conn.ReadJSON
-  - Conn.ReadMessage
-  - Conn.WriteJSON
-  - Conn.WritePreparedMessage
-  - Dialer.Dial
-  - Dialer.DialContext
-  - NewClient
-  - NewPreparedMessage
-  - ReadJSON
-  - Subprotocols
-  - Upgrade
-  - Upgrader.Upgrade
-  - WriteJSON
-  - httpProxyDialer.Dial
-  - netDialerFunc.Dial
-  - proxy_direct.Dial
-  - proxy_envOnce.Get
-  - proxy_socks5.Dial
 links:
     pr: https://github.com/gorilla/websocket/pull/537
     commit: https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37
diff --git a/reports/GO-2020-0020.yaml b/reports/GO-2020-0020.yaml
index b581751..3421f92 100644
--- a/reports/GO-2020-0020.yaml
+++ b/reports/GO-2020-0020.yaml
@@ -1,14 +1,15 @@
-module: github.com/gorilla/handlers
-versions:
-  - fixed: v1.3.0
+packages:
+  - module: github.com/gorilla/handlers
+    symbols:
+      - cors.ServeHTTP
+    versions:
+      - fixed: v1.3.0
 description: |
     Usage of the CORS handler may apply improper CORS headers, allowing
     the requester to explicitly control the value of the Access-Control-Allow-Origin
     header, which bypasses the expected behavior of the Same Origin Policy.
 published: 2021-04-14T20:04:52Z
 credit: Evan J Johnson
-symbols:
-  - cors.ServeHTTP
 links:
     pr: https://github.com/gorilla/handlers/pull/116
     commit: https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145
diff --git a/reports/GO-2020-0021.yaml b/reports/GO-2020-0021.yaml
index 0cee665..f62017e 100644
--- a/reports/GO-2020-0021.yaml
+++ b/reports/GO-2020-0021.yaml
@@ -1,6 +1,11 @@
-module: github.com/gogits/gogs
-versions:
-  - fixed: v0.5.8
+packages:
+  - module: github.com/gogits/gogs
+    symbols:
+      - GetIssues
+      - SearchRepositoryByName
+      - SearchUserByName
+    versions:
+      - fixed: v0.5.8
 description: |
     Due to improper santization of user input, a number of methods are
     vulnerable to SQL injection if used with user input that has not
@@ -11,10 +16,6 @@
 ghsas:
   - GHSA-mr6h-chqp-p9g2
 credit: Pascal Turbing and Jiahua (Joe) Chen
-symbols:
-  - GetIssues
-  - SearchRepositoryByName
-  - SearchUserByName
 links:
     commit: https://github.com/gogs/gogs/commit/83283bca4cb4e0f4ec48a28af680f0d88db3d2c8
     context:
diff --git a/reports/GO-2020-0022.yaml b/reports/GO-2020-0022.yaml
index c7cdf7d..6661c8d 100644
--- a/reports/GO-2020-0022.yaml
+++ b/reports/GO-2020-0022.yaml
@@ -1,14 +1,15 @@
-module: github.com/cloudflare/golz4
-versions:
-  - fixed: v0.0.0-20140711154735-199f5f787806
+packages:
+  - module: github.com/cloudflare/golz4
+    symbols:
+      - Uncompress
+    versions:
+      - fixed: v0.0.0-20140711154735-199f5f787806
 description: |
     LZ4 bindings use a deprecated C API that is vulnerable to
     memory corruption, which could lead to arbitrary code execution
     if called with untrusted user input.
 published: 2021-04-14T20:04:52Z
 credit: Yann Collet
-symbols:
-  - Uncompress
 links:
     commit: https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898
     context:
diff --git a/reports/GO-2020-0023.yaml b/reports/GO-2020-0023.yaml
index 5fff7ab..d514889 100644
--- a/reports/GO-2020-0023.yaml
+++ b/reports/GO-2020-0023.yaml
@@ -1,14 +1,15 @@
-module: github.com/robbert229/jwt
-versions:
-  - fixed: v0.0.0-20170426191122-ca1404ee6e83
+packages:
+  - module: github.com/robbert229/jwt
+    symbols:
+      - Algorithm.validateSignature
+    versions:
+      - fixed: v0.0.0-20170426191122-ca1404ee6e83
 description: |
     Token validation methods are susceptible to a timing side-channel
     during HMAC comparison. With a large enough number of requests
     over a low latency connection, an attacker may use this to determine
     the expected HMAC.
 published: 2021-04-14T20:04:52Z
-symbols:
-  - Algorithm.validateSignature
 links:
     commit: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
     context:
diff --git a/reports/GO-2020-0024.yaml b/reports/GO-2020-0024.yaml
index dfd868d..5e0fa44 100644
--- a/reports/GO-2020-0024.yaml
+++ b/reports/GO-2020-0024.yaml
@@ -1,6 +1,11 @@
-module: github.com/btcsuite/go-socks
-package: github.com/btcsuite/go-socks/socks
-additional_packages:
+packages:
+  - module: github.com/btcsuite/go-socks
+    package: github.com/btcsuite/go-socks/socks
+    symbols:
+      - proxiedConn.LocalAddr
+      - proxiedConn.RemoteAddr
+    versions:
+      - fixed: v0.0.0-20130808000456-233bccbb1abe
   - module: github.com/btcsuitereleases/go-socks
     package: github.com/btcsuitereleases/go-socks/socks
     symbols:
@@ -8,15 +13,10 @@
       - proxiedConn.RemoteAddr
     versions:
       - fixed: v0.0.0-20130808000456-233bccbb1abe
-versions:
-  - fixed: v0.0.0-20130808000456-233bccbb1abe
 description: |
     The RemoteAddr and LocalAddr methods on the returned net.Conn may
     call themselves, leading to an infinite loop which will crash the
     program due to a stack overflow.
 published: 2021-04-14T20:04:52Z
-symbols:
-  - proxiedConn.LocalAddr
-  - proxiedConn.RemoteAddr
 links:
     commit: https://github.com/btcsuite/go-socks/commit/233bccbb1abe02f05750f7ace66f5bffdb13defc
diff --git a/reports/GO-2020-0025.yaml b/reports/GO-2020-0025.yaml
index cdb3a70..6545ea1 100644
--- a/reports/GO-2020-0025.yaml
+++ b/reports/GO-2020-0025.yaml
@@ -1,21 +1,21 @@
-module: github.com/cloudfoundry/archiver
-additional_packages:
+packages:
+  - module: github.com/cloudfoundry/archiver
+    symbols:
+      - tgzExtractor.Extract
+      - zipExtractor.Extract
+    versions:
+      - fixed: v0.0.0-20180523222229-09b5706aa936
   - module: code.cloudfoundry.org/archiver
     symbols:
       - tgzExtractor.Extract
       - zipExtractor.Extract
     versions:
       - fixed: v0.0.0-20180523222229-09b5706aa936
-versions:
-  - fixed: v0.0.0-20180523222229-09b5706aa936
 description: |
     Due to improper path santization, archives containing relative file
     paths can cause files to be written (or overwritten) outside of the
     target directory.
 published: 2021-04-14T20:04:52Z
-symbols:
-  - tgzExtractor.Extract
-  - zipExtractor.Extract
 links:
     commit: https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840
     context:
diff --git a/reports/GO-2020-0026.yaml b/reports/GO-2020-0026.yaml
index fc4e14d..389c13a 100644
--- a/reports/GO-2020-0026.yaml
+++ b/reports/GO-2020-0026.yaml
@@ -1,7 +1,15 @@
-module: github.com/openshift/source-to-image
-package: github.com/openshift/source-to-image/pkg/tar
-versions:
-  - fixed: v1.1.10-0.20180427153919-f5cbcbc5cc6f
+packages:
+  - module: github.com/openshift/source-to-image
+    package: github.com/openshift/source-to-image/pkg/tar
+    symbols:
+      - stiTar.ExtractTarStreamFromTarReader
+      - stiTar.extractLink
+      - New
+    derived_symbols:
+      - stiTar.ExtractTarStream
+      - stiTar.ExtractTarStreamWithLogging
+    versions:
+      - fixed: v1.1.10-0.20180427153919-f5cbcbc5cc6f
 description: |
     Due to improper path santization, archives containing relative file
     paths can cause files to be written (or overwritten) outside of the
@@ -9,13 +17,6 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2018-1103
-symbols:
-  - stiTar.ExtractTarStreamFromTarReader
-  - stiTar.extractLink
-  - New
-derived_symbols:
-  - stiTar.ExtractTarStream
-  - stiTar.ExtractTarStreamWithLogging
 links:
     commit: https://github.com/openshift/source-to-image/commit/f5cbcbc5cc6f8cc2f479a7302443bea407a700cb
     context:
diff --git a/reports/GO-2020-0027.yaml b/reports/GO-2020-0027.yaml
index cfeb12f..bfff53e 100644
--- a/reports/GO-2020-0027.yaml
+++ b/reports/GO-2020-0027.yaml
@@ -1,12 +1,16 @@
-module: github.com/google/fscrypt
-package: github.com/google/fscrypt/pam
-additional_packages:
+packages:
+  - module: github.com/google/fscrypt
+    package: github.com/google/fscrypt/pam
+    symbols:
+      - NewHandle
+      - SetProcessPrivileges
+      - Handle.StopAsPamUser
+    versions:
+      - fixed: v0.2.4
   - module: github.com/google/fscrypt
     package: github.com/google/fscrypt/security
     symbols:
       - UserKeyringID
-versions:
-  - fixed: v0.2.4
 description: |
     After dropping and then elevating process privileges euid, guid, and groups
     are not properly restored to their original values, allowing an unprivileged
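Review bot: The `github.com/google/fscrypt/security` entry in this hunk carries `symbols` but no `versions`, while the removed top-level `fixed: v0.2.4` is now attached only to the `pam` entry. The gap appears to predate this change, but with per-package ranges it matters more: a consumer that reads a missing range as "all versions affected" would keep reporting `UserKeyringID` on fixed releases. If the same release fixes both packages, add `versions:` and `- fixed: v0.2.4` under the `security` entry. The `github.com/go-yaml/yaml` entry in reports/GO-2020-0036.yaml is in the same position relative to `fixed: v2.2.8`, and the version string there should be confirmed against that module path's own tags. A lint step that flags any package with symbols and no version range for explicit confirmation would catch both.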
@@ -16,10 +20,6 @@
   - CVE-2018-6558
 ghsas:
   - GHSA-qj26-7grj-whg3
-symbols:
-  - NewHandle
-  - SetProcessPrivileges
-  - Handle.StopAsPamUser
 links:
     commit: https://github.com/google/fscrypt/commit/3022c1603d968c22f147b4a2c49c4637dd1be91b
     context:
diff --git a/reports/GO-2020-0028.yaml b/reports/GO-2020-0028.yaml
index 1cc6f94..e6e2704 100644
--- a/reports/GO-2020-0028.yaml
+++ b/reports/GO-2020-0028.yaml
@@ -1,6 +1,12 @@
-module: github.com/miekg/dns
-versions:
-  - fixed: v1.0.10
+packages:
+  - module: github.com/miekg/dns
+    symbols:
+      - setTA
+    derived_symbols:
+      - ParseZone
+      - ReadRR
+    versions:
+      - fixed: v1.0.10
 description: |
     Due to a nil pointer dereference, parsing a malformed zone file
     containing TA records may cause a panic. If parsing user supplied
@@ -11,11 +17,6 @@
 ghsas:
   - GHSA-9jcx-pr2f-qvq5
 credit: '@tr3ee'
-symbols:
-  - setTA
-derived_symbols:
-  - ParseZone
-  - ReadRR
 links:
     commit: https://github.com/miekg/dns/commit/501e858f679edecd4a38a86317ce50271014a80d
     context:
diff --git a/reports/GO-2020-0029.yaml b/reports/GO-2020-0029.yaml
index 50557b5..6498f9b 100644
--- a/reports/GO-2020-0029.yaml
+++ b/reports/GO-2020-0029.yaml
@@ -1,14 +1,15 @@
-module: github.com/gin-gonic/gin
-versions:
-  - fixed: v0.0.0-20141229113116-0099840c98ae
+packages:
+  - module: github.com/gin-gonic/gin
+    symbols:
+      - Context.ClientIP
+    versions:
+      - fixed: v0.0.0-20141229113116-0099840c98ae
 description: |
     Due to improper HTTP header santization, a malicious user can spoof their
     source IP address by setting the X-Forwarded-For header. This may allow
     a user to bypass IP based restrictions, or obfuscate their true source.
 published: 2021-04-14T20:04:52Z
 credit: '@nl5887'
-symbols:
-  - Context.ClientIP
 links:
     pr: https://github.com/gin-gonic/gin/pull/182
     commit: https://github.com/gin-gonic/gin/commit/0099840c98ae1473c5ff0f18bc93a8e13ceed829
diff --git a/reports/GO-2020-0031.yaml b/reports/GO-2020-0031.yaml
index dfb262f..859b5b9 100644
--- a/reports/GO-2020-0031.yaml
+++ b/reports/GO-2020-0031.yaml
@@ -1,6 +1,7 @@
-module: github.com/proglottis/gpgme
-versions:
-  - fixed: v0.1.1
+packages:
+  - module: github.com/proglottis/gpgme
+    versions:
+      - fixed: v0.1.1
 description: |
     Due to improper setting of finalizers, memory passed to C may be freed before it is used,
     leading to crashes due to memory corruption or possible code execution.
diff --git a/reports/GO-2020-0032.yaml b/reports/GO-2020-0032.yaml
index a12d8d7..7b0f261 100644
--- a/reports/GO-2020-0032.yaml
+++ b/reports/GO-2020-0032.yaml
@@ -1,5 +1,9 @@
-module: github.com/goadesign/goa
-additional_packages:
+packages:
+  - module: github.com/goadesign/goa
+    symbols:
+      - Controller.FileHandler
+    versions:
+      - fixed: v1.4.3
   - module: goa.design/goa
     symbols:
       - Controller.FileHandler
@@ -10,16 +14,12 @@
       - Controller.FileHandler
     versions:
       - fixed: v3.0.9
-versions:
-  - fixed: v1.4.3
 description: |
     Due to improper santization of user input, Controller.FileHandler allows
     for directory traversal, allowing an attacker to read files outside of
     the target directory that the server has permission to read.
 published: 2021-04-14T20:04:52Z
 credit: '@christi3k'
-symbols:
-  - Controller.FileHandler
 links:
     pr: https://github.com/goadesign/goa/pull/2388
     commit: https://github.com/goadesign/goa/commit/70b5a199d0f813d74423993832c424e1fc73fb39
diff --git a/reports/GO-2020-0033.yaml b/reports/GO-2020-0033.yaml
index 52ae5ca..1259941 100644
--- a/reports/GO-2020-0033.yaml
+++ b/reports/GO-2020-0033.yaml
@@ -1,18 +1,19 @@
-module: aahframe.work
-versions:
-  - fixed: v0.12.4
+packages:
+  - module: aahframe.work
+    symbols:
+      - HTTPEngine.Handle
+    derived_symbols:
+      - Application.Run
+      - Application.ServeHTTP
+      - Application.Start
+    versions:
+      - fixed: v0.12.4
 description: |
     Due to improper santization of user input, HTTPEngine.Handle allows
     for directory traversal, allowing an attacker to read files outside of
     the target directory that the server has permission to read.
 published: 2021-04-14T20:04:52Z
 credit: '@snyff'
-symbols:
-  - HTTPEngine.Handle
-derived_symbols:
-  - Application.Run
-  - Application.ServeHTTP
-  - Application.Start
 links:
     pr: https://github.com/go-aah/aah/pull/267
     commit: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
diff --git a/reports/GO-2020-0034.yaml b/reports/GO-2020-0034.yaml
index 078e012..504274e 100644
--- a/reports/GO-2020-0034.yaml
+++ b/reports/GO-2020-0034.yaml
@@ -1,13 +1,14 @@
-module: github.com/artdarek/go-unzip
-versions:
-  - fixed: v1.0.0
+packages:
+  - module: github.com/artdarek/go-unzip
+    symbols:
+      - Unzip.Extract
+    versions:
+      - fixed: v1.0.0
 description: |
     Due to improper path santization, archives containing relative file
     paths can cause files to be written (or overwritten) outside of the
     target directory.
 published: 2021-04-14T20:04:52Z
-symbols:
-  - Unzip.Extract
 links:
     pr: https://github.com/artdarek/go-unzip/pull/2
     commit: https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0
diff --git a/reports/GO-2020-0035.yaml b/reports/GO-2020-0035.yaml
index 7d9d13e..077e386 100644
--- a/reports/GO-2020-0035.yaml
+++ b/reports/GO-2020-0035.yaml
@@ -1,13 +1,14 @@
-module: github.com/yi-ge/unzip
-versions:
-  - fixed: v1.0.3-0.20200308084313-2adbaa4891b9
+packages:
+  - module: github.com/yi-ge/unzip
+    symbols:
+      - Unzip.Extract
+    versions:
+      - fixed: v1.0.3-0.20200308084313-2adbaa4891b9
 description: |
     Due to improper path santization, archives containing relative file
     paths can cause files to be written (or overwritten) outside of the
     target directory.
 published: 2021-04-14T20:04:52Z
-symbols:
-  - Unzip.Extract
 links:
     pr: https://github.com/yi-ge/unzip/pull/1
     commit: https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73
diff --git a/reports/GO-2020-0036.yaml b/reports/GO-2020-0036.yaml
index ab66e7f..2b99922 100644
--- a/reports/GO-2020-0036.yaml
+++ b/reports/GO-2020-0036.yaml
@@ -1,5 +1,13 @@
-module: gopkg.in/yaml.v2
-additional_packages:
+packages:
+  - module: gopkg.in/yaml.v2
+    symbols:
+      - yaml_parser_fetch_more_tokens
+    derived_symbols:
+      - Decoder.Decode
+      - Unmarshal
+      - UnmarshalStrict
+    versions:
+      - fixed: v2.2.8
   - module: github.com/go-yaml/yaml
     symbols:
       - yaml_parser_fetch_more_tokens
@@ -7,8 +15,6 @@
       - Decoder.Decode
       - Unmarshal
       - UnmarshalStrict
-versions:
-  - fixed: v2.2.8
 description: |
     Due to unbounded aliasing, a crafted YAML file can cause consumption
     of significant system resources. If parsing user supplied input, this
@@ -18,12 +24,6 @@
   - CVE-2019-11254
 ghsas:
   - GHSA-wxc4-f4m6-wwqv
-symbols:
-  - yaml_parser_fetch_more_tokens
-derived_symbols:
-  - Decoder.Decode
-  - Unmarshal
-  - UnmarshalStrict
 links:
     pr: https://github.com/go-yaml/yaml/pull/555
     commit: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
diff --git a/reports/GO-2020-0037.yaml b/reports/GO-2020-0037.yaml
index 40c442e..6e031a8 100644
--- a/reports/GO-2020-0037.yaml
+++ b/reports/GO-2020-0037.yaml
@@ -1,7 +1,10 @@
-module: github.com/tendermint/tendermint
-package: github.com/tendermint/tendermint/rpc/client
-versions:
-  - fixed: v0.31.1
+packages:
+  - module: github.com/tendermint/tendermint
+    package: github.com/tendermint/tendermint/rpc/client
+    symbols:
+      - makeHTTPClient
+    versions:
+      - fixed: v0.31.1
 description: |
     Due to support of Gzip compression in request bodies, as well
     as a lack of limiting response body sizes, a malicious server
@@ -9,8 +12,6 @@
     resources, which may be used as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 credit: '@guagualvcha'
-symbols:
-  - makeHTTPClient
 links:
     pr: https://github.com/tendermint/tendermint/pull/3430
     commit: https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613
diff --git a/reports/GO-2020-0038.yaml b/reports/GO-2020-0038.yaml
index 4d74d41..2657b5b 100644
--- a/reports/GO-2020-0038.yaml
+++ b/reports/GO-2020-0038.yaml
@@ -1,6 +1,15 @@
-module: github.com/pion/dtls
-versions:
-  - fixed: v1.5.2
+packages:
+  - module: github.com/pion/dtls
+    symbols:
+      - Conn.handleIncomingPacket
+    derived_symbols:
+      - Client
+      - Dial
+      - Listener.Accept
+      - Resume
+      - Server
+    versions:
+      - fixed: v1.5.2
 description: |
     Due to improper verification of packets, unencrypted packets containing
     application data are accepted after the initial handshake. This allows
@@ -11,14 +20,6 @@
   - CVE-2019-20786
 ghsas:
   - GHSA-7gfg-6934-mqq2
-symbols:
-  - Conn.handleIncomingPacket
-derived_symbols:
-  - Client
-  - Dial
-  - Listener.Accept
-  - Resume
-  - Server
 links:
     pr: https://github.com/pion/dtls/pull/128
     commit: https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0
diff --git a/reports/GO-2020-0039.yaml b/reports/GO-2020-0039.yaml
index f9d72db..493a4a5 100644
--- a/reports/GO-2020-0039.yaml
+++ b/reports/GO-2020-0039.yaml
@@ -1,6 +1,15 @@
-module: gopkg.in/macaron.v1
-versions:
-  - fixed: v1.3.7
+packages:
+  - module: gopkg.in/macaron.v1
+    symbols:
+      - staticHandler
+    derived_symbols:
+      - Context.Next
+      - LoggerInvoker.Invoke
+      - Macaron.Run
+      - Macaron.ServeHTTP
+      - Router.ServeHTTP
+    versions:
+      - fixed: v1.3.7
 description: |
     Due to improper request santization, a specifically crafted URL
     can cause the static file handler to redirect to an attacker chosen
@@ -11,14 +20,6 @@
 ghsas:
   - GHSA-733f-44f3-3frw
 credit: '@ev0A'
-symbols:
-  - staticHandler
-derived_symbols:
-  - Context.Next
-  - LoggerInvoker.Invoke
-  - Macaron.Run
-  - Macaron.ServeHTTP
-  - Router.ServeHTTP
 links:
     pr: https://github.com/go-macaron/macaron/pull/199
     commit: https://github.com/go-macaron/macaron/commit/addc7461c3a90a040e79aa75bfd245107a210245
diff --git a/reports/GO-2020-0040.yaml b/reports/GO-2020-0040.yaml
index 0746a83..64670d3 100644
--- a/reports/GO-2020-0040.yaml
+++ b/reports/GO-2020-0040.yaml
@@ -1,4 +1,5 @@
-module: github.com/shiyanhui/dht
+packages:
+  - module: github.com/shiyanhui/dht
 description: |
     Due to unchecked type assertions, maliciously crafted messages can
     cause panics, which may be used as a denial of service vector.
diff --git a/reports/GO-2020-0041.yaml b/reports/GO-2020-0041.yaml
index 5195042..8c63c94 100644
--- a/reports/GO-2020-0041.yaml
+++ b/reports/GO-2020-0041.yaml
@@ -1,6 +1,20 @@
-module: github.com/unknwon/cae
-package: github.com/unknwon/cae/tz
-additional_packages:
+packages:
+  - module: github.com/unknwon/cae
+    package: github.com/unknwon/cae/tz
+    symbols:
+      - TzArchive.syncFiles
+      - TzArchive.ExtractToFunc
+    derived_symbols:
+      - Create
+      - ExtractTo
+      - Open
+      - OpenFile
+      - TzArchive.Close
+      - TzArchive.ExtractTo
+      - TzArchive.Flush
+      - TzArchive.Open
+    versions:
+      - fixed: v1.0.1
   - module: github.com/unknwon/cae
     package: github.com/unknwon/cae/zip
     symbols:
@@ -17,8 +31,6 @@
       - ZipArchive.Flush
     versions:
       - fixed: v1.0.1
-versions:
-  - fixed: v1.0.1
 description: |
     Due to improper path santization, archives containing relative file
     paths can cause files to be written (or overwritten) outside of the
@@ -28,18 +40,6 @@
   - CVE-2020-7668
 ghsas:
   - GHSA-88jf-7rch-32qc
-symbols:
-  - TzArchive.syncFiles
-  - TzArchive.ExtractToFunc
-derived_symbols:
-  - Create
-  - ExtractTo
-  - Open
-  - OpenFile
-  - TzArchive.Close
-  - TzArchive.ExtractTo
-  - TzArchive.Flush
-  - TzArchive.Open
 links:
     commit: https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11
     context:
diff --git a/reports/GO-2020-0042.yaml b/reports/GO-2020-0042.yaml
index 4989d20..a2a2acb 100644
--- a/reports/GO-2020-0042.yaml
+++ b/reports/GO-2020-0042.yaml
@@ -1,7 +1,10 @@
-module: github.com/sassoftware/go-rpmutils
-package: github.com/sassoftware/go-rpmutils/cpio
-versions:
-  - fixed: v0.1.0
+packages:
+  - module: github.com/sassoftware/go-rpmutils
+    package: github.com/sassoftware/go-rpmutils/cpio
+    symbols:
+      - Extract
+    versions:
+      - fixed: v0.1.0
 description: |
     Due to improper path santization, RPMs containing relative file
     paths can cause files to be written (or overwritten) outside of the
@@ -11,8 +14,6 @@
   - CVE-2020-7667
 ghsas:
   - GHSA-9423-6c93-gpp8
-symbols:
-  - Extract
 links:
     commit: https://github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0
     context:
diff --git a/reports/GO-2020-0043.yaml b/reports/GO-2020-0043.yaml
index fc92686..b27eb18 100644
--- a/reports/GO-2020-0043.yaml
+++ b/reports/GO-2020-0043.yaml
@@ -1,7 +1,12 @@
-module: github.com/mholt/caddy
-package: github.com/mholt/caddy/caddyhttp/httpserver
-versions:
-  - fixed: v0.10.13
+packages:
+  - module: github.com/mholt/caddy
+    package: github.com/mholt/caddy/caddyhttp/httpserver
+    symbols:
+      - httpContext.MakeServers
+      - Server.serveHTTP
+      - assertConfigsCompatible
+    versions:
+      - fixed: v0.10.13
 description: |
     Due to improper TLS verification when serving traffic for multiple
     SNIs, an attacker may bypass TLS client authentication by indicating
@@ -10,10 +15,6 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2018-21246
-symbols:
-  - httpContext.MakeServers
-  - Server.serveHTTP
-  - assertConfigsCompatible
 links:
     pr: https://github.com/caddyserver/caddy/pull/2099
     commit: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3
diff --git a/reports/GO-2020-0045.yaml b/reports/GO-2020-0045.yaml
index 70ff335..2103cb6 100644
--- a/reports/GO-2020-0045.yaml
+++ b/reports/GO-2020-0045.yaml
@@ -1,17 +1,18 @@
-module: github.com/dinever/golf
-versions:
-  - fixed: v0.3.0
+packages:
+  - module: github.com/dinever/golf
+    symbols:
+      - randomBytes
+    derived_symbols:
+      - Context.Render
+      - Context.RenderFromString
+    versions:
+      - fixed: v0.3.0
 description: |
     CSRF tokens are generated using math/rand, which is not a cryptographically secure
     rander number generation, making predicting their values relatively trivial and
     allowing an attacker to bypass CSRF protections which relatively few requests.
 published: 2021-04-14T20:04:52Z
 credit: '@elithrar'
-symbols:
-  - randomBytes
-derived_symbols:
-  - Context.Render
-  - Context.RenderFromString
 links:
     pr: https://github.com/dinever/golf/pull/24
     commit: https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe
diff --git a/reports/GO-2020-0046.yaml b/reports/GO-2020-0046.yaml
index 1f4a258..1e98f38 100644
--- a/reports/GO-2020-0046.yaml
+++ b/reports/GO-2020-0046.yaml
@@ -1,5 +1,9 @@
-module: github.com/russellhaering/goxmldsig
-additional_packages:
+packages:
+  - module: github.com/russellhaering/goxmldsig
+    symbols:
+      - ValidationContext.validateSignature
+    versions:
+      - fixed: v1.1.0
   - module: github.com/russellhaering/gosaml2
     symbols:
       - SAMLServiceProvider.validateAssertionSignatures
@@ -8,8 +12,6 @@
       - SAMLServiceProvider.ValidateEncodedResponse
     versions:
       - fixed: v0.6.0
-versions:
-  - fixed: v1.1.0
 description: |
     Due to a nil pointer dereference, a malformed XML Digital Signature
     can cause a panic during validation. If user supplied signatures are
@@ -18,8 +20,6 @@
 cves:
   - CVE-2020-7711
 credit: '@stevenjohnstone'
-symbols:
-  - ValidationContext.validateSignature
 links:
     context:
       - https://github.com/russellhaering/goxmldsig/issues/48
diff --git a/reports/GO-2020-0047.yaml b/reports/GO-2020-0047.yaml
index 08752f4..09aa55a 100644
--- a/reports/GO-2020-0047.yaml
+++ b/reports/GO-2020-0047.yaml
@@ -1,13 +1,14 @@
-module: github.com/RobotsAndPencils/go-saml
+packages:
+  - module: github.com/RobotsAndPencils/go-saml
+    symbols:
+      - AuthnRequest.Validate
+      - NewAuthnRequest
+      - NewSignedResponse
 description: |
     XML Digital Signatures generated and validated using this package use
     SHA-1, which may allow an attacker to craft inputs which cause hash
     collisions depending on their control over the input.
 published: 2021-04-14T20:04:52Z
-symbols:
-  - AuthnRequest.Validate
-  - NewAuthnRequest
-  - NewSignedResponse
 links:
     context:
       - https://github.com/RobotsAndPencils/go-saml/pull/38
diff --git a/reports/GO-2020-0048.yaml b/reports/GO-2020-0048.yaml
index f194a4a..6bbcfb6 100644
--- a/reports/GO-2020-0048.yaml
+++ b/reports/GO-2020-0048.yaml
@@ -1,6 +1,9 @@
-module: github.com/antchfx/xmlquery
-versions:
-  - fixed: v1.3.1
+packages:
+  - module: github.com/antchfx/xmlquery
+    symbols:
+      - LoadURL
+    versions:
+      - fixed: v1.3.1
 description: |
     LoadURL does not check the Content-Type of loaded resources,
     which can cause a panic due to nil pointer deference if the loaded
@@ -10,8 +13,6 @@
 cves:
   - CVE-2020-25614
 credit: '@dwisiswant0'
-symbols:
-  - LoadURL
 links:
     commit: https://github.com/antchfx/xmlquery/commit/5648b2f39e8d5d3fc903c45a4f1274829df71821
     context:
diff --git a/reports/GO-2020-0049.yaml b/reports/GO-2020-0049.yaml
index ec2bae5..33c0eb7 100644
--- a/reports/GO-2020-0049.yaml
+++ b/reports/GO-2020-0049.yaml
@@ -1,17 +1,18 @@
-module: github.com/justinas/nosurf
-versions:
-  - fixed: v1.1.1
+packages:
+  - module: github.com/justinas/nosurf
+    symbols:
+      - VerifyToken
+      - verifyToken
+    derived_symbols:
+      - CSRFHandler.ServeHTTP
+    versions:
+      - fixed: v1.1.1
 description: |
     Due to improper validation of caller input, validation is silently disabled
     if the provided expected token is malformed, causing any user supplied token
     to be considered valid.
 published: 2021-04-14T20:04:52Z
 credit: '@aeneasr'
-symbols:
-  - VerifyToken
-  - verifyToken
-derived_symbols:
-  - CSRFHandler.ServeHTTP
 links:
     pr: https://github.com/justinas/nosurf/pull/60
     commit: https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314
diff --git a/reports/GO-2020-0050.yaml b/reports/GO-2020-0050.yaml
index e1552cb..af36911 100644
--- a/reports/GO-2020-0050.yaml
+++ b/reports/GO-2020-0050.yaml
@@ -1,6 +1,9 @@
-module: github.com/russellhaering/goxmldsig
-versions:
-  - fixed: v1.1.0
+packages:
+  - module: github.com/russellhaering/goxmldsig
+    symbols:
+      - ValidationContext.findSignature
+    versions:
+      - fixed: v1.1.0
 description: |
     Due to the behavior of encoding/xml, a crafted XML document may cause
     XML Digital Signature validation to be entirely bypassed, causing an
@@ -11,8 +14,6 @@
 ghsas:
   - GHSA-q547-gmf8-8jr7
 credit: '@jupenur'
-symbols:
-  - ValidationContext.findSignature
 links:
     commit: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
     context:
diff --git a/reports/GO-2021-0051.yaml b/reports/GO-2021-0051.yaml
index 22545fe..b48ccf7 100644
--- a/reports/GO-2021-0051.yaml
+++ b/reports/GO-2021-0051.yaml
@@ -1,14 +1,15 @@
-module: github.com/labstack/echo/v4
-versions:
-  - fixed: v4.1.18-0.20201215153152-4422e3b66b9f
+packages:
+  - module: github.com/labstack/echo/v4
+    symbols:
+      - common.static
+    versions:
+      - fixed: v4.1.18-0.20201215153152-4422e3b66b9f
 description: |
     Due to improper sanitization of user input on Windows, the static file handler
     allows for directory traversal, allowing an attacker to read files outside of
     the target directory that the server has permission to read.
 published: 2021-04-14T20:04:52Z
 credit: '@little-cui (Apache ServiceComb)'
-symbols:
-  - common.static
 os:
   - windows
 links:
diff --git a/reports/GO-2021-0052.yaml b/reports/GO-2021-0052.yaml
index 46bc950..4901289 100644
--- a/reports/GO-2021-0052.yaml
+++ b/reports/GO-2021-0052.yaml
@@ -1,6 +1,9 @@
-module: github.com/gin-gonic/gin
-versions:
-  - fixed: v1.6.3-0.20210406033725-bfc8ca285eb4
+packages:
+  - module: github.com/gin-gonic/gin
+    symbols:
+      - Context.ClientIP
+    versions:
+      - fixed: v1.6.3-0.20210406033725-bfc8ca285eb4
 description: |
     Due to improper HTTP header santization, a malicious user can spoof their
     source IP address by setting the X-Forwarded-For header. This may allow
@@ -11,8 +14,6 @@
 ghsas:
   - GHSA-h395-qcrw-5vmq
 credit: '@sorenh'
-symbols:
-  - Context.ClientIP
 links:
     pr: https://github.com/gin-gonic/gin/pull/2632
     commit: https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711
diff --git a/reports/GO-2021-0053.yaml b/reports/GO-2021-0053.yaml
index 42162f5..b8ae5b7 100644
--- a/reports/GO-2021-0053.yaml
+++ b/reports/GO-2021-0053.yaml
@@ -1,6 +1,7 @@
-module: github.com/gogo/protobuf
-versions:
-  - fixed: v1.3.2
+packages:
+  - module: github.com/gogo/protobuf
+    versions:
+      - fixed: v1.3.2
 description: |
     Due to improper bounds checking, maliciously crafted input to generated
     Unmarshal methods can cause an out-of-bounds panic. If parsing messages
@@ -8,5 +9,7 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2021-3121
+ghsas:
+  - GHSA-c3h9-896r-86jm
 links:
     commit: https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
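Review bot: The added `ghsas:` entry `GHSA-c3h9-896r-86jm` is new report data that the commit description, which covers only moving fields into `packages`, does not mention. Mixing alias additions into a mechanical restructuring makes the refactor harder to audit, because a reviewer can no longer confirm the report content is unchanged by comparing old and new fields. The same kind of addition appears in the second hunks of GO-2021-0077, GO-2021-0079 and GO-2021-0081. I would either split these into their own change or add a line to the description such as `Also adds missing GHSA aliases to existing reports.`, and confirm each alias against the CVE listed beside it.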
diff --git a/reports/GO-2021-0054.yaml b/reports/GO-2021-0054.yaml
index b79fcff..bb5a8fd 100644
--- a/reports/GO-2021-0054.yaml
+++ b/reports/GO-2021-0054.yaml
@@ -1,6 +1,11 @@
-module: github.com/tidwall/gjson
-versions:
-  - fixed: v1.6.6
+packages:
+  - module: github.com/tidwall/gjson
+    symbols:
+      - unwrap
+    derived_symbols:
+      - Result.ForEach
+    versions:
+      - fixed: v1.6.6
 description: |
     Due to improper bounds checking, maliciously crafted JSON objects
     can cause an out-of-bounds panic. If parsing user input, this may
@@ -9,10 +14,6 @@
 cves:
   - CVE-2020-36067
 credit: '@toptotu'
-symbols:
-  - unwrap
-derived_symbols:
-  - Result.ForEach
 links:
     commit: https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
     context:
diff --git a/reports/GO-2021-0056.yaml b/reports/GO-2021-0056.yaml
index 06d13fc..8cc1989 100644
--- a/reports/GO-2021-0056.yaml
+++ b/reports/GO-2021-0056.yaml
@@ -1,7 +1,10 @@
-module: github.com/dexidp/dex
-package: github.com/dexidp/dex/connector/saml
-versions:
-  - fixed: v0.0.0-20201214082111-324b1c886b40
+packages:
+  - module: github.com/dexidp/dex
+    package: github.com/dexidp/dex/connector/saml
+    symbols:
+      - provider.HandlePOST
+    versions:
+      - fixed: v0.0.0-20201214082111-324b1c886b40
 description: |
     Due to the behavior of encoding/xml, a crafted XML document may cause
     XML Digital Signature validation to be entirely bypassed, causing an
@@ -12,8 +15,6 @@
 ghsas:
   - GHSA-q547-gmf8-8jr7
 credit: Juho Nurminen (Mattermost)
-symbols:
-  - provider.HandlePOST
 links:
     commit: https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8
     context:
diff --git a/reports/GO-2021-0057.yaml b/reports/GO-2021-0057.yaml
index 5d29ded..5b29316 100644
--- a/reports/GO-2021-0057.yaml
+++ b/reports/GO-2021-0057.yaml
@@ -1,6 +1,30 @@
-module: github.com/buger/jsonparser
-versions:
-  - fixed: v1.1.1
+packages:
+  - module: github.com/buger/jsonparser
+    symbols:
+      - searchKeys
+    derived_symbols:
+      - ArrayEach
+      - Delete
+      - EachKey
+      - FuzzDelete
+      - FuzzEachKey
+      - FuzzGetBoolean
+      - FuzzGetFloat
+      - FuzzGetInt
+      - FuzzGetString
+      - FuzzGetUnsafeString
+      - FuzzObjectEach
+      - FuzzSet
+      - Get
+      - GetBoolean
+      - GetFloat
+      - GetInt
+      - GetString
+      - GetUnsafeString
+      - ObjectEach
+      - Set
+    versions:
+      - fixed: v1.1.1
 description: |
     Due to improper bounds checking, maliciously crafted JSON objects
     can cause an out-of-bounds panic. If parsing user input, this may
@@ -9,29 +33,6 @@
 cves:
   - CVE-2020-35381
 credit: '@toptotu'
-symbols:
-  - searchKeys
-derived_symbols:
-  - ArrayEach
-  - Delete
-  - EachKey
-  - FuzzDelete
-  - FuzzEachKey
-  - FuzzGetBoolean
-  - FuzzGetFloat
-  - FuzzGetInt
-  - FuzzGetString
-  - FuzzGetUnsafeString
-  - FuzzObjectEach
-  - FuzzSet
-  - Get
-  - GetBoolean
-  - GetFloat
-  - GetInt
-  - GetString
-  - GetUnsafeString
-  - ObjectEach
-  - Set
 links:
     pr: https://github.com/buger/jsonparser/pull/221
     commit: https://github.com/buger/jsonparser/commit/df3ea76ece10095374fd1c9a22a4fb85a44efc42
diff --git a/reports/GO-2021-0058.yaml b/reports/GO-2021-0058.yaml
index 0edaca4..64a18d5 100644
--- a/reports/GO-2021-0058.yaml
+++ b/reports/GO-2021-0058.yaml
@@ -1,5 +1,16 @@
-module: github.com/crewjam/saml
-additional_packages:
+packages:
+  - module: github.com/crewjam/saml
+    symbols:
+      - IdpAuthnRequest.Validate
+      - ServiceProvider.ParseXMLResponse
+      - ServiceProvider.ValidateLogoutResponseForm
+      - ServiceProvider.ValidateLogoutResponseRedirect
+    derived_symbols:
+      - IdentityProvider.ServeSSO
+      - ServiceProvider.ParseResponse
+      - ServiceProvider.ValidateLogoutResponseRequest
+    versions:
+      - fixed: v0.4.3
   - module: github.com/crewjam/saml
     package: github.com/crewjam/saml/samlidp
     versions:
@@ -8,8 +19,6 @@
     package: github.com/crewjam/saml/samlsp
     versions:
       - fixed: v0.4.3
-versions:
-  - fixed: v0.4.3
 description: |
     Due to the behavior of encoding/xml, a crafted XML document may cause
     XML Digital Signature validation to be entirely bypassed, causing an
@@ -19,15 +28,6 @@
   - CVE-2020-27846
 ghsas:
   - GHSA-4hq8-gmxx-h6w9
-symbols:
-  - IdpAuthnRequest.Validate
-  - ServiceProvider.ParseXMLResponse
-  - ServiceProvider.ValidateLogoutResponseForm
-  - ServiceProvider.ValidateLogoutResponseRedirect
-derived_symbols:
-  - IdentityProvider.ServeSSO
-  - ServiceProvider.ParseResponse
-  - ServiceProvider.ValidateLogoutResponseRequest
 links:
     commit: https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053
     context:
diff --git a/reports/GO-2021-0059.yaml b/reports/GO-2021-0059.yaml
index 1b400d0..01c0f50 100644
--- a/reports/GO-2021-0059.yaml
+++ b/reports/GO-2021-0059.yaml
@@ -1,6 +1,9 @@
-module: github.com/tidwall/gjson
-versions:
-  - fixed: v1.6.4
+packages:
+  - module: github.com/tidwall/gjson
+    symbols:
+      - sqaush
+    versions:
+      - fixed: v1.6.4
 description: |
     Due to improper bounds checking, maliciously crafted JSON objects
     can cause an out-of-bounds panic. If parsing user input, this may
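Review bot: The symbol moved into `packages[0].symbols` is spelled `sqaush`, which looks like a transposition of `squash`; the refactor carries it over unchanged from the old top-level `symbols` list. If the name does not match a function in the module, symbol-level matching against this report would never fire and affected callers could go unreported. It is worth checking against the fix commit linked in the report and, if confirmed, changing the line to `- squash`.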
@@ -11,8 +14,6 @@
 ghsas:
   - GHSA-w942-gw6m-p62c
 credit: '@toptotu'
-symbols:
-  - sqaush
 links:
     commit: https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc
     context:
diff --git a/reports/GO-2021-0060.yaml b/reports/GO-2021-0060.yaml
index fccd2d2..f09b5bb 100644
--- a/reports/GO-2021-0060.yaml
+++ b/reports/GO-2021-0060.yaml
@@ -1,6 +1,14 @@
-module: github.com/russellhaering/gosaml2
-versions:
-  - fixed: v0.6.0
+packages:
+  - module: github.com/russellhaering/gosaml2
+    symbols:
+      - parseResponse
+    derived_symbols:
+      - SAMLServiceProvider.RetrieveAssertionInfo
+      - SAMLServiceProvider.ValidateEncodedLogoutRequestPOST
+      - SAMLServiceProvider.ValidateEncodedLogoutResponsePOST
+      - SAMLServiceProvider.ValidateEncodedResponse
+    versions:
+      - fixed: v0.6.0
 description: |
     Due to the behavior of encoding/xml, a crafted XML document may cause
     XML Digital Signature validation to be entirely bypassed, causing an
@@ -11,13 +19,6 @@
 ghsas:
   - GHSA-xhqq-x44f-9fgg
 credit: Juho Nurminen
-symbols:
-  - parseResponse
-derived_symbols:
-  - SAMLServiceProvider.RetrieveAssertionInfo
-  - SAMLServiceProvider.ValidateEncodedLogoutRequestPOST
-  - SAMLServiceProvider.ValidateEncodedLogoutResponsePOST
-  - SAMLServiceProvider.ValidateEncodedResponse
 links:
     commit: https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9
     context:
diff --git a/reports/GO-2021-0061.yaml b/reports/GO-2021-0061.yaml
index 4b2947c..7391528 100644
--- a/reports/GO-2021-0061.yaml
+++ b/reports/GO-2021-0061.yaml
@@ -1,5 +1,13 @@
-module: gopkg.in/yaml.v2
-additional_packages:
+packages:
+  - module: gopkg.in/yaml.v2
+    symbols:
+      - decoder.unmarshal
+    derived_symbols:
+      - Decoder.Decode
+      - Unmarshal
+      - UnmarshalStrict
+    versions:
+      - fixed: v2.2.3
   - module: github.com/go-yaml/yaml
     symbols:
       - decoder.unmarshal
@@ -7,20 +15,12 @@
       - Decoder.Decode
       - Unmarshal
       - UnmarshalStrict
-versions:
-  - fixed: v2.2.3
 description: |
     Due to unbounded alias chasing, a maliciously crafted YAML file
     can cause the system to consume significant system resources. If
     parsing user input, this may be used as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 credit: '@simonferquel'
-symbols:
-  - decoder.unmarshal
-derived_symbols:
-  - Decoder.Decode
-  - Unmarshal
-  - UnmarshalStrict
 links:
     pr: https://github.com/go-yaml/yaml/pull/375
     commit: https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
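Review bot: After this change the `github.com/go-yaml/yaml` entry in `packages` ends at `UnmarshalStrict` with no `versions:` key, while the `gopkg.in/yaml.v2` entry carries `fixed: v2.2.3`. The old file had the same gap, but now that both are peers in one list the second entry reads as having no fixed release; if consumers treat a missing range as all versions affected, users of already-fixed code under that module path would still be flagged. One line between the two hunks is not visible here, so this is inferred from the surrounding context lines. I would add a `versions:` list to that entry with `- fixed: <FIXED_VERSION_FOR_GO_YAML>` (placeholder, to be taken from the upstream tag that contains the fix commit).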
diff --git a/reports/GO-2021-0063.yaml b/reports/GO-2021-0063.yaml
index 47d74c0..d39b7f0 100644
--- a/reports/GO-2021-0063.yaml
+++ b/reports/GO-2021-0063.yaml
@@ -1,7 +1,12 @@
-module: github.com/ethereum/go-ethereum
-package: github.com/ethereum/go-ethereum/les
-versions:
-  - fixed: v1.9.25
+packages:
+  - module: github.com/ethereum/go-ethereum
+    package: github.com/ethereum/go-ethereum/les
+    symbols:
+      - serverHandler.handleMsg
+    derived_symbols:
+      - PrivateLightServerAPI.Benchmark
+    versions:
+      - fixed: v1.9.25
 description: |
     Due to a nil pointer dereference, a malicously crafted RPC message
     can cause a panic. If handling RPC messages from untrusted clients,
@@ -12,10 +17,6 @@
 ghsas:
   - GHSA-r33q-22hv-j29q
 credit: '@zsfelfoldi'
-symbols:
-  - serverHandler.handleMsg
-derived_symbols:
-  - PrivateLightServerAPI.Benchmark
 links:
     pr: https://github.com/ethereum/go-ethereum/pull/21896
     commit: https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46
diff --git a/reports/GO-2021-0064.yaml b/reports/GO-2021-0064.yaml
index 47545b2..a3c01fb 100644
--- a/reports/GO-2021-0064.yaml
+++ b/reports/GO-2021-0064.yaml
@@ -1,14 +1,16 @@
-module: k8s.io/client-go
-package: k8s.io/client-go/transport
-additional_packages:
+packages:
+  - module: k8s.io/client-go
+    package: k8s.io/client-go/transport
+    symbols:
+      - requestInfo.toCurl
+    versions:
+      - fixed: v0.20.0-alpha.2
   - module: k8s.io/kubernetes
     package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
     symbols:
       - requestInfo.toCurl
     versions:
       - fixed: v1.20.0-alpha.2
-versions:
-  - fixed: v0.20.0-alpha.2
 description: |
     Authorization tokens may be inappropriately logged if the verbosity
     level is set to a debug level.
@@ -16,8 +18,6 @@
 cves:
   - CVE-2020-8565
 credit: '@sfowl'
-symbols:
-  - requestInfo.toCurl
 links:
     pr: https://github.com/kubernetes/kubernetes/pull/95316
     commit: https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419
diff --git a/reports/GO-2021-0065.yaml b/reports/GO-2021-0065.yaml
index 8e4e453..34e20ba 100644
--- a/reports/GO-2021-0065.yaml
+++ b/reports/GO-2021-0065.yaml
@@ -1,22 +1,22 @@
-module: k8s.io/client-go
-package: k8s.io/client-go/transport
-additional_packages:
+packages:
+  - module: k8s.io/client-go
+    package: k8s.io/client-go/transport
+    symbols:
+      - debuggingRoundTripper.RoundTrip
+    versions:
+      - fixed: v0.17.0
   - module: k8s.io/kubernetes
     package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
     symbols:
       - debuggingRoundTripper.RoundTrip
     versions:
       - fixed: v1.16.0-beta.1
-versions:
-  - fixed: v0.17.0
 description: |
     Authorization tokens may be inappropriately logged if the verbosity
     level is set to a debug level.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2019-11250
-symbols:
-  - debuggingRoundTripper.RoundTrip
 links:
     pr: https://github.com/kubernetes/kubernetes/pull/81330
     commit: https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245
diff --git a/reports/GO-2021-0066.yaml b/reports/GO-2021-0066.yaml
index 775ad08..e8a84d3 100644
--- a/reports/GO-2021-0066.yaml
+++ b/reports/GO-2021-0066.yaml
@@ -1,7 +1,11 @@
-module: k8s.io/kubernetes
-package: k8s.io/kubernetes/pkg/credentialprovider
-versions:
-  - fixed: v1.20.0-alpha.1
+packages:
+  - module: k8s.io/kubernetes
+    package: k8s.io/kubernetes/pkg/credentialprovider
+    symbols:
+      - readDockerConfigFileFromBytes
+      - readDockerConfigJSONFileFromBytes
+    versions:
+      - fixed: v1.20.0-alpha.1
 description: |
     Attempting to read a malformed .dockercfg may cause secrets to be
     inappropriately logged.
@@ -9,9 +13,6 @@
 cves:
   - CVE-2020-8564
 credit: '@sfowl'
-symbols:
-  - readDockerConfigFileFromBytes
-  - readDockerConfigJSONFileFromBytes
 links:
     pr: https://github.com/kubernetes/kubernetes/pull/94712
     commit: https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634
diff --git a/reports/GO-2021-0067.yaml b/reports/GO-2021-0067.yaml
index ff551fb..82eaf03 100644
--- a/reports/GO-2021-0067.yaml
+++ b/reports/GO-2021-0067.yaml
@@ -1,8 +1,11 @@
-module: std
-package: archive/zip
-versions:
-  - introduced: go1.16
-    fixed: go1.16.1
+packages:
+  - module: std
+    package: archive/zip
+    symbols:
+      - toValidName
+    versions:
+      - introduced: go1.16
+        fixed: go1.16.1
 description: |
     Using Reader.Open on an archive containing a file with a path
     prefixed by "../" will cause a panic due to a stack overflow.
@@ -11,8 +14,6 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2021-27919
-symbols:
-  - toValidName
 links:
     pr: https://go-review.googlesource.com/c/go/+/300489
     commit: https://go.googlesource.com/go/+/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8
diff --git a/reports/GO-2021-0068.yaml b/reports/GO-2021-0068.yaml
index 34dad13..5213275 100644
--- a/reports/GO-2021-0068.yaml
+++ b/reports/GO-2021-0068.yaml
@@ -1,9 +1,10 @@
-module: std
-package: cmd/go
 do_not_export: true
-versions:
-  - fixed: go1.14.14
-  - fixed: go1.15.7
+packages:
+  - module: std
+    package: cmd/go
+    versions:
+      - fixed: go1.14.14
+      - fixed: go1.15.7
 description: |
     The go command may execute arbitrary code at build time when using cgo on Windows.
     This can be triggered by running go get on a malicious module, or any other time
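Review bot: Both ranges under the new `packages[0].versions` list give only `fixed:` (`go1.14.14` and `go1.15.7`), so as written the first range is contained in the second and the 1.14 fix is never expressed. GO-2021-0069 in this same commit bounds its 1.15 range with `introduced: go1.15`; the same shape here would be `- introduced: go1.15` followed by `fixed: go1.15.7`, assuming the 1.15 line is the intended lower bound. The report is `do_not_export: true`, so the effect is probably limited to tooling that reads the YAML directly, but the migration is a good place to correct it.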
diff --git a/reports/GO-2021-0069.yaml b/reports/GO-2021-0069.yaml
index a464507..dc8453f 100644
--- a/reports/GO-2021-0069.yaml
+++ b/reports/GO-2021-0069.yaml
@@ -1,18 +1,19 @@
-module: std
-package: math/big
-versions:
-  - introduced: go1.14
-    fixed: go1.14.12
-  - introduced: go1.15
-    fixed: go1.15.5
+packages:
+  - module: std
+    package: math/big
+    symbols:
+      - nat.divRecursiveStep
+    versions:
+      - introduced: go1.14
+        fixed: go1.14.12
+      - introduced: go1.15
+        fixed: go1.15.5
 description: |
     A number of math/big.Int methods can panic when provided large inputs due
     to a flawed division method.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2020-28362
-symbols:
-  - nat.divRecursiveStep
 links:
     pr: https://go-review.googlesource.com/c/go/+/269657
     commit: https://go.googlesource.com/go/+/1e1fa5903b760c6714ba17e50bf850b01f49135c
diff --git a/reports/GO-2021-0070.yaml b/reports/GO-2021-0070.yaml
index 66582c7..097face 100644
--- a/reports/GO-2021-0070.yaml
+++ b/reports/GO-2021-0070.yaml
@@ -1,7 +1,12 @@
-module: github.com/opencontainers/runc
-package: github.com/opencontainers/runc/libcontainer/user
-versions:
-  - fixed: v0.1.0
+packages:
+  - module: github.com/opencontainers/runc
+    package: github.com/opencontainers/runc/libcontainer/user
+    symbols:
+      - GetExecUser
+    derived_symbols:
+      - GetExecUserPath
+    versions:
+      - fixed: v0.1.0
 description: |
     GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
     improperly interpret numeric UIDs as usernames. If the method is used without
@@ -12,10 +17,6 @@
   - CVE-2016-3697
 ghsas:
   - GHSA-q3j5-32m5-58c2
-symbols:
-  - GetExecUser
-derived_symbols:
-  - GetExecUserPath
 links:
     pr: https://github.com/opencontainers/runc/pull/708
     commit: https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091
diff --git a/reports/GO-2021-0071.yaml b/reports/GO-2021-0071.yaml
index 63b2dce..0fc3c1d 100644
--- a/reports/GO-2021-0071.yaml
+++ b/reports/GO-2021-0071.yaml
@@ -1,7 +1,10 @@
-module: github.com/lxc/lxd
-package: github.com/lxc/lxd/shared
-versions:
-  - fixed: v0.0.0-20151004155856-19c6961cc101
+packages:
+  - module: github.com/lxc/lxd
+    package: github.com/lxc/lxd/shared
+    symbols:
+      - IdmapSet.doUidshiftIntoContainer
+    versions:
+      - fixed: v0.0.0-20151004155856-19c6961cc101
 description: |
     A race between chown and chmod operations during a container
     filesystem shift may allow a user who can modify the filesystem to
@@ -11,8 +14,6 @@
 cves:
   - CVE-2015-1340
 credit: Seth Arnold
-symbols:
-  - IdmapSet.doUidshiftIntoContainer
 links:
     pr: https://github.com/lxc/lxd/pull/1189
     commit: https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4
diff --git a/reports/GO-2021-0072.yaml b/reports/GO-2021-0072.yaml
index 08d757a..e7f2af1 100644
--- a/reports/GO-2021-0072.yaml
+++ b/reports/GO-2021-0072.yaml
@@ -1,6 +1,15 @@
-module: github.com/docker/distribution
-package: github.com/docker/distribution/registry/handlers
-additional_packages:
+packages:
+  - module: github.com/docker/distribution
+    package: github.com/docker/distribution/registry/handlers
+    symbols:
+      - copyFullPayload
+    derived_symbols:
+      - blobUploadHandler.PatchBlobData
+      - blobUploadHandler.PutBlobUploadComplete
+      - imageManifestHandler.GetImageManifest
+      - imageManifestHandler.PutImageManifest
+    versions:
+      - fixed: v2.7.0-rc.0+incompatible
   - module: github.com/docker/distribution
     package: github.com/docker/distribution/registry/storage
     symbols:
@@ -18,8 +27,6 @@
       - registry.Repositories
     versions:
       - fixed: v2.7.0-rc.0+incompatible
-versions:
-  - fixed: v2.7.0-rc.0+incompatible
 description: |
     Various storage methods do not impose limits on how much content is accepted
     from user requests, allowing a malicious user to force the caller to allocate
@@ -27,13 +34,6 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2017-11468
-symbols:
-  - copyFullPayload
-derived_symbols:
-  - blobUploadHandler.PatchBlobData
-  - blobUploadHandler.PutBlobUploadComplete
-  - imageManifestHandler.GetImageManifest
-  - imageManifestHandler.PutImageManifest
 links:
     pr: https://github.com/distribution/distribution/pull/2340
     commit: https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f
diff --git a/reports/GO-2021-0073.yaml b/reports/GO-2021-0073.yaml
index 289eae4..09ac192 100644
--- a/reports/GO-2021-0073.yaml
+++ b/reports/GO-2021-0073.yaml
@@ -1,7 +1,10 @@
-module: github.com/git-lfs/git-lfs
-package: github.com/git-lfs/git-lfs/lfsapi
-versions:
-  - fixed: v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
+packages:
+  - module: github.com/git-lfs/git-lfs
+    package: github.com/git-lfs/git-lfs/lfsapi
+    symbols:
+      - sshGetLFSExeAndArgs
+    versions:
+      - fixed: v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
 description: |
     Arbitrary command execution can be triggered by improperly
     sanitized SSH URLs in LFS configuration files. This can be
@@ -9,8 +12,6 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2017-17831
-symbols:
-  - sshGetLFSExeAndArgs
 links:
     pr: https://github.com/git-lfs/git-lfs/pull/2241
     commit: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
diff --git a/reports/GO-2021-0075.yaml b/reports/GO-2021-0075.yaml
index b0aad78..6748c70 100644
--- a/reports/GO-2021-0075.yaml
+++ b/reports/GO-2021-0075.yaml
@@ -1,15 +1,16 @@
-module: github.com/ethereum/go-ethereum
-package: github.com/ethereum/go-ethereum/les
-versions:
-  - fixed: v1.8.11
+packages:
+  - module: github.com/ethereum/go-ethereum
+    package: github.com/ethereum/go-ethereum/les
+    symbols:
+      - protocolManager.handleMsg
+    versions:
+      - fixed: v1.8.11
 description: |
     Due to improper argument validation in RPC messages, a maliciously crafted
     message can cause a panic, leading to denial of service.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2018-12018
-symbols:
-  - protocolManager.handleMsg
 links:
     pr: https://github.com/ethereum/go-ethereum/pull/16891
     commit: https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4
diff --git a/reports/GO-2021-0076.yaml b/reports/GO-2021-0076.yaml
index 736facf..b20eba7 100644
--- a/reports/GO-2021-0076.yaml
+++ b/reports/GO-2021-0076.yaml
@@ -1,6 +1,9 @@
-module: github.com/evanphx/json-patch
-versions:
-  - fixed: v0.5.2
+packages:
+  - module: github.com/evanphx/json-patch
+    symbols:
+      - partialArray.add
+    versions:
+      - fixed: v0.5.2
 description: |
     A malicious JSON patch can cause a panic due to an out-of-bounds
     write attempt. This can be used as a denial of service vector if
@@ -8,8 +11,6 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2018-14632
-symbols:
-  - partialArray.add
 links:
     pr: https://github.com/evanphx/json-patch/pull/57
     commit: https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03
diff --git a/reports/GO-2021-0077.yaml b/reports/GO-2021-0077.yaml
index a8f5d81..d4e8a71 100644
--- a/reports/GO-2021-0077.yaml
+++ b/reports/GO-2021-0077.yaml
@@ -1,7 +1,10 @@
-module: go.etcd.io/etcd
-package: go.etcd.io/etcd/auth
-versions:
-  - fixed: v0.5.0-alpha.5.0.20190108173120-83c051b701d3
+packages:
+  - module: go.etcd.io/etcd
+    package: go.etcd.io/etcd/auth
+    symbols:
+      - authStore.AuthInfoFromTLS
+    versions:
+      - fixed: v0.5.0-alpha.5.0.20190108173120-83c051b701d3
 description: |
     A user can use a valid client certificate that contains a CommonName that matches a
     valid RBAC username to authenticate themselves as that user, despite lacking the
@@ -10,8 +13,8 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2018-16886
-symbols:
-  - authStore.AuthInfoFromTLS
+ghsas:
+  - GHSA-h6xx-pmxh-3wgp
 links:
     pr: https://github.com/etcd-io/etcd/pull/10366
     commit: https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2
diff --git a/reports/GO-2021-0078.yaml b/reports/GO-2021-0078.yaml
index 3511cfc..dd230b9 100644
--- a/reports/GO-2021-0078.yaml
+++ b/reports/GO-2021-0078.yaml
@@ -1,7 +1,11 @@
-module: golang.org/x/net
-package: golang.org/x/net/html
-versions:
-  - fixed: v0.0.0-20180816102801-aaf60122140d
+packages:
+  - module: golang.org/x/net
+    package: golang.org/x/net/html
+    symbols:
+      - inBodyIM
+      - inFramesetIM
+    versions:
+      - fixed: v0.0.0-20180816102801-aaf60122140d
 description: |
     The HTML parser does not properly handle "in frameset" insertion mode, and can be made
     to panic when operating on malformed HTML that contains <template> tags. If operating
@@ -10,9 +14,6 @@
 cves:
   - CVE-2018-17075
 credit: Kunpei Sakai
-symbols:
-  - inBodyIM
-  - inFramesetIM
 links:
     pr: https://go-review.googlesource.com/123776
     commit: https://go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50
diff --git a/reports/GO-2021-0079.yaml b/reports/GO-2021-0079.yaml
index 1babb2e..d7d290b 100644
--- a/reports/GO-2021-0079.yaml
+++ b/reports/GO-2021-0079.yaml
@@ -1,7 +1,10 @@
-module: github.com/bytom/bytom
-package: github.com/bytom/bytom/p2p/discover
-versions:
-  - fixed: v1.0.4-0.20180831054840-1ac3c8ac4f2b
+packages:
+  - module: github.com/bytom/bytom
+    package: github.com/bytom/bytom/p2p/discover
+    symbols:
+      - Network.checkTopicRegister
+    versions:
+      - fixed: v1.0.4-0.20180831054840-1ac3c8ac4f2b
 description: |
     A malformed query can cause an out-of-bounds panic due to improper
     validation of arguments. If processing queries from untrusted
@@ -10,9 +13,9 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2018-18206
+ghsas:
+  - GHSA-vc3x-gx6c-g99f
 credit: '@yahtoo'
-symbols:
-  - Network.checkTopicRegister
 links:
     pr: https://github.com/Bytom/bytom/pull/1307
     commit: https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42
diff --git a/reports/GO-2021-0081.yaml b/reports/GO-2021-0081.yaml
index cb8c116..c902cbd 100644
--- a/reports/GO-2021-0081.yaml
+++ b/reports/GO-2021-0081.yaml
@@ -1,7 +1,10 @@
-module: github.com/containers/image
-package: github.com/containers/image/docker
-versions:
-  - fixed: v2.0.2-0.20190802080134-634605d06e73+incompatible
+packages:
+  - module: github.com/containers/image
+    package: github.com/containers/image/docker
+    symbols:
+      - dockerClient.getBearerToken
+    versions:
+      - fixed: v2.0.2-0.20190802080134-634605d06e73+incompatible
 description: |
     The HTTP client used to connect to the container registry authorization
     service explicitly disables TLS verification, allowing an attacker that
@@ -9,8 +12,8 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2019-10214
-symbols:
-  - dockerClient.getBearerToken
+ghsas:
+  - GHSA-85p9-j7c9-v4gr
 links:
     pr: https://github.com/containers/image/pull/669
     commit: https://github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf
diff --git a/reports/GO-2021-0082.yaml b/reports/GO-2021-0082.yaml
index ec5f9fe..af31db5 100644
--- a/reports/GO-2021-0082.yaml
+++ b/reports/GO-2021-0082.yaml
@@ -1,7 +1,8 @@
-module: github.com/facebook/fbthrift
-package: github.com/facebook/fbthrift/thrift/lib/go/thrift
-versions:
-  - fixed: v0.31.1-0.20200311080807-483ed864d69f
+packages:
+  - module: github.com/facebook/fbthrift
+    package: github.com/facebook/fbthrift/thrift/lib/go/thrift
+    versions:
+      - fixed: v0.31.1-0.20200311080807-483ed864d69f
 description: |
     Thirft Servers preallocate memory for the declared size of messages before
     checking the actual size of the message. This allows a malicious user to
diff --git a/reports/GO-2021-0083.yaml b/reports/GO-2021-0083.yaml
index 16dd141..e4a40ee 100644
--- a/reports/GO-2021-0083.yaml
+++ b/reports/GO-2021-0083.yaml
@@ -1,7 +1,10 @@
-module: github.com/hybridgroup/gobot
-package: github.com/hybridgroup/gobot/platforms/mqtt
-versions:
-  - fixed: v1.12.1-0.20190521122906-c1aa4f867846
+packages:
+  - module: github.com/hybridgroup/gobot
+    package: github.com/hybridgroup/gobot/platforms/mqtt
+    symbols:
+      - Adaptor.newTLSConfig
+    versions:
+      - fixed: v1.12.1-0.20190521122906-c1aa4f867846
 description: |
     TLS certificate verification is skipped when connecting to a MQTT server.
     This allows an attacker who can MITM the connection to read, or forge,
@@ -9,8 +12,6 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2019-12496
-symbols:
-  - Adaptor.newTLSConfig
 links:
     commit: https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f
     context:
diff --git a/reports/GO-2021-0084.yaml b/reports/GO-2021-0084.yaml
index 0d5de51..57c039a 100644
--- a/reports/GO-2021-0084.yaml
+++ b/reports/GO-2021-0084.yaml
@@ -1,7 +1,11 @@
-module: github.com/astaxie/beego
-package: github.com/astaxie/beego/session
-versions:
-  - fixed: v1.12.2-0.20200613154013-bac2b31afecc
+packages:
+  - module: github.com/astaxie/beego
+    package: github.com/astaxie/beego/session
+    symbols:
+      - FileProvider.SessionRead
+      - FileProvider.SessionRegenerate
+    versions:
+      - fixed: v1.12.2-0.20200613154013-bac2b31afecc
 description: |
     Session data is stored using permissive permissions, allowing local users
     with filesystem access to read arbitrary data.
@@ -11,9 +15,6 @@
 ghsas:
   - GHSA-f6px-w8rh-7r89
 credit: '@nicowaisman'
-symbols:
-  - FileProvider.SessionRead
-  - FileProvider.SessionRegenerate
 links:
     pr: https://github.com/beego/beego/pull/3975
     commit: https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1
diff --git a/reports/GO-2021-0085.yaml b/reports/GO-2021-0085.yaml
index 821855e..c8c4405 100644
--- a/reports/GO-2021-0085.yaml
+++ b/reports/GO-2021-0085.yaml
@@ -1,12 +1,12 @@
-module: github.com/opencontainers/runc
-package: github.com/opencontainers/runc/libcontainer
-additional_packages:
+packages:
+  - module: github.com/opencontainers/runc
+    package: github.com/opencontainers/runc/libcontainer
+    versions:
+      - fixed: v1.0.0-rc8.0.20190930145003-cad42f6e0932
   - module: github.com/opencontainers/selinux
     package: github.com/opencontainers/selinux/go-selinux
     versions:
       - fixed: v1.3.1-0.20190929122143-5215b1806f52
-versions:
-  - fixed: v1.0.0-rc8.0.20190930145003-cad42f6e0932
 description: |
     AppArmor restrictions may be bypassed due to improper validation of mount
     targets, allowing a malicious image to mount volumes over e.g. /proc.
diff --git a/reports/GO-2021-0086.yaml b/reports/GO-2021-0086.yaml
index 6bca1ec..c7b07a4 100644
--- a/reports/GO-2021-0086.yaml
+++ b/reports/GO-2021-0086.yaml
@@ -1,7 +1,10 @@
-module: github.com/documize/community
-package: github.com/documize/community/domain/section/markdown
-versions:
-  - fixed: v1.76.3-0.20191119114751-a4384210d4d0
+packages:
+  - module: github.com/documize/community
+    package: github.com/documize/community/domain/section/markdown
+    symbols:
+      - Provider.Render
+    versions:
+      - fixed: v1.76.3-0.20191119114751-a4384210d4d0
 description: |
     HTML content in markdown is not santized during rendering, possibly allowing
     XSS if used to render untrusted user input.
@@ -10,7 +13,5 @@
   - CVE-2019-19619
 ghsas:
   - GHSA-wmwp-pggc-h4mj
-symbols:
-  - Provider.Render
 links:
     commit: https://github.com/documize/community/commit/a4384210d4d0d6b18e6fdb7e155de96d4a1cf9f3
diff --git a/reports/GO-2021-0087.yaml b/reports/GO-2021-0087.yaml
index be632d3..1672e00 100644
--- a/reports/GO-2021-0087.yaml
+++ b/reports/GO-2021-0087.yaml
@@ -1,7 +1,10 @@
-module: github.com/opencontainers/runc
-package: github.com/opencontainers/runc/libcontainer
-versions:
-  - fixed: v1.0.0-rc9.0.20200122160610-2fc03cc11c77
+packages:
+  - module: github.com/opencontainers/runc
+    package: github.com/opencontainers/runc/libcontainer
+    symbols:
+      - mountToRootfs
+    versions:
+      - fixed: v1.0.0-rc9.0.20200122160610-2fc03cc11c77
 description: |
     A race while mounting volumes allows a possible symlink-exchange
     attack, allowing a user whom can start multiple containers with
@@ -12,8 +15,6 @@
 ghsas:
   - GHSA-fh74-hm69-rqjw
 credit: Leopold Schabel
-symbols:
-  - mountToRootfs
 links:
     pr: https://github.com/opencontainers/runc/pull/2207
     commit: https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
diff --git a/reports/GO-2021-0088.yaml b/reports/GO-2021-0088.yaml
index 374c5ef..ce1532c 100644
--- a/reports/GO-2021-0088.yaml
+++ b/reports/GO-2021-0088.yaml
@@ -1,7 +1,10 @@
-module: github.com/facebook/fbthrift
-package: github.com/facebook/fbthrift/thrift/lib/go/thrift
-versions:
-  - fixed: v0.31.1-0.20190225164308-c461c1bd1a3e
+packages:
+  - module: github.com/facebook/fbthrift
+    package: github.com/facebook/fbthrift/thrift/lib/go/thrift
+    symbols:
+      - Skip
+    versions:
+      - fixed: v0.31.1-0.20190225164308-c461c1bd1a3e
 description: |
     Skip ignores unknown fields, rather than failing. A malicious user can craft small
     messages with unknown fields which can take significant resources to parse. If a
@@ -10,8 +13,8 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2019-3564
-symbols:
-  - Skip
+ghsas:
+  - GHSA-x4rg-4545-4w7w
 links:
     commit: https://github.com/facebook/fbthrift/commit/c461c1bd1a3e130b181aa9c854da3030cd4b5156
     context:
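Review bot: The added `ghsas:` entry `GHSA-x4rg-4545-4w7w` is a data change rather than part of the field move this commit describes, and the commit message does not mention it. It sits where the removed `symbols:` lines were, so it is easy to miss among the mechanical edits to the other report files. I would either split it into its own change or add a line to the description such as `Also add the missing GHSA alias to GO-2021-0088.`, so the alias can be checked against CVE-2019-3564 on its own.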
diff --git a/reports/GO-2021-0089.yaml b/reports/GO-2021-0089.yaml
index 2923c8f..4c63182 100644
--- a/reports/GO-2021-0089.yaml
+++ b/reports/GO-2021-0089.yaml
@@ -1,6 +1,9 @@
-module: github.com/buger/jsonparser
-versions:
-  - fixed: v0.0.0-20200321185410-91ac96899e49
+packages:
+  - module: github.com/buger/jsonparser
+    symbols:
+      - findKeyStart
+    versions:
+      - fixed: v0.0.0-20200321185410-91ac96899e49
 description: |
     Parsing malformed JSON which contain opening brackets, but not closing brackets,
     leads to an infinite loop. If operating on untrusted user input this can be
@@ -11,8 +14,6 @@
 ghsas:
   - GHSA-rmh2-65xw-9m6q
 credit: Cong Wang
-symbols:
-  - findKeyStart
 links:
     pr: https://github.com/buger/jsonparser/pull/192
     commit: https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717
diff --git a/reports/GO-2021-0090.yaml b/reports/GO-2021-0090.yaml
index b5159ce..35a316b 100644
--- a/reports/GO-2021-0090.yaml
+++ b/reports/GO-2021-0090.yaml
@@ -1,8 +1,13 @@
-module: github.com/tendermint/tendermint
-package: github.com/tendermint/tendermint/types
-versions:
-  - introduced: v0.33.0
-    fixed: v0.34.0-dev1.0.20200702134149-480b995a3172
+packages:
+  - module: github.com/tendermint/tendermint
+    package: github.com/tendermint/tendermint/types
+    symbols:
+      - VoteSet.MakeCommit
+    derived_symbols:
+      - MakeCommit
+    versions:
+      - introduced: v0.33.0
+        fixed: v0.34.0-dev1.0.20200702134149-480b995a3172
 description: |
     Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping
     these signatures, they cause failure during verification. A malicious proposer can use this to force
@@ -13,10 +18,6 @@
 ghsas:
   - GHSA-6jqj-f58p-mrw3
 credit: Neeraj Murarka
-symbols:
-  - VoteSet.MakeCommit
-derived_symbols:
-  - MakeCommit
 links:
     pr: https://github.com/tendermint/tendermint/pull/5426
     commit: https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340
diff --git a/reports/GO-2021-0091.yaml b/reports/GO-2021-0091.yaml
index 598e59b..afc277e 100644
--- a/reports/GO-2021-0091.yaml
+++ b/reports/GO-2021-0091.yaml
@@ -1,6 +1,9 @@
-module: github.com/gofiber/fiber
-versions:
-  - fixed: v1.12.6-0.20200710202935-a8ad5454363f
+packages:
+  - module: github.com/gofiber/fiber
+    symbols:
+      - Ctx.Attachment
+    versions:
+      - fixed: v1.12.6-0.20200710202935-a8ad5454363f
 description: |
     Due to improper input validation when uploading a file, a malicious user may
     force the server to return arbitrary HTTP headers when the uploaded
@@ -11,8 +14,6 @@
 ghsas:
   - GHSA-9cx9-x2gp-9qvh
 credit: Hasibul Hasan and Abdullah Shaleh
-symbols:
-  - Ctx.Attachment
 links:
     pr: github.com/gofiber/fiber/pull/579
     commit: https://github.com/gofiber/fiber/commit/a8ad5454363f627c3f9469c56c5faaf1b943f06a
diff --git a/reports/GO-2021-0092.yaml b/reports/GO-2021-0092.yaml
index ddf9f79..3e58153 100644
--- a/reports/GO-2021-0092.yaml
+++ b/reports/GO-2021-0092.yaml
@@ -1,6 +1,12 @@
-module: github.com/ory/fosite
-versions:
-  - fixed: v0.31.0
+packages:
+  - module: github.com/ory/fosite
+    symbols:
+      - Fosite.AuthenticateClient
+    derived_symbols:
+      - Fosite.NewAccessRequest
+      - Fosite.NewRevocationRequest
+    versions:
+      - fixed: v0.31.0
 description: |
     Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
     replayed.
@@ -9,11 +15,6 @@
   - CVE-2020-15222
 ghsas:
   - GHSA-v3q9-2p3m-7g43
-symbols:
-  - Fosite.AuthenticateClient
-derived_symbols:
-  - Fosite.NewAccessRequest
-  - Fosite.NewRevocationRequest
 links:
     commit: https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9
     context:
diff --git a/reports/GO-2021-0094.yaml b/reports/GO-2021-0094.yaml
index 2fdfc12..85ed58d 100644
--- a/reports/GO-2021-0094.yaml
+++ b/reports/GO-2021-0094.yaml
@@ -1,6 +1,9 @@
-module: github.com/hashicorp/go-slug
-versions:
-  - fixed: v0.5.0
+packages:
+  - module: github.com/hashicorp/go-slug
+    symbols:
+      - Unpack
+    versions:
+      - fixed: v0.5.0
 description: |
     Protections against directory traversal during archive extraction can be
     bypassed by chaining multiple symbolic links within the archive. This allows
@@ -11,8 +14,6 @@
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2020-29529
-symbols:
-  - Unpack
 links:
     pr: https://github.com/hashicorp/go-slug/pull/12
     commit: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
diff --git a/reports/GO-2021-0095.yaml b/reports/GO-2021-0095.yaml
index 3b6eb23..74a07c9 100644
--- a/reports/GO-2021-0095.yaml
+++ b/reports/GO-2021-0095.yaml
@@ -1,7 +1,10 @@
-module: github.com/google/go-tpm
-package: github.com/google/go-tpm/tpm
-versions:
-  - fixed: v0.3.0
+packages:
+  - module: github.com/google/go-tpm
+    package: github.com/google/go-tpm/tpm
+    symbols:
+      - CreateWrapKey
+    versions:
+      - fixed: v0.3.0
 description: |
     Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
     is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
@@ -12,8 +15,6 @@
 ghsas:
   - GHSA-5x29-3hr9-6wpw
 credit: Chris Fenner
-symbols:
-  - CreateWrapKey
 links:
     pr: https://github.com/google/go-tpm/pull/195
     commit: https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141
diff --git a/reports/GO-2021-0096.yaml b/reports/GO-2021-0096.yaml
index 13907fe..18cbc2f 100644
--- a/reports/GO-2021-0096.yaml
+++ b/reports/GO-2021-0096.yaml
@@ -1,6 +1,7 @@
-module: github.com/proglottis/gpgme
-versions:
-  - fixed: v0.1.1
+packages:
+  - module: github.com/proglottis/gpgme
+    versions:
+      - fixed: v0.1.1
 description: |
     Due to improper setting of finalizers, memory passed to C may be freed before it is used,
     leading to crashes due to memory corruption or possible code execution.
diff --git a/reports/GO-2021-0097.yaml b/reports/GO-2021-0097.yaml
index 0fbf97e..8a05206 100644
--- a/reports/GO-2021-0097.yaml
+++ b/reports/GO-2021-0097.yaml
@@ -1,6 +1,12 @@
-module: github.com/dhowden/tag
-versions:
-  - fixed: v0.0.0-20201120070457-d52dcb253c63
+packages:
+  - module: github.com/dhowden/tag
+    symbols:
+      - readPICFrame
+      - readAPICFrame
+      - readTextWithDescrFrame
+      - readAtomData
+    versions:
+      - fixed: v0.0.0-20201120070457-d52dcb253c63
 description: |
     Due to improper bounds checking, a number of methods can trigger a panic due to attempted
     out-of-bounds reads. If the package is used to parse user supplied input, this may be
@@ -12,11 +18,6 @@
   - CVE-2020-29244
   - CVE-2020-29245
 credit: '@Jayl1n'
-symbols:
-  - readPICFrame
-  - readAPICFrame
-  - readTextWithDescrFrame
-  - readAtomData
 links:
     commit: https://github.com/dhowden/tag/commit/d52dcb253c63a153632bfee5f269dd411dcd8e96
     context:
diff --git a/reports/GO-2021-0098.yaml b/reports/GO-2021-0098.yaml
index 564f564..b353d71 100644
--- a/reports/GO-2021-0098.yaml
+++ b/reports/GO-2021-0098.yaml
@@ -1,6 +1,10 @@
-module: github.com/git-lfs/git-lfs
-package: github.com/git-lfs/git-lfs/commands
-additional_packages:
+packages:
+  - module: github.com/git-lfs/git-lfs
+    package: github.com/git-lfs/git-lfs/commands
+    symbols:
+      - PipeCommand
+    versions:
+      - fixed: v1.5.1-0.20210113180018-fc664697ed2c
   - module: github.com/git-lfs/git-lfs
     package: github.com/git-lfs/git-lfs/creds
     symbols:
@@ -20,8 +24,6 @@
       - sshAuthClient.Resolve
     versions:
       - fixed: v1.5.1-0.20210113180018-fc664697ed2c
-versions:
-  - fixed: v1.5.1-0.20210113180018-fc664697ed2c
 description: |
     Due to the standard library behavior of exec.LookPath on Windows a number of methods may
     result in arbitrary code execution when cloning or operating on untrusted Git repositories.
@@ -31,8 +33,6 @@
 ghsas:
   - GHSA-cx3w-xqmc-84g5
 credit: '@Ry0taK'
-symbols:
-  - PipeCommand
 os:
   - windows
 links:
diff --git a/reports/GO-2021-0099.yaml b/reports/GO-2021-0099.yaml
index caff1dc..fe3896c 100644
--- a/reports/GO-2021-0099.yaml
+++ b/reports/GO-2021-0099.yaml
@@ -1,7 +1,12 @@
-module: github.com/deislabs/oras
-package: github.com/deislabs/oras/pkg/content
-versions:
-  - fixed: v0.9.0
+packages:
+  - module: github.com/deislabs/oras
+    package: github.com/deislabs/oras/pkg/content
+    symbols:
+      - extractTarDirectory
+    derived_symbols:
+      - fileWriter.Commit
+    versions:
+      - fixed: v0.9.0
 description: |
     Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore
     content store may result in directory traversal during archive extraction, allowing a
@@ -12,10 +17,6 @@
 ghsas:
   - GHSA-g5v4-5x39-vwhx
 credit: Chris Smowton
-symbols:
-  - extractTarDirectory
-derived_symbols:
-  - fileWriter.Commit
 links:
     commit: https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
     context:
diff --git a/reports/GO-2021-0100.yaml b/reports/GO-2021-0100.yaml
index 61ddb66..f7fbe59 100644
--- a/reports/GO-2021-0100.yaml
+++ b/reports/GO-2021-0100.yaml
@@ -1,7 +1,24 @@
-module: github.com/containers/storage
-package: github.com/containers/storage/pkg/archive
-versions:
-  - fixed: v1.28.1
+packages:
+  - module: github.com/containers/storage
+    package: github.com/containers/storage/pkg/archive
+    symbols:
+      - cmdStream
+    derived_symbols:
+      - ApplyLayer
+      - ApplyUncompressedLayer
+      - Archiver.CopyFileWithTar
+      - Archiver.CopyWithTar
+      - Archiver.TarUntar
+      - Archiver.UntarPath
+      - CopyResource
+      - CopyTo
+      - DecompressStream
+      - IsArchivePath
+      - Untar
+      - UntarPath
+      - UntarUncompressed
+    versions:
+      - fixed: v1.28.1
 description: |
     Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream
     on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker
@@ -13,22 +30,6 @@
 ghsas:
   - GHSA-7qw8-847f-pggm
 credit: Aviv Sasson (Palo Alto Networks)
-symbols:
-  - cmdStream
-derived_symbols:
-  - ApplyLayer
-  - ApplyUncompressedLayer
-  - Archiver.CopyFileWithTar
-  - Archiver.CopyWithTar
-  - Archiver.TarUntar
-  - Archiver.UntarPath
-  - CopyResource
-  - CopyTo
-  - DecompressStream
-  - IsArchivePath
-  - Untar
-  - UntarPath
-  - UntarUncompressed
 links:
     pr: https://github.com/containers/storage/pull/860
     commit: https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
diff --git a/reports/GO-2021-0101.yaml b/reports/GO-2021-0101.yaml
index cd8362c..22799e5 100644
--- a/reports/GO-2021-0101.yaml
+++ b/reports/GO-2021-0101.yaml
@@ -1,8 +1,58 @@
-module: github.com/apache/thrift
-package: github.com/apache/thrift/lib/go/thrift
-versions:
-  - introduced: v0.0.0-20151001171628-53dd39833a08
-  - fixed: v0.13.0
+packages:
+  - module: github.com/apache/thrift
+    package: github.com/apache/thrift/lib/go/thrift
+    symbols:
+      - TSimpleJSONProtocol.safePeekContains
+    derived_symbols:
+      - Skip
+      - SkipDefaultDepth
+      - TJSONProtocol.ParseElemListBegin
+      - TJSONProtocol.ReadBool
+      - TJSONProtocol.ReadByte
+      - TJSONProtocol.ReadDouble
+      - TJSONProtocol.ReadFieldBegin
+      - TJSONProtocol.ReadFieldEnd
+      - TJSONProtocol.ReadI16
+      - TJSONProtocol.ReadI32
+      - TJSONProtocol.ReadI64
+      - TJSONProtocol.ReadListBegin
+      - TJSONProtocol.ReadListEnd
+      - TJSONProtocol.ReadMapBegin
+      - TJSONProtocol.ReadMapEnd
+      - TJSONProtocol.ReadMessageBegin
+      - TJSONProtocol.ReadMessageEnd
+      - TJSONProtocol.ReadSetBegin
+      - TJSONProtocol.ReadSetEnd
+      - TJSONProtocol.ReadStructBegin
+      - TJSONProtocol.ReadStructEnd
+      - TSimpleJSONProtocol.ParseElemListBegin
+      - TSimpleJSONProtocol.ParseF64
+      - TSimpleJSONProtocol.ParseI64
+      - TSimpleJSONProtocol.ParseListBegin
+      - TSimpleJSONProtocol.ParseListEnd
+      - TSimpleJSONProtocol.ParseObjectEnd
+      - TSimpleJSONProtocol.ParseObjectStart
+      - TSimpleJSONProtocol.ReadByte
+      - TSimpleJSONProtocol.ReadDouble
+      - TSimpleJSONProtocol.ReadI16
+      - TSimpleJSONProtocol.ReadI32
+      - TSimpleJSONProtocol.ReadI64
+      - TSimpleJSONProtocol.ReadListBegin
+      - TSimpleJSONProtocol.ReadListEnd
+      - TSimpleJSONProtocol.ReadMapBegin
+      - TSimpleJSONProtocol.ReadMapEnd
+      - TSimpleJSONProtocol.ReadMessageBegin
+      - TSimpleJSONProtocol.ReadMessageEnd
+      - TSimpleJSONProtocol.ReadSetBegin
+      - TSimpleJSONProtocol.ReadSetEnd
+      - TSimpleJSONProtocol.ReadStructBegin
+      - TSimpleJSONProtocol.ReadStructEnd
+      - TStandardClient.Call
+      - TStandardClient.Recv
+      - tApplicationException.Read
+    versions:
+      - introduced: v0.0.0-20151001171628-53dd39833a08
+      - fixed: v0.13.0
 description: |
     Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If
     this package is used to parse untrusted input, this may be used as a vector for a denial of
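Review bot: The `versions` list in the new `packages` entry keeps `introduced` and `fixed` as two separate list items (`- introduced: v0.0.0-20151001171628-53dd39833a08` then `- fixed: v0.13.0`), which reads as two ranges, one with no upper bound and one with no lower bound, rather than a single bounded range. If a consumer treats each item as its own range, which I cannot confirm from this hunk, every version would match, including v0.13.0 and later. GO-2021-0090 in this same change uses the single-item form, so I would write `- introduced: v0.0.0-20151001171628-53dd39833a08` with `fixed: v0.13.0` as a second key of that same item. The same shape is carried over in the first hunks of GO-2021-0103 and GO-2021-0105. It predates this commit, but the migration rewrites these lines anyway.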
@@ -12,55 +62,6 @@
   - CVE-2019-0210
 ghsas:
   - GHSA-jq7p-26h5-w78r
-symbols:
-  - TSimpleJSONProtocol.safePeekContains
-derived_symbols:
-  - Skip
-  - SkipDefaultDepth
-  - TJSONProtocol.ParseElemListBegin
-  - TJSONProtocol.ReadBool
-  - TJSONProtocol.ReadByte
-  - TJSONProtocol.ReadDouble
-  - TJSONProtocol.ReadFieldBegin
-  - TJSONProtocol.ReadFieldEnd
-  - TJSONProtocol.ReadI16
-  - TJSONProtocol.ReadI32
-  - TJSONProtocol.ReadI64
-  - TJSONProtocol.ReadListBegin
-  - TJSONProtocol.ReadListEnd
-  - TJSONProtocol.ReadMapBegin
-  - TJSONProtocol.ReadMapEnd
-  - TJSONProtocol.ReadMessageBegin
-  - TJSONProtocol.ReadMessageEnd
-  - TJSONProtocol.ReadSetBegin
-  - TJSONProtocol.ReadSetEnd
-  - TJSONProtocol.ReadStructBegin
-  - TJSONProtocol.ReadStructEnd
-  - TSimpleJSONProtocol.ParseElemListBegin
-  - TSimpleJSONProtocol.ParseF64
-  - TSimpleJSONProtocol.ParseI64
-  - TSimpleJSONProtocol.ParseListBegin
-  - TSimpleJSONProtocol.ParseListEnd
-  - TSimpleJSONProtocol.ParseObjectEnd
-  - TSimpleJSONProtocol.ParseObjectStart
-  - TSimpleJSONProtocol.ReadByte
-  - TSimpleJSONProtocol.ReadDouble
-  - TSimpleJSONProtocol.ReadI16
-  - TSimpleJSONProtocol.ReadI32
-  - TSimpleJSONProtocol.ReadI64
-  - TSimpleJSONProtocol.ReadListBegin
-  - TSimpleJSONProtocol.ReadListEnd
-  - TSimpleJSONProtocol.ReadMapBegin
-  - TSimpleJSONProtocol.ReadMapEnd
-  - TSimpleJSONProtocol.ReadMessageBegin
-  - TSimpleJSONProtocol.ReadMessageEnd
-  - TSimpleJSONProtocol.ReadSetBegin
-  - TSimpleJSONProtocol.ReadSetEnd
-  - TSimpleJSONProtocol.ReadStructBegin
-  - TSimpleJSONProtocol.ReadStructEnd
-  - TStandardClient.Call
-  - TStandardClient.Recv
-  - tApplicationException.Read
 links:
     commit: https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2
     context:
diff --git a/reports/GO-2021-0102.yaml b/reports/GO-2021-0102.yaml
index 9ddacd5..a239896 100644
--- a/reports/GO-2021-0102.yaml
+++ b/reports/GO-2021-0102.yaml
@@ -1,14 +1,16 @@
-module: code.cloudfoundry.org/gorouter
-package: code.cloudfoundry.org/gorouter/common/secure
-additional_packages:
+packages:
+  - module: code.cloudfoundry.org/gorouter
+    package: code.cloudfoundry.org/gorouter/common/secure
+    symbols:
+      - AesGCM.Decrypt
+    versions:
+      - fixed: v0.0.0-20191101214924-b1b5c44e050f
   - module: github.com/cloudfoundry/gorouter
     package: github.com/cloudfoundry/gorouter/common/secure
     symbols:
       - AesGCM.Decrypt
     versions:
       - fixed: v0.0.0-20191101214924-b1b5c44e050f
-versions:
-  - fixed: v0.0.0-20191101214924-b1b5c44e050f
 description: |
     Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect
     nonce size. If this package is used to decrypt user supplied messages without checking the size of
@@ -18,8 +20,6 @@
   - CVE-2019-11289
 ghsas:
   - GHSA-5796-p3m6-9qj4
-symbols:
-  - AesGCM.Decrypt
 links:
     commit: https://github.com/cloudfoundry/gorouter/commit/b1b5c44e050f73b399b379ca63a42a2c5780a83f
     context:
diff --git a/reports/GO-2021-0103.yaml b/reports/GO-2021-0103.yaml
index 7e4a416..d10c2e3 100644
--- a/reports/GO-2021-0103.yaml
+++ b/reports/GO-2021-0103.yaml
@@ -1,7 +1,17 @@
-module: github.com/holiman/uint256
-versions:
-  - introduced: v0.1.0
-  - fixed: v1.1.1
+packages:
+  - module: github.com/holiman/uint256
+    symbols:
+      - udivrem
+    derived_symbols:
+      - Int.AddMod
+      - Int.Div
+      - Int.Mod
+      - Int.MulMod
+      - Int.SDiv
+      - Int.SMod
+    versions:
+      - introduced: v0.1.0
+      - fixed: v1.1.1
 description: |
     Due to improper bounds checking, certain mathmatical operations can cause a panic via an
     out of bounds read. If this package is used to process untrusted user inputs, this may be used
@@ -12,15 +22,6 @@
 ghsas:
   - GHSA-jm5c-rv3w-w83m
 credit: Dima Stebaev
-symbols:
-  - udivrem
-derived_symbols:
-  - Int.AddMod
-  - Int.Div
-  - Int.Mod
-  - Int.MulMod
-  - Int.SDiv
-  - Int.SMod
 links:
     pr: https://github.com/holiman/uint256/pull/80
     commit: https://github.com/holiman/uint256/commit/6785da6e3eea403260a5760029e722aa4ff1716d
diff --git a/reports/GO-2021-0104.yaml b/reports/GO-2021-0104.yaml
index 75bc45f..d6bb98f 100644
--- a/reports/GO-2021-0104.yaml
+++ b/reports/GO-2021-0104.yaml
@@ -1,6 +1,18 @@
-module: github.com/pion/webrtc/v3
-versions:
-  - fixed: v3.0.15
+packages:
+  - module: github.com/pion/webrtc/v3
+    symbols:
+      - DTLSTransport.Start
+    derived_symbols:
+      - PeerConnection.AddTrack
+      - PeerConnection.AddTransceiverFromTrack
+      - PeerConnection.CreateDataChannel
+      - PeerConnection.RemoveTrack
+      - PeerConnection.SetLocalDescription
+      - PeerConnection.SetRemoteDescription
+      - operations.Done
+      - operations.Enqueue
+    versions:
+      - fixed: v3.0.15
 description: |
     Due to improper error handling, DTLS connections were not killed when certificate verification
     failed, causing users who did not check the connection state to continue to use the connection.
@@ -12,17 +24,6 @@
 ghsas:
   - GHSA-74xm-qj29-cq8p
 credit: Gaukas Wang (@Gaukas)
-symbols:
-  - DTLSTransport.Start
-derived_symbols:
-  - PeerConnection.AddTrack
-  - PeerConnection.AddTransceiverFromTrack
-  - PeerConnection.CreateDataChannel
-  - PeerConnection.RemoveTrack
-  - PeerConnection.SetLocalDescription
-  - PeerConnection.SetRemoteDescription
-  - operations.Done
-  - operations.Enqueue
 links:
     pr: https://github.com/pion/webrtc/pull/1709
     commit: https://github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e
diff --git a/reports/GO-2021-0105.yaml b/reports/GO-2021-0105.yaml
index 61dbcea..1e77b8f 100644
--- a/reports/GO-2021-0105.yaml
+++ b/reports/GO-2021-0105.yaml
@@ -1,8 +1,11 @@
-module: github.com/ethereum/go-ethereum
-package: github.com/ethereum/go-ethereum/core
-versions:
-  - introduced: v1.9.4
-  - fixed: v1.9.20
+packages:
+  - module: github.com/ethereum/go-ethereum
+    package: github.com/ethereum/go-ethereum/core
+    symbols:
+      - StateDB.createObject
+    versions:
+      - introduced: v1.9.4
+      - fixed: v1.9.20
 description: |
     Due to an incorrect state calculation, a specific set of transactions could cause a consensus disagreement,
     causing users of this package to reject a canonical chain.
@@ -12,8 +15,6 @@
 ghsas:
   - GHSA-xw37-57qp-9mm4
 credit: John Youngseok Yang (Software Platform Lab)
-symbols:
-  - StateDB.createObject
 links:
     pr: https://github.com/ethereum/go-ethereum/pull/21080
     commit: https://github.com/ethereum/go-ethereum/commit/87c0ba92136a75db0ab2aba1046d4a9860375d6a
diff --git a/reports/GO-2021-0106.yaml b/reports/GO-2021-0106.yaml
index 41290bb..1f0158f 100644
--- a/reports/GO-2021-0106.yaml
+++ b/reports/GO-2021-0106.yaml
@@ -1,13 +1,14 @@
-module: github.com/whyrusleeping/tar-utils
-versions:
-  - fixed: v0.0.0-20201201191210-20a61371de5b
+packages:
+  - module: github.com/whyrusleeping/tar-utils
+    symbols:
+      - Extractor.outputPath
+    versions:
+      - fixed: v0.0.0-20201201191210-20a61371de5b
 description: |
     Due to improper path santization, archives containing relative file
     paths can cause files to be written (or overwritten) outside of the
     target directory.
 published: 2021-07-28T18:08:05Z
-symbols:
-  - Extractor.outputPath
 links:
     commit: https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227
     context:
diff --git a/reports/GO-2021-0107.yaml b/reports/GO-2021-0107.yaml
index 0a1825c..f0f8117 100644
--- a/reports/GO-2021-0107.yaml
+++ b/reports/GO-2021-0107.yaml
@@ -1,15 +1,16 @@
-module: github.com/ecnepsnai/web
-versions:
-  - fixed: v1.5.2
+packages:
+  - module: github.com/ecnepsnai/web
+    symbols:
+      - Server.socketHandler
+    derived_symbols:
+      - Server.Socket
+    versions:
+      - fixed: v1.5.2
 description: |
     Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a
     nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or
     authentication bypass.
 published: 2021-07-28T18:08:05Z
-symbols:
-  - Server.socketHandler
-derived_symbols:
-  - Server.Socket
 links:
     commit: https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
     context:
diff --git a/reports/GO-2021-0108.yaml b/reports/GO-2021-0108.yaml
index 2b08218..3986867 100644
--- a/reports/GO-2021-0108.yaml
+++ b/reports/GO-2021-0108.yaml
@@ -1,6 +1,9 @@
-module: github.com/gofiber/fiber
-versions:
-  - fixed: v1.12.6
+packages:
+  - module: github.com/gofiber/fiber
+    symbols:
+      - Ctx.Attachment
+    versions:
+      - fixed: v1.12.6
 description: |
     Due to improper input sanitization, a maliciously constructed filename could cause a file
     download to use an attacker controlled filename, as well as injecting additional headers
@@ -11,8 +14,6 @@
 ghsas:
   - GHSA-9cx9-x2gp-9qvh
 credit: Hasibul Hasan and Abdullah Shaleh
-symbols:
-  - Ctx.Attachment
 links:
     pr: https://github.com/gofiber/fiber/pull/579
     commit: https://github.com/gofiber/fiber/commit/f698b5d5066cfe594102ae252cd58a1fe57cf56f
diff --git a/reports/GO-2021-0109.yaml b/reports/GO-2021-0109.yaml
index 93aa159..1c9a570 100644
--- a/reports/GO-2021-0109.yaml
+++ b/reports/GO-2021-0109.yaml
@@ -1,6 +1,9 @@
-module: github.com/ory/fosite
-versions:
-  - fixed: v0.34.0
+packages:
+  - module: github.com/ory/fosite
+    symbols:
+      - TokenRevocationHandler.RevokeToken
+    versions:
+      - fixed: v0.34.0
 description: |
     Due to improper error handling, an error with the underlying token storage may cause a user
     to believe a token has been successfully revoked when it is in fact still valid. An attackers
@@ -10,8 +13,6 @@
   - CVE-2020-15223
 ghsas:
   - GHSA-7mqr-2v3q-v2wm
-symbols:
-  - TokenRevocationHandler.RevokeToken
 links:
     commit: https://github.com/ory/fosite/commit/03dd55813f5521985f7dd64277b7ba0cf1441319
     context:
diff --git a/reports/GO-2021-0110.yaml b/reports/GO-2021-0110.yaml
index 675792a..ea85c9a 100644
--- a/reports/GO-2021-0110.yaml
+++ b/reports/GO-2021-0110.yaml
@@ -1,6 +1,12 @@
-module: github.com/ory/fosite
-versions:
-  - fixed: v0.31.0
+packages:
+  - module: github.com/ory/fosite
+    symbols:
+      - Fosite.AuthenticateClient
+    derived_symbols:
+      - Fosite.NewAccessRequest
+      - Fosite.NewRevocationRequest
+    versions:
+      - fixed: v0.31.0
 description: |
     Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
     replayed.
@@ -9,11 +15,6 @@
   - CVE-2020-15222
 ghsas:
   - GHSA-v3q9-2p3m-7g43
-symbols:
-  - Fosite.AuthenticateClient
-derived_symbols:
-  - Fosite.NewAccessRequest
-  - Fosite.NewRevocationRequest
 links:
     commit: https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9
     context:
diff --git a/reports/GO-2021-0111.yaml b/reports/GO-2021-0111.yaml
index e70ed08..a020b41 100644
--- a/reports/GO-2021-0111.yaml
+++ b/reports/GO-2021-0111.yaml
@@ -1,7 +1,47 @@
-module: go.mongodb.org/mongo-driver
-package: go.mongodb.org/mongo-driver/bson/bsonrw
-versions:
-  - fixed: v1.5.1
+packages:
+  - module: go.mongodb.org/mongo-driver
+    package: go.mongodb.org/mongo-driver/bson/bsonrw
+    symbols:
+      - valueWriter.writeElementHeader
+    derived_symbols:
+      - Copier.AppendArrayBytes
+      - Copier.AppendDocumentBytes
+      - Copier.AppendValueBytes
+      - Copier.CopyArrayFromBytes
+      - Copier.CopyBytesToArrayWriter
+      - Copier.CopyBytesToDocumentWriter
+      - Copier.CopyDocument
+      - Copier.CopyDocumentFromBytes
+      - Copier.CopyDocumentToBytes
+      - Copier.CopyValue
+      - Copier.CopyValueFromBytes
+      - Copier.CopyValueToBytes
+      - CopyDocument
+      - valueWriter.WriteArray
+      - valueWriter.WriteBinary
+      - valueWriter.WriteBinaryWithSubtype
+      - valueWriter.WriteBoolean
+      - valueWriter.WriteCodeWithScope
+      - valueWriter.WriteDBPointer
+      - valueWriter.WriteDateTime
+      - valueWriter.WriteDecimal128
+      - valueWriter.WriteDocument
+      - valueWriter.WriteDouble
+      - valueWriter.WriteInt32
+      - valueWriter.WriteInt64
+      - valueWriter.WriteJavascript
+      - valueWriter.WriteMaxKey
+      - valueWriter.WriteMinKey
+      - valueWriter.WriteNull
+      - valueWriter.WriteObjectID
+      - valueWriter.WriteRegex
+      - valueWriter.WriteString
+      - valueWriter.WriteSymbol
+      - valueWriter.WriteTimestamp
+      - valueWriter.WriteUndefined
+      - valueWriter.WriteValueBytes
+    versions:
+      - fixed: v1.5.1
 description: |
     Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed
     Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are
@@ -11,45 +51,6 @@
   - CVE-2021-20329
 ghsas:
   - GHSA-f6mq-5m25-4r72
-symbols:
-  - valueWriter.writeElementHeader
-derived_symbols:
-  - Copier.AppendArrayBytes
-  - Copier.AppendDocumentBytes
-  - Copier.AppendValueBytes
-  - Copier.CopyArrayFromBytes
-  - Copier.CopyBytesToArrayWriter
-  - Copier.CopyBytesToDocumentWriter
-  - Copier.CopyDocument
-  - Copier.CopyDocumentFromBytes
-  - Copier.CopyDocumentToBytes
-  - Copier.CopyValue
-  - Copier.CopyValueFromBytes
-  - Copier.CopyValueToBytes
-  - CopyDocument
-  - valueWriter.WriteArray
-  - valueWriter.WriteBinary
-  - valueWriter.WriteBinaryWithSubtype
-  - valueWriter.WriteBoolean
-  - valueWriter.WriteCodeWithScope
-  - valueWriter.WriteDBPointer
-  - valueWriter.WriteDateTime
-  - valueWriter.WriteDecimal128
-  - valueWriter.WriteDocument
-  - valueWriter.WriteDouble
-  - valueWriter.WriteInt32
-  - valueWriter.WriteInt64
-  - valueWriter.WriteJavascript
-  - valueWriter.WriteMaxKey
-  - valueWriter.WriteMinKey
-  - valueWriter.WriteNull
-  - valueWriter.WriteObjectID
-  - valueWriter.WriteRegex
-  - valueWriter.WriteString
-  - valueWriter.WriteSymbol
-  - valueWriter.WriteTimestamp
-  - valueWriter.WriteUndefined
-  - valueWriter.WriteValueBytes
 links:
     pr: https://github.com/mongodb/mongo-go-driver/pull/622
     commit: https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca
diff --git a/reports/GO-2021-0112.yaml b/reports/GO-2021-0112.yaml
index 6dff105..1304f6a 100644
--- a/reports/GO-2021-0112.yaml
+++ b/reports/GO-2021-0112.yaml
@@ -1,7 +1,86 @@
-module: go.mongodb.org/mongo-driver
-package: go.mongodb.org/mongo-driver/x/bsonx/bsoncore
-versions:
-  - fixed: v1.5.1
+packages:
+  - module: go.mongodb.org/mongo-driver
+    package: go.mongodb.org/mongo-driver/x/bsonx/bsoncore
+    symbols:
+      - AppendHeader
+      - AppendRegex
+    derived_symbols:
+      - AppendArrayElement
+      - AppendArrayElementStart
+      - AppendBinaryElement
+      - AppendBooleanElement
+      - AppendCodeWithScopeElement
+      - AppendDBPointerElement
+      - AppendDateTimeElement
+      - AppendDecimal128Element
+      - AppendDocumentElement
+      - AppendDocumentElementStart
+      - AppendDoubleElement
+      - AppendInt32Element
+      - AppendInt64Element
+      - AppendJavaScriptElement
+      - AppendMaxKeyElement
+      - AppendMinKeyElement
+      - AppendNullElement
+      - AppendObjectIDElement
+      - AppendRegexElement
+      - AppendStringElement
+      - AppendSymbolElement
+      - AppendTimeElement
+      - AppendTimestampElement
+      - AppendUndefinedElement
+      - AppendValueElement
+      - ArrayBuilder.AppendArray
+      - ArrayBuilder.AppendBinary
+      - ArrayBuilder.AppendBoolean
+      - ArrayBuilder.AppendCodeWithScope
+      - ArrayBuilder.AppendDBPointer
+      - ArrayBuilder.AppendDateTime
+      - ArrayBuilder.AppendDecimal128
+      - ArrayBuilder.AppendDocument
+      - ArrayBuilder.AppendDouble
+      - ArrayBuilder.AppendInt32
+      - ArrayBuilder.AppendInt64
+      - ArrayBuilder.AppendJavaScript
+      - ArrayBuilder.AppendMaxKey
+      - ArrayBuilder.AppendMinKey
+      - ArrayBuilder.AppendNull
+      - ArrayBuilder.AppendObjectID
+      - ArrayBuilder.AppendRegex
+      - ArrayBuilder.AppendString
+      - ArrayBuilder.AppendSymbol
+      - ArrayBuilder.AppendTimestamp
+      - ArrayBuilder.AppendUndefined
+      - ArrayBuilder.AppendValue
+      - ArrayBuilder.StartArray
+      - BuildArray
+      - BuildArrayElement
+      - BuildDocumentElement
+      - DocumentBuilder.AppendArray
+      - DocumentBuilder.AppendBinary
+      - DocumentBuilder.AppendBoolean
+      - DocumentBuilder.AppendCodeWithScope
+      - DocumentBuilder.AppendDBPointer
+      - DocumentBuilder.AppendDateTime
+      - DocumentBuilder.AppendDecimal128
+      - DocumentBuilder.AppendDocument
+      - DocumentBuilder.AppendDouble
+      - DocumentBuilder.AppendInt32
+      - DocumentBuilder.AppendInt64
+      - DocumentBuilder.AppendJavaScript
+      - DocumentBuilder.AppendMaxKey
+      - DocumentBuilder.AppendMinKey
+      - DocumentBuilder.AppendNull
+      - DocumentBuilder.AppendObjectID
+      - DocumentBuilder.AppendRegex
+      - DocumentBuilder.AppendString
+      - DocumentBuilder.AppendSymbol
+      - DocumentBuilder.AppendTimestamp
+      - DocumentBuilder.AppendUndefined
+      - DocumentBuilder.AppendValue
+      - DocumentBuilder.StartDocument
+    versions:
+      - fixed: v1.5.1
 description: |
     Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed
     Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are
@@ -11,84 +90,6 @@
   - CVE-2021-20329
 ghsas:
   - GHSA-f6mq-5m25-4r72
-symbols:
-  - AppendHeader
-  - AppendRegex
-derived_symbols:
-  - AppendArrayElement
-  - AppendArrayElementStart
-  - AppendBinaryElement
-  - AppendBooleanElement
-  - AppendCodeWithScopeElement
-  - AppendDBPointerElement
-  - AppendDateTimeElement
-  - AppendDecimal128Element
-  - AppendDocumentElement
-  - AppendDocumentElementStart
-  - AppendDoubleElement
-  - AppendInt32Element
-  - AppendInt64Element
-  - AppendJavaScriptElement
-  - AppendMaxKeyElement
-  - AppendMinKeyElement
-  - AppendNullElement
-  - AppendObjectIDElement
-  - AppendRegexElement
-  - AppendStringElement
-  - AppendSymbolElement
-  - AppendTimeElement
-  - AppendTimestampElement
-  - AppendUndefinedElement
-  - AppendValueElement
-  - ArrayBuilder.AppendArray
-  - ArrayBuilder.AppendBinary
-  - ArrayBuilder.AppendBoolean
-  - ArrayBuilder.AppendCodeWithScope
-  - ArrayBuilder.AppendDBPointer
-  - ArrayBuilder.AppendDateTime
-  - ArrayBuilder.AppendDecimal128
-  - ArrayBuilder.AppendDocument
-  - ArrayBuilder.AppendDouble
-  - ArrayBuilder.AppendInt32
-  - ArrayBuilder.AppendInt64
-  - ArrayBuilder.AppendJavaScript
-  - ArrayBuilder.AppendMaxKey
-  - ArrayBuilder.AppendMinKey
-  - ArrayBuilder.AppendNull
-  - ArrayBuilder.AppendObjectID
-  - ArrayBuilder.AppendRegex
-  - ArrayBuilder.AppendString
-  - ArrayBuilder.AppendSymbol
-  - ArrayBuilder.AppendTimestamp
-  - ArrayBuilder.AppendUndefined
-  - ArrayBuilder.AppendValue
-  - ArrayBuilder.StartArray
-  - BuildArray
-  - BuildArrayElement
-  - BuildDocumentElement
-  - DocumentBuilder.AppendArray
-  - DocumentBuilder.AppendBinary
-  - DocumentBuilder.AppendBoolean
-  - DocumentBuilder.AppendCodeWithScope
-  - DocumentBuilder.AppendDBPointer
-  - DocumentBuilder.AppendDateTime
-  - DocumentBuilder.AppendDecimal128
-  - DocumentBuilder.AppendDocument
-  - DocumentBuilder.AppendDouble
-  - DocumentBuilder.AppendInt32
-  - DocumentBuilder.AppendInt64
-  - DocumentBuilder.AppendJavaScript
-  - DocumentBuilder.AppendMaxKey
-  - DocumentBuilder.AppendMinKey
-  - DocumentBuilder.AppendNull
-  - DocumentBuilder.AppendObjectID
-  - DocumentBuilder.AppendRegex
-  - DocumentBuilder.AppendString
-  - DocumentBuilder.AppendSymbol
-  - DocumentBuilder.AppendTimestamp
-  - DocumentBuilder.AppendUndefined
-  - DocumentBuilder.AppendValue
-  - DocumentBuilder.StartDocument
 links:
     pr: https://github.com/mongodb/mongo-go-driver/pull/622
     commit: https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca
diff --git a/reports/GO-2021-0113.yaml b/reports/GO-2021-0113.yaml
index 1c42ffa..b4bef0b 100644
--- a/reports/GO-2021-0113.yaml
+++ b/reports/GO-2021-0113.yaml
@@ -1,7 +1,14 @@
-module: golang.org/x/text
-package: golang.org/x/text/language
-versions:
-  - fixed: v0.3.7
+packages:
+  - module: golang.org/x/text
+    package: golang.org/x/text/language
+    symbols:
+      - Parse
+    derived_symbols:
+      - MatchStrings
+      - MustParse
+      - ParseAcceptLanguage
+    versions:
+      - fixed: v0.3.7
 description: |
     Due to improper index calculation, an incorrectly formatted language tag can cause Parse
     to panic via an out of bounds read. If Parse is used to process untrusted user inputs,
@@ -10,12 +17,6 @@
 cves:
   - CVE-2021-38561
 credit: Guido Vranken
-symbols:
-  - Parse
-derived_symbols:
-  - MatchStrings
-  - MustParse
-  - ParseAcceptLanguage
 links:
     pr: https://go-review.googlesource.com/c/text/+/340830
     commit: https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f
diff --git a/reports/GO-2021-0140.yaml b/reports/GO-2021-0140.yaml
index fefc859..77bbfe2 100644
--- a/reports/GO-2021-0140.yaml
+++ b/reports/GO-2021-0140.yaml
@@ -1,8 +1,11 @@
-module: std
-package: crypto/x509
-versions:
-  - fixed: go1.13.13
-  - fixed: go1.14.5
+packages:
+  - module: std
+    package: crypto/x509
+    symbols:
+      - Certificate.Verify
+    versions:
+      - fixed: go1.13.13
+      - fixed: go1.14.5
 description: |
     X509 Certificate verification does not validate KeyUsages EKU
     requirements on Windows if VerifyOptions.Roots is nil.
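Review bot: The two entries under `versions:` have only a `fixed` bound, so read as independent ranges the second one (`fixed: go1.14.5`) also covers the already patched go1.13.13. How consumers evaluate the list is not visible in this hunk, but a scanner that treats each entry as "everything below `fixed`" would report patched toolchains as vulnerable. Since every report is being rewritten here, I would bound the later ranges, e.g. `- introduced: <first go1.14 release>` followed by `fixed: go1.14.5`. The same shape recurs in most of the std reports in this change, for example GO-2021-0141, GO-2021-0172 and GO-2021-0240.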
@@ -10,8 +13,6 @@
 cves:
   - CVE-2020-14039
 credit: Niall Newman
-symbols:
-  - Certificate.Verify
 os:
   - windows
 links:
diff --git a/reports/GO-2021-0141.yaml b/reports/GO-2021-0141.yaml
index f5328a0..b238aaa 100644
--- a/reports/GO-2021-0141.yaml
+++ b/reports/GO-2021-0141.yaml
@@ -1,8 +1,11 @@
-module: std
-package: net/http
-versions:
-  - fixed: go1.13.13
-  - fixed: go1.14.5
+packages:
+  - module: std
+    package: net/http
+    symbols:
+      - expectContinueReader.Read
+    versions:
+      - fixed: go1.13.13
+      - fixed: go1.14.5
 description: |
     A Go HTTP server which reads from the request body while
     simultaneously writing a response can panic when clients
@@ -11,8 +14,6 @@
 cves:
   - CVE-2020-15586
 credit: Mikael Manukyan
-symbols:
-  - expectContinueReader.Read
 links:
     pr: https://go.dev/cl/242598
     commit: https://go.googlesource.com/go/+/fa98f46741f818913a8c11b877520a548715131f
diff --git a/reports/GO-2021-0143.yaml b/reports/GO-2021-0143.yaml
index 4aa986d..a664c95 100644
--- a/reports/GO-2021-0143.yaml
+++ b/reports/GO-2021-0143.yaml
@@ -1,6 +1,12 @@
-module: std
-package: net/http/cgi
-additional_packages:
+packages:
+  - module: std
+    package: net/http/cgi
+    symbols:
+      - response.Write
+    versions:
+      - fixed: go1.14.8
+      - fixed: go1.15.1
+      - fixed: go1.16.0
   - module: std
     package: net/http/fcgi
     symbols:
@@ -9,10 +15,6 @@
       - fixed: go1.14.8
       - fixed: go1.15.1
       - fixed: go1.16.0
-versions:
-  - fixed: go1.14.8
-  - fixed: go1.15.1
-  - fixed: go1.16.0
 description: |
     When a Handler does not explicitly set the Content-Type header,
     the net/http/cgi and net/http/fcgi packages default to "text/html",
@@ -22,8 +24,6 @@
 cves:
   - CVE-2020-24553
 credit: RedTeam Pentesting GmbH
-symbols:
-  - response.Write
 links:
     pr: https://go.dev/cl/252179
     commit: https://go.googlesource.com/go/+/4f5cd0c0331943c7ec72df3b827d972584f77833
diff --git a/reports/GO-2021-0157.yaml b/reports/GO-2021-0157.yaml
index a8056ec..db2c748 100644
--- a/reports/GO-2021-0157.yaml
+++ b/reports/GO-2021-0157.yaml
@@ -1,7 +1,11 @@
-module: std
-package: net/textproto
-versions:
-  - fixed: go1.4.3
+packages:
+  - module: std
+    package: net/textproto
+    symbols:
+      - CanonicalMIMEHeaderKey
+      - canonicalMIMEHeaderKey
+    versions:
+      - fixed: go1.4.3
 description: |
     The MIME header parser treated spaces and hyphens
     as equivalent, which can permit HTTP request smuggling.
@@ -9,9 +13,6 @@
 cves:
   - CVE-2015-5739
 credit: Régis Leroy
-symbols:
-  - CanonicalMIMEHeaderKey
-  - canonicalMIMEHeaderKey
 links:
     pr: https://go.dev/cl/11772
     commit: https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9
diff --git a/reports/GO-2021-0159.yaml b/reports/GO-2021-0159.yaml
index 86469d9..2885668 100644
--- a/reports/GO-2021-0159.yaml
+++ b/reports/GO-2021-0159.yaml
@@ -1,7 +1,18 @@
-module: std
-package: net/http
-versions:
-  - fixed: go1.4.3
+packages:
+  - module: std
+    package: net/http
+    symbols:
+      - CanonicalMIMEHeaderKey
+      - body.readLocked
+      - canonicalMIMEHeaderKey
+      - chunkWriter.writeHeader
+      - fixLength
+      - fixTransferEncoding
+      - readTransfer
+      - transferWriter.shouldSendContentLength
+      - validHeaderFieldByte
+    versions:
+      - fixed: go1.4.3
 description: |
     HTTP headers were not properly parsed, which allows remote attackers to
     conduct HTTP request smuggling attacks via a request that contains
@@ -12,16 +23,6 @@
   - CVE-2015-5740
   - CVE-2015-5741
 credit: Jed Denlea and Régis Leroy
-symbols:
-  - CanonicalMIMEHeaderKey
-  - body.readLocked
-  - canonicalMIMEHeaderKey
-  - chunkWriter.writeHeader
-  - fixLength
-  - fixTransferEncoding
-  - readTransfer
-  - transferWriter.shouldSendContentLength
-  - validHeaderFieldByte
 links:
     pr: https://go.dev/cl/13148
     commit: https://go.googlesource.com/go/+/26049f6f9171d1190f3bbe05ec304845cfe6399f
diff --git a/reports/GO-2021-0160.yaml b/reports/GO-2021-0160.yaml
index 589c88f..8037b5d 100644
--- a/reports/GO-2021-0160.yaml
+++ b/reports/GO-2021-0160.yaml
@@ -1,8 +1,12 @@
-module: std
-package: math/big
-versions:
-  - introduced: go1.5
-    fixed: go1.5.3
+packages:
+  - module: std
+    package: math/big
+    symbols:
+      - nat.expNNMontgomery
+      - nat.montgomery
+    versions:
+      - introduced: go1.5
+        fixed: go1.5.3
 description: |
     Int.Exp Montgomery mishandled carry propagation and produced an incorrect
     output, which makes it easier for attackers to obtain private RSA keys via
@@ -27,9 +31,6 @@
 cves:
   - CVE-2015-8618
 credit: Nick Craig-Wood
-symbols:
-  - nat.expNNMontgomery
-  - nat.montgomery
 links:
     pr: https://go.dev/cl/18491
     commit: https://go.googlesource.com/go/+/1e066cad1ba23f4064545355b8737e4762dd6838
diff --git a/reports/GO-2021-0163.yaml b/reports/GO-2021-0163.yaml
index d4bcb03..a6b9cef 100644
--- a/reports/GO-2021-0163.yaml
+++ b/reports/GO-2021-0163.yaml
@@ -1,8 +1,11 @@
-module: std
-package: syscall
-versions:
-  - fixed: go1.5.4
-  - fixed: go1.6.1
+packages:
+  - module: std
+    package: syscall
+    symbols:
+      - LoadLibrary
+    versions:
+      - fixed: go1.5.4
+      - fixed: go1.6.1
 description: |
     Untrusted search path vulnerability on Windows related to LoadLibrary allows
     local users to gain privileges via a malicious DLL in the current working
@@ -10,8 +13,6 @@
 published: 2022-01-05T22:41:50Z
 cves:
   - CVE-2016-3958
-symbols:
-  - LoadLibrary
 links:
     pr: https://go.dev/cl/21428
     commit: https://go.googlesource.com/go/+/6a0bb87bd0bf0fdf8ddbd35f77a75ebd412f61b0
diff --git a/reports/GO-2021-0172.yaml b/reports/GO-2021-0172.yaml
index 801f8b4..d130765 100644
--- a/reports/GO-2021-0172.yaml
+++ b/reports/GO-2021-0172.yaml
@@ -1,9 +1,12 @@
-module: std
-package: mime/multipart
-versions:
-  - fixed: go1.6.4
-  - fixed: go1.7.4
-  - fixed: go1.8.0
+packages:
+  - module: std
+    package: mime/multipart
+    symbols:
+      - Reader.readForm
+    versions:
+      - fixed: go1.6.4
+      - fixed: go1.7.4
+      - fixed: go1.8.0
 description: |
     When parsing large multipart/form-data, an attacker can
     cause a HTTP server to open a large number of file
@@ -13,8 +16,6 @@
 cves:
   - CVE-2017-1000098
 credit: Simon Rawet
-symbols:
-  - Reader.readForm
 links:
     pr: https://go.dev/cl/30410
     commit: https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
diff --git a/reports/GO-2021-0178.yaml b/reports/GO-2021-0178.yaml
index 7802479..40bd88e 100644
--- a/reports/GO-2021-0178.yaml
+++ b/reports/GO-2021-0178.yaml
@@ -1,10 +1,13 @@
-module: std
-package: net/smtp
-versions:
-  - introduced: go1.1
-    fixed: go1.8.4
-  - introduced: go1.1
-    fixed: go1.9.1
+packages:
+  - module: std
+    package: net/smtp
+    symbols:
+      - plainAuth.Start
+    versions:
+      - introduced: go1.1
+        fixed: go1.8.4
+      - introduced: go1.1
+        fixed: go1.9.1
 description: |
     SMTP clients using net/smtp can use the PLAIN authentication scheme on
     network connections not secured with TLS, exposing passwords to
@@ -13,8 +16,6 @@
 cves:
   - CVE-2017-15042
 credit: Stevie Johnstone
-symbols:
-  - plainAuth.Start
 links:
     pr: https://go.dev/cl/68170
     commit: https://go.googlesource.com/go/+/ec3b6131de8f9c9c25283260c95c616c74f6d790
diff --git a/reports/GO-2021-0223.yaml b/reports/GO-2021-0223.yaml
index 2e49f3b..e4d842d 100644
--- a/reports/GO-2021-0223.yaml
+++ b/reports/GO-2021-0223.yaml
@@ -1,9 +1,12 @@
-module: std
-package: crypto/x509
-versions:
-  - fixed: go1.13.13
-  - fixed: go1.14.5
-  - fixed: go1.15.0
+packages:
+  - module: std
+    package: crypto/x509
+    symbols:
+      - Certificate.systemVerify
+    versions:
+      - fixed: go1.13.13
+      - fixed: go1.14.5
+      - fixed: go1.15.0
 description: |
     On Windows, if VerifyOptions.Roots is nil, Certificate.Verify
     does not check the EKU requirements specified in VerifyOptions.KeyUsages.
@@ -12,8 +15,6 @@
 cves:
   - CVE-2020-14039
 credit: Niall Newman
-symbols:
-  - Certificate.systemVerify
 os:
   - windows
 links:
diff --git a/reports/GO-2021-0224.yaml b/reports/GO-2021-0224.yaml
index b26e618..0774836 100644
--- a/reports/GO-2021-0224.yaml
+++ b/reports/GO-2021-0224.yaml
@@ -1,9 +1,12 @@
-module: std
-package: net/http
-versions:
-  - fixed: go1.13.13
-  - fixed: go1.14.5
-  - fixed: go1.15.0
+packages:
+  - module: std
+    package: net/http
+    symbols:
+      - expectContinueReader.Read
+    versions:
+      - fixed: go1.13.13
+      - fixed: go1.14.5
+      - fixed: go1.15.0
 description: |
     HTTP servers where the Handler concurrently reads the request
     body and writes a response can encounter a data race and crash.
@@ -14,8 +17,6 @@
 credit: |
     Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay
     Kauzlaric, and Gabe Rosenhouse
-symbols:
-  - expectContinueReader.Read
 links:
     pr: https://go.dev/cl/242598
     commit: https://go.googlesource.com/go/+/fa98f46741f818913a8c11b877520a548715131f
diff --git a/reports/GO-2021-0225.yaml b/reports/GO-2021-0225.yaml
index 048ffd1..b80a2e9 100644
--- a/reports/GO-2021-0225.yaml
+++ b/reports/GO-2021-0225.yaml
@@ -1,8 +1,11 @@
-module: std
-package: encoding/binary
-versions:
-  - fixed: go1.13.15
-  - fixed: go1.14.7
+packages:
+  - module: std
+    package: encoding/binary
+    symbols:
+      - ReadUvarint
+    versions:
+      - fixed: go1.13.15
+      - fixed: go1.14.7
 description: |
     Certain invalid inputs to ReadUvarint or ReadVarint could cause those
     functions to read an unlimited number of bytes from the ByteReader argument
@@ -21,8 +24,6 @@
 ghsas:
   - GHSA-q6gq-997w-f55g
 credit: Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon
-symbols:
-  - ReadUvarint
 links:
     pr: https://go.dev/cl/247120
     commit: https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258
diff --git a/reports/GO-2021-0226.yaml b/reports/GO-2021-0226.yaml
index fabf8c0..9def5cf 100644
--- a/reports/GO-2021-0226.yaml
+++ b/reports/GO-2021-0226.yaml
@@ -1,6 +1,13 @@
-module: std
-package: net/http/cgi
-additional_packages:
+packages:
+  - module: std
+    package: net/http/cgi
+    symbols:
+      - response.Write
+      - response.WriteHeader
+      - response.writeCGIHeader
+    versions:
+      - fixed: go1.14.8
+      - fixed: go1.15.1
   - module: std
     package: net/http/fcgi
     symbols:
@@ -10,9 +17,6 @@
     versions:
       - fixed: go1.14.8
       - fixed: go1.15.1
-versions:
-  - fixed: go1.14.8
-  - fixed: go1.15.1
 description: |
     When a Handler does not explicitly set the Content-Type header, the the
     package would default to “text/html”, which could cause a Cross-Site Scripting
@@ -30,10 +34,6 @@
 cves:
   - CVE-2020-24553
 credit: RedTeam Pentesting GmbH
-symbols:
-  - response.Write
-  - response.WriteHeader
-  - response.writeCGIHeader
 links:
     pr: https://go.dev/cl/252179
     commit: https://go.googlesource.com/go/+/4f5cd0c0331943c7ec72df3b827d972584f77833
diff --git a/reports/GO-2021-0227.yaml b/reports/GO-2021-0227.yaml
index f5071d4..80e3d7d 100644
--- a/reports/GO-2021-0227.yaml
+++ b/reports/GO-2021-0227.yaml
@@ -1,7 +1,10 @@
-module: golang.org/x/crypto
-package: golang.org/x/crypto/ssh
-versions:
-  - fixed: v0.0.0-20201216223049-8b5274cf687f
+packages:
+  - module: golang.org/x/crypto
+    package: golang.org/x/crypto/ssh
+    symbols:
+      - connection.serverAuthenticate
+    versions:
+      - fixed: v0.0.0-20201216223049-8b5274cf687f
 description: |
     Clients can cause a panic in SSH servers. An attacker can craft
     an authentication request message for the “gssapi-with-mic” method
@@ -11,8 +14,6 @@
 cves:
   - CVE-2020-29652
 credit: Joern Schneewesiz, GitLab Security Research Team
-symbols:
-  - connection.serverAuthenticate
 links:
     pr: https://go-review.googlesource.com/c/crypto/+/278852
     commit: https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8
diff --git a/reports/GO-2021-0228.yaml b/reports/GO-2021-0228.yaml
index 4a5f238..4a73ff0 100644
--- a/reports/GO-2021-0228.yaml
+++ b/reports/GO-2021-0228.yaml
@@ -1,7 +1,26 @@
-module: github.com/unknwon/cae
-package: github.com/unknwon/cae/zip
-versions:
-  - fixed: v1.0.1
+packages:
+  - module: github.com/unknwon/cae
+    package: github.com/unknwon/cae/zip
+    symbols:
+      - TzArchive.syncFiles
+      - TzArchive.ExtractToFunc
+      - ZipArchive.Open
+      - ZipArchive.ExtractToFunc
+    derived_symbols:
+      - Create
+      - ExtractTo
+      - ExtractToFunc
+      - Open
+      - OpenFile
+      - TzArchive.ExtractToFunc
+      - TzArchive.syncFiles
+      - ZipArchive.Close
+      - ZipArchive.ExtractTo
+      - ZipArchive.ExtractToFunc
+      - ZipArchive.Flush
+      - ZipArchive.Open
+    versions:
+      - fixed: v1.0.1
 description: |
     The ExtractTo function doesn't securely escape file paths in zip archives
     which include leading or non-leading "..". This allows an attacker to add or
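Review bot: `derived_symbols` in this entry repeats all four names already listed under `symbols` (`TzArchive.syncFiles`, `TzArchive.ExtractToFunc`, `ZipArchive.Open`, `ZipArchive.ExtractToFunc`), while GO-2021-0113 keeps the two lists disjoint. Now that both lists sit side by side under one package entry, the schema should say whether `derived_symbols` is a superset of `symbols` or only the additional callers, and the reports should follow one convention. If it is meant to hold only the additions, the four duplicates can be dropped here. GO-2021-0356 has the same overlap, with `ServerConfig.AddHostKey` in both lists.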
@@ -12,24 +31,6 @@
 ghsas:
   - GHSA-vpx7-vm66-qx8r
 credit: Georgios Gkitsas of Snyk Security Team
-symbols:
-  - TzArchive.syncFiles
-  - TzArchive.ExtractToFunc
-  - ZipArchive.Open
-  - ZipArchive.ExtractToFunc
-derived_symbols:
-  - Create
-  - ExtractTo
-  - ExtractToFunc
-  - Open
-  - OpenFile
-  - TzArchive.ExtractToFunc
-  - TzArchive.syncFiles
-  - ZipArchive.Close
-  - ZipArchive.ExtractTo
-  - ZipArchive.ExtractToFunc
-  - ZipArchive.Flush
-  - ZipArchive.Open
 links:
     commit: https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11
     context:
diff --git a/reports/GO-2021-0234.yaml b/reports/GO-2021-0234.yaml
index dee48eb..ad246d6 100644
--- a/reports/GO-2021-0234.yaml
+++ b/reports/GO-2021-0234.yaml
@@ -1,9 +1,12 @@
-module: std
-package: encoding/xml
-versions:
-  - fixed: go1.15.9
-  - fixed: go1.16.1
-  - fixed: go1.17.0
+packages:
+  - module: std
+    package: encoding/xml
+    symbols:
+      - Decoder.Token
+    versions:
+      - fixed: go1.15.9
+      - fixed: go1.16.1
+      - fixed: go1.17.0
 description: |
     The Decode, DecodeElement, and Skip methods of an xml.Decoder
     provided by xml.NewTokenDecoder may enter an infinite loop when
@@ -13,8 +16,6 @@
 cves:
   - CVE-2021-27918
 credit: Sam Whited
-symbols:
-  - Decoder.Token
 links:
     pr: https://go.dev/cl/300391
     commit: https://go.googlesource.com/go/+/d0b79e3513a29628f3599dc8860666b6eed75372
diff --git a/reports/GO-2021-0235.yaml b/reports/GO-2021-0235.yaml
index ab8fd43..5046fc5 100644
--- a/reports/GO-2021-0235.yaml
+++ b/reports/GO-2021-0235.yaml
@@ -1,9 +1,12 @@
-module: std
-package: crypto/elliptic
-versions:
-  - fixed: go1.14.14
-  - fixed: go1.15.7
-  - fixed: go1.16.0
+packages:
+  - module: std
+    package: crypto/elliptic
+    symbols:
+      - p224Contract
+    versions:
+      - fixed: go1.14.14
+      - fixed: go1.15.7
+      - fixed: go1.16.0
 description: |
     The P224() Curve implementation can in rare circumstances generate
     incorrect outputs, including returning invalid points from
@@ -14,8 +17,6 @@
 credit: |
     the elliptic-curve-differential-fuzzer project running on OSS-Fuzz
     and reported by Philippe Antoine (Catena cyber)
-symbols:
-  - p224Contract
 links:
     pr: https://go.dev/cl/284779
     commit: https://go.googlesource.com/go/+/d95ca9138026cbe40e0857d76a81a16d03230871
diff --git a/reports/GO-2021-0237.yaml b/reports/GO-2021-0237.yaml
index e0ebdfc..62fa6a3 100644
--- a/reports/GO-2021-0237.yaml
+++ b/reports/GO-2021-0237.yaml
@@ -1,6 +1,9 @@
-module: github.com/AndrewBurian/powermux
-versions:
-  - fixed: v1.1.1
+packages:
+  - module: github.com/AndrewBurian/powermux
+    symbols:
+      - Route.execute
+    versions:
+      - fixed: v1.1.1
 description: |
     Attackers may be able to craft phishing links and other open
     redirects by exploiting PowerMux's trailing slash redirection
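Review bot: This `packages:` entry has `module` and `symbols` but no `package` key, so `Route.execute` is not tied to an import path. A consumer doing symbol-level matching presumably has to fall back to the module path, which is only right if the symbol lives in the module's root package. If that is the case, stating it explicitly with `package: github.com/AndrewBurian/powermux` removes the guess; otherwise the real subpackage path belongs here. GO-2021-0258 (`Manager.onUpdateRecords`) and GO-2021-0265 (`match.Match`) are written the same way.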
@@ -11,8 +14,6 @@
   - CVE-2021-32721
 ghsas:
   - GHSA-mj9r-wwm8-7q52
-symbols:
-  - Route.execute
 links:
     pr: https://github.com/AndrewBurian/powermux/pull/42
     commit: https://github.com/AndrewBurian/powermux/commit/5e60a8a0372b35a898796c2697c40e8daabed8e9
diff --git a/reports/GO-2021-0238.yaml b/reports/GO-2021-0238.yaml
index 8b1940b..eb9f768 100644
--- a/reports/GO-2021-0238.yaml
+++ b/reports/GO-2021-0238.yaml
@@ -1,7 +1,10 @@
-module: golang.org/x/net
-package: golang.org/x/net/html
-versions:
-  - fixed: v0.0.0-20210520170846-37e1c6afe023
+packages:
+  - module: golang.org/x/net
+    package: golang.org/x/net/html
+    symbols:
+      - inHeadIM
+    versions:
+      - fixed: v0.0.0-20210520170846-37e1c6afe023
 description: |
     An attacker can craft an input to ParseFragment that causes it
     to enter an infinite loop and never return.
@@ -9,8 +12,6 @@
 cves:
   - CVE-2021-33194
 credit: discovered by OSS-Fuzz and reported by Andrew Thornton
-symbols:
-  - inHeadIM
 links:
     pr: https://go.dev/cl/311090
     commit: https://go.googlesource.com/net/+/37e1c6afe02340126705deced573a85ab75209d7
diff --git a/reports/GO-2021-0239.yaml b/reports/GO-2021-0239.yaml
index e37ec57..74c98dc 100644
--- a/reports/GO-2021-0239.yaml
+++ b/reports/GO-2021-0239.yaml
@@ -1,9 +1,16 @@
-module: std
-package: net
-versions:
-  - fixed: go1.15.13
-  - fixed: go1.16.5
-  - fixed: go1.17
+packages:
+  - module: std
+    package: net
+    symbols:
+      - Resolver.LookupAddr
+      - Resolver.LookupCNAME
+      - Resolver.LookupMX
+      - Resolver.LookupNS
+      - Resolver.LookupSRV
+    versions:
+      - fixed: go1.15.13
+      - fixed: go1.16.5
+      - fixed: go1.17
 description: |
     The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
     functions and their respective methods on the Resolver type may
@@ -17,12 +24,6 @@
 cves:
   - CVE-2021-33195
 credit: Philipp Jeitner and Haya Shulman from Fraunhofer SIT
-symbols:
-  - Resolver.LookupAddr
-  - Resolver.LookupCNAME
-  - Resolver.LookupMX
-  - Resolver.LookupNS
-  - Resolver.LookupSRV
 links:
     pr: https://go.dev/cl/320949
     commit: https://go.googlesource.com/go/+/c89f1224a544cde464fcb86e78ebb0cc97eedba2
diff --git a/reports/GO-2021-0240.yaml b/reports/GO-2021-0240.yaml
index b3049e0..2b066b3 100644
--- a/reports/GO-2021-0240.yaml
+++ b/reports/GO-2021-0240.yaml
@@ -1,9 +1,12 @@
-module: std
-package: archive/zip
-versions:
-  - fixed: go1.15.13
-  - fixed: go1.16.5
-  - fixed: go1.17.0
+packages:
+  - module: std
+    package: archive/zip
+    symbols:
+      - Reader.init
+    versions:
+      - fixed: go1.15.13
+      - fixed: go1.16.5
+      - fixed: go1.17.0
 description: |
     NewReader and OpenReader can cause a panic or an unrecoverable
     fatal error when reading an archive that claims to contain a large
@@ -14,8 +17,6 @@
 credit: |
     the OSS-Fuzz project for discovering this issue and
     Emmanuel Odeke for reporting it
-symbols:
-  - Reader.init
 links:
     pr: https://go.dev/cl/318909
     commit: https://go.googlesource.com/go/+/74242baa4136c7a9132a8ccd9881354442788c8c
diff --git a/reports/GO-2021-0241.yaml b/reports/GO-2021-0241.yaml
index ea56c73..79353a6 100644
--- a/reports/GO-2021-0241.yaml
+++ b/reports/GO-2021-0241.yaml
@@ -1,9 +1,12 @@
-module: std
-package: net/http/httputil
-versions:
-  - fixed: go1.15.13
-  - fixed: go1.16.5
-  - fixed: go1.17.0
+packages:
+  - module: std
+    package: net/http/httputil
+    symbols:
+      - ReverseProxy.ServeHTTP
+    versions:
+      - fixed: go1.15.13
+      - fixed: go1.16.5
+      - fixed: go1.17.0
 description: |
     ReverseProxy can be made to forward certain hop-by-hop headers,
     including Connection. If the target of the ReverseProxy is
@@ -13,8 +16,6 @@
 cves:
   - CVE-2021-33197
 credit: Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson
-symbols:
-  - ReverseProxy.ServeHTTP
 links:
     pr: https://go.dev/cl/321929
     commit: https://go.googlesource.com/go/+/950fa11c4cb01a145bb07eeb167d90a1846061b3
diff --git a/reports/GO-2021-0242.yaml b/reports/GO-2021-0242.yaml
index 48dd8ce..0146e35 100644
--- a/reports/GO-2021-0242.yaml
+++ b/reports/GO-2021-0242.yaml
@@ -1,9 +1,12 @@
-module: std
-package: math/big
-versions:
-  - fixed: go1.15.13
-  - fixed: go1.16.5
-  - fixed: go1.17.0
+packages:
+  - module: std
+    package: math/big
+    symbols:
+      - Rat.SetString
+    versions:
+      - fixed: go1.15.13
+      - fixed: go1.16.5
+      - fixed: go1.17.0
 description: |
     Rat.SetString and Rat.UnmarshalText may cause a panic or an
     unrecoverable fatal error if passed inputs with very large
@@ -14,8 +17,6 @@
 credit: |
     the OSS-Fuzz project for discovering this issue and to Emmanuel
     Odeke for reporting it
-symbols:
-  - Rat.SetString
 links:
     pr: https://go.dev/cl/316149
     commit: https://go.googlesource.com/go/+/6c591f79b0b5327549bd4e94970f7a279efb4ab0
diff --git a/reports/GO-2021-0243.yaml b/reports/GO-2021-0243.yaml
index b68b200..76f30db 100644
--- a/reports/GO-2021-0243.yaml
+++ b/reports/GO-2021-0243.yaml
@@ -1,9 +1,12 @@
-module: std
-package: crypto/tls
-versions:
-  - fixed: go1.15.14
-  - fixed: go1.16.6
-  - fixed: go1.17.0
+packages:
+  - module: std
+    package: crypto/tls
+    symbols:
+      - rsaKeyAgreement.generateClientKeyExchange
+    versions:
+      - fixed: go1.15.14
+      - fixed: go1.16.6
+      - fixed: go1.17.0
 description: |
     crypto/tls clients can panic when provided a certificate of the
     wrong type for the negotiated parameters. net/http clients
@@ -12,8 +15,6 @@
 cves:
   - CVE-2021-34558
 credit: Imre Rad
-symbols:
-  - rsaKeyAgreement.generateClientKeyExchange
 links:
     pr: https://go.dev/cl/334031
     commit: https://go.googlesource.com/go/+/a98589711da5e9d935e8d690cfca92892e86d557
diff --git a/reports/GO-2021-0245.yaml b/reports/GO-2021-0245.yaml
index 43a576f..bc0076b 100644
--- a/reports/GO-2021-0245.yaml
+++ b/reports/GO-2021-0245.yaml
@@ -1,9 +1,12 @@
-module: std
-package: net/http/httputil
-versions:
-  - fixed: go1.15.15
-  - fixed: go1.16.7
-  - fixed: go1.17.0
+packages:
+  - module: std
+    package: net/http/httputil
+    symbols:
+      - ReverseProxy.ServeHTTP
+    versions:
+      - fixed: go1.15.15
+      - fixed: go1.16.7
+      - fixed: go1.17.0
 description: |
     ReverseProxy can panic after encountering a problem copying
     a proxied response body.
@@ -11,8 +14,6 @@
 cves:
   - CVE-2021-36221
 credit: Andrew Crump
-symbols:
-  - ReverseProxy.ServeHTTP
 links:
     pr: https://go.dev/cl/333191
     commit: https://go.googlesource.com/go/+/b7a85e0003cedb1b48a1fd3ae5b746ec6330102e
diff --git a/reports/GO-2021-0258.yaml b/reports/GO-2021-0258.yaml
index d978b51..f27fad8 100644
--- a/reports/GO-2021-0258.yaml
+++ b/reports/GO-2021-0258.yaml
@@ -1,6 +1,9 @@
-module: github.com/pomerium/pomerium
-versions:
-  - fixed: v0.15.6
+packages:
+  - module: github.com/pomerium/pomerium
+    symbols:
+      - Manager.onUpdateRecords
+    versions:
+      - fixed: v0.15.6
 description: |
     Pomerium is an open source identity-aware access proxy. Changes to the OIDC
     claims of a user after initial login are not reflected in policy evaluation
@@ -15,8 +18,6 @@
   - CVE-2021-41230
 ghsas:
   - GHSA-j6wp-3859-vxfg
-symbols:
-  - Manager.onUpdateRecords
 links:
     pr: https://github.com/pomerium/pomerium/pull/2724
     commit: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511
diff --git a/reports/GO-2021-0263.yaml b/reports/GO-2021-0263.yaml
index 0e341d5..81fd9a3 100644
--- a/reports/GO-2021-0263.yaml
+++ b/reports/GO-2021-0263.yaml
@@ -1,8 +1,11 @@
-module: std
-package: debug/macho
-versions:
-  - fixed: go1.17.3
-  - fixed: go1.16.10
+packages:
+  - module: std
+    package: debug/macho
+    symbols:
+      - NewFile
+    versions:
+      - fixed: go1.17.3
+      - fixed: go1.16.10
 description: |
     Calling File.ImportedSymbols on a loaded file which contains an invalid
     dynamic symbol table command can cause a panic, in particular if the encoded
@@ -12,8 +15,6 @@
 cves:
   - CVE-2021-41771
 credit: Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech)
-symbols:
-  - NewFile
 links:
     pr: https://go.dev/cl/367075
     commit: https://go.googlesource.com/go/+/61536ec03063b4951163bd09609c86d82631fa27
diff --git a/reports/GO-2021-0264.yaml b/reports/GO-2021-0264.yaml
index f1fbd20..73fd19b 100644
--- a/reports/GO-2021-0264.yaml
+++ b/reports/GO-2021-0264.yaml
@@ -1,8 +1,12 @@
-module: std
-package: archive/zip
-versions:
-  - fixed: go1.16.10
-  - fixed: go1.17.3
+packages:
+  - module: std
+    package: archive/zip
+    symbols:
+      - split
+      - Reader.Open
+    versions:
+      - fixed: go1.16.10
+      - fixed: go1.17.3
 description: |
     Previously, opening a zip with (*Reader).Open could result in a panic if the
     zip contained a file whose name was exclusively made up of slash characters or
@@ -24,9 +28,6 @@
   - CVE-2021-41772
 credit: Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence
     Team
-symbols:
-  - split
-  - Reader.Open
 links:
     pr: https://go.dev/cl/349770
     commit: https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f
diff --git a/reports/GO-2021-0265.yaml b/reports/GO-2021-0265.yaml
index 0aab67c..96fe2a4 100644
--- a/reports/GO-2021-0265.yaml
+++ b/reports/GO-2021-0265.yaml
@@ -1,6 +1,9 @@
-module: github.com/tidwall/gjson
-versions:
-  - fixed: v1.9.3
+packages:
+  - module: github.com/tidwall/gjson
+    symbols:
+      - match.Match
+    versions:
+      - fixed: v1.9.3
 description: |
     GJSON allowed a ReDoS (regular expression denial of service) attack.
 published: 2022-01-14T17:30:24Z
@@ -8,8 +11,6 @@
   - CVE-2021-42836
 ghsas:
   - GHSA-ppj4-34rq-v8j9
-symbols:
-  - match.Match
 links:
     commit: https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944
     context:
diff --git a/reports/GO-2021-0321.yaml b/reports/GO-2021-0321.yaml
index 3ca9530..cb0e0f2 100644
--- a/reports/GO-2021-0321.yaml
+++ b/reports/GO-2021-0321.yaml
@@ -1,8 +1,11 @@
-module: mellium.im/xmpp
-package: mellium.im/xmpp/websocket
-versions:
-  - introduced: v0.18.0
-    fixed: v0.21.1
+packages:
+  - module: mellium.im/xmpp
+    package: mellium.im/xmpp/websocket
+    symbols:
+      - Dialer.config
+    versions:
+      - introduced: v0.18.0
+        fixed: v0.21.1
 description: |
     An attacker capable of spoofing DNS TXT records can redirect a
     WebSocket connection request to a server under their control without
@@ -10,9 +13,9 @@
     the wrong host name is selected during this verification.
 cves:
   - CVE-2022-24968
+ghsas:
+  - GHSA-m658-p24x-p74r
 credit: Travis Burtrum
-symbols:
-  - Dialer.config
 links:
     pr: https://github.com/mellium/xmpp/pull/260
     commit: https://github.com/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac
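Review bot: The added `ghsas:` block with `GHSA-m658-p24x-p74r` is new advisory data, not a field being moved, and the commit description only mentions folding the package fields into `Packages`. An alias added inside a mechanical migration touching dozens of reports is easy to miss in review, and nothing in this hunk shows it was checked against CVE-2022-24968. I would move it to its own change, or at least name it in the description, e.g. `Also adds the GHSA alias to GO-2021-0321.`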
diff --git a/reports/GO-2021-0356.yaml b/reports/GO-2021-0356.yaml
index 0fd6860..5ef2a11 100644
--- a/reports/GO-2021-0356.yaml
+++ b/reports/GO-2021-0356.yaml
@@ -1,24 +1,25 @@
-module: golang.org/x/crypto
-package: golang.org/x/crypto/ssh
-versions:
-  - fixed: v0.0.0-20220314234659-1baeb1ce4c0b
+packages:
+  - module: golang.org/x/crypto
+    package: golang.org/x/crypto/ssh
+    symbols:
+      - ServerConfig.AddHostKey
+    derived_symbols:
+      - ServerConfig.AddHostKey
+    versions:
+      - fixed: v0.0.0-20220314234659-1baeb1ce4c0b
 description: |
-   Attackers can cause a crash in SSH servers when the server has been
-   configured by passing a Signer to ServerConfig.AddHostKey such that
-    1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and
-    2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its
-     PublicKey method.
+    Attackers can cause a crash in SSH servers when the server has been
+    configured by passing a Signer to ServerConfig.AddHostKey such that
+     1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and
+     2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its
+      PublicKey method.
 
-   Servers that only use Signer implementations provided by the ssh package are
-   unaffected.
+    Servers that only use Signer implementations provided by the ssh package are
+    unaffected.
 cves:
   - CVE-2022-27191
 ghsas:
   - GHSA-8c26-wmh5-6g9v
-symbols:
-  - ServerConfig.AddHostKey
-derived_symbols:
-  - ServerConfig.AddHostKey
 links:
     pr: https://go.dev/cl/392355
     commit: https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d
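Review bot: In the new `packages:` entry, `derived_symbols` lists only `ServerConfig.AddHostKey`, which is already the sole entry under `symbols`. If derived symbols are meant to hold the additional exported callers that reach the vulnerable symbol, this duplicate adds nothing and could be dropped, or left for the tool to regenerate. The duplication is carried over from the old top-level fields, so it is not introduced here. The description change in this hunk appears to be re-indentation only, going from three to four spaces under the `|` block scalar.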
diff --git a/reports/GO-2021-0412.yaml b/reports/GO-2021-0412.yaml
index d769b4d..08c248b 100644
--- a/reports/GO-2021-0412.yaml
+++ b/reports/GO-2021-0412.yaml
@@ -1,7 +1,10 @@
-module: github.com/containerd/imgcrypt
-package: github.com/containerd/imgcrypt/images/encryption
-versions:
-  - fixed: v1.1.4
+packages:
+  - module: github.com/containerd/imgcrypt
+    package: github.com/containerd/imgcrypt/images/encryption
+    symbols:
+      - cryptManifestList
+    versions:
+      - fixed: v1.1.4
 description: |
     The imgcrypt library provides API exensions for containerd to
     support encrypted container images and implements the ctd-decoder
@@ -25,9 +28,9 @@
     different namespaces for each remote user.
 cves:
   - CVE-2022-24778
+ghsas:
+  - GHSA-8v99-48m9-c8pm
 credit: '@dimitar-dimitrow'
-symbols:
-  - cryptManifestList
 links:
     commit: https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9
     context: