blob: 0d86429cd4b1374210fed0f82a93e8ec55f38567 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2022-0470",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-07-15T23:29:55Z",
"aliases": [
"CVE-2022-31022",
"GHSA-9w9f-6mg8-jp7w"
],
"summary": "No access control in github.com/blevesearch/bleve and bleve/v2",
"details": "HTTP handlers provide unauthenticated access to the local filesystem.\n\nThe Bleve http package is intended for demonstration purposes and contains no authentication, authorization, or validation of user inputs. Exposing handlers from this package can permit attackers to create files and delete directories.",
"affected": [
{
"package": {
"name": "github.com/blevesearch/bleve",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/blevesearch/bleve/http",
"symbols": [
"AliasHandler.ServeHTTP",
"CreateIndexHandler.ServeHTTP",
"DebugDocumentHandler.ServeHTTP",
"DeleteIndexHandler.ServeHTTP",
"DocCountHandler.ServeHTTP",
"DocDeleteHandler.ServeHTTP",
"DocGetHandler.ServeHTTP",
"DocIndexHandler.ServeHTTP",
"GetIndexHandler.ServeHTTP",
"ListFieldsHandler.ServeHTTP",
"SearchHandler.ServeHTTP"
]
}
]
}
},
{
"package": {
"name": "github.com/blevesearch/bleve/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/blevesearch/bleve/v2/http",
"symbols": [
"AliasHandler.ServeHTTP",
"CreateIndexHandler.ServeHTTP",
"DebugDocumentHandler.ServeHTTP",
"DeleteIndexHandler.ServeHTTP",
"DocCountHandler.ServeHTTP",
"DocDeleteHandler.ServeHTTP",
"DocGetHandler.ServeHTTP",
"DocIndexHandler.ServeHTTP",
"GetIndexHandler.ServeHTTP",
"ListFieldsHandler.ServeHTTP",
"SearchHandler.ServeHTTP"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0470"
}
}