Google Git
Sign in
go / vulndb / 9777e1c8cddb0d190405724d91db2599c6896c8e / . / internal / genericosv / testdata / osv / GHSA-wx8q-rgfr-cf6v.json
blob: af5015fbfc216a7340df37dda82b5c84766c6e5b [file] [log] [blame]
{
"schema_version": "1.4.0",
"id": "GHSA-wx8q-rgfr-cf6v",
"modified": "2021-12-10T18:30:24Z",
"published": "2021-11-10T18:20:11Z",
"aliases": [
"CVE-2021-22565"
],
"summary": "Insufficient Granularity of Access Control in github.com/google/exposure-notifications-verification-server",
"details": "### Impact\nUsers or API keys with permission to expire verification codes could have expired codes that belonged to another realm if they guessed the UUID.\n\n### Patches\nv1.1.2+\n\n### Workarounds\nThere are no workarounds, and there are no indications this has been exploited in the wild. Verification codes can only be expired by providing their 64-bit UUID, and verification codes are already valid for a very short period of time (thus the UUID rotates frequently).\n\n### For more information\nContact exposure-notifications-feedback@google.com",
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/google/exposure-notifications-verification-server"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.2"
}
]
}
]
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-wx8q-rgfr-cf6v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22565"
},
{
"type": "PACKAGE",
"url": "https://github.com/google/exposure-notifications-verification-server/"
},
{
"type": "WEB",
"url": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2"
}
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-09T21:03:07Z",
"nvd_published_at": "2021-12-09T13:15:00Z",
"severity": "MODERATE"
}
}