data/reports: withdraw GO-2024-2730

Change-Id: I7ba3565eacd596ce8b962abc3155d428db2b349d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/579736
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-2730.json b/data/osv/GO-2024-2730.json
index de82aa5..f7f8a84 100644
--- a/data/osv/GO-2024-2730.json
+++ b/data/osv/GO-2024-2730.json
@@ -3,11 +3,12 @@
   "id": "GO-2024-2730",
   "modified": "0001-01-01T00:00:00Z",
   "published": "0001-01-01T00:00:00Z",
+  "withdrawn": "2024-04-17T18:06:23Z",
   "related": [
     "CVE-2024-3400"
   ],
-  "summary": "Directory traversal in FilesystemStore in github.com/gorilla/sessions",
-  "details": "FilesystemStore does not sanitize the Session.ID value, making it vulnerable to directory traversal attacks. If an attacker has control over the contents of the session ID, this can be exploited to write to arbitrary files in the filesystem.\n\nPrograms which do not set session IDs explicitly, or which only set session IDs that will not be interpreted by the filesystem, are not vulnerable.",
+  "summary": "WITHDRAWN: Directory traversal in FilesystemStore in github.com/gorilla/sessions",
+  "details": "(This report has been withdrawn on the grounds that it generates too many false positives. Session IDs are documented as not being suitable to hold user-provided data.)\n\nFilesystemStore does not sanitize the Session.ID value, making it vulnerable to directory traversal attacks. If an attacker has control over the contents of the session ID, this can be exploited to write to arbitrary files in the filesystem.\n\nPrograms which do not set session IDs explicitly, or which only set session IDs that will not be interpreted by the filesystem, are not vulnerable.",
   "affected": [
     {
       "package": {
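Review bot: the `"affected"` block at the end of this hunk is left as it was, so the only machine-readable signal of the withdrawal is the new `"withdrawn"` field. Since the stated reason is false positives, it is worth confirming that the scanners consuming this record skip entries with `withdrawn` set; otherwise they will keep matching the package. The context lines also show `"modified": "0001-01-01T00:00:00Z"`; if that value is filled in at publish time, check that it ends up no earlier than the withdrawn timestamp so that clients syncing by modification time pick up the change.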
diff --git a/data/reports/GO-2024-2730.yaml b/data/reports/GO-2024-2730.yaml
index ef88ca9..dc69631 100644
--- a/data/reports/GO-2024-2730.yaml
+++ b/data/reports/GO-2024-2730.yaml
@@ -17,8 +17,13 @@
             - Registry.Save
             - Save
             - Session.Save
-summary: Directory traversal in FilesystemStore in github.com/gorilla/sessions
+summary: 'WITHDRAWN: Directory traversal in FilesystemStore in github.com/gorilla/sessions'
 description: |-
+    (This report has been withdrawn on the grounds that it
+    generates too many false positives. Session IDs are
+    documented as not being suitable to hold user-provided
+    data.)
+
     FilesystemStore does not sanitize the Session.ID value,
     making it vulnerable to directory traversal attacks.
     If an attacker has control over the contents of the session ID,
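Review bot: the parenthetical added at the top of `description` says session IDs are "documented as not being suitable to hold user-provided data" but does not say where. Suggest adding a link to that documentation, in the text or under `references`, so a reader who lands on this report can verify the reason for the withdrawal. Keeping the original vulnerability text below the note is useful for anyone who does pass untrusted input into Session.ID.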
@@ -28,6 +33,7 @@
     Programs which do not set session IDs explicitly,
     or which only set session IDs that will not be
     interpreted by the filesystem, are not vulnerable.
+withdrawn: 2024-04-17T11:06:23-07:00
 related:
     - CVE-2024-3400
 references:
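Review bot: `withdrawn: 2024-04-17T11:06:23-07:00` uses a local -07:00 offset, while the generated OSV file records the same instant as `2024-04-17T18:06:23Z`. Suggest writing the YAML value in UTC as well, so the two files can be compared by eye and the report does not depend on the author's time zone.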