data/reports/GO-2023-1497.yaml

modules:
  - module: github.com/sylabs/scs-library-client
    versions:
      - fixed: 1.3.4
    vulnerable_at: 1.3.3
    packages:
      - package: github.com/sylabs/scs-library-client/client
        symbols:
          - Client.httpGetRangeRequest
        derived_symbols:
          - Client.ConcurrentDownloadImage
          - Client.UploadImage
  - module: github.com/sylabs/scs-library-client
    versions:
      - introduced: 1.4.0
        fixed: 1.4.2
    vulnerable_at: 1.4.1
    packages:
      - package: github.com/sylabs/scs-library-client/client
        symbols:
          - Client.legacyDownloadImage
        derived_symbols:
          - Client.ConcurrentDownloadImage
description: |
    When the scs-library-client is used to pull a container image, with
    authentication, the HTTP Authorization header sent by the client to the library
    service may be incorrectly leaked to an S3 backing storage provider.
cves:
  - CVE-2022-23538
ghsas:
  - GHSA-7p8m-22h4-9pj7
references:
  - fix: https://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa
  - fix: https://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c