data/reports: add GO-2024-2826.yaml
Aliases: CVE-2024-32886, GHSA-649x-hxfx-57j2
Fixes golang/vulndb#2826
Change-Id: I6ed71a1ba6370f517ae7fdce8eccf608d93db326
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/584257
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-2826.json b/data/osv/GO-2024-2826.json
new file mode 100644
index 0000000..5d80472
--- /dev/null
+++ b/data/osv/GO-2024-2826.json
@@ -0,0 +1,191 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2826",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-32886",
+ "GHSA-649x-hxfx-57j2"
+ ],
+ "summary": "Denial of service attack by triggering unbounded memory usage in vitess.io/vitess",
+ "details": "When executing a query, the vtgate will go into an endless loop that also keeps consuming memory and eventually will OOM. This causes a denial of service.",
+ "affected": [
+ {
+ "package": {
+ "name": "vitess.io/vitess",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.17.7"
+ },
+ {
+ "introduced": "0.18.0"
+ },
+ {
+ "fixed": "0.18.5"
+ },
+ {
+ "introduced": "0.19.0"
+ },
+ {
+ "fixed": "0.19.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "vitess.io/vitess/go/mysql/collations/charset",
+ "symbols": [
+ "Convert",
+ "ConvertFromBinary",
+ "ConvertFromUTF8",
+ "Validate",
+ "convertSlow"
+ ]
+ },
+ {
+ "path": "vitess.io/vitess/go/mysql/collations/charset/unicode",
+ "symbols": [
+ "Charset_ucs2.DecodeRune",
+ "Charset_utf16be.DecodeRune",
+ "Charset_utf16be.EncodeRune",
+ "Charset_utf32.EncodeRune"
+ ]
+ },
+ {
+ "path": "vitess.io/vitess/go/vt/vtgate/evalengine",
+ "symbols": [
+ "Add",
+ "AggregateEvalTypes",
+ "CoerceTo",
+ "CoerceTypes",
+ "Column.Format",
+ "Column.FormatFast",
+ "Comparison.ApplyTinyWeights",
+ "Comparison.Compare",
+ "Comparison.Less",
+ "Comparison.More",
+ "Comparison.Sort",
+ "Comparison.SortResult",
+ "CompiledExpr.Format",
+ "CompiledExpr.FormatFast",
+ "Divide",
+ "EvalResult.MustBoolean",
+ "EvalResult.String",
+ "EvalResult.ToBoolean",
+ "EvalResult.ToBooleanStrict",
+ "EvalResult.TupleValues",
+ "EvalResult.Value",
+ "ExpressionEnv.Evaluate",
+ "ExpressionEnv.EvaluateVM",
+ "FieldResolver.Column",
+ "IntroducerExpr.eval",
+ "Literal.Format",
+ "Literal.FormatFast",
+ "Merger.Init",
+ "Merger.Pop",
+ "Merger.Push",
+ "Multiply",
+ "NewLiteralBinaryFromBit",
+ "NewLiteralDateFromBytes",
+ "NewLiteralDatetimeFromBytes",
+ "NewLiteralDecimalFromBytes",
+ "NewLiteralFloatFromBytes",
+ "NewLiteralIntegralFromBytes",
+ "NewLiteralTimeFromBytes",
+ "NullSafeAdd",
+ "NullsafeCompare",
+ "NullsafeHashcode",
+ "NullsafeHashcode128",
+ "OrderByParams.Compare",
+ "OrderByParams.String",
+ "Sorter.Push",
+ "Sorter.Sorted",
+ "Subtract",
+ "Translate",
+ "TupleBindVariable.Format",
+ "TupleBindVariable.FormatFast",
+ "TupleExpr.Format",
+ "TupleExpr.FormatFast",
+ "UnsupportedCollationError.Error",
+ "UntypedExpr.Compile",
+ "UntypedExpr.Format",
+ "UntypedExpr.FormatFast",
+ "WeightString",
+ "aggregationDecimal.Add",
+ "aggregationDecimal.Max",
+ "aggregationDecimal.Min",
+ "aggregationFloat.Add",
+ "aggregationFloat.Max",
+ "aggregationFloat.Min",
+ "aggregationInt.Add",
+ "aggregationInt.Max",
+ "aggregationInt.Min",
+ "aggregationMinMax.Max",
+ "aggregationMinMax.Min",
+ "aggregationSumAny.Add",
+ "aggregationSumCount.Add",
+ "aggregationUint.Add",
+ "aggregationUint.Max",
+ "aggregationUint.Min",
+ "argError.Error",
+ "assembler.Fn_JSON_KEYS",
+ "assembler.Fn_REGEXP_REPLACE_slow",
+ "assembler.PushLiteral",
+ "astCompiler.translateIntroducerExpr",
+ "errJSONType.Error",
+ "evalBytes.Hash"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/vitessio/vitess/security/advisories/GHSA-649x-hxfx-57j2"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/vitessio/vitess/commit/2fd5ba1dbf6e9b32fdfdaf869d130066b1b5c0df"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/vitessio/vitess/commit/9df4b66550e46b5d7079e21ed0e1b0f49f92b055"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/vitessio/vitess/commit/c46dc5b6a4329a10589ca928392218d96031ac8d"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/vitessio/vitess/commit/d438adf7e34a6cf00fe441db80842ec669a99202"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/convert.go#L73-L79"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/unicode/utf16.go#L69-L71"
+ }
+ ],
+ "credits": [
+ {
+ "name": "@dbussink, @mattrobenolt, and @vmg"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2826"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2826.yaml b/data/reports/GO-2024-2826.yaml
new file mode 100644
index 0000000..05a1899
--- /dev/null
+++ b/data/reports/GO-2024-2826.yaml
@@ -0,0 +1,138 @@
+id: GO-2024-2826
+modules:
+ - module: vitess.io/vitess
+ versions:
+ - fixed: 0.17.7
+ - introduced: 0.18.0
+ fixed: 0.18.5
+ - introduced: 0.19.0
+ fixed: 0.19.4
+ non_go_versions:
+ - fixed: 17.0.7
+ - introduced: 18.0.0
+ fixed: 18.0.5
+ - introduced: 19.0.0
+ fixed: 19.0.4
+ vulnerable_at: 0.19.0
+ packages:
+ - package: vitess.io/vitess/go/mysql/collations/charset
+ symbols:
+ - convertSlow
+ - Validate
+ derived_symbols:
+ - Convert
+ - ConvertFromBinary
+ - ConvertFromUTF8
+ - package: vitess.io/vitess/go/mysql/collations/charset/unicode
+ symbols:
+ - Charset_utf16be.EncodeRune
+ - Charset_utf16be.DecodeRune
+ - Charset_ucs2.DecodeRune
+ - Charset_utf32.EncodeRune
+ - package: vitess.io/vitess/go/vt/vtgate/evalengine
+ symbols:
+ - assembler.Fn_REGEXP_REPLACE_slow
+ - IntroducerExpr.eval
+ - astCompiler.translateIntroducerExpr
+ derived_symbols:
+ - Add
+ - AggregateEvalTypes
+ - CoerceTo
+ - CoerceTypes
+ - Column.Format
+ - Column.FormatFast
+ - Comparison.ApplyTinyWeights
+ - Comparison.Compare
+ - Comparison.Less
+ - Comparison.More
+ - Comparison.Sort
+ - Comparison.SortResult
+ - CompiledExpr.Format
+ - CompiledExpr.FormatFast
+ - Divide
+ - EvalResult.MustBoolean
+ - EvalResult.String
+ - EvalResult.ToBoolean
+ - EvalResult.ToBooleanStrict
+ - EvalResult.TupleValues
+ - EvalResult.Value
+ - ExpressionEnv.Evaluate
+ - ExpressionEnv.EvaluateVM
+ - FieldResolver.Column
+ - Literal.Format
+ - Literal.FormatFast
+ - Merger.Init
+ - Merger.Pop
+ - Merger.Push
+ - Multiply
+ - NewLiteralBinaryFromBit
+ - NewLiteralDateFromBytes
+ - NewLiteralDatetimeFromBytes
+ - NewLiteralDecimalFromBytes
+ - NewLiteralFloatFromBytes
+ - NewLiteralIntegralFromBytes
+ - NewLiteralTimeFromBytes
+ - NullSafeAdd
+ - NullsafeCompare
+ - NullsafeHashcode
+ - NullsafeHashcode128
+ - OrderByParams.Compare
+ - OrderByParams.String
+ - Sorter.Push
+ - Sorter.Sorted
+ - Subtract
+ - Translate
+ - TupleBindVariable.Format
+ - TupleBindVariable.FormatFast
+ - TupleExpr.Format
+ - TupleExpr.FormatFast
+ - UnsupportedCollationError.Error
+ - UntypedExpr.Compile
+ - UntypedExpr.Format
+ - UntypedExpr.FormatFast
+ - WeightString
+ - aggregationDecimal.Add
+ - aggregationDecimal.Max
+ - aggregationDecimal.Min
+ - aggregationFloat.Add
+ - aggregationFloat.Max
+ - aggregationFloat.Min
+ - aggregationInt.Add
+ - aggregationInt.Max
+ - aggregationInt.Min
+ - aggregationMinMax.Max
+ - aggregationMinMax.Min
+ - aggregationSumAny.Add
+ - aggregationSumCount.Add
+ - aggregationUint.Add
+ - aggregationUint.Max
+ - aggregationUint.Min
+ - argError.Error
+ - assembler.Fn_JSON_KEYS
+ - assembler.PushLiteral
+ - errJSONType.Error
+ - evalBytes.Hash
+summary: |-
+ Denial of service attack by triggering unbounded memory usage in
+ vitess.io/vitess
+description: |-
+ When executing a query, the vtgate will go into an endless
+ loop that also keeps consuming memory and eventually will OOM.
+ This causes a denial of service.
+cves:
+ - CVE-2024-32886
+ghsas:
+ - GHSA-649x-hxfx-57j2
+credits:
+ - '@dbussink, @mattrobenolt, and @vmg'
+references:
+ - advisory: https://github.com/vitessio/vitess/security/advisories/GHSA-649x-hxfx-57j2
+ - fix: https://github.com/vitessio/vitess/commit/2fd5ba1dbf6e9b32fdfdaf869d130066b1b5c0df
+ - fix: https://github.com/vitessio/vitess/commit/9df4b66550e46b5d7079e21ed0e1b0f49f92b055
+ - fix: https://github.com/vitessio/vitess/commit/c46dc5b6a4329a10589ca928392218d96031ac8d
+ - fix: https://github.com/vitessio/vitess/commit/d438adf7e34a6cf00fe441db80842ec669a99202
+ - web: https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/convert.go#L73-L79
+ - web: https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/unicode/utf16.go#L69-L71
+source:
+ id: GHSA-649x-hxfx-57j2
+ created: 2024-05-10T11:07:07.249403-07:00
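Review bot: The `description:` block says only "When executing a query, the vtgate will go into an endless loop", which does not tell a reader which component is involved, although the report itself localizes it: the listed symbols `convertSlow`, `Validate`, `Charset_utf16be.DecodeRune`, `Charset_ucs2.DecodeRune` and the two `web:` references into go/mysql/collations/charset/convert.go and charset/unicode/utf16.go all point at the charset conversion code. Consider adding one sentence to the description naming that, e.g. `The affected code is the charset conversion logic in vitess.io/vitess/go/mysql/collations/charset and its unicode subpackage, reached through the vtgate evalengine.` so that a triager does not have to infer the entry point from the symbol list. The `versions:` first range omitting `introduced` (encoded as `"introduced": "0"` in the generated OSV file) and the `non_go_versions` mapping of 0.17.7/0.18.5/0.19.4 to 17.0.7/18.0.5/19.0.4 look consistent with each other.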