commit b22fdb071dfdf596b2b0f11f6ccf8e7643418eac
author Tatiana Bradley <tatianabradley@google.com> Mon May 20 17:00:19 2024 -0400
committer Tatiana Bradley <tatianabradley@google.com> Tue May 21 15:08:01 2024 +0000
tree 70837b313b4407f61457b807210158565eed32b2
parent d6b915601945f098be2004d8652ef1b4d9fd3278

data/reports: add 2 reports

  - data/reports/GO-2024-2812.yaml
  - data/reports/GO-2024-2813.yaml

Fixes golang/vulndb#2812
Fixes golang/vulndb#2813
Fixes golang/vulndb#2807
Fixes golang/vulndb#2806

Change-Id: Idf3f1c1ae112152dfe7967bb349f9dc9fa10b517
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/586140
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

data/osv/GO-2024-2812.json

diff --git a/data/osv/GO-2024-2812.json b/data/osv/GO-2024-2812.json
new file mode 100644
index 0000000..ed239d8
--- /dev/null
+++ b/data/osv/GO-2024-2812.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2812",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-v84h-653v-4pq9"
+  ],
+  "related": [
+    "GHSA-vhxv-fg4m-p2w8"
+  ],
+  "summary": "Some CORS middleware allow untrusted origins in github.com/jub0bs/fcors",
+  "details": "Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.\n\nFor example, specifying origin patterns \"https://foo.com\" and \"https://bar.com\" (in that order) would yield a middleware that would incorrectly allow untrusted origin \"https://barfoo.com\".",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/jub0bs/fcors",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.9.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/jub0bs/fcors/internal/radix",
+            "symbols": [
+              "Tree.Contains",
+              "Tree.Insert",
+              "lastByteIn",
+              "lengthOfCommonSuffix",
+              "node.add",
+              "splitRight"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/jub0bs/fcors/security/advisories/GHSA-v84h-653v-4pq9"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/jub0bs/fcors/commit/b5dcb889a49def37d7d9c25deb7135f4eb45625e"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2812",
+    "review_status": "REVIEWED"
+  }
+}
\ No newline at end of file

data/osv/GO-2024-2813.json

diff --git a/data/osv/GO-2024-2813.json b/data/osv/GO-2024-2813.json
new file mode 100644
index 0000000..a8b57b0
--- /dev/null
+++ b/data/osv/GO-2024-2813.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2813",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-vhxv-fg4m-p2w8"
+  ],
+  "related": [
+    "GHSA-v84h-653v-4pq9"
+  ],
+  "summary": "Some CORS middleware allow untrusted origins in github.com/jub0bs/cors",
+  "details": "Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.\n\nFor example, specifying origin patterns \"https://foo.com\" and \"https://bar.com\" (in that order) would yield a middleware that would incorrectly allow untrusted origin \"https://barfoo.com\".",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/jub0bs/cors",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.1.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/jub0bs/cors/internal/origins/radix",
+            "symbols": [
+              "Tree.Contains",
+              "Tree.Insert"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/jub0bs/cors/security/advisories/GHSA-vhxv-fg4m-p2w8"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/jub0bs/cors/commit/63900fa1776237095fa0ed47ff85791e21f3a7d7"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2813",
+    "review_status": "REVIEWED"
+  }
+}
\ No newline at end of file

data/reports/GO-2024-2812.yaml

diff --git a/data/reports/GO-2024-2812.yaml b/data/reports/GO-2024-2812.yaml
new file mode 100644
index 0000000..be80ac5
--- /dev/null
+++ b/data/reports/GO-2024-2812.yaml
@@ -0,0 +1,36 @@
+id: GO-2024-2812
+modules:
+    - module: github.com/jub0bs/fcors
+      versions:
+        - fixed: 0.9.0
+      vulnerable_at: 0.8.0
+      packages:
+        - package: github.com/jub0bs/fcors/internal/radix
+          symbols:
+            - splitRight
+            - Tree.Insert
+            - node.add
+            - lengthOfCommonSuffix
+            - lastByteIn
+            - Tree.Contains
+summary: Some CORS middleware allow untrusted origins in github.com/jub0bs/fcors
+description: |-
+    Some CORS middleware (more specifically those created by specifying two or more
+    origin patterns whose hosts share a proper suffix) incorrectly allow some
+    untrusted origins, thereby opening the door to cross-origin attacks from the
+    untrusted origins in question.
+
+    For example, specifying origin patterns "https://foo.com" and "https://bar.com"
+    (in that order) would yield a middleware that would incorrectly allow untrusted
+    origin "https://barfoo.com".
+ghsas:
+    - GHSA-v84h-653v-4pq9
+related:
+    - GHSA-vhxv-fg4m-p2w8
+references:
+    - advisory: https://github.com/jub0bs/fcors/security/advisories/GHSA-v84h-653v-4pq9
+    - fix: https://github.com/jub0bs/fcors/commit/b5dcb889a49def37d7d9c25deb7135f4eb45625e
+source:
+    id: GHSA-v84h-653v-4pq9
+    created: 2024-05-20T16:46:53.091159-04:00
+review_status: REVIEWED

data/reports/GO-2024-2813.yaml

diff --git a/data/reports/GO-2024-2813.yaml b/data/reports/GO-2024-2813.yaml
new file mode 100644
index 0000000..e29186b
--- /dev/null
+++ b/data/reports/GO-2024-2813.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-2813
+modules:
+    - module: github.com/jub0bs/cors
+      versions:
+        - fixed: 0.1.3
+      vulnerable_at: 0.1.2
+      packages:
+        - package: github.com/jub0bs/cors/internal/origins/radix
+          symbols:
+            - Tree.Contains
+            - Tree.Insert
+summary: Some CORS middleware allow untrusted origins in github.com/jub0bs/cors
+description: |-
+    Some CORS middleware (more specifically those created by specifying two or more
+    origin patterns whose hosts share a proper suffix) incorrectly allow some
+    untrusted origins, thereby opening the door to cross-origin attacks from the
+    untrusted origins in question.
+
+    For example, specifying origin patterns "https://foo.com" and "https://bar.com"
+    (in that order) would yield a middleware that would incorrectly allow untrusted
+    origin "https://barfoo.com".
+ghsas:
+    - GHSA-vhxv-fg4m-p2w8
+related:
+    - GHSA-v84h-653v-4pq9
+references:
+    - advisory: https://github.com/jub0bs/cors/security/advisories/GHSA-vhxv-fg4m-p2w8
+    - fix: https://github.com/jub0bs/cors/commit/63900fa1776237095fa0ed47ff85791e21f3a7d7
+source:
+    id: GHSA-vhxv-fg4m-p2w8
+    created: 2024-05-20T16:46:53.79904-04:00
+review_status: REVIEWED