data/reports: add 2 reports
- data/reports/GO-2024-2812.yaml
- data/reports/GO-2024-2813.yaml
Fixes golang/vulndb#2812
Fixes golang/vulndb#2813
Fixes golang/vulndb#2807
Fixes golang/vulndb#2806
Change-Id: Idf3f1c1ae112152dfe7967bb349f9dc9fa10b517
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/586140
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2024-2812.json b/data/osv/GO-2024-2812.json
new file mode 100644
index 0000000..ed239d8
--- /dev/null
+++ b/data/osv/GO-2024-2812.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2812",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-v84h-653v-4pq9"
+ ],
+ "related": [
+ "GHSA-vhxv-fg4m-p2w8"
+ ],
+ "summary": "Some CORS middleware allow untrusted origins in github.com/jub0bs/fcors",
+ "details": "Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.\n\nFor example, specifying origin patterns \"https://foo.com\" and \"https://bar.com\" (in that order) would yield a middleware that would incorrectly allow untrusted origin \"https://barfoo.com\".",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/jub0bs/fcors",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.9.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/jub0bs/fcors/internal/radix",
+ "symbols": [
+ "Tree.Contains",
+ "Tree.Insert",
+ "lastByteIn",
+ "lengthOfCommonSuffix",
+ "node.add",
+ "splitRight"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/jub0bs/fcors/security/advisories/GHSA-v84h-653v-4pq9"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/jub0bs/fcors/commit/b5dcb889a49def37d7d9c25deb7135f4eb45625e"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2812",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2813.json b/data/osv/GO-2024-2813.json
new file mode 100644
index 0000000..a8b57b0
--- /dev/null
+++ b/data/osv/GO-2024-2813.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2813",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-vhxv-fg4m-p2w8"
+ ],
+ "related": [
+ "GHSA-v84h-653v-4pq9"
+ ],
+ "summary": "Some CORS middleware allow untrusted origins in github.com/jub0bs/cors",
+ "details": "Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.\n\nFor example, specifying origin patterns \"https://foo.com\" and \"https://bar.com\" (in that order) would yield a middleware that would incorrectly allow untrusted origin \"https://barfoo.com\".",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/jub0bs/cors",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.1.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/jub0bs/cors/internal/origins/radix",
+ "symbols": [
+ "Tree.Contains",
+ "Tree.Insert"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/jub0bs/cors/security/advisories/GHSA-vhxv-fg4m-p2w8"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/jub0bs/cors/commit/63900fa1776237095fa0ed47ff85791e21f3a7d7"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2813",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2812.yaml b/data/reports/GO-2024-2812.yaml
new file mode 100644
index 0000000..be80ac5
--- /dev/null
+++ b/data/reports/GO-2024-2812.yaml
@@ -0,0 +1,36 @@
+id: GO-2024-2812
+modules:
+ - module: github.com/jub0bs/fcors
+ versions:
+ - fixed: 0.9.0
+ vulnerable_at: 0.8.0
+ packages:
+ - package: github.com/jub0bs/fcors/internal/radix
+ symbols:
+ - splitRight
+ - Tree.Insert
+ - node.add
+ - lengthOfCommonSuffix
+ - lastByteIn
+ - Tree.Contains
+summary: Some CORS middleware allow untrusted origins in github.com/jub0bs/fcors
+description: |-
+ Some CORS middleware (more specifically those created by specifying two or more
+ origin patterns whose hosts share a proper suffix) incorrectly allow some
+ untrusted origins, thereby opening the door to cross-origin attacks from the
+ untrusted origins in question.
+
+ For example, specifying origin patterns "https://foo.com" and "https://bar.com"
+ (in that order) would yield a middleware that would incorrectly allow untrusted
+ origin "https://barfoo.com".
+ghsas:
+ - GHSA-v84h-653v-4pq9
+related:
+ - GHSA-vhxv-fg4m-p2w8
+references:
+ - advisory: https://github.com/jub0bs/fcors/security/advisories/GHSA-v84h-653v-4pq9
+ - fix: https://github.com/jub0bs/fcors/commit/b5dcb889a49def37d7d9c25deb7135f4eb45625e
+source:
+ id: GHSA-v84h-653v-4pq9
+ created: 2024-05-20T16:46:53.091159-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-2813.yaml b/data/reports/GO-2024-2813.yaml
new file mode 100644
index 0000000..e29186b
--- /dev/null
+++ b/data/reports/GO-2024-2813.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-2813
+modules:
+ - module: github.com/jub0bs/cors
+ versions:
+ - fixed: 0.1.3
+ vulnerable_at: 0.1.2
+ packages:
+ - package: github.com/jub0bs/cors/internal/origins/radix
+ symbols:
+ - Tree.Contains
+ - Tree.Insert
+summary: Some CORS middleware allow untrusted origins in github.com/jub0bs/cors
+description: |-
+ Some CORS middleware (more specifically those created by specifying two or more
+ origin patterns whose hosts share a proper suffix) incorrectly allow some
+ untrusted origins, thereby opening the door to cross-origin attacks from the
+ untrusted origins in question.
+
+ For example, specifying origin patterns "https://foo.com" and "https://bar.com"
+ (in that order) would yield a middleware that would incorrectly allow untrusted
+ origin "https://barfoo.com".
+ghsas:
+ - GHSA-vhxv-fg4m-p2w8
+related:
+ - GHSA-v84h-653v-4pq9
+references:
+ - advisory: https://github.com/jub0bs/cors/security/advisories/GHSA-vhxv-fg4m-p2w8
+ - fix: https://github.com/jub0bs/cors/commit/63900fa1776237095fa0ed47ff85791e21f3a7d7
+source:
+ id: GHSA-vhxv-fg4m-p2w8
+ created: 2024-05-20T16:46:53.79904-04:00
+review_status: REVIEWED