data: update reports for OSV schema changes
Change-Id: I381c0225514627719d103395580f3b2d8d8efc2d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/424899
Reviewed-by: Julie Qiu <julieqiu@google.com>
diff --git a/data/reports/GO-2020-0001.yaml b/data/reports/GO-2020-0001.yaml
index 0e6dc13..f3be9e9 100644
--- a/data/reports/GO-2020-0001.yaml
+++ b/data/reports/GO-2020-0001.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/gin-gonic/gin
- symbols:
- - defaultLogFormatter
versions:
- fixed: 1.6.0
+ packages:
+ - package: github.com/gin-gonic/gin
+ symbols:
+ - defaultLogFormatter
description: |
The default Formatter for the Logger middleware (LoggerConfig.Formatter),
which is included in the Default engine, allows attackers to inject arbitrary
@@ -15,7 +17,7 @@
commit: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
cve_metadata:
id: CVE-2020-36567
- cwe: "CWE-117 Improper Output Neutralization for Logs"
+ cwe: CWE-117 Improper Output Neutralization for Logs
description: |
Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0
allows remote attackers to inject arbitrary log lines.
diff --git a/data/reports/GO-2020-0002.yaml b/data/reports/GO-2020-0002.yaml
index c658ed4..5c6a445 100644
--- a/data/reports/GO-2020-0002.yaml
+++ b/data/reports/GO-2020-0002.yaml
@@ -1,7 +1,9 @@
-packages:
+modules:
- module: github.com/proglottis/gpgme
versions:
- fixed: 0.1.1
+ packages:
+ - package: github.com/proglottis/gpgme
description: |
The Data, Context, or Key finalizers might run during or before GPGME
operations. This will release the C structures that are still in use, leading
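Review bot: The added `packages:` entry in this hunk names only `package: github.com/proglottis/gpgme` and carries no `symbols:` list, although the description points at the Data, Context and Key finalizers. If the per-package layout is meant to support symbol-level matching, list the affected symbols here, or state that the whole package is intentionally in scope.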
diff --git a/data/reports/GO-2020-0003.yaml b/data/reports/GO-2020-0003.yaml
index 73e5ada..59ee2bb 100644
--- a/data/reports/GO-2020-0003.yaml
+++ b/data/reports/GO-2020-0003.yaml
@@ -1,7 +1,9 @@
-packages:
+modules:
- module: github.com/revel/revel
versions:
- fixed: 1.0.0
+ packages:
+ - package: github.com/revel/revel
description: |
An attacker can cause an application that accepts slice parameters
(https://revel.github.io/manual/parameters.html#slices) to allocate large
diff --git a/data/reports/GO-2020-0004.yaml b/data/reports/GO-2020-0004.yaml
index 14ec241..9535d68 100644
--- a/data/reports/GO-2020-0004.yaml
+++ b/data/reports/GO-2020-0004.yaml
@@ -1,15 +1,17 @@
-packages:
+modules:
- module: github.com/nanobox-io/golang-nanoauth
- symbols:
- - Auth.ServerHTTP
- - Auth.ListenAndServeTLS
- - Auth.ListenAndServe
- derived_symbols:
- - ListenAndServe
- - ListenAndServeTLS
versions:
- introduced: 0.0.0-20160722212129-ac0cc4484ad4
fixed: 0.0.0-20200131131040-063a3fb69896
+ packages:
+ - package: github.com/nanobox-io/golang-nanoauth
+ symbols:
+ - Auth.ServerHTTP
+ - Auth.ListenAndServeTLS
+ - Auth.ListenAndServe
+ derived_symbols:
+ - ListenAndServe
+ - ListenAndServeTLS
description: |
If any of the ListenAndServe functions are called with an empty token,
token authentication is disabled globally for all listeners.
diff --git a/data/reports/GO-2020-0005.yaml b/data/reports/GO-2020-0005.yaml
index 60548c7..5cd02bd 100644
--- a/data/reports/GO-2020-0005.yaml
+++ b/data/reports/GO-2020-0005.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: go.etcd.io/etcd
- package: go.etcd.io/etcd/wal
- symbols:
- - WAL.ReadAll
- - decoder.decodeRecord
versions:
- fixed: 0.5.0-alpha.5.0.20200423152442-f4b650b51dc4
+ packages:
+ - package: go.etcd.io/etcd/wal
+ symbols:
+ - WAL.ReadAll
+ - decoder.decodeRecord
description: |
Malformed WALs can be constructed such that WAL.ReadAll can cause attempted
out of bounds reads, or creation of arbitrarily sized slices, which may be used as
diff --git a/data/reports/GO-2020-0006.yaml b/data/reports/GO-2020-0006.yaml
index a87a0de..547d8aa 100644
--- a/data/reports/GO-2020-0006.yaml
+++ b/data/reports/GO-2020-0006.yaml
@@ -1,15 +1,17 @@
-packages:
+modules:
- module: github.com/miekg/dns
- symbols:
- - Server.serveTCP
- derived_symbols:
- - ActivateAndServe
- - ListenAndServe
- - ListenAndServeTLS
- - Server.ActivateAndServe
- - Server.ListenAndServe
versions:
- fixed: 1.0.4-0.20180125103619-43913f2f4fbd
+ packages:
+ - package: github.com/miekg/dns
+ symbols:
+ - Server.serveTCP
+ derived_symbols:
+ - ActivateAndServe
+ - ListenAndServe
+ - ListenAndServeTLS
+ - Server.ActivateAndServe
+ - Server.ListenAndServe
description: |
An attacker may prevent TCP connections to a Server by opening
a connection and leaving it idle, until the connection is closed by
diff --git a/data/reports/GO-2020-0007.yaml b/data/reports/GO-2020-0007.yaml
index b03ce71..de683b3 100644
--- a/data/reports/GO-2020-0007.yaml
+++ b/data/reports/GO-2020-0007.yaml
@@ -1,14 +1,16 @@
-packages:
+modules:
- module: github.com/seccomp/libseccomp-golang
- symbols:
- - ScmpFilter.addRuleGeneric
- derived_symbols:
- - ScmpFilter.AddRule
- - ScmpFilter.AddRuleConditional
- - ScmpFilter.AddRuleConditionalExact
- - ScmpFilter.AddRuleExact
versions:
- fixed: 0.9.1-0.20170424173420-06e7a29f36a3
+ packages:
+ - package: github.com/seccomp/libseccomp-golang
+ symbols:
+ - ScmpFilter.addRuleGeneric
+ derived_symbols:
+ - ScmpFilter.AddRule
+ - ScmpFilter.AddRuleConditional
+ - ScmpFilter.AddRuleConditionalExact
+ - ScmpFilter.AddRuleExact
description: |
Filters containing rules with multiple syscall arguments are improperly
constructed, such that all arguments are required to match rather than
diff --git a/data/reports/GO-2020-0008.yaml b/data/reports/GO-2020-0008.yaml
index e0e59dd..cdd9be7 100644
--- a/data/reports/GO-2020-0008.yaml
+++ b/data/reports/GO-2020-0008.yaml
@@ -1,15 +1,17 @@
-packages:
+modules:
- module: github.com/miekg/dns
- symbols:
- - id
- derived_symbols:
- - Msg.SetAxfr
- - Msg.SetIxfr
- - Msg.SetNotify
- - Msg.SetQuestion
- - Msg.SetUpdate
versions:
- fixed: 1.1.25-0.20191211073109-8ebf2e419df7
+ packages:
+ - package: github.com/miekg/dns
+ symbols:
+ - id
+ derived_symbols:
+ - Msg.SetAxfr
+ - Msg.SetIxfr
+ - Msg.SetNotify
+ - Msg.SetQuestion
+ - Msg.SetUpdate
description: |
DNS message transaction IDs are generated using math/rand which
makes them relatively predictable. This reduces the complexity
diff --git a/data/reports/GO-2020-0009.yaml b/data/reports/GO-2020-0009.yaml
index e0643e1..d08558e 100644
--- a/data/reports/GO-2020-0009.yaml
+++ b/data/reports/GO-2020-0009.yaml
@@ -1,16 +1,41 @@
-packages:
- - module: github.com/square/go-jose
- package: github.com/square/go-jose/cipher
- symbols:
- - cbcAEAD.computeAuthTag
- versions:
- - fixed: 0.0.0-20160903044734-789a4c4bd4c1
+modules:
- module: github.com/square/go-jose
versions:
- fixed: 0.0.0-20160903044734-789a4c4bd4c1
- symbols:
- - JsonWebEncryption.Decrypt
- - JsonWebEncryption.DecryptMulti
+ packages:
+ - package: github.com/square/go-jose/cipher
+ goarch:
+ - "386"
+ - arm
+ - armbe
+ - amd64p32
+ - mips
+ - mipsle
+ - mips64p32
+ - mips64p32le
+ - ppc
+ - riscv
+ - s390
+ - sparc
+ symbols:
+ - cbcAEAD.computeAuthTag
+ - package: github.com/square/go-jose
+ goarch:
+ - "386"
+ - arm
+ - armbe
+ - amd64p32
+ - mips
+ - mipsle
+ - mips64p32
+ - mips64p32le
+ - ppc
+ - riscv
+ - s390
+ - sparc
+ symbols:
+ - JsonWebEncryption.Decrypt
+ - JsonWebEncryption.DecryptMulti
description: |
On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC
with HMAC such that they can control how large the input buffer is when computing
@@ -22,6 +47,10 @@
ghsas:
- GHSA-3fx4-7f69-5mmg
credit: Quan Nguyen from Google's Information Security Engineering Team
+links:
+ commit: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
+ context:
+ - https://www.openwall.com/lists/oss-security/2016/11/03/1
arch:
- "386"
- arm
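Review bot: The top-level `arch:` list kept as context in this hunk now duplicates the `goarch:` lists added under both packages earlier in this file, so the report has three copies of the same twelve architectures. If the new schema reads only the per-package `goarch` field, drop the top-level `arch:` key in this change; if both are still read, a later edit to one copy can silently diverge from the others.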
@@ -35,7 +64,3 @@
- riscv
- s390
- sparc
-links:
- commit: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
- context:
- - https://www.openwall.com/lists/oss-security/2016/11/03/1
diff --git a/data/reports/GO-2020-0010.yaml b/data/reports/GO-2020-0010.yaml
index 4418e91..708ff8c 100644
--- a/data/reports/GO-2020-0010.yaml
+++ b/data/reports/GO-2020-0010.yaml
@@ -1,17 +1,16 @@
-packages:
- - module: github.com/square/go-jose
- package: github.com/square/go-jose/cipher
- symbols:
- - DeriveECDHES
- - ecDecrypterSigner.decryptKey
- - rawJsonWebKey.ecPublicKey
- versions:
- - fixed: 0.0.0-20160831185616-c7581939a365
+modules:
- module: github.com/square/go-jose
versions:
- fixed: 0.0.0-20160831185616-c7581939a365
- symbols:
- - JsonWebEncryption.Decrypt
+ packages:
+ - package: github.com/square/go-jose/cipher
+ symbols:
+ - DeriveECDHES
+ - ecDecrypterSigner.decryptKey
+ - rawJsonWebKey.ecPublicKey
+ - package: github.com/square/go-jose
+ symbols:
+ - JsonWebEncryption.Decrypt
description: |
When using ECDH-ES an attacker can mount an invalid curve attack during
decryption as the supplied public key is not checked to be on the same
diff --git a/data/reports/GO-2020-0011.yaml b/data/reports/GO-2020-0011.yaml
index d9687db..84b67c9 100644
--- a/data/reports/GO-2020-0011.yaml
+++ b/data/reports/GO-2020-0011.yaml
@@ -1,10 +1,12 @@
-packages:
+modules:
- module: github.com/square/go-jose
- symbols:
- - JsonWebEncryption.Decrypt
- - JsonWebSignature.Verify
versions:
- fixed: 0.0.0-20160922232413-2c5656adca99
+ packages:
+ - package: github.com/square/go-jose
+ symbols:
+ - JsonWebEncryption.Decrypt
+ - JsonWebSignature.Verify
description: |
When decrypting JsonWebEncryption objects with multiple recipients
or JsonWebSignature objects with multiple signatures the Decrypt
diff --git a/data/reports/GO-2020-0012.yaml b/data/reports/GO-2020-0012.yaml
index e4f38d4..769a614 100644
--- a/data/reports/GO-2020-0012.yaml
+++ b/data/reports/GO-2020-0012.yaml
@@ -1,14 +1,15 @@
-packages:
+modules:
- module: golang.org/x/crypto
- package: golang.org/x/crypto/ssh
- symbols:
- - parseED25519
- - ed25519PublicKey.Verify
- - parseSKEd25519
- - skEd25519PublicKey.Verify
- - NewPublicKey
versions:
- fixed: 0.0.0-20200220183623-bac4c82f6975
+ packages:
+ - package: golang.org/x/crypto/ssh
+ symbols:
+ - parseED25519
+ - ed25519PublicKey.Verify
+ - parseSKEd25519
+ - skEd25519PublicKey.Verify
+ - NewPublicKey
description: |
An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
key, such that the library will panic when trying to verify a signature
diff --git a/data/reports/GO-2020-0013.yaml b/data/reports/GO-2020-0013.yaml
index 1f8e0be..daacd42 100644
--- a/data/reports/GO-2020-0013.yaml
+++ b/data/reports/GO-2020-0013.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: golang.org/x/crypto
- package: golang.org/x/crypto/ssh
- symbols:
- - NewClientConn
versions:
- fixed: 0.0.0-20170330155735-e4e2799dd7aa
+ packages:
+ - package: golang.org/x/crypto/ssh
+ symbols:
+ - NewClientConn
description: |
By default host key verification is disabled which allows for
man-in-the-middle attacks against SSH clients if
diff --git a/data/reports/GO-2020-0014.yaml b/data/reports/GO-2020-0014.yaml
index 189016d..4c64954 100644
--- a/data/reports/GO-2020-0014.yaml
+++ b/data/reports/GO-2020-0014.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: golang.org/x/net
- package: golang.org/x/net/html
- symbols:
- - inSelectIM
- - inSelectInTableIM
versions:
- fixed: 0.0.0-20190125091013-d26f9f9a57f3
+ packages:
+ - package: golang.org/x/net/html
+ symbols:
+ - inSelectIM
+ - inSelectInTableIM
description: |
html.Parse does not properly handle "select" tags, which can lead
to an infinite loop. If parsing user supplied input, this may be used
diff --git a/data/reports/GO-2020-0015.yaml b/data/reports/GO-2020-0015.yaml
index dca9f35..b5cdfb2 100644
--- a/data/reports/GO-2020-0015.yaml
+++ b/data/reports/GO-2020-0015.yaml
@@ -1,18 +1,16 @@
-packages:
+modules:
- module: golang.org/x/text
- package: golang.org/x/text/encoding/unicode
- symbols:
- - utf16Decoder.Transform
- derived_symbols:
- - bomOverride.Transform
versions:
- fixed: 0.3.3
- - module: golang.org/x/text
- package: golang.org/x/text/transform
- symbols:
- - Transform
- versions:
- - fixed: 0.3.3
+ packages:
+ - package: golang.org/x/text/encoding/unicode
+ symbols:
+ - utf16Decoder.Transform
+ derived_symbols:
+ - bomOverride.Transform
+ - package: golang.org/x/text/transform
+ symbols:
+ - Transform
description: |
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
diff --git a/data/reports/GO-2020-0016.yaml b/data/reports/GO-2020-0016.yaml
index 62308ae..b3cb5b0 100644
--- a/data/reports/GO-2020-0016.yaml
+++ b/data/reports/GO-2020-0016.yaml
@@ -1,13 +1,15 @@
-packages:
+modules:
- module: github.com/ulikunitz/xz
- symbols:
- - readUvarint
- derived_symbols:
- - Reader.Read
- - blockHeader.UnmarshalBinary
- - streamReader.Read
versions:
- fixed: 0.5.8
+ packages:
+ - package: github.com/ulikunitz/xz
+ symbols:
+ - readUvarint
+ derived_symbols:
+ - Reader.Read
+ - blockHeader.UnmarshalBinary
+ - streamReader.Read
description: |
An attacker can construct a series of bytes such that calling
Reader.Read on the bytes could cause an infinite loop. If
diff --git a/data/reports/GO-2020-0017.yaml b/data/reports/GO-2020-0017.yaml
index c5a731e..92ff516 100644
--- a/data/reports/GO-2020-0017.yaml
+++ b/data/reports/GO-2020-0017.yaml
@@ -1,14 +1,18 @@
-packages:
+modules:
- module: github.com/dgrijalva/jwt-go
- symbols:
- - MapClaims.VerifyAudience
versions:
- introduced: 0.0.0-20150717181359-44718f8a89b0
+ packages:
+ - package: github.com/dgrijalva/jwt-go
+ symbols:
+ - MapClaims.VerifyAudience
- module: github.com/dgrijalva/jwt-go/v4
- symbols:
- - MapClaims.VerifyAudience
versions:
- fixed: 4.0.0-preview1
+ packages:
+ - package: github.com/dgrijalva/jwt-go/v4
+ symbols:
+ - MapClaims.VerifyAudience
description: |
If a JWT contains an audience claim with an array of strings, rather
than a single string, and MapClaims.VerifyAudience is called with
diff --git a/data/reports/GO-2020-0018.yaml b/data/reports/GO-2020-0018.yaml
index d0651a7..7a47857 100644
--- a/data/reports/GO-2020-0018.yaml
+++ b/data/reports/GO-2020-0018.yaml
@@ -1,17 +1,19 @@
-packages:
+modules:
- module: github.com/satori/go.uuid
- symbols:
- - NewV1
- - NewV4
- - rfc4122Generator.getClockSequence
- - rfc4122Generator.getHardwareAddr
- derived_symbols:
- - NewV2
- - rfc4122Generator.NewV1
- - rfc4122Generator.NewV2
versions:
- fixed: 1.2.1-0.20181016170032-d91630c85102
vulnerable_at: 1.2.1-0.20180103161547-0ef6afb2f6cd
+ packages:
+ - package: github.com/satori/go.uuid
+ symbols:
+ - NewV1
+ - NewV4
+ - rfc4122Generator.getClockSequence
+ - rfc4122Generator.getHardwareAddr
+ derived_symbols:
+ - NewV2
+ - rfc4122Generator.NewV1
+ - rfc4122Generator.NewV2
description: |
UUIDs generated using NewV1 and NewV4 may not read the expected
number of random bytes. These UUIDs may contain a significantly smaller
diff --git a/data/reports/GO-2020-0019.yaml b/data/reports/GO-2020-0019.yaml
index 403c2e7..136ba96 100644
--- a/data/reports/GO-2020-0019.yaml
+++ b/data/reports/GO-2020-0019.yaml
@@ -1,31 +1,33 @@
-packages:
+modules:
- module: github.com/gorilla/websocket
- symbols:
- - Conn.advanceFrame
- - messageReader.Read
- derived_symbols:
- - Conn.Close
- - Conn.NextReader
- - Conn.ReadJSON
- - Conn.ReadMessage
- - Conn.WriteJSON
- - Conn.WritePreparedMessage
- - Dialer.Dial
- - Dialer.DialContext
- - NewClient
- - NewPreparedMessage
- - ReadJSON
- - Subprotocols
- - Upgrade
- - Upgrader.Upgrade
- - WriteJSON
- - httpProxyDialer.Dial
- - netDialerFunc.Dial
- - proxy_direct.Dial
- - proxy_envOnce.Get
- - proxy_socks5.Dial
versions:
- fixed: 1.4.1
+ packages:
+ - package: github.com/gorilla/websocket
+ symbols:
+ - Conn.advanceFrame
+ - messageReader.Read
+ derived_symbols:
+ - Conn.Close
+ - Conn.NextReader
+ - Conn.ReadJSON
+ - Conn.ReadMessage
+ - Conn.WriteJSON
+ - Conn.WritePreparedMessage
+ - Dialer.Dial
+ - Dialer.DialContext
+ - NewClient
+ - NewPreparedMessage
+ - ReadJSON
+ - Subprotocols
+ - Upgrade
+ - Upgrader.Upgrade
+ - WriteJSON
+ - httpProxyDialer.Dial
+ - netDialerFunc.Dial
+ - proxy_direct.Dial
+ - proxy_envOnce.Get
+ - proxy_socks5.Dial
description: |
An attacker can craft malicious WebSocket frames that cause an integer
overflow in a variable which tracks the number of bytes remaining. This
diff --git a/data/reports/GO-2020-0020.yaml b/data/reports/GO-2020-0020.yaml
index 5c773cc..d0ccac7 100644
--- a/data/reports/GO-2020-0020.yaml
+++ b/data/reports/GO-2020-0020.yaml
@@ -1,18 +1,20 @@
-packages:
+modules:
- module: github.com/gorilla/handlers
- symbols:
- - cors.ServeHTTP
versions:
- fixed: 1.3.0
+ packages:
+ - package: github.com/gorilla/handlers
+ symbols:
+ - cors.ServeHTTP
description: |
Usage of the CORS handler may apply improper CORS headers, allowing
the requester to explicitly control the value of the Access-Control-Allow-Origin
header, which bypasses the expected behavior of the Same Origin Policy.
published: 2021-04-14T20:04:52Z
credit: Evan J Johnson
-cve_metadata:
- id: CVE-2017-20146
- cwe: "CWE 284: Improper Access Control"
links:
pr: https://github.com/gorilla/handlers/pull/116
commit: https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145
+cve_metadata:
+ id: CVE-2017-20146
+ cwe: 'CWE 284: Improper Access Control'
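Review bot: The re-added `cwe:` line at the end of this hunk writes the identifier as `CWE 284:` while GO-2020-0001 in this same change uses `CWE-117` with a hyphen and no colon. Since these lines are being rewritten anyway, normalise them to one form so the field can be parsed or searched consistently. Moving `cve_metadata` below `links` is also unrelated to the `packages` to `modules` rename; a separate change for the key reordering would make the schema migration easier to review.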
diff --git a/data/reports/GO-2020-0021.yaml b/data/reports/GO-2020-0021.yaml
index 9158517..a8a0cb3 100644
--- a/data/reports/GO-2020-0021.yaml
+++ b/data/reports/GO-2020-0021.yaml
@@ -1,11 +1,13 @@
-packages:
+modules:
- module: github.com/gogits/gogs
- symbols:
- - GetIssues
- - SearchRepositoryByName
- - SearchUserByName
versions:
- fixed: 0.5.8
+ packages:
+ - package: github.com/gogits/gogs
+ symbols:
+ - GetIssues
+ - SearchRepositoryByName
+ - SearchUserByName
description: |
Due to improper santization of user input, a number of methods are
vulnerable to SQL injection if used with user input that has not
diff --git a/data/reports/GO-2020-0022.yaml b/data/reports/GO-2020-0022.yaml
index e04796b..b1543bb 100644
--- a/data/reports/GO-2020-0022.yaml
+++ b/data/reports/GO-2020-0022.yaml
@@ -1,19 +1,21 @@
-packages:
+modules:
- module: github.com/cloudflare/golz4
- symbols:
- - Uncompress
versions:
- fixed: 0.0.0-20140711154735-199f5f787806
+ packages:
+ - package: github.com/cloudflare/golz4
+ symbols:
+ - Uncompress
description: |
LZ4 bindings use a deprecated C API that is vulnerable to
memory corruption, which could lead to arbitrary code execution
if called with untrusted user input.
published: 2021-04-14T20:04:52Z
credit: Yann Collet
-cve_metadata:
- id: CVE-2014-125026
- cwe: "CWE 94: Improper Control of Generation of Code ('Code Injection')"
links:
commit: https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898
context:
- https://github.com/cloudflare/golz4/issues/5
+cve_metadata:
+ id: CVE-2014-125026
+ cwe: 'CWE 94: Improper Control of Generation of Code (''Code Injection'')'
diff --git a/data/reports/GO-2020-0023.yaml b/data/reports/GO-2020-0023.yaml
index 20e6434..dda67f0 100644
--- a/data/reports/GO-2020-0023.yaml
+++ b/data/reports/GO-2020-0023.yaml
@@ -1,19 +1,21 @@
-packages:
+modules:
- module: github.com/robbert229/jwt
- symbols:
- - Algorithm.validateSignature
versions:
- fixed: 0.0.0-20170426191122-ca1404ee6e83
+ packages:
+ - package: github.com/robbert229/jwt
+ symbols:
+ - Algorithm.validateSignature
description: |
Token validation methods are susceptible to a timing side-channel
during HMAC comparison. With a large enough number of requests
over a low latency connection, an attacker may use this to determine
the expected HMAC.
published: 2021-04-14T20:04:52Z
-cve_metadata:
- id: CVE-2015-10004
- cwe: "CWE 208: Information Exposure Through Timing Discrepancy"
links:
commit: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
context:
- https://github.com/robbert229/jwt/issues/12
+cve_metadata:
+ id: CVE-2015-10004
+ cwe: 'CWE 208: Information Exposure Through Timing Discrepancy'
diff --git a/data/reports/GO-2020-0024.yaml b/data/reports/GO-2020-0024.yaml
index d63d1a6..e146a15 100644
--- a/data/reports/GO-2020-0024.yaml
+++ b/data/reports/GO-2020-0024.yaml
@@ -1,25 +1,27 @@
-packages:
+modules:
- module: github.com/btcsuite/go-socks
- package: github.com/btcsuite/go-socks/socks
- symbols:
- - proxiedConn.LocalAddr
- - proxiedConn.RemoteAddr
versions:
- fixed: 0.0.0-20130808000456-233bccbb1abe
+ packages:
+ - package: github.com/btcsuite/go-socks/socks
+ symbols:
+ - proxiedConn.LocalAddr
+ - proxiedConn.RemoteAddr
- module: github.com/btcsuitereleases/go-socks
- package: github.com/btcsuitereleases/go-socks/socks
- symbols:
- - proxiedConn.LocalAddr
- - proxiedConn.RemoteAddr
versions:
- fixed: 0.0.0-20130808000456-233bccbb1abe
+ packages:
+ - package: github.com/btcsuitereleases/go-socks/socks
+ symbols:
+ - proxiedConn.LocalAddr
+ - proxiedConn.RemoteAddr
description: |
The RemoteAddr and LocalAddr methods on the returned net.Conn may
call themselves, leading to an infinite loop which will crash the
program due to a stack overflow.
published: 2021-04-14T20:04:52Z
-cve_metadata:
- id: CVE-2013-10005
- cwe: "CWE 400: Uncontrolled Resource Consumption"
links:
commit: https://github.com/btcsuite/go-socks/commit/233bccbb1abe02f05750f7ace66f5bffdb13defc
+cve_metadata:
+ id: CVE-2013-10005
+ cwe: 'CWE 400: Uncontrolled Resource Consumption'
diff --git a/data/reports/GO-2020-0025.yaml b/data/reports/GO-2020-0025.yaml
index 380d701..9941e18 100644
--- a/data/reports/GO-2020-0025.yaml
+++ b/data/reports/GO-2020-0025.yaml
@@ -1,25 +1,29 @@
-packages:
+modules:
- module: github.com/cloudfoundry/archiver
- symbols:
- - tgzExtractor.Extract
- - zipExtractor.Extract
versions:
- fixed: 0.0.0-20180523222229-09b5706aa936
+ packages:
+ - package: github.com/cloudfoundry/archiver
+ symbols:
+ - tgzExtractor.Extract
+ - zipExtractor.Extract
- module: code.cloudfoundry.org/archiver
- symbols:
- - tgzExtractor.Extract
- - zipExtractor.Extract
versions:
- fixed: 0.0.0-20180523222229-09b5706aa936
+ packages:
+ - package: code.cloudfoundry.org/archiver
+ symbols:
+ - tgzExtractor.Extract
+ - zipExtractor.Extract
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
target directory.
published: 2021-04-14T20:04:52Z
-cve_metadata:
- id: CVE-2018-25046
- cwe: 'CWE 29: Path Traversal: "\..\filename"'
links:
commit: https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840
context:
- https://snyk.io/research/zip-slip-vulnerability
+cve_metadata:
+ id: CVE-2018-25046
+ cwe: 'CWE 29: Path Traversal: "\..\filename"'
diff --git a/data/reports/GO-2020-0026.yaml b/data/reports/GO-2020-0026.yaml
index 02e53f7..5e71073 100644
--- a/data/reports/GO-2020-0026.yaml
+++ b/data/reports/GO-2020-0026.yaml
@@ -1,15 +1,16 @@
-packages:
+modules:
- module: github.com/openshift/source-to-image
- package: github.com/openshift/source-to-image/pkg/tar
- symbols:
- - stiTar.ExtractTarStreamFromTarReader
- - stiTar.extractLink
- - New
- derived_symbols:
- - stiTar.ExtractTarStream
- - stiTar.ExtractTarStreamWithLogging
versions:
- fixed: 1.1.10-0.20180427153919-f5cbcbc5cc6f
+ packages:
+ - package: github.com/openshift/source-to-image/pkg/tar
+ symbols:
+ - stiTar.ExtractTarStreamFromTarReader
+ - stiTar.extractLink
+ - New
+ derived_symbols:
+ - stiTar.ExtractTarStream
+ - stiTar.ExtractTarStreamWithLogging
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
diff --git a/data/reports/GO-2020-0027.yaml b/data/reports/GO-2020-0027.yaml
index b01239e..470e262 100644
--- a/data/reports/GO-2020-0027.yaml
+++ b/data/reports/GO-2020-0027.yaml
@@ -1,18 +1,16 @@
-packages:
+modules:
- module: github.com/google/fscrypt
- package: github.com/google/fscrypt/pam
- symbols:
- - NewHandle
- - SetProcessPrivileges
- - Handle.StopAsPamUser
versions:
- fixed: 0.2.4
- - module: github.com/google/fscrypt
- package: github.com/google/fscrypt/security
- symbols:
- - UserKeyringID
- versions:
- - fixed: 0.2.4
+ packages:
+ - package: github.com/google/fscrypt/pam
+ symbols:
+ - NewHandle
+ - SetProcessPrivileges
+ - Handle.StopAsPamUser
+ - package: github.com/google/fscrypt/security
+ symbols:
+ - UserKeyringID
description: |
After dropping and then elevating process privileges euid, guid, and groups
are not properly restored to their original values, allowing an unprivileged
diff --git a/data/reports/GO-2020-0028.yaml b/data/reports/GO-2020-0028.yaml
index 12484cf..c90aed5 100644
--- a/data/reports/GO-2020-0028.yaml
+++ b/data/reports/GO-2020-0028.yaml
@@ -1,12 +1,14 @@
-packages:
+modules:
- module: github.com/miekg/dns
- symbols:
- - setTA
- derived_symbols:
- - ParseZone
- - ReadRR
versions:
- fixed: 1.0.10
+ packages:
+ - package: github.com/miekg/dns
+ symbols:
+ - setTA
+ derived_symbols:
+ - ParseZone
+ - ReadRR
description: |
Due to a nil pointer dereference, parsing a malformed zone file
containing TA records may cause a panic. If parsing user supplied
diff --git a/data/reports/GO-2020-0029.yaml b/data/reports/GO-2020-0029.yaml
index 612378d..169943e 100644
--- a/data/reports/GO-2020-0029.yaml
+++ b/data/reports/GO-2020-0029.yaml
@@ -1,17 +1,19 @@
-packages:
+modules:
- module: github.com/gin-gonic/gin
- symbols:
- - Context.ClientIP
versions:
- fixed: 0.0.0-20141229113116-0099840c98ae
+ packages:
+ - package: github.com/gin-gonic/gin
+ symbols:
+ - Context.ClientIP
description: |
Due to improper HTTP header santization, a malicious user can spoof their
source IP address by setting the X-Forwarded-For header. This may allow
a user to bypass IP based restrictions, or obfuscate their true source.
published: 2021-04-14T20:04:52Z
-credit: '@nl5887'
cves:
- CVE-2020-28483
+credit: '@nl5887'
links:
pr: https://github.com/gin-gonic/gin/pull/182
commit: https://github.com/gin-gonic/gin/commit/0099840c98ae1473c5ff0f18bc93a8e13ceed829
diff --git a/data/reports/GO-2020-0031.yaml b/data/reports/GO-2020-0031.yaml
index b3ebb00..57840c8 100644
--- a/data/reports/GO-2020-0031.yaml
+++ b/data/reports/GO-2020-0031.yaml
@@ -1,7 +1,9 @@
-packages:
+modules:
- module: github.com/proglottis/gpgme
versions:
- fixed: 0.1.1
+ packages:
+ - package: github.com/proglottis/gpgme
description: |
Due to improper setting of finalizers, memory passed to C may be freed before it is used,
leading to crashes due to memory corruption or possible code execution.
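Review bot: After this hunk the report has the same module, the same `fixed: 0.1.1` and the same bare `package: github.com/proglottis/gpgme` entry as GO-2020-0002 earlier in this change, and both descriptions concern finalizers releasing memory that C code still uses. Please confirm these are two distinct issues; if they are not, one report should reference or give way to the other rather than both being migrated as is.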
diff --git a/data/reports/GO-2020-0032.yaml b/data/reports/GO-2020-0032.yaml
index 0e21ac3..46bb011 100644
--- a/data/reports/GO-2020-0032.yaml
+++ b/data/reports/GO-2020-0032.yaml
@@ -1,19 +1,25 @@
-packages:
+modules:
- module: github.com/goadesign/goa
- symbols:
- - Controller.FileHandler
versions:
- fixed: 1.4.3
+ packages:
+ - package: github.com/goadesign/goa
+ symbols:
+ - Controller.FileHandler
- module: goa.design/goa
- symbols:
- - Controller.FileHandler
versions:
- fixed: 1.4.3
+ packages:
+ - package: goa.design/goa
+ symbols:
+ - Controller.FileHandler
- module: goa.design/goa/v3
- symbols:
- - Controller.FileHandler
versions:
- fixed: 3.0.9
+ packages:
+ - package: goa.design/goa/v3
+ symbols:
+ - Controller.FileHandler
description: |
Due to improper santization of user input, Controller.FileHandler allows
for directory traversal, allowing an attacker to read files outside of
@@ -25,7 +31,8 @@
commit: https://github.com/goadesign/goa/commit/70b5a199d0f813d74423993832c424e1fc73fb39
cve_metadata:
id: CVE-2019-25073
- cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory('Path Traversal')"
+ cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory(''Path
+ Traversal'')'
description: |
Improper path santiziation in github.com/goadesign/goa before v3.0.9, v2.0.10, or
v1.4.3 allow remote attackers to read files outside of the intended directory.
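Review bot: The rewritten `cwe:` value under `cve_metadata` is now split across two lines inside a single-quoted scalar, with the inner quotes escaped as `''`. YAML folds that line break to a single space, so the value is unchanged, but it is harder to read and to grep than the one-line double-quoted form it replaces. If this comes from the tool that regenerated the reports, consider raising its line width so short metadata strings stay on one line.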
diff --git a/data/reports/GO-2020-0033.yaml b/data/reports/GO-2020-0033.yaml
index 7e0ac73..ea1d64d 100644
--- a/data/reports/GO-2020-0033.yaml
+++ b/data/reports/GO-2020-0033.yaml
@@ -1,24 +1,26 @@
-packages:
+modules:
- module: aahframe.work
- symbols:
- - HTTPEngine.Handle
- derived_symbols:
- - Application.Run
- - Application.ServeHTTP
- - Application.Start
versions:
- fixed: 0.12.4
+ packages:
+ - package: aahframe.work
+ symbols:
+ - HTTPEngine.Handle
+ derived_symbols:
+ - Application.Run
+ - Application.ServeHTTP
+ - Application.Start
description: |
Due to improper santization of user input, HTTPEngine.Handle allows
for directory traversal, allowing an attacker to read files outside of
the target directory that the server has permission to read.
published: 2021-04-14T20:04:52Z
credit: '@snyff'
-cve_metadata:
- id: CVE-2020-36559
- cwe: "CWE 23: Relative Path Traversal"
links:
pr: https://github.com/go-aah/aah/pull/267
commit: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
context:
- https://github.com/go-aah/aah/issues/266
+cve_metadata:
+ id: CVE-2020-36559
+ cwe: 'CWE 23: Relative Path Traversal'
diff --git a/data/reports/GO-2020-0034.yaml b/data/reports/GO-2020-0034.yaml
index 0c3e0ef..a879c73 100644
--- a/data/reports/GO-2020-0034.yaml
+++ b/data/reports/GO-2020-0034.yaml
@@ -1,19 +1,21 @@
-packages:
+modules:
- module: github.com/artdarek/go-unzip
- symbols:
- - Unzip.Extract
versions:
- fixed: 1.0.0
+ packages:
+ - package: github.com/artdarek/go-unzip
+ symbols:
+ - Unzip.Extract
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
target directory.
published: 2021-04-14T20:04:52Z
-cve_metadata:
- id: CVE-2020-36560
- cwe: 'CWE 29: Path Traversal: "\..\filename"'
links:
pr: https://github.com/artdarek/go-unzip/pull/2
commit: https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0
context:
- https://snyk.io/research/zip-slip-vulnerability
+cve_metadata:
+ id: CVE-2020-36560
+ cwe: 'CWE 29: Path Traversal: "\..\filename"'
diff --git a/data/reports/GO-2020-0035.yaml b/data/reports/GO-2020-0035.yaml
index 717aa46..16e55b4 100644
--- a/data/reports/GO-2020-0035.yaml
+++ b/data/reports/GO-2020-0035.yaml
@@ -1,19 +1,21 @@
-packages:
+modules:
- module: github.com/yi-ge/unzip
- symbols:
- - Unzip.Extract
versions:
- fixed: 1.0.3-0.20200308084313-2adbaa4891b9
+ packages:
+ - package: github.com/yi-ge/unzip
+ symbols:
+ - Unzip.Extract
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
target directory.
published: 2021-04-14T20:04:52Z
-cve_metadata:
- id: CVE-2020-36561
- cwe: 'CWE 29: Path Traversal: "\..\filename"'
links:
pr: https://github.com/yi-ge/unzip/pull/1
commit: https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73
context:
- https://snyk.io/research/zip-slip-vulnerability
+cve_metadata:
+ id: CVE-2020-36561
+ cwe: 'CWE 29: Path Traversal: "\..\filename"'
diff --git a/data/reports/GO-2020-0036.yaml b/data/reports/GO-2020-0036.yaml
index 6c20348..466d8f2 100644
--- a/data/reports/GO-2020-0036.yaml
+++ b/data/reports/GO-2020-0036.yaml
@@ -1,20 +1,24 @@
-packages:
+modules:
- module: gopkg.in/yaml.v2
- symbols:
- - yaml_parser_fetch_more_tokens
- derived_symbols:
- - Decoder.Decode
- - Unmarshal
- - UnmarshalStrict
versions:
- fixed: 2.2.8
+ packages:
+ - package: gopkg.in/yaml.v2
+ symbols:
+ - yaml_parser_fetch_more_tokens
+ derived_symbols:
+ - Decoder.Decode
+ - Unmarshal
+ - UnmarshalStrict
- module: github.com/go-yaml/yaml
- symbols:
- - yaml_parser_fetch_more_tokens
- derived_symbols:
- - Decoder.Decode
- - Unmarshal
- - UnmarshalStrict
+ packages:
+ - package: github.com/go-yaml/yaml
+ symbols:
+ - yaml_parser_fetch_more_tokens
+ derived_symbols:
+ - Decoder.Decode
+ - Unmarshal
+ - UnmarshalStrict
description: |
Due to unbounded aliasing, a crafted YAML file can cause consumption
of significant system resources. If parsing user supplied input, this
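Review bot: The `github.com/go-yaml/yaml` entry at the end of the module list goes straight from `- module:` to `packages:` with no `versions:` block, unlike the `gopkg.in/yaml.v2` entry above it, which has `fixed: 2.2.8`. With no fixed version, tooling that consumes the report has nothing to tell it which releases of that module path are safe. If that is intended, say so in the report; otherwise add the version range while this entry is being restructured.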
diff --git a/data/reports/GO-2020-0037.yaml b/data/reports/GO-2020-0037.yaml
index 094c796..247dffe 100644
--- a/data/reports/GO-2020-0037.yaml
+++ b/data/reports/GO-2020-0037.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/tendermint/tendermint
- package: github.com/tendermint/tendermint/rpc/client
- symbols:
- - makeHTTPClient
versions:
- fixed: 0.31.1
+ packages:
+ - package: github.com/tendermint/tendermint/rpc/client
+ symbols:
+ - makeHTTPClient
description: |
Due to support of Gzip compression in request bodies, as well
as a lack of limiting response body sizes, a malicious server
@@ -12,9 +13,9 @@
resources, which may be used as a denial of service vector.
published: 2021-04-14T20:04:52Z
credit: '@guagualvcha'
-cve_metadata:
- id: CVE-2019-25072
- cwe: "CWE-400: Uncontrolled Resource Consumption"
links:
pr: https://github.com/tendermint/tendermint/pull/3430
commit: https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613
+cve_metadata:
+ id: CVE-2019-25072
+ cwe: 'CWE-400: Uncontrolled Resource Consumption'
diff --git a/data/reports/GO-2020-0038.yaml b/data/reports/GO-2020-0038.yaml
index 1261f53..c2a117c 100644
--- a/data/reports/GO-2020-0038.yaml
+++ b/data/reports/GO-2020-0038.yaml
@@ -1,15 +1,17 @@
-packages:
+modules:
- module: github.com/pion/dtls
- symbols:
- - Conn.handleIncomingPacket
- derived_symbols:
- - Client
- - Dial
- - Listener.Accept
- - Resume
- - Server
versions:
- fixed: 1.5.2
+ packages:
+ - package: github.com/pion/dtls
+ symbols:
+ - Conn.handleIncomingPacket
+ derived_symbols:
+ - Client
+ - Dial
+ - Listener.Accept
+ - Resume
+ - Server
description: |
Due to improper verification of packets, unencrypted packets containing
application data are accepted after the initial handshake. This allows
diff --git a/data/reports/GO-2020-0039.yaml b/data/reports/GO-2020-0039.yaml
index cdb508d..3b021df 100644
--- a/data/reports/GO-2020-0039.yaml
+++ b/data/reports/GO-2020-0039.yaml
@@ -1,15 +1,17 @@
-packages:
+modules:
- module: gopkg.in/macaron.v1
- symbols:
- - staticHandler
- derived_symbols:
- - Context.Next
- - LoggerInvoker.Invoke
- - Macaron.Run
- - Macaron.ServeHTTP
- - Router.ServeHTTP
versions:
- fixed: 1.3.7
+ packages:
+ - package: gopkg.in/macaron.v1
+ symbols:
+ - staticHandler
+ derived_symbols:
+ - Context.Next
+ - LoggerInvoker.Invoke
+ - Macaron.Run
+ - Macaron.ServeHTTP
+ - Router.ServeHTTP
description: |
Due to improper request santization, a specifically crafted URL
can cause the static file handler to redirect to an attacker chosen
diff --git a/data/reports/GO-2020-0040.yaml b/data/reports/GO-2020-0040.yaml
index 97dcf9e..77dba45 100644
--- a/data/reports/GO-2020-0040.yaml
+++ b/data/reports/GO-2020-0040.yaml
@@ -1,13 +1,15 @@
-packages:
+modules:
- module: github.com/shiyanhui/dht
+ packages:
+ - package: github.com/shiyanhui/dht
description: |
Due to unchecked type assertions, maliciously crafted messages can
cause panics, which may be used as a denial of service vector.
published: 2021-04-14T20:04:52Z
credit: '@hMihaiDavid'
-cve_metadata:
- id: CVE-2020-36562
- cwe: "CWE-400: Uncontrolled Resource Consumption"
links:
context:
- https://github.com/shiyanhui/dht/issues/57
+cve_metadata:
+ id: CVE-2020-36562
+ cwe: 'CWE-400: Uncontrolled Resource Consumption'
diff --git a/data/reports/GO-2020-0041.yaml b/data/reports/GO-2020-0041.yaml
index 69fb93f..882a7c3 100644
--- a/data/reports/GO-2020-0041.yaml
+++ b/data/reports/GO-2020-0041.yaml
@@ -1,36 +1,34 @@
-packages:
+modules:
- module: github.com/unknwon/cae
- package: github.com/unknwon/cae/tz
- symbols:
- - TzArchive.syncFiles
- - TzArchive.ExtractToFunc
- derived_symbols:
- - Create
- - ExtractTo
- - Open
- - OpenFile
- - TzArchive.Close
- - TzArchive.ExtractTo
- - TzArchive.Flush
- - TzArchive.Open
versions:
- fixed: 1.0.1
- - module: github.com/unknwon/cae
- package: github.com/unknwon/cae/zip
- symbols:
- - ZipArchive.Open
- - ZipArchive.ExtractToFunc
- derived_symbols:
- - Create
- - ExtractTo
- - ExtractToFunc
- - Open
- - OpenFile
- - ZipArchive.Close
- - ZipArchive.ExtractTo
- - ZipArchive.Flush
- versions:
- - fixed: 1.0.1
+ packages:
+ - package: github.com/unknwon/cae/tz
+ symbols:
+ - TzArchive.syncFiles
+ - TzArchive.ExtractToFunc
+ derived_symbols:
+ - Create
+ - ExtractTo
+ - Open
+ - OpenFile
+ - TzArchive.Close
+ - TzArchive.ExtractTo
+ - TzArchive.Flush
+ - TzArchive.Open
+ - package: github.com/unknwon/cae/zip
+ symbols:
+ - ZipArchive.Open
+ - ZipArchive.ExtractToFunc
+ derived_symbols:
+ - Create
+ - ExtractTo
+ - ExtractToFunc
+ - Open
+ - OpenFile
+ - ZipArchive.Close
+ - ZipArchive.ExtractTo
+ - ZipArchive.Flush
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
diff --git a/data/reports/GO-2020-0042.yaml b/data/reports/GO-2020-0042.yaml
index 38063a3..8bbdffa 100644
--- a/data/reports/GO-2020-0042.yaml
+++ b/data/reports/GO-2020-0042.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/sassoftware/go-rpmutils
- package: github.com/sassoftware/go-rpmutils/cpio
- symbols:
- - Extract
versions:
- fixed: 0.1.0
+ packages:
+ - package: github.com/sassoftware/go-rpmutils/cpio
+ symbols:
+ - Extract
description: |
Due to improper path santization, RPMs containing relative file
paths can cause files to be written (or overwritten) outside of the
diff --git a/data/reports/GO-2020-0043.yaml b/data/reports/GO-2020-0043.yaml
index bed8969..16731ac 100644
--- a/data/reports/GO-2020-0043.yaml
+++ b/data/reports/GO-2020-0043.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: github.com/mholt/caddy
- package: github.com/mholt/caddy/caddyhttp/httpserver
- symbols:
- - httpContext.MakeServers
- - Server.serveHTTP
- - assertConfigsCompatible
versions:
- fixed: 0.10.13
+ packages:
+ - package: github.com/mholt/caddy/caddyhttp/httpserver
+ symbols:
+ - httpContext.MakeServers
+ - Server.serveHTTP
+ - assertConfigsCompatible
description: |
Due to improper TLS verification when serving traffic for multiple
SNIs, an attacker may bypass TLS client authentication by indicating
diff --git a/data/reports/GO-2020-0045.yaml b/data/reports/GO-2020-0045.yaml
index 21f1d16..cf83c76 100644
--- a/data/reports/GO-2020-0045.yaml
+++ b/data/reports/GO-2020-0045.yaml
@@ -1,23 +1,25 @@
-packages:
+modules:
- module: github.com/dinever/golf
- symbols:
- - randomBytes
- derived_symbols:
- - Context.Render
- - Context.RenderFromString
versions:
- fixed: 0.3.0
+ packages:
+ - package: github.com/dinever/golf
+ symbols:
+ - randomBytes
+ derived_symbols:
+ - Context.Render
+ - Context.RenderFromString
description: |
CSRF tokens are generated using math/rand, which is not a cryptographically secure
rander number generation, making predicting their values relatively trivial and
allowing an attacker to bypass CSRF protections which relatively few requests.
published: 2021-04-14T20:04:52Z
credit: '@elithrar'
-cve_metadata:
- id: CVE-2016-15005
- cwe: "CWE 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
links:
pr: https://github.com/dinever/golf/pull/24
commit: https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe
context:
- https://github.com/dinever/golf/issues/20
+cve_metadata:
+ id: CVE-2016-15005
+ cwe: 'CWE 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)'
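Review bot: the description kept as context in this hunk has two typos that change how it reads: "rander number generation" should be "random number generator", and "which relatively few requests" should be "with relatively few requests". This text is published with the report, so it is worth correcting while the file is being touched.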
diff --git a/data/reports/GO-2020-0046.yaml b/data/reports/GO-2020-0046.yaml
index 846f45e..64e2504 100644
--- a/data/reports/GO-2020-0046.yaml
+++ b/data/reports/GO-2020-0046.yaml
@@ -1,17 +1,21 @@
-packages:
+modules:
- module: github.com/russellhaering/goxmldsig
- symbols:
- - ValidationContext.validateSignature
versions:
- fixed: 1.1.0
+ packages:
+ - package: github.com/russellhaering/goxmldsig
+ symbols:
+ - ValidationContext.validateSignature
- module: github.com/russellhaering/gosaml2
- symbols:
- - SAMLServiceProvider.validateAssertionSignatures
- derived_symbols:
- - SAMLServiceProvider.RetrieveAssertionInfo
- - SAMLServiceProvider.ValidateEncodedResponse
versions:
- fixed: 0.6.0
+ packages:
+ - package: github.com/russellhaering/gosaml2
+ symbols:
+ - SAMLServiceProvider.validateAssertionSignatures
+ derived_symbols:
+ - SAMLServiceProvider.RetrieveAssertionInfo
+ - SAMLServiceProvider.ValidateEncodedResponse
description: |
Due to a nil pointer dereference, a malformed XML Digital Signature
can cause a panic during validation. If user supplied signatures are
diff --git a/data/reports/GO-2020-0047.yaml b/data/reports/GO-2020-0047.yaml
index e42a755..dbe34fe 100644
--- a/data/reports/GO-2020-0047.yaml
+++ b/data/reports/GO-2020-0047.yaml
@@ -1,17 +1,19 @@
-packages:
+modules:
- module: github.com/RobotsAndPencils/go-saml
- symbols:
- - AuthnRequest.Validate
- - NewAuthnRequest
- - NewSignedResponse
+ packages:
+ - package: github.com/RobotsAndPencils/go-saml
+ symbols:
+ - AuthnRequest.Validate
+ - NewAuthnRequest
+ - NewSignedResponse
description: |
XML Digital Signatures generated and validated using this package use
SHA-1, which may allow an attacker to craft inputs which cause hash
collisions depending on their control over the input.
published: 2021-04-14T20:04:52Z
-cve_metadata:
- id: CVE-2020-36563
- cwe: "CWE 328: Use of Weak Hash"
links:
context:
- https://github.com/RobotsAndPencils/go-saml/pull/38
+cve_metadata:
+ id: CVE-2020-36563
+ cwe: 'CWE 328: Use of Weak Hash'
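Review bot: the re-added cwe value uses the form "CWE 328:" with a space, while other reports in this same change use a hyphen ("CWE-400: Uncontrolled Resource Consumption" in GO-2020-0037 and GO-2020-0040). The lines are already being rewritten to change the quoting, so consider normalizing the identifier format in the same pass; anything that matches on the CWE ID otherwise has to handle both spellings.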
diff --git a/data/reports/GO-2020-0048.yaml b/data/reports/GO-2020-0048.yaml
index eda959e..60cf4e4 100644
--- a/data/reports/GO-2020-0048.yaml
+++ b/data/reports/GO-2020-0048.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/antchfx/xmlquery
- symbols:
- - LoadURL
versions:
- fixed: 1.3.1
+ packages:
+ - package: github.com/antchfx/xmlquery
+ symbols:
+ - LoadURL
description: |
LoadURL does not check the Content-Type of loaded resources,
which can cause a panic due to nil pointer deference if the loaded
diff --git a/data/reports/GO-2020-0049.yaml b/data/reports/GO-2020-0049.yaml
index 0c61c3b..58b256c 100644
--- a/data/reports/GO-2020-0049.yaml
+++ b/data/reports/GO-2020-0049.yaml
@@ -1,21 +1,23 @@
-packages:
+modules:
- module: github.com/justinas/nosurf
- symbols:
- - VerifyToken
- - verifyToken
- derived_symbols:
- - CSRFHandler.ServeHTTP
versions:
- fixed: 1.1.1
+ packages:
+ - package: github.com/justinas/nosurf
+ symbols:
+ - VerifyToken
+ - verifyToken
+ derived_symbols:
+ - CSRFHandler.ServeHTTP
description: |
Due to improper validation of caller input, validation is silently disabled
if the provided expected token is malformed, causing any user supplied token
to be considered valid.
published: 2021-04-14T20:04:52Z
credit: '@aeneasr'
-cve_metadata:
- id: CVE-2020-36564
- cwe: "CWE 345: Insufficient Verification of Data Authenticity"
links:
pr: https://github.com/justinas/nosurf/pull/60
commit: https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314
+cve_metadata:
+ id: CVE-2020-36564
+ cwe: 'CWE 345: Insufficient Verification of Data Authenticity'
diff --git a/data/reports/GO-2020-0050.yaml b/data/reports/GO-2020-0050.yaml
index f6dbe51..057eea8 100644
--- a/data/reports/GO-2020-0050.yaml
+++ b/data/reports/GO-2020-0050.yaml
@@ -1,12 +1,14 @@
-packages:
+modules:
- module: github.com/russellhaering/goxmldsig
- symbols:
- - ValidationContext.findSignature
- derived_symbols:
- - ValidationContext.Validate
versions:
- fixed: 1.1.0
vulnerable_at: 0.0.0-20200902171629-2e1fbc2c5593
+ packages:
+ - package: github.com/russellhaering/goxmldsig
+ symbols:
+ - ValidationContext.findSignature
+ derived_symbols:
+ - ValidationContext.Validate
description: |
Due to the behavior of encoding/xml, a crafted XML document may cause
XML Digital Signature validation to be entirely bypassed, causing an
diff --git a/data/reports/GO-2021-0051.yaml b/data/reports/GO-2021-0051.yaml
index 3845825..49e9da7 100644
--- a/data/reports/GO-2021-0051.yaml
+++ b/data/reports/GO-2021-0051.yaml
@@ -1,20 +1,25 @@
-packages:
+modules:
- module: github.com/labstack/echo/v4
- symbols:
- - common.static
versions:
- fixed: 4.1.18-0.20201215153152-4422e3b66b9f
+ packages:
+ - package: github.com/labstack/echo/v4
+ goos:
+ - windows
+ symbols:
+ - common.static
description: |
Due to improper sanitization of user input on Windows, the static file handler
allows for directory traversal, allowing an attacker to read files outside of
the target directory that the server has permission to read.
published: 2021-04-14T20:04:52Z
credit: '@little-cui (Apache ServiceComb)'
-cve_metadata:
- id: CVE-2020-36565
- cwe: "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
-os:
- - windows
links:
pr: https://github.com/labstack/echo/pull/1718
commit: https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa
+cve_metadata:
+ id: CVE-2020-36565
+ cwe: 'CWE 22: Improper Limitation of a Pathname to a Restricted Directory (''Path
+ Traversal'')'
+os:
+ - windows
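Review bot: the platform restriction now appears twice in this report: "goos: - windows" is added under the package, and the top-level "os: - windows" is removed only to be re-added at the end of the file. If the new schema reads the platform from the per-package goos field, drop the top-level os key so the two cannot drift apart. Separately, the cwe value is now folded across two lines with doubled single quotes ('' around Path Traversal); the original single-line double-quoted form is easier to read and to grep.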
diff --git a/data/reports/GO-2021-0052.yaml b/data/reports/GO-2021-0052.yaml
index 20b62f1..df84976 100644
--- a/data/reports/GO-2021-0052.yaml
+++ b/data/reports/GO-2021-0052.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/gin-gonic/gin
- symbols:
- - Context.ClientIP
versions:
- fixed: 1.6.3-0.20210406033725-bfc8ca285eb4
+ packages:
+ - package: github.com/gin-gonic/gin
+ symbols:
+ - Context.ClientIP
description: |
Due to improper HTTP header santization, a malicious user can spoof their
source IP address by setting the X-Forwarded-For header. This may allow
diff --git a/data/reports/GO-2021-0053.yaml b/data/reports/GO-2021-0053.yaml
index b424d26..ad232b3 100644
--- a/data/reports/GO-2021-0053.yaml
+++ b/data/reports/GO-2021-0053.yaml
@@ -1,7 +1,9 @@
-packages:
+modules:
- module: github.com/gogo/protobuf
versions:
- fixed: 1.3.2
+ packages:
+ - package: github.com/gogo/protobuf
description: |
Due to improper bounds checking, maliciously crafted input to generated
Unmarshal methods can cause an out-of-bounds panic. If parsing messages
diff --git a/data/reports/GO-2021-0054.yaml b/data/reports/GO-2021-0054.yaml
index f1e8771..3030b05 100644
--- a/data/reports/GO-2021-0054.yaml
+++ b/data/reports/GO-2021-0054.yaml
@@ -1,11 +1,13 @@
-packages:
+modules:
- module: github.com/tidwall/gjson
- symbols:
- - unwrap
- derived_symbols:
- - Result.ForEach
versions:
- fixed: 1.6.6
+ packages:
+ - package: github.com/tidwall/gjson
+ symbols:
+ - unwrap
+ derived_symbols:
+ - Result.ForEach
description: |
Due to improper bounds checking, maliciously crafted JSON objects
can cause an out-of-bounds panic. If parsing user input, this may
diff --git a/data/reports/GO-2021-0057.yaml b/data/reports/GO-2021-0057.yaml
index 9e985a3..7728a6b 100644
--- a/data/reports/GO-2021-0057.yaml
+++ b/data/reports/GO-2021-0057.yaml
@@ -1,30 +1,32 @@
-packages:
+modules:
- module: github.com/buger/jsonparser
- symbols:
- - searchKeys
- derived_symbols:
- - ArrayEach
- - Delete
- - EachKey
- - FuzzDelete
- - FuzzEachKey
- - FuzzGetBoolean
- - FuzzGetFloat
- - FuzzGetInt
- - FuzzGetString
- - FuzzGetUnsafeString
- - FuzzObjectEach
- - FuzzSet
- - Get
- - GetBoolean
- - GetFloat
- - GetInt
- - GetString
- - GetUnsafeString
- - ObjectEach
- - Set
versions:
- fixed: 1.1.1
+ packages:
+ - package: github.com/buger/jsonparser
+ symbols:
+ - searchKeys
+ derived_symbols:
+ - ArrayEach
+ - Delete
+ - EachKey
+ - FuzzDelete
+ - FuzzEachKey
+ - FuzzGetBoolean
+ - FuzzGetFloat
+ - FuzzGetInt
+ - FuzzGetString
+ - FuzzGetUnsafeString
+ - FuzzObjectEach
+ - FuzzSet
+ - Get
+ - GetBoolean
+ - GetFloat
+ - GetInt
+ - GetString
+ - GetUnsafeString
+ - ObjectEach
+ - Set
description: |
Due to improper bounds checking, maliciously crafted JSON objects
can cause an out-of-bounds panic. If parsing user input, this may
diff --git a/data/reports/GO-2021-0058.yaml b/data/reports/GO-2021-0058.yaml
index 86a1a90..941fe79 100644
--- a/data/reports/GO-2021-0058.yaml
+++ b/data/reports/GO-2021-0058.yaml
@@ -1,24 +1,20 @@
-packages:
+modules:
- module: github.com/crewjam/saml
- symbols:
- - IdpAuthnRequest.Validate
- - ServiceProvider.ParseXMLResponse
- - ServiceProvider.ValidateLogoutResponseForm
- - ServiceProvider.ValidateLogoutResponseRedirect
- derived_symbols:
- - IdentityProvider.ServeSSO
- - ServiceProvider.ParseResponse
- - ServiceProvider.ValidateLogoutResponseRequest
versions:
- fixed: 0.4.3
- - module: github.com/crewjam/saml
- package: github.com/crewjam/saml/samlidp
- versions:
- - fixed: 0.4.3
- - module: github.com/crewjam/saml
- package: github.com/crewjam/saml/samlsp
- versions:
- - fixed: 0.4.3
+ packages:
+ - package: github.com/crewjam/saml
+ symbols:
+ - IdpAuthnRequest.Validate
+ - ServiceProvider.ParseXMLResponse
+ - ServiceProvider.ValidateLogoutResponseForm
+ - ServiceProvider.ValidateLogoutResponseRedirect
+ derived_symbols:
+ - IdentityProvider.ServeSSO
+ - ServiceProvider.ParseResponse
+ - ServiceProvider.ValidateLogoutResponseRequest
+ - package: github.com/crewjam/saml/samlidp
+ - package: github.com/crewjam/saml/samlsp
description: |
Due to the behavior of encoding/xml, a crafted XML document may cause
XML Digital Signature validation to be entirely bypassed, causing an
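Review bot: after the three entries are merged, github.com/crewjam/saml/samlidp and github.com/crewjam/saml/samlsp are listed as packages with no symbols, while the root package lists four symbols and three derived symbols. Please confirm that leaving the symbol lists empty for these two packages is intended rather than an artifact of the old per-package entries, and that folding them under the single "fixed: 0.4.3" is equivalent to the three identical versions blocks that were removed.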
diff --git a/data/reports/GO-2021-0059.yaml b/data/reports/GO-2021-0059.yaml
index 5ed5225..ab2c3fa 100644
--- a/data/reports/GO-2021-0059.yaml
+++ b/data/reports/GO-2021-0059.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/tidwall/gjson
- symbols:
- - sqaush
versions:
- fixed: 1.6.4
+ packages:
+ - package: github.com/tidwall/gjson
+ symbols:
+ - sqaush
description: |
Due to improper bounds checking, maliciously crafted JSON objects
can cause an out-of-bounds panic. If parsing user input, this may
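Review bot: the symbol is carried over into the new packages block as "sqaush", which looks like a transposition of "squash". Please check it against the gjson source before merging; a symbol name that does not match the actual function would never be reported by symbol-level analysis.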
diff --git a/data/reports/GO-2021-0060.yaml b/data/reports/GO-2021-0060.yaml
index 2d61ee7..4a44d1e 100644
--- a/data/reports/GO-2021-0060.yaml
+++ b/data/reports/GO-2021-0060.yaml
@@ -1,14 +1,16 @@
-packages:
+modules:
- module: github.com/russellhaering/gosaml2
- symbols:
- - parseResponse
- derived_symbols:
- - SAMLServiceProvider.RetrieveAssertionInfo
- - SAMLServiceProvider.ValidateEncodedLogoutRequestPOST
- - SAMLServiceProvider.ValidateEncodedLogoutResponsePOST
- - SAMLServiceProvider.ValidateEncodedResponse
versions:
- fixed: 0.6.0
+ packages:
+ - package: github.com/russellhaering/gosaml2
+ symbols:
+ - parseResponse
+ derived_symbols:
+ - SAMLServiceProvider.RetrieveAssertionInfo
+ - SAMLServiceProvider.ValidateEncodedLogoutRequestPOST
+ - SAMLServiceProvider.ValidateEncodedLogoutResponsePOST
+ - SAMLServiceProvider.ValidateEncodedResponse
description: |
Due to the behavior of encoding/xml, a crafted XML document may cause
XML Digital Signature validation to be entirely bypassed, causing an
diff --git a/data/reports/GO-2021-0061.yaml b/data/reports/GO-2021-0061.yaml
index de46616..9409125 100644
--- a/data/reports/GO-2021-0061.yaml
+++ b/data/reports/GO-2021-0061.yaml
@@ -1,29 +1,33 @@
-packages:
+modules:
- module: gopkg.in/yaml.v2
- symbols:
- - decoder.unmarshal
- derived_symbols:
- - Decoder.Decode
- - Unmarshal
- - UnmarshalStrict
versions:
- fixed: 2.2.3
+ packages:
+ - package: gopkg.in/yaml.v2
+ symbols:
+ - decoder.unmarshal
+ derived_symbols:
+ - Decoder.Decode
+ - Unmarshal
+ - UnmarshalStrict
- module: github.com/go-yaml/yaml
- symbols:
- - decoder.unmarshal
- derived_symbols:
- - Decoder.Decode
- - Unmarshal
- - UnmarshalStrict
+ packages:
+ - package: github.com/go-yaml/yaml
+ symbols:
+ - decoder.unmarshal
+ derived_symbols:
+ - Decoder.Decode
+ - Unmarshal
+ - UnmarshalStrict
description: |
Due to unbounded alias chasing, a maliciously crafted YAML file
can cause the system to consume significant system resources. If
parsing user input, this may be used as a denial of service vector.
-cve_metadata:
- id: CVE-2021-4235
- cwe: "CWE 400: Uncontrolled Resource Consumption"
published: 2021-04-14T20:04:52Z
credit: '@simonferquel'
links:
pr: https://github.com/go-yaml/yaml/pull/375
commit: https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
+cve_metadata:
+ id: CVE-2021-4235
+ cwe: 'CWE 400: Uncontrolled Resource Consumption'
diff --git a/data/reports/GO-2021-0063.yaml b/data/reports/GO-2021-0063.yaml
index 618b6a1..7109bbb 100644
--- a/data/reports/GO-2021-0063.yaml
+++ b/data/reports/GO-2021-0063.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: github.com/ethereum/go-ethereum
- package: github.com/ethereum/go-ethereum/les
- symbols:
- - serverHandler.handleMsg
- derived_symbols:
- - PrivateLightServerAPI.Benchmark
versions:
- fixed: 1.9.25
+ packages:
+ - package: github.com/ethereum/go-ethereum/les
+ symbols:
+ - serverHandler.handleMsg
+ derived_symbols:
+ - PrivateLightServerAPI.Benchmark
description: |
Due to a nil pointer dereference, a malicously crafted RPC message
can cause a panic. If handling RPC messages from untrusted clients,
diff --git a/data/reports/GO-2021-0064.yaml b/data/reports/GO-2021-0064.yaml
index 094502a..c3c009f 100644
--- a/data/reports/GO-2021-0064.yaml
+++ b/data/reports/GO-2021-0064.yaml
@@ -1,16 +1,18 @@
-packages:
+modules:
- module: k8s.io/client-go
- package: k8s.io/client-go/transport
- symbols:
- - requestInfo.toCurl
versions:
- fixed: 0.20.0-alpha.2
+ packages:
+ - package: k8s.io/client-go/transport
+ symbols:
+ - requestInfo.toCurl
- module: k8s.io/kubernetes
- package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
- symbols:
- - requestInfo.toCurl
versions:
- fixed: 1.20.0-alpha.2
+ packages:
+ - package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
+ symbols:
+ - requestInfo.toCurl
description: |
Authorization tokens may be inappropriately logged if the verbosity
level is set to a debug level.
diff --git a/data/reports/GO-2021-0065.yaml b/data/reports/GO-2021-0065.yaml
index d587e0b..48eba98 100644
--- a/data/reports/GO-2021-0065.yaml
+++ b/data/reports/GO-2021-0065.yaml
@@ -1,16 +1,18 @@
-packages:
+modules:
- module: k8s.io/client-go
- package: k8s.io/client-go/transport
- symbols:
- - debuggingRoundTripper.RoundTrip
versions:
- fixed: 0.17.0
+ packages:
+ - package: k8s.io/client-go/transport
+ symbols:
+ - debuggingRoundTripper.RoundTrip
- module: k8s.io/kubernetes
- package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
- symbols:
- - debuggingRoundTripper.RoundTrip
versions:
- fixed: 1.16.0-beta.1
+ packages:
+ - package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
+ symbols:
+ - debuggingRoundTripper.RoundTrip
description: |
Authorization tokens may be inappropriately logged if the verbosity
level is set to a debug level.
diff --git a/data/reports/GO-2021-0066.yaml b/data/reports/GO-2021-0066.yaml
index 2dd8805..f2ed075 100644
--- a/data/reports/GO-2021-0066.yaml
+++ b/data/reports/GO-2021-0066.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: k8s.io/kubernetes
- package: k8s.io/kubernetes/pkg/credentialprovider
- symbols:
- - readDockerConfigFileFromBytes
- - readDockerConfigJSONFileFromBytes
versions:
- fixed: 1.20.0-alpha.1
+ packages:
+ - package: k8s.io/kubernetes/pkg/credentialprovider
+ symbols:
+ - readDockerConfigFileFromBytes
+ - readDockerConfigJSONFileFromBytes
description: |
Attempting to read a malformed .dockercfg may cause secrets to be
inappropriately logged.
diff --git a/data/reports/GO-2021-0067.yaml b/data/reports/GO-2021-0067.yaml
index 90745b8..abf06ff 100644
--- a/data/reports/GO-2021-0067.yaml
+++ b/data/reports/GO-2021-0067.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: std
- package: archive/zip
- symbols:
- - toValidName
versions:
- introduced: 1.16.0
fixed: 1.16.1
+ packages:
+ - package: archive/zip
+ symbols:
+ - toValidName
description: |
Using Reader.Open on an archive containing a file with a path
prefixed by "../" will cause a panic due to a stack overflow.
diff --git a/data/reports/GO-2021-0068.yaml b/data/reports/GO-2021-0068.yaml
index 43df550..b3141b5 100644
--- a/data/reports/GO-2021-0068.yaml
+++ b/data/reports/GO-2021-0068.yaml
@@ -1,11 +1,14 @@
do_not_export: true
-packages:
+modules:
- module: std
- package: cmd/go
versions:
- fixed: 1.14.14
- introduced: 1.15.0
fixed: 1.15.7
+ packages:
+ - package: cmd/go
+ goos:
+ - windows
description: |
The go command may execute arbitrary code at build time when using cgo on Windows.
This can be triggered by running go get on a malicious module, or any other time
@@ -14,8 +17,6 @@
cves:
- CVE-2021-3115
credit: RyotaK
-os:
- - windows
links:
pr: https://go.dev/cl/284783
commit: https://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0
@@ -24,3 +25,5 @@
- https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ
- https://go.dev/cl/284780
- https://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0
+os:
+ - windows
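Review bot: this hunk appends "os: - windows" at the end of the file, while the first hunk of the same file adds "goos: - windows" under the cmd/go package. The report then carries the Windows restriction in two places. If goos is the field the new schema uses, remove the top-level os key instead of moving it.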
diff --git a/data/reports/GO-2021-0069.yaml b/data/reports/GO-2021-0069.yaml
index 0c77646..c7b5cb3 100644
--- a/data/reports/GO-2021-0069.yaml
+++ b/data/reports/GO-2021-0069.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: math/big
- symbols:
- - nat.divRecursiveStep
versions:
- introduced: 1.14.0
fixed: 1.14.12
- introduced: 1.15.0
fixed: 1.15.5
+ packages:
+ - package: math/big
+ symbols:
+ - nat.divRecursiveStep
description: |
A number of math/big.Int methods can panic when provided large inputs due
to a flawed division method.
diff --git a/data/reports/GO-2021-0070.yaml b/data/reports/GO-2021-0070.yaml
index 0b5c5c1..55cfb94 100644
--- a/data/reports/GO-2021-0070.yaml
+++ b/data/reports/GO-2021-0070.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: github.com/opencontainers/runc
- package: github.com/opencontainers/runc/libcontainer/user
- symbols:
- - GetExecUser
- derived_symbols:
- - GetExecUserPath
versions:
- fixed: 0.1.0
+ packages:
+ - package: github.com/opencontainers/runc/libcontainer/user
+ symbols:
+ - GetExecUser
+ derived_symbols:
+ - GetExecUserPath
description: |
GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
improperly interpret numeric UIDs as usernames. If the method is used without
diff --git a/data/reports/GO-2021-0071.yaml b/data/reports/GO-2021-0071.yaml
index 621201c..1d9d6ab 100644
--- a/data/reports/GO-2021-0071.yaml
+++ b/data/reports/GO-2021-0071.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/lxc/lxd
- package: github.com/lxc/lxd/shared
- symbols:
- - IdmapSet.doUidshiftIntoContainer
versions:
- fixed: 0.0.0-20151004155856-19c6961cc101
+ packages:
+ - package: github.com/lxc/lxd/shared
+ symbols:
+ - IdmapSet.doUidshiftIntoContainer
description: |
A race between chown and chmod operations during a container
filesystem shift may allow a user who can modify the filesystem to
diff --git a/data/reports/GO-2021-0072.yaml b/data/reports/GO-2021-0072.yaml
index eb0f8fe..de83cc1 100644
--- a/data/reports/GO-2021-0072.yaml
+++ b/data/reports/GO-2021-0072.yaml
@@ -1,32 +1,30 @@
-packages:
+modules:
- module: github.com/docker/distribution
- package: github.com/docker/distribution/registry/handlers
- symbols:
- - copyFullPayload
- derived_symbols:
- - blobUploadHandler.PatchBlobData
- - blobUploadHandler.PutBlobUploadComplete
- - imageManifestHandler.GetImageManifest
- - imageManifestHandler.PutImageManifest
versions:
- fixed: 2.7.0-rc.0+incompatible
- - module: github.com/docker/distribution
- package: github.com/docker/distribution/registry/storage
- symbols:
- - blobStore.Get
- derived_symbols:
- - PurgeUploads
- - Walk
- - blobStore.Enumerate
- - blobStore.Get
- - linkedBlobStore.Enumerate
- - linkedBlobStore.Get
- - manifestStore.Enumerate
- - manifestStore.Get
- - registry.Enumerate
- - registry.Repositories
- versions:
- - fixed: 2.7.0-rc.0+incompatible
+ packages:
+ - package: github.com/docker/distribution/registry/handlers
+ symbols:
+ - copyFullPayload
+ derived_symbols:
+ - blobUploadHandler.PatchBlobData
+ - blobUploadHandler.PutBlobUploadComplete
+ - imageManifestHandler.GetImageManifest
+ - imageManifestHandler.PutImageManifest
+ - package: github.com/docker/distribution/registry/storage
+ symbols:
+ - blobStore.Get
+ derived_symbols:
+ - PurgeUploads
+ - Walk
+ - blobStore.Enumerate
+ - blobStore.Get
+ - linkedBlobStore.Enumerate
+ - linkedBlobStore.Get
+ - manifestStore.Enumerate
+ - manifestStore.Get
+ - registry.Enumerate
+ - registry.Repositories
description: |
Various storage methods do not impose limits on how much content is accepted
from user requests, allowing a malicious user to force the caller to allocate
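Review bot: in the github.com/docker/distribution/registry/storage package, "blobStore.Get" is listed under symbols and again under derived_symbols. The duplicate is carried over from the old entry; drop it from derived_symbols so the list only contains callers of the root symbol.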
diff --git a/data/reports/GO-2021-0073.yaml b/data/reports/GO-2021-0073.yaml
index 4ae6b36..f807bdc 100644
--- a/data/reports/GO-2021-0073.yaml
+++ b/data/reports/GO-2021-0073.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/git-lfs/git-lfs
- package: github.com/git-lfs/git-lfs/lfsapi
- symbols:
- - sshGetLFSExeAndArgs
versions:
- fixed: 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
+ packages:
+ - package: github.com/git-lfs/git-lfs/lfsapi
+ symbols:
+ - sshGetLFSExeAndArgs
description: |
Arbitrary command execution can be triggered by improperly
sanitized SSH URLs in LFS configuration files. This can be
diff --git a/data/reports/GO-2021-0075.yaml b/data/reports/GO-2021-0075.yaml
index 03fe9da..debf0d8 100644
--- a/data/reports/GO-2021-0075.yaml
+++ b/data/reports/GO-2021-0075.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/ethereum/go-ethereum
- package: github.com/ethereum/go-ethereum/les
- symbols:
- - protocolManager.handleMsg
versions:
- fixed: 1.8.11
+ packages:
+ - package: github.com/ethereum/go-ethereum/les
+ symbols:
+ - protocolManager.handleMsg
description: |
Due to improper argument validation in RPC messages, a maliciously crafted
message can cause a panic, leading to denial of service.
diff --git a/data/reports/GO-2021-0076.yaml b/data/reports/GO-2021-0076.yaml
index 744146f..0ccb351 100644
--- a/data/reports/GO-2021-0076.yaml
+++ b/data/reports/GO-2021-0076.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/evanphx/json-patch
- symbols:
- - partialArray.add
versions:
- fixed: 0.5.2
+ packages:
+ - package: github.com/evanphx/json-patch
+ symbols:
+ - partialArray.add
description: |
A malicious JSON patch can cause a panic due to an out-of-bounds
write attempt. This can be used as a denial of service vector if
diff --git a/data/reports/GO-2021-0077.yaml b/data/reports/GO-2021-0077.yaml
index 4c578d7..e9d064f 100644
--- a/data/reports/GO-2021-0077.yaml
+++ b/data/reports/GO-2021-0077.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: go.etcd.io/etcd
- package: go.etcd.io/etcd/auth
- symbols:
- - authStore.AuthInfoFromTLS
versions:
- fixed: 0.5.0-alpha.5.0.20190108173120-83c051b701d3
+ packages:
+ - package: go.etcd.io/etcd/auth
+ symbols:
+ - authStore.AuthInfoFromTLS
description: |
A user can use a valid client certificate that contains a CommonName that matches a
valid RBAC username to authenticate themselves as that user, despite lacking the
diff --git a/data/reports/GO-2021-0078.yaml b/data/reports/GO-2021-0078.yaml
index e83f3c3..dfb6216 100644
--- a/data/reports/GO-2021-0078.yaml
+++ b/data/reports/GO-2021-0078.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: golang.org/x/net
- package: golang.org/x/net/html
- symbols:
- - inBodyIM
- - inFramesetIM
versions:
- fixed: 0.0.0-20180816102801-aaf60122140d
+ packages:
+ - package: golang.org/x/net/html
+ symbols:
+ - inBodyIM
+ - inFramesetIM
description: |
The HTML parser does not properly handle "in frameset" insertion mode, and can be made
to panic when operating on malformed HTML that contains <template> tags. If operating
diff --git a/data/reports/GO-2021-0079.yaml b/data/reports/GO-2021-0079.yaml
index bddd543..9b364e8 100644
--- a/data/reports/GO-2021-0079.yaml
+++ b/data/reports/GO-2021-0079.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/bytom/bytom
- package: github.com/bytom/bytom/p2p/discover
- symbols:
- - Network.checkTopicRegister
versions:
- fixed: 1.0.4-0.20180831054840-1ac3c8ac4f2b
+ packages:
+ - package: github.com/bytom/bytom/p2p/discover
+ symbols:
+ - Network.checkTopicRegister
description: |
A malformed query can cause an out-of-bounds panic due to improper
validation of arguments. If processing queries from untrusted
diff --git a/data/reports/GO-2021-0081.yaml b/data/reports/GO-2021-0081.yaml
index 33c9e234..dcaff88 100644
--- a/data/reports/GO-2021-0081.yaml
+++ b/data/reports/GO-2021-0081.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/containers/image
- package: github.com/containers/image/docker
- symbols:
- - dockerClient.getBearerToken
versions:
- fixed: 2.0.2-0.20190802080134-634605d06e73+incompatible
+ packages:
+ - package: github.com/containers/image/docker
+ symbols:
+ - dockerClient.getBearerToken
description: |
The HTTP client used to connect to the container registry authorization
service explicitly disables TLS verification, allowing an attacker that
diff --git a/data/reports/GO-2021-0082.yaml b/data/reports/GO-2021-0082.yaml
index 97b4a2e..5c38eae 100644
--- a/data/reports/GO-2021-0082.yaml
+++ b/data/reports/GO-2021-0082.yaml
@@ -1,8 +1,9 @@
-packages:
+modules:
- module: github.com/facebook/fbthrift
- package: github.com/facebook/fbthrift/thrift/lib/go/thrift
versions:
- fixed: 0.31.1-0.20200311080807-483ed864d69f
+ packages:
+ - package: github.com/facebook/fbthrift/thrift/lib/go/thrift
description: |
Thirft Servers preallocate memory for the declared size of messages before
checking the actual size of the message. This allows a malicious user to
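Review bot: The description context line reads "Thirft Servers"; correct it to "Thrift" while this file is being touched. The new packages entry for github.com/facebook/fbthrift/thrift/lib/go/thrift also carries no symbols list, so the report still applies to the whole package. That matches the removed entry, but GO-2021-0088 names Skip for the same package, so a follow-up to name the affected symbols here would make the two reports consistent.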
diff --git a/data/reports/GO-2021-0083.yaml b/data/reports/GO-2021-0083.yaml
index 7f227b5..c26ecf3 100644
--- a/data/reports/GO-2021-0083.yaml
+++ b/data/reports/GO-2021-0083.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/hybridgroup/gobot
- package: github.com/hybridgroup/gobot/platforms/mqtt
- symbols:
- - Adaptor.newTLSConfig
versions:
- fixed: 1.12.1-0.20190521122906-c1aa4f867846
+ packages:
+ - package: github.com/hybridgroup/gobot/platforms/mqtt
+ symbols:
+ - Adaptor.newTLSConfig
description: |
TLS certificate verification is skipped when connecting to a MQTT server.
This allows an attacker who can MITM the connection to read, or forge,
diff --git a/data/reports/GO-2021-0084.yaml b/data/reports/GO-2021-0084.yaml
index b10d145..b561223 100644
--- a/data/reports/GO-2021-0084.yaml
+++ b/data/reports/GO-2021-0084.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: github.com/astaxie/beego
- package: github.com/astaxie/beego/session
- symbols:
- - FileProvider.SessionRead
- - FileProvider.SessionRegenerate
versions:
- fixed: 1.12.2-0.20200613154013-bac2b31afecc
+ packages:
+ - package: github.com/astaxie/beego/session
+ symbols:
+ - FileProvider.SessionRead
+ - FileProvider.SessionRegenerate
description: |
Session data is stored using permissive permissions, allowing local users
with filesystem access to read arbitrary data.
diff --git a/data/reports/GO-2021-0085.yaml b/data/reports/GO-2021-0085.yaml
index 02d0264..f0b19ce 100644
--- a/data/reports/GO-2021-0085.yaml
+++ b/data/reports/GO-2021-0085.yaml
@@ -1,12 +1,14 @@
-packages:
+modules:
- module: github.com/opencontainers/runc
- package: github.com/opencontainers/runc/libcontainer
versions:
- fixed: 1.0.0-rc8.0.20190930145003-cad42f6e0932
+ packages:
+ - package: github.com/opencontainers/runc/libcontainer
- module: github.com/opencontainers/selinux
- package: github.com/opencontainers/selinux/go-selinux
versions:
- fixed: 1.3.1-0.20190929122143-5215b1806f52
+ packages:
+ - package: github.com/opencontainers/selinux/go-selinux
description: |
AppArmor restrictions may be bypassed due to improper validation of mount
targets, allowing a malicious image to mount volumes over e.g. /proc.
diff --git a/data/reports/GO-2021-0086.yaml b/data/reports/GO-2021-0086.yaml
index f8bc6cf..f557865 100644
--- a/data/reports/GO-2021-0086.yaml
+++ b/data/reports/GO-2021-0086.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/documize/community
- package: github.com/documize/community/domain/section/markdown
- symbols:
- - Provider.Render
versions:
- fixed: 1.76.3-0.20191119114751-a4384210d4d0
+ packages:
+ - package: github.com/documize/community/domain/section/markdown
+ symbols:
+ - Provider.Render
description: |
HTML content in markdown is not santized during rendering, possibly allowing
XSS if used to render untrusted user input.
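Review bot: The description context line spells "santized"; change it to "sanitized" in the same pass, since the description is user-facing text in the published report.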
diff --git a/data/reports/GO-2021-0087.yaml b/data/reports/GO-2021-0087.yaml
index 2411ba0..b23cafe 100644
--- a/data/reports/GO-2021-0087.yaml
+++ b/data/reports/GO-2021-0087.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/opencontainers/runc
- package: github.com/opencontainers/runc/libcontainer
- symbols:
- - mountToRootfs
versions:
- fixed: 1.0.0-rc9.0.20200122160610-2fc03cc11c77
+ packages:
+ - package: github.com/opencontainers/runc/libcontainer
+ symbols:
+ - mountToRootfs
description: |
A race while mounting volumes allows a possible symlink-exchange
attack, allowing a user whom can start multiple containers with
diff --git a/data/reports/GO-2021-0088.yaml b/data/reports/GO-2021-0088.yaml
index fdf57a3..2d290dc 100644
--- a/data/reports/GO-2021-0088.yaml
+++ b/data/reports/GO-2021-0088.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/facebook/fbthrift
- package: github.com/facebook/fbthrift/thrift/lib/go/thrift
- symbols:
- - Skip
versions:
- fixed: 0.31.1-0.20190225164308-c461c1bd1a3e
+ packages:
+ - package: github.com/facebook/fbthrift/thrift/lib/go/thrift
+ symbols:
+ - Skip
description: |
Skip ignores unknown fields, rather than failing. A malicious user can craft small
messages with unknown fields which can take significant resources to parse. If a
diff --git a/data/reports/GO-2021-0089.yaml b/data/reports/GO-2021-0089.yaml
index 635fb42..e9814e3 100644
--- a/data/reports/GO-2021-0089.yaml
+++ b/data/reports/GO-2021-0089.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/buger/jsonparser
- symbols:
- - findKeyStart
versions:
- fixed: 0.0.0-20200321185410-91ac96899e49
+ packages:
+ - package: github.com/buger/jsonparser
+ symbols:
+ - findKeyStart
description: |
Parsing malformed JSON which contain opening brackets, but not closing brackets,
leads to an infinite loop. If operating on untrusted user input this can be
diff --git a/data/reports/GO-2021-0090.yaml b/data/reports/GO-2021-0090.yaml
index 9e980b2..b2a0ef4 100644
--- a/data/reports/GO-2021-0090.yaml
+++ b/data/reports/GO-2021-0090.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: github.com/tendermint/tendermint
- package: github.com/tendermint/tendermint/types
- symbols:
- - VoteSet.MakeCommit
- derived_symbols:
- - MakeCommit
versions:
- introduced: 0.33.0
fixed: 0.34.0-dev1.0.20200702134149-480b995a3172
+ packages:
+ - package: github.com/tendermint/tendermint/types
+ symbols:
+ - VoteSet.MakeCommit
+ derived_symbols:
+ - MakeCommit
description: |
Proposed commits may contain signatures for blocks not contained
within the commit. Instead of skipping these signatures, they
diff --git a/data/reports/GO-2021-0091.yaml b/data/reports/GO-2021-0091.yaml
index 990abd6..f967de9 100644
--- a/data/reports/GO-2021-0091.yaml
+++ b/data/reports/GO-2021-0091.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/gofiber/fiber
- symbols:
- - Ctx.Attachment
versions:
- fixed: 1.12.6-0.20200710202935-a8ad5454363f
+ packages:
+ - package: github.com/gofiber/fiber
+ symbols:
+ - Ctx.Attachment
description: |
Due to improper input validation when uploading a file, a malicious user may
force the server to return arbitrary HTTP headers when the uploaded
diff --git a/data/reports/GO-2021-0092.yaml b/data/reports/GO-2021-0092.yaml
index ffc427e..151bd3c 100644
--- a/data/reports/GO-2021-0092.yaml
+++ b/data/reports/GO-2021-0092.yaml
@@ -1,12 +1,14 @@
-packages:
+modules:
- module: github.com/ory/fosite
- symbols:
- - Fosite.AuthenticateClient
- derived_symbols:
- - Fosite.NewAccessRequest
- - Fosite.NewRevocationRequest
versions:
- fixed: 0.31.0
+ packages:
+ - package: github.com/ory/fosite
+ symbols:
+ - Fosite.AuthenticateClient
+ derived_symbols:
+ - Fosite.NewAccessRequest
+ - Fosite.NewRevocationRequest
description: |
Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
replayed.
diff --git a/data/reports/GO-2021-0094.yaml b/data/reports/GO-2021-0094.yaml
index 4b24f56..5c2cc4a 100644
--- a/data/reports/GO-2021-0094.yaml
+++ b/data/reports/GO-2021-0094.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/hashicorp/go-slug
- symbols:
- - Unpack
versions:
- fixed: 0.5.0
+ packages:
+ - package: github.com/hashicorp/go-slug
+ symbols:
+ - Unpack
description: |
Protections against directory traversal during archive extraction can be
bypassed by chaining multiple symbolic links within the archive. This allows
diff --git a/data/reports/GO-2021-0095.yaml b/data/reports/GO-2021-0095.yaml
index 3d2357c..86bb866 100644
--- a/data/reports/GO-2021-0095.yaml
+++ b/data/reports/GO-2021-0095.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/google/go-tpm
- package: github.com/google/go-tpm/tpm
- symbols:
- - CreateWrapKey
versions:
- fixed: 0.3.0
+ packages:
+ - package: github.com/google/go-tpm/tpm
+ symbols:
+ - CreateWrapKey
description: |
Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
diff --git a/data/reports/GO-2021-0096.yaml b/data/reports/GO-2021-0096.yaml
index eff1bd5..3e5c7bc 100644
--- a/data/reports/GO-2021-0096.yaml
+++ b/data/reports/GO-2021-0096.yaml
@@ -1,7 +1,9 @@
-packages:
+modules:
- module: github.com/proglottis/gpgme
versions:
- fixed: 0.1.1
+ packages:
+ - package: github.com/proglottis/gpgme
description: |
Due to improper setting of finalizers, memory passed to C may be freed before it is used,
leading to crashes due to memory corruption or possible code execution.
diff --git a/data/reports/GO-2021-0097.yaml b/data/reports/GO-2021-0097.yaml
index 7972c81..3a72c59 100644
--- a/data/reports/GO-2021-0097.yaml
+++ b/data/reports/GO-2021-0097.yaml
@@ -1,12 +1,14 @@
-packages:
+modules:
- module: github.com/dhowden/tag
- symbols:
- - readPICFrame
- - readAPICFrame
- - readTextWithDescrFrame
- - readAtomData
versions:
- fixed: 0.0.0-20201120070457-d52dcb253c63
+ packages:
+ - package: github.com/dhowden/tag
+ symbols:
+ - readPICFrame
+ - readAPICFrame
+ - readTextWithDescrFrame
+ - readAtomData
description: |
Due to improper bounds checking, a number of methods can trigger a panic due to attempted
out-of-bounds reads. If the package is used to parse user supplied input, this may be
diff --git a/data/reports/GO-2021-0098.yaml b/data/reports/GO-2021-0098.yaml
index ed43b18..2d87a40 100644
--- a/data/reports/GO-2021-0098.yaml
+++ b/data/reports/GO-2021-0098.yaml
@@ -1,29 +1,29 @@
-packages:
+modules:
- module: github.com/git-lfs/git-lfs
- package: github.com/git-lfs/git-lfs/commands
- symbols:
- - PipeCommand
versions:
- fixed: 1.5.1-0.20210113180018-fc664697ed2c
- - module: github.com/git-lfs/git-lfs
- package: github.com/git-lfs/git-lfs/creds
- symbols:
- - AskPassCredentialHelper.getFromProgram
- - commandCredentialHelper.Approve
- versions:
- - fixed: 1.5.1-0.20210113180018-fc664697ed2c
- - module: github.com/git-lfs/git-lfs
- package: github.com/git-lfs/git-lfs/lfs
- symbols:
- - pipeExtensions
- versions:
- - fixed: 1.5.1-0.20210113180018-fc664697ed2c
- - module: github.com/git-lfs/git-lfs
- package: github.com/git-lfs/git-lfs/lfshttp
- symbols:
- - sshAuthClient.Resolve
- versions:
- - fixed: 1.5.1-0.20210113180018-fc664697ed2c
+ packages:
+ - package: github.com/git-lfs/git-lfs/commands
+ goos:
+ - windows
+ symbols:
+ - PipeCommand
+ - package: github.com/git-lfs/git-lfs/creds
+ goos:
+ - windows
+ symbols:
+ - AskPassCredentialHelper.getFromProgram
+ - commandCredentialHelper.Approve
+ - package: github.com/git-lfs/git-lfs/lfs
+ goos:
+ - windows
+ symbols:
+ - pipeExtensions
+ - package: github.com/git-lfs/git-lfs/lfshttp
+ goos:
+ - windows
+ symbols:
+ - sshAuthClient.Resolve
description: |
Due to the standard library behavior of exec.LookPath on Windows a number of methods may
result in arbitrary code execution when cloning or operating on untrusted Git repositories.
@@ -33,9 +33,9 @@
ghsas:
- GHSA-cx3w-xqmc-84g5
credit: '@Ry0taK'
-os:
- - windows
links:
commit: https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a
context:
- https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5
+os:
+ - windows
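Review bot: The top-level os: - windows key is only moved to the end of the file here, while the previous hunk already adds goos: - windows under each of the four packages. If the package-level goos is the new home for this constraint, drop the top-level os key so the report does not state the same thing in two places. If both keys are still read, say so in the commit message, which currently mentions only OSV schema changes.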
diff --git a/data/reports/GO-2021-0099.yaml b/data/reports/GO-2021-0099.yaml
index ebf71a3..761ec19 100644
--- a/data/reports/GO-2021-0099.yaml
+++ b/data/reports/GO-2021-0099.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: github.com/deislabs/oras
- package: github.com/deislabs/oras/pkg/content
- symbols:
- - extractTarDirectory
- derived_symbols:
- - fileWriter.Commit
versions:
- fixed: 0.9.0
+ packages:
+ - package: github.com/deislabs/oras/pkg/content
+ symbols:
+ - extractTarDirectory
+ derived_symbols:
+ - fileWriter.Commit
description: |
Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore
content store may result in directory traversal during archive extraction, allowing a
diff --git a/data/reports/GO-2021-0100.yaml b/data/reports/GO-2021-0100.yaml
index 9956951..0a27d5e 100644
--- a/data/reports/GO-2021-0100.yaml
+++ b/data/reports/GO-2021-0100.yaml
@@ -1,24 +1,25 @@
-packages:
+modules:
- module: github.com/containers/storage
- package: github.com/containers/storage/pkg/archive
- symbols:
- - cmdStream
- derived_symbols:
- - ApplyLayer
- - ApplyUncompressedLayer
- - Archiver.CopyFileWithTar
- - Archiver.CopyWithTar
- - Archiver.TarUntar
- - Archiver.UntarPath
- - CopyResource
- - CopyTo
- - DecompressStream
- - IsArchivePath
- - Untar
- - UntarPath
- - UntarUncompressed
versions:
- fixed: 1.28.1
+ packages:
+ - package: github.com/containers/storage/pkg/archive
+ symbols:
+ - cmdStream
+ derived_symbols:
+ - ApplyLayer
+ - ApplyUncompressedLayer
+ - Archiver.CopyFileWithTar
+ - Archiver.CopyWithTar
+ - Archiver.TarUntar
+ - Archiver.UntarPath
+ - CopyResource
+ - CopyTo
+ - DecompressStream
+ - IsArchivePath
+ - Untar
+ - UntarPath
+ - UntarUncompressed
description: |
Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream
on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker
diff --git a/data/reports/GO-2021-0101.yaml b/data/reports/GO-2021-0101.yaml
index 1eec48f..5ac6b2c 100644
--- a/data/reports/GO-2021-0101.yaml
+++ b/data/reports/GO-2021-0101.yaml
@@ -1,58 +1,59 @@
-packages:
+modules:
- module: github.com/apache/thrift
- package: github.com/apache/thrift/lib/go/thrift
- symbols:
- - TSimpleJSONProtocol.safePeekContains
- derived_symbols:
- - Skip
- - SkipDefaultDepth
- - TJSONProtocol.ParseElemListBegin
- - TJSONProtocol.ReadBool
- - TJSONProtocol.ReadByte
- - TJSONProtocol.ReadDouble
- - TJSONProtocol.ReadFieldBegin
- - TJSONProtocol.ReadFieldEnd
- - TJSONProtocol.ReadI16
- - TJSONProtocol.ReadI32
- - TJSONProtocol.ReadI64
- - TJSONProtocol.ReadListBegin
- - TJSONProtocol.ReadListEnd
- - TJSONProtocol.ReadMapBegin
- - TJSONProtocol.ReadMapEnd
- - TJSONProtocol.ReadMessageBegin
- - TJSONProtocol.ReadMessageEnd
- - TJSONProtocol.ReadSetBegin
- - TJSONProtocol.ReadSetEnd
- - TJSONProtocol.ReadStructBegin
- - TJSONProtocol.ReadStructEnd
- - TSimpleJSONProtocol.ParseElemListBegin
- - TSimpleJSONProtocol.ParseF64
- - TSimpleJSONProtocol.ParseI64
- - TSimpleJSONProtocol.ParseListBegin
- - TSimpleJSONProtocol.ParseListEnd
- - TSimpleJSONProtocol.ParseObjectEnd
- - TSimpleJSONProtocol.ParseObjectStart
- - TSimpleJSONProtocol.ReadByte
- - TSimpleJSONProtocol.ReadDouble
- - TSimpleJSONProtocol.ReadI16
- - TSimpleJSONProtocol.ReadI32
- - TSimpleJSONProtocol.ReadI64
- - TSimpleJSONProtocol.ReadListBegin
- - TSimpleJSONProtocol.ReadListEnd
- - TSimpleJSONProtocol.ReadMapBegin
- - TSimpleJSONProtocol.ReadMapEnd
- - TSimpleJSONProtocol.ReadMessageBegin
- - TSimpleJSONProtocol.ReadMessageEnd
- - TSimpleJSONProtocol.ReadSetBegin
- - TSimpleJSONProtocol.ReadSetEnd
- - TSimpleJSONProtocol.ReadStructBegin
- - TSimpleJSONProtocol.ReadStructEnd
- - TStandardClient.Call
- - TStandardClient.Recv
- - tApplicationException.Read
versions:
- introduced: 0.0.0-20151001171628-53dd39833a08
- fixed: 0.13.0
+ packages:
+ - package: github.com/apache/thrift/lib/go/thrift
+ symbols:
+ - TSimpleJSONProtocol.safePeekContains
+ derived_symbols:
+ - Skip
+ - SkipDefaultDepth
+ - TJSONProtocol.ParseElemListBegin
+ - TJSONProtocol.ReadBool
+ - TJSONProtocol.ReadByte
+ - TJSONProtocol.ReadDouble
+ - TJSONProtocol.ReadFieldBegin
+ - TJSONProtocol.ReadFieldEnd
+ - TJSONProtocol.ReadI16
+ - TJSONProtocol.ReadI32
+ - TJSONProtocol.ReadI64
+ - TJSONProtocol.ReadListBegin
+ - TJSONProtocol.ReadListEnd
+ - TJSONProtocol.ReadMapBegin
+ - TJSONProtocol.ReadMapEnd
+ - TJSONProtocol.ReadMessageBegin
+ - TJSONProtocol.ReadMessageEnd
+ - TJSONProtocol.ReadSetBegin
+ - TJSONProtocol.ReadSetEnd
+ - TJSONProtocol.ReadStructBegin
+ - TJSONProtocol.ReadStructEnd
+ - TSimpleJSONProtocol.ParseElemListBegin
+ - TSimpleJSONProtocol.ParseF64
+ - TSimpleJSONProtocol.ParseI64
+ - TSimpleJSONProtocol.ParseListBegin
+ - TSimpleJSONProtocol.ParseListEnd
+ - TSimpleJSONProtocol.ParseObjectEnd
+ - TSimpleJSONProtocol.ParseObjectStart
+ - TSimpleJSONProtocol.ReadByte
+ - TSimpleJSONProtocol.ReadDouble
+ - TSimpleJSONProtocol.ReadI16
+ - TSimpleJSONProtocol.ReadI32
+ - TSimpleJSONProtocol.ReadI64
+ - TSimpleJSONProtocol.ReadListBegin
+ - TSimpleJSONProtocol.ReadListEnd
+ - TSimpleJSONProtocol.ReadMapBegin
+ - TSimpleJSONProtocol.ReadMapEnd
+ - TSimpleJSONProtocol.ReadMessageBegin
+ - TSimpleJSONProtocol.ReadMessageEnd
+ - TSimpleJSONProtocol.ReadSetBegin
+ - TSimpleJSONProtocol.ReadSetEnd
+ - TSimpleJSONProtocol.ReadStructBegin
+ - TSimpleJSONProtocol.ReadStructEnd
+ - TStandardClient.Call
+ - TStandardClient.Recv
+ - tApplicationException.Read
description: |
Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If
this package is used to parse untrusted input, this may be used as a vector for a denial of
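Review bot: The versions context lines list "- introduced: 0.0.0-20151001171628-53dd39833a08" and "- fixed: 0.13.0" as two separate list items, whereas GO-2021-0090 keeps introduced and fixed inside one item. If each list item is read as its own range, this report describes an open-ended range plus a separate fixed-only range rather than a single introduced-to-fixed range. Confirm which is intended and merge the two items if it is one range. GO-2021-0103 and GO-2021-0105 have the same shape.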
diff --git a/data/reports/GO-2021-0102.yaml b/data/reports/GO-2021-0102.yaml
index 92c0f27..c76f1d4 100644
--- a/data/reports/GO-2021-0102.yaml
+++ b/data/reports/GO-2021-0102.yaml
@@ -1,16 +1,18 @@
-packages:
+modules:
- module: code.cloudfoundry.org/gorouter
- package: code.cloudfoundry.org/gorouter/common/secure
- symbols:
- - AesGCM.Decrypt
versions:
- fixed: 0.0.0-20191101214924-b1b5c44e050f
+ packages:
+ - package: code.cloudfoundry.org/gorouter/common/secure
+ symbols:
+ - AesGCM.Decrypt
- module: github.com/cloudfoundry/gorouter
- package: github.com/cloudfoundry/gorouter/common/secure
- symbols:
- - AesGCM.Decrypt
versions:
- fixed: 0.0.0-20191101214924-b1b5c44e050f
+ packages:
+ - package: github.com/cloudfoundry/gorouter/common/secure
+ symbols:
+ - AesGCM.Decrypt
description: |
Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect
nonce size. If this package is used to decrypt user supplied messages without checking the size of
diff --git a/data/reports/GO-2021-0103.yaml b/data/reports/GO-2021-0103.yaml
index e18889d..e991144 100644
--- a/data/reports/GO-2021-0103.yaml
+++ b/data/reports/GO-2021-0103.yaml
@@ -1,17 +1,19 @@
-packages:
+modules:
- module: github.com/holiman/uint256
- symbols:
- - udivrem
- derived_symbols:
- - Int.AddMod
- - Int.Div
- - Int.Mod
- - Int.MulMod
- - Int.SDiv
- - Int.SMod
versions:
- introduced: 0.1.0
- fixed: 1.1.1
+ packages:
+ - package: github.com/holiman/uint256
+ symbols:
+ - udivrem
+ derived_symbols:
+ - Int.AddMod
+ - Int.Div
+ - Int.Mod
+ - Int.MulMod
+ - Int.SDiv
+ - Int.SMod
description: |
Due to improper bounds checking, certain mathmatical operations can cause a panic via an
out of bounds read. If this package is used to process untrusted user inputs, this may be used
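Review bot: The description context line spells "mathmatical"; change it to "mathematical" while the report is being rewritten.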
diff --git a/data/reports/GO-2021-0104.yaml b/data/reports/GO-2021-0104.yaml
index 19f127f..66890f8 100644
--- a/data/reports/GO-2021-0104.yaml
+++ b/data/reports/GO-2021-0104.yaml
@@ -1,18 +1,20 @@
-packages:
+modules:
- module: github.com/pion/webrtc/v3
- symbols:
- - DTLSTransport.Start
- derived_symbols:
- - PeerConnection.AddTrack
- - PeerConnection.AddTransceiverFromTrack
- - PeerConnection.CreateDataChannel
- - PeerConnection.RemoveTrack
- - PeerConnection.SetLocalDescription
- - PeerConnection.SetRemoteDescription
- - operations.Done
- - operations.Enqueue
versions:
- fixed: 3.0.15
+ packages:
+ - package: github.com/pion/webrtc/v3
+ symbols:
+ - DTLSTransport.Start
+ derived_symbols:
+ - PeerConnection.AddTrack
+ - PeerConnection.AddTransceiverFromTrack
+ - PeerConnection.CreateDataChannel
+ - PeerConnection.RemoveTrack
+ - PeerConnection.SetLocalDescription
+ - PeerConnection.SetRemoteDescription
+ - operations.Done
+ - operations.Enqueue
description: |
Due to improper error handling, DTLS connections were not killed when certificate verification
failed, causing users who did not check the connection state to continue to use the connection.
diff --git a/data/reports/GO-2021-0105.yaml b/data/reports/GO-2021-0105.yaml
index 4119cfb..2f6c4a5 100644
--- a/data/reports/GO-2021-0105.yaml
+++ b/data/reports/GO-2021-0105.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: github.com/ethereum/go-ethereum
- package: github.com/ethereum/go-ethereum/core
- symbols:
- - StateDB.createObject
versions:
- introduced: 1.9.4
- fixed: 1.9.20
+ packages:
+ - package: github.com/ethereum/go-ethereum/core
+ symbols:
+ - StateDB.createObject
description: |
Due to an incorrect state calculation, a specific set of
transactions could cause a consensus disagreement,
diff --git a/data/reports/GO-2021-0106.yaml b/data/reports/GO-2021-0106.yaml
index 8c7f13a..50e079f 100644
--- a/data/reports/GO-2021-0106.yaml
+++ b/data/reports/GO-2021-0106.yaml
@@ -1,18 +1,21 @@
-packages:
+modules:
- module: github.com/whyrusleeping/tar-utils
- symbols:
- - Extractor.outputPath
versions:
- fixed: 0.0.0-20201201191210-20a61371de5b
+ packages:
+ - package: github.com/whyrusleeping/tar-utils
+ symbols:
+ - Extractor.outputPath
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
target directory.
published: 2021-07-28T18:08:05Z
-cve_metadata:
- id: CVE-2020-36566
- cwe: "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
links:
commit: https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227
context:
- https://snyk.io/research/zip-slip-vulnerability
+cve_metadata:
+ id: CVE-2020-36566
+ cwe: 'CWE 22: Improper Limitation of a Pathname to a Restricted Directory (''Path
+ Traversal'')'
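Review bot: The re-emitted cwe value is now a single-quoted scalar folded across two lines, ending "(''Path" on one line and "Traversal'')'" on the next, which is harder to read and to grep than the one-line double-quoted form it replaces; keep it on one line if the writer allows it. The value also says "CWE 22" without the hyphen used in GO-2021-0107 ("CWE-400"), and the description context line spells "santization". Moving cve_metadata below links is a pure reordering that the commit message does not mention.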
diff --git a/data/reports/GO-2021-0107.yaml b/data/reports/GO-2021-0107.yaml
index 4d5e5e7..7e8ce4d 100644
--- a/data/reports/GO-2021-0107.yaml
+++ b/data/reports/GO-2021-0107.yaml
@@ -1,20 +1,22 @@
-packages:
+modules:
- module: github.com/ecnepsnai/web
- symbols:
- - Server.socketHandler
- derived_symbols:
- - Server.Socket
versions:
- fixed: 1.5.2
+ packages:
+ - package: github.com/ecnepsnai/web
+ symbols:
+ - Server.socketHandler
+ derived_symbols:
+ - Server.Socket
description: |
Web Sockets do not execute any AuthenticateMethod methods which may be set,leading to a
nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or
authentication bypass.
published: 2021-07-28T18:08:05Z
-cve_metadata:
- id: CVE-2021-4236
- cwe: 'CWE-400: Uncontrolled Resource Consumption'
ghsas:
- GHSA-5gjg-jgh4-gppm
links:
commit: https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
+cve_metadata:
+ id: CVE-2021-4236
+ cwe: 'CWE-400: Uncontrolled Resource Consumption'
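Review bot: The cwe carried over under cve_metadata is 'CWE-400: Uncontrolled Resource Consumption', but the description in this hunk is about AuthenticateMethod methods not being executed for Web Sockets, leading to a nil pointer dereference or authentication bypass. Check that the CWE matches the issue described before the block is re-emitted in its new position. The description also needs a space in "set,leading".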
diff --git a/data/reports/GO-2021-0108.yaml b/data/reports/GO-2021-0108.yaml
index d3e3b04..e20d312 100644
--- a/data/reports/GO-2021-0108.yaml
+++ b/data/reports/GO-2021-0108.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/gofiber/fiber
- symbols:
- - Ctx.Attachment
versions:
- fixed: 1.12.6
+ packages:
+ - package: github.com/gofiber/fiber
+ symbols:
+ - Ctx.Attachment
description: |
Due to improper input sanitization, a maliciously constructed filename could cause a file
download to use an attacker controlled filename, as well as injecting additional headers
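Review bot: This report names the same module and symbol as GO-2021-0091 (github.com/gofiber/fiber, Ctx.Attachment) and describes the same header injection through a file name, but the fixed versions differ: "fixed: 1.12.6" here against "fixed: 1.12.6-0.20200710202935-a8ad5454363f" there. If both cover one fix, align the fixed version and consider keeping a single report, so that the migration does not preserve two diverging entries.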
diff --git a/data/reports/GO-2021-0109.yaml b/data/reports/GO-2021-0109.yaml
index 3935dd7..162ea72 100644
--- a/data/reports/GO-2021-0109.yaml
+++ b/data/reports/GO-2021-0109.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/ory/fosite
- symbols:
- - TokenRevocationHandler.RevokeToken
versions:
- fixed: 0.34.0
+ packages:
+ - package: github.com/ory/fosite
+ symbols:
+ - TokenRevocationHandler.RevokeToken
description: |
Due to improper error handling, an error with the underlying token storage may cause a user
to believe a token has been successfully revoked when it is in fact still valid. An attackers
@@ -15,4 +17,3 @@
- GHSA-7mqr-2v3q-v2wm
links:
commit: https://github.com/ory/fosite/commit/03dd55813f5521985f7dd64277b7ba0cf1441319
-
diff --git a/data/reports/GO-2021-0110.yaml b/data/reports/GO-2021-0110.yaml
index ce3243a..152c5f0 100644
--- a/data/reports/GO-2021-0110.yaml
+++ b/data/reports/GO-2021-0110.yaml
@@ -1,12 +1,14 @@
-packages:
+modules:
- module: github.com/ory/fosite
- symbols:
- - Fosite.AuthenticateClient
- derived_symbols:
- - Fosite.NewAccessRequest
- - Fosite.NewRevocationRequest
versions:
- fixed: 0.31.0
+ packages:
+ - package: github.com/ory/fosite
+ symbols:
+ - Fosite.AuthenticateClient
+ derived_symbols:
+ - Fosite.NewAccessRequest
+ - Fosite.NewRevocationRequest
description: |
Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
replayed.
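Review bot: Every visible line of this report matches GO-2021-0092: the same module github.com/ory/fosite, the same symbol Fosite.AuthenticateClient with the same two derived_symbols, "fixed: 0.31.0", and the same jti description. If the two reports are duplicates, one of them should be withdrawn or turned into a pointer to the other instead of being migrated as an independent entry.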
diff --git a/data/reports/GO-2021-0111.yaml b/data/reports/GO-2021-0111.yaml
index 08b8cb5..d50344e 100644
--- a/data/reports/GO-2021-0111.yaml
+++ b/data/reports/GO-2021-0111.yaml
@@ -1,47 +1,48 @@
-packages:
+modules:
- module: go.mongodb.org/mongo-driver
- package: go.mongodb.org/mongo-driver/bson/bsonrw
- symbols:
- - valueWriter.writeElementHeader
- derived_symbols:
- - Copier.AppendArrayBytes
- - Copier.AppendDocumentBytes
- - Copier.AppendValueBytes
- - Copier.CopyArrayFromBytes
- - Copier.CopyBytesToArrayWriter
- - Copier.CopyBytesToDocumentWriter
- - Copier.CopyDocument
- - Copier.CopyDocumentFromBytes
- - Copier.CopyDocumentToBytes
- - Copier.CopyValue
- - Copier.CopyValueFromBytes
- - Copier.CopyValueToBytes
- - CopyDocument
- - valueWriter.WriteArray
- - valueWriter.WriteBinary
- - valueWriter.WriteBinaryWithSubtype
- - valueWriter.WriteBoolean
- - valueWriter.WriteCodeWithScope
- - valueWriter.WriteDBPointer
- - valueWriter.WriteDateTime
- - valueWriter.WriteDecimal128
- - valueWriter.WriteDocument
- - valueWriter.WriteDouble
- - valueWriter.WriteInt32
- - valueWriter.WriteInt64
- - valueWriter.WriteJavascript
- - valueWriter.WriteMaxKey
- - valueWriter.WriteMinKey
- - valueWriter.WriteNull
- - valueWriter.WriteObjectID
- - valueWriter.WriteRegex
- - valueWriter.WriteString
- - valueWriter.WriteSymbol
- - valueWriter.WriteTimestamp
- - valueWriter.WriteUndefined
- - valueWriter.WriteValueBytes
versions:
- fixed: 1.5.1
+ packages:
+ - package: go.mongodb.org/mongo-driver/bson/bsonrw
+ symbols:
+ - valueWriter.writeElementHeader
+ derived_symbols:
+ - Copier.AppendArrayBytes
+ - Copier.AppendDocumentBytes
+ - Copier.AppendValueBytes
+ - Copier.CopyArrayFromBytes
+ - Copier.CopyBytesToArrayWriter
+ - Copier.CopyBytesToDocumentWriter
+ - Copier.CopyDocument
+ - Copier.CopyDocumentFromBytes
+ - Copier.CopyDocumentToBytes
+ - Copier.CopyValue
+ - Copier.CopyValueFromBytes
+ - Copier.CopyValueToBytes
+ - CopyDocument
+ - valueWriter.WriteArray
+ - valueWriter.WriteBinary
+ - valueWriter.WriteBinaryWithSubtype
+ - valueWriter.WriteBoolean
+ - valueWriter.WriteCodeWithScope
+ - valueWriter.WriteDBPointer
+ - valueWriter.WriteDateTime
+ - valueWriter.WriteDecimal128
+ - valueWriter.WriteDocument
+ - valueWriter.WriteDouble
+ - valueWriter.WriteInt32
+ - valueWriter.WriteInt64
+ - valueWriter.WriteJavascript
+ - valueWriter.WriteMaxKey
+ - valueWriter.WriteMinKey
+ - valueWriter.WriteNull
+ - valueWriter.WriteObjectID
+ - valueWriter.WriteRegex
+ - valueWriter.WriteString
+ - valueWriter.WriteSymbol
+ - valueWriter.WriteTimestamp
+ - valueWriter.WriteUndefined
+ - valueWriter.WriteValueBytes
description: |
Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed
Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are
diff --git a/data/reports/GO-2021-0112.yaml b/data/reports/GO-2021-0112.yaml
index 803eb32..25538af 100644
--- a/data/reports/GO-2021-0112.yaml
+++ b/data/reports/GO-2021-0112.yaml
@@ -1,86 +1,87 @@
-packages:
+modules:
- module: go.mongodb.org/mongo-driver
- package: go.mongodb.org/mongo-driver/x/bsonx/bsoncore
- symbols:
- - AppendHeader
- - AppendRegex
- derived_symbols:
- - AppendArrayElement
- - AppendArrayElementStart
- - AppendBinaryElement
- - AppendBooleanElement
- - AppendCodeWithScopeElement
- - AppendDBPointerElement
- - AppendDateTimeElement
- - AppendDecimal128Element
- - AppendDocumentElement
- - AppendDocumentElementStart
- - AppendDoubleElement
- - AppendInt32Element
- - AppendInt64Element
- - AppendJavaScriptElement
- - AppendMaxKeyElement
- - AppendMinKeyElement
- - AppendNullElement
- - AppendObjectIDElement
- - AppendRegexElement
- - AppendStringElement
- - AppendSymbolElement
- - AppendTimeElement
- - AppendTimestampElement
- - AppendUndefinedElement
- - AppendValueElement
- - ArrayBuilder.AppendArray
- - ArrayBuilder.AppendBinary
- - ArrayBuilder.AppendBoolean
- - ArrayBuilder.AppendCodeWithScope
- - ArrayBuilder.AppendDBPointer
- - ArrayBuilder.AppendDateTime
- - ArrayBuilder.AppendDecimal128
- - ArrayBuilder.AppendDocument
- - ArrayBuilder.AppendDouble
- - ArrayBuilder.AppendInt32
- - ArrayBuilder.AppendInt64
- - ArrayBuilder.AppendJavaScript
- - ArrayBuilder.AppendMaxKey
- - ArrayBuilder.AppendMinKey
- - ArrayBuilder.AppendNull
- - ArrayBuilder.AppendObjectID
- - ArrayBuilder.AppendRegex
- - ArrayBuilder.AppendString
- - ArrayBuilder.AppendSymbol
- - ArrayBuilder.AppendTimestamp
- - ArrayBuilder.AppendUndefined
- - ArrayBuilder.AppendValue
- - ArrayBuilder.StartArray
- - BuildArray
- - BuildArrayElement
- - BuildDocumentElement
- - DocumentBuilder.AppendArray
- - DocumentBuilder.AppendBinary
- - DocumentBuilder.AppendBoolean
- - DocumentBuilder.AppendCodeWithScope
- - DocumentBuilder.AppendDBPointer
- - DocumentBuilder.AppendDateTime
- - DocumentBuilder.AppendDecimal128
- - DocumentBuilder.AppendDocument
- - DocumentBuilder.AppendDouble
- - DocumentBuilder.AppendInt32
- - DocumentBuilder.AppendInt64
- - DocumentBuilder.AppendJavaScript
- - DocumentBuilder.AppendMaxKey
- - DocumentBuilder.AppendMinKey
- - DocumentBuilder.AppendNull
- - DocumentBuilder.AppendObjectID
- - DocumentBuilder.AppendRegex
- - DocumentBuilder.AppendString
- - DocumentBuilder.AppendSymbol
- - DocumentBuilder.AppendTimestamp
- - DocumentBuilder.AppendUndefined
- - DocumentBuilder.AppendValue
- - DocumentBuilder.StartDocument
versions:
- fixed: 1.5.1
+ packages:
+ - package: go.mongodb.org/mongo-driver/x/bsonx/bsoncore
+ symbols:
+ - AppendHeader
+ - AppendRegex
+ derived_symbols:
+ - AppendArrayElement
+ - AppendArrayElementStart
+ - AppendBinaryElement
+ - AppendBooleanElement
+ - AppendCodeWithScopeElement
+ - AppendDBPointerElement
+ - AppendDateTimeElement
+ - AppendDecimal128Element
+ - AppendDocumentElement
+ - AppendDocumentElementStart
+ - AppendDoubleElement
+ - AppendInt32Element
+ - AppendInt64Element
+ - AppendJavaScriptElement
+ - AppendMaxKeyElement
+ - AppendMinKeyElement
+ - AppendNullElement
+ - AppendObjectIDElement
+ - AppendRegexElement
+ - AppendStringElement
+ - AppendSymbolElement
+ - AppendTimeElement
+ - AppendTimestampElement
+ - AppendUndefinedElement
+ - AppendValueElement
+ - ArrayBuilder.AppendArray
+ - ArrayBuilder.AppendBinary
+ - ArrayBuilder.AppendBoolean
+ - ArrayBuilder.AppendCodeWithScope
+ - ArrayBuilder.AppendDBPointer
+ - ArrayBuilder.AppendDateTime
+ - ArrayBuilder.AppendDecimal128
+ - ArrayBuilder.AppendDocument
+ - ArrayBuilder.AppendDouble
+ - ArrayBuilder.AppendInt32
+ - ArrayBuilder.AppendInt64
+ - ArrayBuilder.AppendJavaScript
+ - ArrayBuilder.AppendMaxKey
+ - ArrayBuilder.AppendMinKey
+ - ArrayBuilder.AppendNull
+ - ArrayBuilder.AppendObjectID
+ - ArrayBuilder.AppendRegex
+ - ArrayBuilder.AppendString
+ - ArrayBuilder.AppendSymbol
+ - ArrayBuilder.AppendTimestamp
+ - ArrayBuilder.AppendUndefined
+ - ArrayBuilder.AppendValue
+ - ArrayBuilder.StartArray
+ - BuildArray
+ - BuildArrayElement
+ - BuildDocumentElement
+ - DocumentBuilder.AppendArray
+ - DocumentBuilder.AppendBinary
+ - DocumentBuilder.AppendBoolean
+ - DocumentBuilder.AppendCodeWithScope
+ - DocumentBuilder.AppendDBPointer
+ - DocumentBuilder.AppendDateTime
+ - DocumentBuilder.AppendDecimal128
+ - DocumentBuilder.AppendDocument
+ - DocumentBuilder.AppendDouble
+ - DocumentBuilder.AppendInt32
+ - DocumentBuilder.AppendInt64
+ - DocumentBuilder.AppendJavaScript
+ - DocumentBuilder.AppendMaxKey
+ - DocumentBuilder.AppendMinKey
+ - DocumentBuilder.AppendNull
+ - DocumentBuilder.AppendObjectID
+ - DocumentBuilder.AppendRegex
+ - DocumentBuilder.AppendString
+ - DocumentBuilder.AppendSymbol
+ - DocumentBuilder.AppendTimestamp
+ - DocumentBuilder.AppendUndefined
+ - DocumentBuilder.AppendValue
+ - DocumentBuilder.StartDocument
description: |
Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed
Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are
diff --git a/data/reports/GO-2021-0113.yaml b/data/reports/GO-2021-0113.yaml
index 5b935a2..280d9fe 100644
--- a/data/reports/GO-2021-0113.yaml
+++ b/data/reports/GO-2021-0113.yaml
@@ -1,14 +1,15 @@
-packages:
+modules:
- module: golang.org/x/text
- package: golang.org/x/text/language
- symbols:
- - Parse
- derived_symbols:
- - MatchStrings
- - MustParse
- - ParseAcceptLanguage
versions:
- fixed: 0.3.7
+ packages:
+ - package: golang.org/x/text/language
+ symbols:
+ - Parse
+ derived_symbols:
+ - MatchStrings
+ - MustParse
+ - ParseAcceptLanguage
description: |
Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic via an out of bounds read. If Parse is used to process untrusted user inputs,
diff --git a/data/reports/GO-2021-0142.yaml b/data/reports/GO-2021-0142.yaml
index 050f430..7e9f226 100644
--- a/data/reports/GO-2021-0142.yaml
+++ b/data/reports/GO-2021-0142.yaml
@@ -1,14 +1,15 @@
-packages:
+modules:
- module: std
- package: encoding/binary
- symbols:
- - ReadUvarint
- - ReadVarint
versions:
- fixed: 1.13.15
- introduced: 1.14.0
fixed: 1.14.7
vulnerable_at: 1.14.6
+ packages:
+ - package: encoding/binary
+ symbols:
+ - ReadUvarint
+ - ReadVarint
description: |
ReadUvarint and ReadVarint can read an unlimited number of bytes from
invalid inputs.
diff --git a/data/reports/GO-2021-0154.yaml b/data/reports/GO-2021-0154.yaml
index 0b57cea..033d189 100644
--- a/data/reports/GO-2021-0154.yaml
+++ b/data/reports/GO-2021-0154.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: crypto/tls
- symbols:
- - checkForResumption
- - decryptTicket
versions:
- introduced: 1.1.0
fixed: 1.3.2
+ packages:
+ - package: crypto/tls
+ symbols:
+ - checkForResumption
+ - decryptTicket
description: |
When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle
attackers to spoof clients via unspecified vectors.
diff --git a/data/reports/GO-2021-0157.yaml b/data/reports/GO-2021-0157.yaml
index baec4b3..c314365 100644
--- a/data/reports/GO-2021-0157.yaml
+++ b/data/reports/GO-2021-0157.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: std
- package: net/textproto
- symbols:
- - CanonicalMIMEHeaderKey
- - canonicalMIMEHeaderKey
versions:
- fixed: 1.4.3
+ packages:
+ - package: net/textproto
+ symbols:
+ - CanonicalMIMEHeaderKey
+ - canonicalMIMEHeaderKey
description: |
The MIME header parser treated spaces and hyphens
as equivalent, which can permit HTTP request smuggling.
diff --git a/data/reports/GO-2021-0159.yaml b/data/reports/GO-2021-0159.yaml
index 4aa6e06..7c5f062 100644
--- a/data/reports/GO-2021-0159.yaml
+++ b/data/reports/GO-2021-0159.yaml
@@ -1,18 +1,19 @@
-packages:
+modules:
- module: std
- package: net/http
- symbols:
- - CanonicalMIMEHeaderKey
- - body.readLocked
- - canonicalMIMEHeaderKey
- - chunkWriter.writeHeader
- - fixLength
- - fixTransferEncoding
- - readTransfer
- - transferWriter.shouldSendContentLength
- - validHeaderFieldByte
versions:
- fixed: 1.4.3
+ packages:
+ - package: net/http
+ symbols:
+ - CanonicalMIMEHeaderKey
+ - body.readLocked
+ - canonicalMIMEHeaderKey
+ - chunkWriter.writeHeader
+ - fixLength
+ - fixTransferEncoding
+ - readTransfer
+ - transferWriter.shouldSendContentLength
+ - validHeaderFieldByte
description: |
HTTP headers were not properly parsed, which allows remote attackers to
conduct HTTP request smuggling attacks via a request that contains
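Review bot: CanonicalMIMEHeaderKey and canonicalMIMEHeaderKey are listed under "package: net/http" in this hunk, but GO-2021-0157 in this same change lists the identical pair under "package: net/textproto". A module entry can now hold several packages (GO-2021-0226 does this for net/http/cgi and net/http/fcgi), so consider moving those two symbols into a separate "- package: net/textproto" entry under "module: std", so that both reports attribute them to the same package.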
diff --git a/data/reports/GO-2021-0160.yaml b/data/reports/GO-2021-0160.yaml
index 874f06e..5fc5035 100644
--- a/data/reports/GO-2021-0160.yaml
+++ b/data/reports/GO-2021-0160.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: math/big
- symbols:
- - nat.expNNMontgomery
- - nat.montgomery
versions:
- introduced: 1.5.0
fixed: 1.5.3
+ packages:
+ - package: math/big
+ symbols:
+ - nat.expNNMontgomery
+ - nat.montgomery
description: |
Int.Exp Montgomery mishandled carry propagation and produced an incorrect
output, which makes it easier for attackers to obtain private RSA keys via
diff --git a/data/reports/GO-2021-0163.yaml b/data/reports/GO-2021-0163.yaml
index 37e90c3..5f37f0a 100644
--- a/data/reports/GO-2021-0163.yaml
+++ b/data/reports/GO-2021-0163.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: syscall
- symbols:
- - LoadLibrary
versions:
- fixed: 1.5.4
- introduced: 1.6.0
fixed: 1.6.1
+ packages:
+ - package: syscall
+ symbols:
+ - LoadLibrary
description: |
Untrusted search path vulnerability on Windows related to LoadLibrary allows
local users to gain privileges via a malicious DLL in the current working
diff --git a/data/reports/GO-2021-0172.yaml b/data/reports/GO-2021-0172.yaml
index e517344..4f824b6 100644
--- a/data/reports/GO-2021-0172.yaml
+++ b/data/reports/GO-2021-0172.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: mime/multipart
- symbols:
- - Reader.readForm
versions:
- fixed: 1.6.4
- introduced: 1.7.0
fixed: 1.7.4
+ packages:
+ - package: mime/multipart
+ symbols:
+ - Reader.readForm
description: |
When parsing large multipart/form-data, an attacker can
cause a HTTP server to open a large number of file
diff --git a/data/reports/GO-2021-0178.yaml b/data/reports/GO-2021-0178.yaml
index f3263c6..1314099 100644
--- a/data/reports/GO-2021-0178.yaml
+++ b/data/reports/GO-2021-0178.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: net/smtp
- symbols:
- - plainAuth.Start
versions:
- introduced: 1.1.0
fixed: 1.8.4
- introduced: 1.9.0
fixed: 1.9.1
+ packages:
+ - package: net/smtp
+ symbols:
+ - plainAuth.Start
description: |
SMTP clients using net/smtp can use the PLAIN authentication scheme on
network connections not secured with TLS, exposing passwords to
diff --git a/data/reports/GO-2021-0223.yaml b/data/reports/GO-2021-0223.yaml
index 3634ea5..b002c0b 100644
--- a/data/reports/GO-2021-0223.yaml
+++ b/data/reports/GO-2021-0223.yaml
@@ -1,12 +1,15 @@
-packages:
+modules:
- module: std
- package: crypto/x509
- symbols:
- - Certificate.systemVerify
versions:
- fixed: 1.13.13
- introduced: 1.14.0
fixed: 1.14.5
+ packages:
+ - package: crypto/x509
+ goos:
+ - windows
+ symbols:
+ - Certificate.systemVerify
description: |
On Windows, if VerifyOptions.Roots is nil, Certificate.Verify
does not check the EKU requirements specified in VerifyOptions.KeyUsages.
@@ -15,11 +18,11 @@
cves:
- CVE-2020-14039
credit: Niall Newman
-os:
- - windows
links:
pr: https://go.dev/cl/242597
commit: https://go.googlesource.com/go/+/82175e699a2e2cd83d3aa34949e9b922d66d52f5
context:
- https://go.dev/issue/39360
- https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w
+os:
+ - windows
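Review bot: the top-level "os: - windows" key that this hunk moves below "links" now duplicates the "goos: - windows" added under the crypto/x509 package in the first hunk of this file. If the top-level key is retained deliberately for older consumers, say so in the commit message; otherwise drop it so the two copies cannot drift apart. GO-2022-0171 has the same pattern with "darwin".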
diff --git a/data/reports/GO-2021-0224.yaml b/data/reports/GO-2021-0224.yaml
index 0c057ad..fa0d710 100644
--- a/data/reports/GO-2021-0224.yaml
+++ b/data/reports/GO-2021-0224.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: net/http
- symbols:
- - expectContinueReader.Read
versions:
- fixed: 1.13.13
- introduced: 1.14.0
fixed: 1.14.5
+ packages:
+ - package: net/http
+ symbols:
+ - expectContinueReader.Read
description: |
HTTP servers where the Handler concurrently reads the request
body and writes a response can encounter a data race and crash.
diff --git a/data/reports/GO-2021-0226.yaml b/data/reports/GO-2021-0226.yaml
index 1d20f61..69e4a42 100644
--- a/data/reports/GO-2021-0226.yaml
+++ b/data/reports/GO-2021-0226.yaml
@@ -1,24 +1,20 @@
-packages:
+modules:
- module: std
- package: net/http/cgi
- symbols:
- - response.Write
- - response.WriteHeader
- - response.writeCGIHeader
versions:
- fixed: 1.14.8
- introduced: 1.15.0
fixed: 1.15.1
- - module: std
- package: net/http/fcgi
- symbols:
- - response.Write
- - response.WriteHeader
- - response.writeCGIHeader
- versions:
- - fixed: 1.14.8
- - introduced: 1.15.0
- fixed: 1.15.1
+ packages:
+ - package: net/http/cgi
+ symbols:
+ - response.Write
+ - response.WriteHeader
+ - response.writeCGIHeader
+ - package: net/http/fcgi
+ symbols:
+ - response.Write
+ - response.WriteHeader
+ - response.writeCGIHeader
description: |
When a Handler does not explicitly set the Content-Type header, the the
package would default to “text/html”, which could cause a Cross-Site Scripting
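Review bot: the description context line at the end of this hunk reads "the the package", with a doubled word and no package name, and after merging net/http/cgi and net/http/fcgi into one module entry it should name both. Suggest something like "the net/http/cgi and net/http/fcgi packages would default to ...". Dropping the second module entry's version list is fine, since both entries carried the same "fixed: 1.14.8", "introduced: 1.15.0", "fixed: 1.15.1" ranges.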
diff --git a/data/reports/GO-2021-0227.yaml b/data/reports/GO-2021-0227.yaml
index 1270d73..85f7fb5 100644
--- a/data/reports/GO-2021-0227.yaml
+++ b/data/reports/GO-2021-0227.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: golang.org/x/crypto
- package: golang.org/x/crypto/ssh
- symbols:
- - connection.serverAuthenticate
versions:
- fixed: 0.0.0-20201216223049-8b5274cf687f
+ packages:
+ - package: golang.org/x/crypto/ssh
+ symbols:
+ - connection.serverAuthenticate
description: |
Clients can cause a panic in SSH servers. An attacker can craft
an authentication request message for the “gssapi-with-mic” method
diff --git a/data/reports/GO-2021-0228.yaml b/data/reports/GO-2021-0228.yaml
index 849cdb0..f53a068 100644
--- a/data/reports/GO-2021-0228.yaml
+++ b/data/reports/GO-2021-0228.yaml
@@ -1,26 +1,27 @@
-packages:
+modules:
- module: github.com/unknwon/cae
- package: github.com/unknwon/cae/zip
- symbols:
- - TzArchive.syncFiles
- - TzArchive.ExtractToFunc
- - ZipArchive.Open
- - ZipArchive.ExtractToFunc
- derived_symbols:
- - Create
- - ExtractTo
- - ExtractToFunc
- - Open
- - OpenFile
- - TzArchive.ExtractToFunc
- - TzArchive.syncFiles
- - ZipArchive.Close
- - ZipArchive.ExtractTo
- - ZipArchive.ExtractToFunc
- - ZipArchive.Flush
- - ZipArchive.Open
versions:
- fixed: 1.0.1
+ packages:
+ - package: github.com/unknwon/cae/zip
+ symbols:
+ - TzArchive.syncFiles
+ - TzArchive.ExtractToFunc
+ - ZipArchive.Open
+ - ZipArchive.ExtractToFunc
+ derived_symbols:
+ - Create
+ - ExtractTo
+ - ExtractToFunc
+ - Open
+ - OpenFile
+ - TzArchive.ExtractToFunc
+ - TzArchive.syncFiles
+ - ZipArchive.Close
+ - ZipArchive.ExtractTo
+ - ZipArchive.ExtractToFunc
+ - ZipArchive.Flush
+ - ZipArchive.Open
description: |
The ExtractTo function doesn't securely escape file paths in zip archives
which include leading or non-leading "..". This allows an attacker to add or
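Review bot: all four entries under "symbols" (TzArchive.syncFiles, TzArchive.ExtractToFunc, ZipArchive.Open, ZipArchive.ExtractToFunc) are repeated in "derived_symbols" after the move. Other reports in this change, such as GO-2021-0113, keep the two lists disjoint, so consider regenerating "derived_symbols" without the directly listed symbols while these lines are being rewritten.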
diff --git a/data/reports/GO-2021-0234.yaml b/data/reports/GO-2021-0234.yaml
index 95c3b6d..c1d1a25 100644
--- a/data/reports/GO-2021-0234.yaml
+++ b/data/reports/GO-2021-0234.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: encoding/xml
- symbols:
- - Decoder.Token
versions:
- fixed: 1.15.9
- introduced: 1.16.0
fixed: 1.16.1
+ packages:
+ - package: encoding/xml
+ symbols:
+ - Decoder.Token
description: |
The Decode, DecodeElement, and Skip methods of an xml.Decoder
provided by xml.NewTokenDecoder may enter an infinite loop when
diff --git a/data/reports/GO-2021-0235.yaml b/data/reports/GO-2021-0235.yaml
index 14bc074..c39eedf 100644
--- a/data/reports/GO-2021-0235.yaml
+++ b/data/reports/GO-2021-0235.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: crypto/elliptic
- symbols:
- - p224Contract
versions:
- fixed: 1.14.14
- introduced: 1.15.0
fixed: 1.15.7
+ packages:
+ - package: crypto/elliptic
+ symbols:
+ - p224Contract
description: |
The P224() Curve implementation can in rare circumstances generate
incorrect outputs, including returning invalid points from
diff --git a/data/reports/GO-2021-0237.yaml b/data/reports/GO-2021-0237.yaml
index f73d1fb..0d80c75 100644
--- a/data/reports/GO-2021-0237.yaml
+++ b/data/reports/GO-2021-0237.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/AndrewBurian/powermux
- symbols:
- - Route.execute
versions:
- fixed: 1.1.1
+ packages:
+ - package: github.com/AndrewBurian/powermux
+ symbols:
+ - Route.execute
description: |
Attackers may be able to craft phishing links and other open
redirects by exploiting PowerMux's trailing slash redirection
diff --git a/data/reports/GO-2021-0238.yaml b/data/reports/GO-2021-0238.yaml
index df27303..1a1c4fe 100644
--- a/data/reports/GO-2021-0238.yaml
+++ b/data/reports/GO-2021-0238.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: golang.org/x/net
- package: golang.org/x/net/html
- symbols:
- - inHeadIM
versions:
- fixed: 0.0.0-20210520170846-37e1c6afe023
+ packages:
+ - package: golang.org/x/net/html
+ symbols:
+ - inHeadIM
description: |
An attacker can craft an input to ParseFragment that causes it
to enter an infinite loop and never return.
diff --git a/data/reports/GO-2021-0239.yaml b/data/reports/GO-2021-0239.yaml
index e1a807c..140e08a 100644
--- a/data/reports/GO-2021-0239.yaml
+++ b/data/reports/GO-2021-0239.yaml
@@ -1,16 +1,17 @@
-packages:
+modules:
- module: std
- package: net
- symbols:
- - Resolver.LookupAddr
- - Resolver.LookupCNAME
- - Resolver.LookupMX
- - Resolver.LookupNS
- - Resolver.LookupSRV
versions:
- fixed: 1.15.13
- introduced: 1.16.0
fixed: 1.16.5
+ packages:
+ - package: net
+ symbols:
+ - Resolver.LookupAddr
+ - Resolver.LookupCNAME
+ - Resolver.LookupMX
+ - Resolver.LookupNS
+ - Resolver.LookupSRV
description: |
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
functions and their respective methods on the Resolver type may
diff --git a/data/reports/GO-2021-0240.yaml b/data/reports/GO-2021-0240.yaml
index 0a523b7..9554672 100644
--- a/data/reports/GO-2021-0240.yaml
+++ b/data/reports/GO-2021-0240.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: archive/zip
- symbols:
- - Reader.init
versions:
- fixed: 1.15.13
- introduced: 1.16.0
fixed: 1.16.5
+ packages:
+ - package: archive/zip
+ symbols:
+ - Reader.init
description: |
NewReader and OpenReader can cause a panic or an unrecoverable
fatal error when reading an archive that claims to contain a large
diff --git a/data/reports/GO-2021-0241.yaml b/data/reports/GO-2021-0241.yaml
index ef7cc23..fe0c6ea 100644
--- a/data/reports/GO-2021-0241.yaml
+++ b/data/reports/GO-2021-0241.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: net/http/httputil
- symbols:
- - ReverseProxy.ServeHTTP
versions:
- fixed: 1.15.13
- introduced: 1.16.0
fixed: 1.16.5
+ packages:
+ - package: net/http/httputil
+ symbols:
+ - ReverseProxy.ServeHTTP
description: |
ReverseProxy can be made to forward certain hop-by-hop headers,
including Connection. If the target of the ReverseProxy is
diff --git a/data/reports/GO-2021-0242.yaml b/data/reports/GO-2021-0242.yaml
index 8bbf809..e8d362e 100644
--- a/data/reports/GO-2021-0242.yaml
+++ b/data/reports/GO-2021-0242.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: math/big
- symbols:
- - Rat.SetString
versions:
- fixed: 1.15.13
- introduced: 1.16.0
fixed: 1.16.5
+ packages:
+ - package: math/big
+ symbols:
+ - Rat.SetString
description: |
Rat.SetString and Rat.UnmarshalText may cause a panic or an
unrecoverable fatal error if passed inputs with very large
diff --git a/data/reports/GO-2021-0243.yaml b/data/reports/GO-2021-0243.yaml
index 6281fc8..fc7e9ff 100644
--- a/data/reports/GO-2021-0243.yaml
+++ b/data/reports/GO-2021-0243.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: crypto/tls
- symbols:
- - rsaKeyAgreement.generateClientKeyExchange
versions:
- fixed: 1.15.14
- introduced: 1.16.0
fixed: 1.16.6
+ packages:
+ - package: crypto/tls
+ symbols:
+ - rsaKeyAgreement.generateClientKeyExchange
description: |
crypto/tls clients can panic when provided a certificate of the
wrong type for the negotiated parameters. net/http clients
diff --git a/data/reports/GO-2021-0245.yaml b/data/reports/GO-2021-0245.yaml
index a629c68..d035118 100644
--- a/data/reports/GO-2021-0245.yaml
+++ b/data/reports/GO-2021-0245.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: net/http/httputil
- symbols:
- - ReverseProxy.ServeHTTP
versions:
- fixed: 1.15.15
- introduced: 1.16.0
fixed: 1.16.7
+ packages:
+ - package: net/http/httputil
+ symbols:
+ - ReverseProxy.ServeHTTP
description: |
ReverseProxy can panic after encountering a problem copying
a proxied response body.
diff --git a/data/reports/GO-2021-0258.yaml b/data/reports/GO-2021-0258.yaml
index 47d8f00..b7d89b7 100644
--- a/data/reports/GO-2021-0258.yaml
+++ b/data/reports/GO-2021-0258.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: github.com/pomerium/pomerium
- package: github.com/pomerium/pomerium/internal/identity/manager
- symbols:
- - Manager.onUpdateRecords
- derived_symbols:
- - Manager.Run
versions:
- fixed: 0.15.6
vulnerable_at: 0.15.5
+ packages:
+ - package: github.com/pomerium/pomerium/internal/identity/manager
+ symbols:
+ - Manager.onUpdateRecords
+ derived_symbols:
+ - Manager.Run
description: |
Pomerium is an open source identity-aware access proxy. Changes to the OIDC
claims of a user after initial login are not reflected in policy evaluation
diff --git a/data/reports/GO-2021-0263.yaml b/data/reports/GO-2021-0263.yaml
index 1ba9861..2ae3600 100644
--- a/data/reports/GO-2021-0263.yaml
+++ b/data/reports/GO-2021-0263.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: debug/macho
- symbols:
- - NewFile
versions:
- fixed: 1.16.10
- introduced: 1.17.0
fixed: 1.17.3
+ packages:
+ - package: debug/macho
+ symbols:
+ - NewFile
description: |
Calling File.ImportedSymbols on a loaded file which contains an invalid
dynamic symbol table command can cause a panic, in particular if the encoded
diff --git a/data/reports/GO-2021-0264.yaml b/data/reports/GO-2021-0264.yaml
index d3d95fb..767dbde 100644
--- a/data/reports/GO-2021-0264.yaml
+++ b/data/reports/GO-2021-0264.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: archive/zip
- symbols:
- - split
- - Reader.Open
versions:
- fixed: 1.16.10
- introduced: 1.17.0
fixed: 1.17.3
+ packages:
+ - package: archive/zip
+ symbols:
+ - split
+ - Reader.Open
description: |
Previously, opening a zip with (*Reader).Open could result in a panic if the
zip contained a file whose name was exclusively made up of slash characters or
diff --git a/data/reports/GO-2021-0265.yaml b/data/reports/GO-2021-0265.yaml
index 42b5089..af918c6 100644
--- a/data/reports/GO-2021-0265.yaml
+++ b/data/reports/GO-2021-0265.yaml
@@ -1,9 +1,11 @@
-packages:
+modules:
- module: github.com/tidwall/gjson
- symbols:
- - match.Match
versions:
- fixed: 1.9.3
+ packages:
+ - package: github.com/tidwall/gjson
+ symbols:
+ - match.Match
description: |
GJSON allowed a ReDoS (regular expression denial of service) attack.
published: 2022-01-14T17:30:24Z
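Review bot: the added "package: github.com/tidwall/gjson" is copied from the module path, because the old entry had no "package" key, and nothing in the hunk shows that the symbol "match.Match" resolves in that package. The name reads either as a method on a type called match or as a function qualified by a package called match. Please confirm where the vulnerable function lives; if it is not in github.com/tidwall/gjson, symbol-level matching against this entry will not find it.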
diff --git a/data/reports/GO-2021-0317.yaml b/data/reports/GO-2021-0317.yaml
index 3a456ff..e47328c 100644
--- a/data/reports/GO-2021-0317.yaml
+++ b/data/reports/GO-2021-0317.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: math/big
- symbols:
- - Rat.SetString
versions:
- fixed: 1.16.14
- introduced: 1.17.0
fixed: 1.17.7
+ packages:
+ - package: math/big
+ symbols:
+ - Rat.SetString
description: |
Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.
published: 2022-05-23T22:15:42Z
diff --git a/data/reports/GO-2021-0319.yaml b/data/reports/GO-2021-0319.yaml
index c78c6a3..4051aa7 100644
--- a/data/reports/GO-2021-0319.yaml
+++ b/data/reports/GO-2021-0319.yaml
@@ -1,14 +1,15 @@
-packages:
+modules:
- module: std
- package: crypto/elliptic
- symbols:
- - CurveParams.IsOnCurve
- - p384PointFromAffine
- - p521PointFromAffine
versions:
- fixed: 1.16.14
- introduced: 1.17.0
fixed: 1.17.7
+ packages:
+ - package: crypto/elliptic
+ symbols:
+ - CurveParams.IsOnCurve
+ - p384PointFromAffine
+ - p521PointFromAffine
description: |
Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
diff --git a/data/reports/GO-2021-0321.yaml b/data/reports/GO-2021-0321.yaml
index 00c9b32..5da93db 100644
--- a/data/reports/GO-2021-0321.yaml
+++ b/data/reports/GO-2021-0321.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: mellium.im/xmpp
- package: mellium.im/xmpp/websocket
- symbols:
- - Dialer.config
versions:
- introduced: 0.18.0
fixed: 0.21.1
+ packages:
+ - package: mellium.im/xmpp/websocket
+ symbols:
+ - Dialer.config
description: |
An attacker capable of spoofing DNS TXT records can redirect a
WebSocket connection request to a server under their control without
diff --git a/data/reports/GO-2021-0347.yaml b/data/reports/GO-2021-0347.yaml
index 5600579..053092c 100644
--- a/data/reports/GO-2021-0347.yaml
+++ b/data/reports/GO-2021-0347.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: regexp
- symbols:
- - regexp.Compile
versions:
- fixed: 1.16.15
- introduced: 1.17.0
fixed: 1.17.8
+ packages:
+ - package: regexp
+ symbols:
+ - regexp.Compile
description: |
On 64-bit platforms, an extremely deeply nested expression can
cause regexp.Compile to cause goroutine stack exhaustion, forcing
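Review bot: "regexp.Compile" under "package: regexp" is package-qualified, while the other function symbols visible in this change are bare names relative to their package ("Parse" in golang.org/x/text/language, "NewFile" in debug/macho, "Verify" in crypto/dsa). Under the Type.Method convention used elsewhere in these reports it would read as a method Compile on a type named regexp. Suggest "- Compile".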
diff --git a/data/reports/GO-2021-0356.yaml b/data/reports/GO-2021-0356.yaml
index c0cbee5..39afa37 100644
--- a/data/reports/GO-2021-0356.yaml
+++ b/data/reports/GO-2021-0356.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: golang.org/x/crypto
- package: golang.org/x/crypto/ssh
- symbols:
- - ServerConfig.AddHostKey
- derived_symbols:
- - ServerConfig.AddHostKey
versions:
- fixed: 0.0.0-20220314234659-1baeb1ce4c0b
+ packages:
+ - package: golang.org/x/crypto/ssh
+ symbols:
+ - ServerConfig.AddHostKey
+ derived_symbols:
+ - ServerConfig.AddHostKey
description: |
Attackers can cause a crash in SSH servers when the server has been
configured by passing a Signer to ServerConfig.AddHostKey such that
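Review bot: "derived_symbols" in this package entry contains only ServerConfig.AddHostKey, the same symbol already listed under "symbols", so it adds no information. Suggest dropping the "derived_symbols" key here rather than carrying the duplicate into the new layout.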
diff --git a/data/reports/GO-2021-0412.yaml b/data/reports/GO-2021-0412.yaml
index c0f0601..6d82ee9 100644
--- a/data/reports/GO-2021-0412.yaml
+++ b/data/reports/GO-2021-0412.yaml
@@ -1,10 +1,11 @@
-packages:
+modules:
- module: github.com/containerd/imgcrypt
- package: github.com/containerd/imgcrypt/images/encryption
- symbols:
- - cryptManifestList
versions:
- fixed: 1.1.4
+ packages:
+ - package: github.com/containerd/imgcrypt/images/encryption
+ symbols:
+ - cryptManifestList
description: |
The imgcrypt library provides API exensions for containerd to
support encrypted container images and implements the ctd-decoder
diff --git a/data/reports/GO-2022-0166.yaml b/data/reports/GO-2022-0166.yaml
index 693564f..d0255fc 100644
--- a/data/reports/GO-2022-0166.yaml
+++ b/data/reports/GO-2022-0166.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: crypto/dsa
- symbols:
- - Verify
versions:
- fixed: 1.5.4
- introduced: 1.6.0
fixed: 1.6.1
+ packages:
+ - package: crypto/dsa
+ symbols:
+ - Verify
description: |
The Verify function in crypto/dsa passed certain parameters unchecked to
the underlying big integer library, possibly leading to extremely
diff --git a/data/reports/GO-2022-0171.yaml b/data/reports/GO-2022-0171.yaml
index 00f3c97..4d6e9f1 100644
--- a/data/reports/GO-2022-0171.yaml
+++ b/data/reports/GO-2022-0171.yaml
@@ -1,13 +1,16 @@
-packages:
+modules:
- module: std
- package: crypto/x509
- symbols:
- - FetchPEMRoots
- - execSecurityRoots
versions:
- fixed: 1.6.4
- introduced: 1.7.0
fixed: 1.7.4
+ packages:
+ - package: crypto/x509
+ goos:
+ - darwin
+ symbols:
+ - FetchPEMRoots
+ - execSecurityRoots
description: |
On Darwin, user's trust preferences for root certificates were not honored.
If the user had a root certificate loaded in their Keychain that was
@@ -17,11 +20,11 @@
cves:
- CVE-2017-1000097
credit: Xy Ziemba
-os:
- - darwin
links:
pr: https://go.dev/cl/33721
commit: https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a
context:
- https://go.dev/issue/18141
- https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ
+os:
+ - darwin
diff --git a/data/reports/GO-2022-0177.yaml b/data/reports/GO-2022-0177.yaml
index c018df2..1aff63b 100644
--- a/data/reports/GO-2022-0177.yaml
+++ b/data/reports/GO-2022-0177.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: std
- package: cmd/go
versions:
- fixed: 1.8.4
- introduced: 1.9.0
fixed: 1.9.1
vulnerable_at: 1.9.0
+ packages:
+ - package: cmd/go
description: |
The "go get" command allows remote command execution.
diff --git a/data/reports/GO-2022-0187.yaml b/data/reports/GO-2022-0187.yaml
index 9bb24fb..cba29eb 100644
--- a/data/reports/GO-2022-0187.yaml
+++ b/data/reports/GO-2022-0187.yaml
@@ -1,14 +1,17 @@
-packages:
+modules:
- module: std
- package: crypto/elliptic
- symbols:
- - p256SubInternal
versions:
- introduced: 1.6.0
fixed: 1.7.6
- introduced: 1.8.0
fixed: 1.8.2
vulnerable_at: 1.8.1
+ packages:
+ - package: crypto/elliptic
+ goarch:
+ - amd64
+ symbols:
+ - p256SubInternal
description: |
The ScalarMult implementation of curve P-256 for amd64 architectures
generates incorrect results for certain specific input points.
@@ -20,11 +23,11 @@
cves:
- CVE-2017-8932
credit: Vlad Krasnov and Filippo Valsorda at Cloudflare
-arch:
- - amd64
links:
pr: https://go.dev/cl/41070
commit: https://go.googlesource.com/go/+/9294fa2749ffee7edbbb817a0ef9fe633136fa9c
context:
- https://go.dev/issue/20040
- https://groups.google.com/g/golang-announce/c/B5ww0iFt1_Q/m/TgUFJV14BgAJ
+arch:
+ - amd64
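Review bot: the top-level "arch: - amd64" key that this hunk moves below "links" states the same constraint as the "goarch: - amd64" added under the crypto/elliptic package in the first hunk of this file. Keep one source of truth: drop the top-level "arch" key, or note in the commit message that it is retained deliberately for older consumers. The same applies to GO-2022-0209.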
diff --git a/data/reports/GO-2022-0189.yaml b/data/reports/GO-2022-0189.yaml
index 8a19923..03e5046 100644
--- a/data/reports/GO-2022-0189.yaml
+++ b/data/reports/GO-2022-0189.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: cmd/go/internal/get
- symbols:
- - downloadPackage
versions:
- fixed: 1.10.6
- introduced: 1.11.0
fixed: 1.11.3
vulnerable_at: 1.11.2
+ packages:
+ - package: cmd/go/internal/get
+ symbols:
+ - downloadPackage
description: |
The "go get" command is vulnerable to remote code execution when executed
with the -u flag and the import path of a malicious Go package, or a
diff --git a/data/reports/GO-2022-0190.yaml b/data/reports/GO-2022-0190.yaml
index b327002..8c073b2 100644
--- a/data/reports/GO-2022-0190.yaml
+++ b/data/reports/GO-2022-0190.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: cmd/go/internal/get
- symbols:
- - downloadPackage
versions:
- fixed: 1.10.6
- introduced: 1.11.0
fixed: 1.11.3
vulnerable_at: 1.11.2
+ packages:
+ - package: cmd/go/internal/get
+ symbols:
+ - downloadPackage
description: |
The "go get" command is vulnerable to directory traversal when executed
with the import path of a malicious Go package which contains curly brace
diff --git a/data/reports/GO-2022-0191.yaml b/data/reports/GO-2022-0191.yaml
index a812d32..9125d0b 100644
--- a/data/reports/GO-2022-0191.yaml
+++ b/data/reports/GO-2022-0191.yaml
@@ -1,14 +1,15 @@
-packages:
+modules:
- module: std
- package: crypto/x509
- symbols:
- - CertPool.findVerifiedParents
- - Certificate.buildChains
versions:
- fixed: 1.10.6
- introduced: 1.11.0
fixed: 1.11.3
vulnerable_at: 1.11.2
+ packages:
+ - package: crypto/x509
+ symbols:
+ - CertPool.findVerifiedParents
+ - Certificate.buildChains
description: |
The crypto/x509 package does not limit the amount of work
performed for each chain verification, which might allow attackers
diff --git a/data/reports/GO-2022-0192.yaml b/data/reports/GO-2022-0192.yaml
index 1505095..b03ec6a 100644
--- a/data/reports/GO-2022-0192.yaml
+++ b/data/reports/GO-2022-0192.yaml
@@ -1,14 +1,15 @@
-packages:
+modules:
- module: golang.org/x/net
- package: golang.org/x/net/html
- symbols:
- - parser.resetInsertionMode
- derived_symbols:
- - Parse
- - ParseFragment
versions:
- fixed: 0.0.0-20180925071336-cf3bd585ca2a
vulnerable_at: 0.0.0-20180921000356-2f5d2388922f
+ packages:
+ - package: golang.org/x/net/html
+ symbols:
+ - parser.resetInsertionMode
+ derived_symbols:
+ - Parse
+ - ParseFragment
description: |
The Parse function can panic on some invalid inputs.
diff --git a/data/reports/GO-2022-0193.yaml b/data/reports/GO-2022-0193.yaml
index 1ae3a30..1c74edf 100644
--- a/data/reports/GO-2022-0193.yaml
+++ b/data/reports/GO-2022-0193.yaml
@@ -1,14 +1,15 @@
-packages:
+modules:
- module: golang.org/x/net
- package: golang.org/x/net/html
- symbols:
- - inBodyIM
- derived_symbols:
- - Parse
- - ParseFragment
versions:
- fixed: 0.0.0-20180921000356-2f5d2388922f
vulnerable_at: 0.0.0-20180911220305-26e67e76b6c3
+ packages:
+ - package: golang.org/x/net/html
+ symbols:
+ - inBodyIM
+ derived_symbols:
+ - Parse
+ - ParseFragment
description: |
The Parse function can panic on some invalid inputs.
diff --git a/data/reports/GO-2022-0197.yaml b/data/reports/GO-2022-0197.yaml
index ff6543d..897a236 100644
--- a/data/reports/GO-2022-0197.yaml
+++ b/data/reports/GO-2022-0197.yaml
@@ -1,14 +1,15 @@
-packages:
+modules:
- module: golang.org/x/net
- package: golang.org/x/net/html
- symbols:
- - nodeStack.contains
- derived_symbols:
- - Parse
- - ParseFragment
versions:
- fixed: 0.0.0-20190125002852-4b62a64f59f7
vulnerable_at: 0.0.0-20190119204137-ed066c81e75e
+ packages:
+ - package: golang.org/x/net/html
+ symbols:
+ - nodeStack.contains
+ derived_symbols:
+ - Parse
+ - ParseFragment
description: |
The Parse function can panic on some invalid inputs.
diff --git a/data/reports/GO-2022-0201.yaml b/data/reports/GO-2022-0201.yaml
index b160d05..0590ac3 100644
--- a/data/reports/GO-2022-0201.yaml
+++ b/data/reports/GO-2022-0201.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: std
- package: cmd/go
versions:
- fixed: 1.8.7
- introduced: 1.9.0
fixed: 1.9.4
vulnerable_at: 1.9.3
+ packages:
+ - package: cmd/go
description: |
The "go get" command with cgo is vulnerable to remote command execution
by leveraging the gcc or clang plugin feature.
diff --git a/data/reports/GO-2022-0203.yaml b/data/reports/GO-2022-0203.yaml
index 17b5a15..d0e22a4 100644
--- a/data/reports/GO-2022-0203.yaml
+++ b/data/reports/GO-2022-0203.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: std
- package: cmd/go
versions:
- fixed: 1.9.5
- introduced: 1.10.0
fixed: 1.10.1
vulnerable_at: 1.10.0
+ packages:
+ - package: cmd/go
description: |
The "go get" command is vulnerable to remote code execution.
diff --git a/data/reports/GO-2022-0209.yaml b/data/reports/GO-2022-0209.yaml
index 5c05ec6..6fb2434 100644
--- a/data/reports/GO-2022-0209.yaml
+++ b/data/reports/GO-2022-0209.yaml
@@ -1,11 +1,14 @@
-packages:
+modules:
- module: golang.org/x/crypto
- package: golang.org/x/crypto/salsa20/salsa
- symbols:
- - XORKeyStream
versions:
- fixed: 0.0.0-20190320223903-b7391e95e576
vulnerable_at: 0.0.0-20190313024323-a1f597ede03a
+ packages:
+ - package: golang.org/x/crypto/salsa20/salsa
+ goarch:
+ - amd64
+ symbols:
+ - XORKeyStream
description: |
XORKeyStream generates incorrect and insecure output for very
large inputs.
@@ -26,11 +29,11 @@
cves:
- CVE-2019-11840
credit: Michael McLoughlin
-arch:
- - amd64
links:
pr: https://go.dev/cl/168406
commit: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
context:
- https://go.dev/issue/30965
- https://groups.google.com/g/golang-announce/c/tjyNcJxb2vQ/m/n0NRBziSCAAJ
+arch:
+ - amd64
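Review bot: the top-level `arch: - amd64` key is moved to the end of the file rather than removed, even though the first hunk now records the same constraint as `goarch: - amd64` under `golang.org/x/crypto/salsa20/salsa`. Keeping both leaves two places that can drift apart; either drop the top-level key in this change or state in the commit message that it stays until the per-package field is the only one consumers read.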
diff --git a/data/reports/GO-2022-0211.yaml b/data/reports/GO-2022-0211.yaml
index abe5ec8..dc6a504 100644
--- a/data/reports/GO-2022-0211.yaml
+++ b/data/reports/GO-2022-0211.yaml
@@ -1,15 +1,16 @@
-packages:
+modules:
- module: std
- package: net/url
- symbols:
- - parseHost
- - URL.Hostname
- - URL.Port
versions:
- fixed: 1.11.13
- introduced: 1.12.0
fixed: 1.12.8
vulnerable_at: 1.12.7
+ packages:
+ - package: net/url
+ symbols:
+ - parseHost
+ - URL.Hostname
+ - URL.Port
description: |
The url.Parse function accepts URLs with malformed hosts, such that the Host
field can have arbitrary suffixes that appear in neither Hostname() nor Port(),
diff --git a/data/reports/GO-2022-0212.yaml b/data/reports/GO-2022-0212.yaml
index 16ff231..68cc9a7 100644
--- a/data/reports/GO-2022-0212.yaml
+++ b/data/reports/GO-2022-0212.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: net/textproto
- symbols:
- - Reader.ReadMimeHeader
versions:
- fixed: 1.12.10
- introduced: 1.13.0
fixed: 1.13.1
+ packages:
+ - package: net/textproto
+ symbols:
+ - Reader.ReadMimeHeader
description: |
net/http (through net/textproto) used to accept and normalize invalid
HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.
diff --git a/data/reports/GO-2022-0213.yaml b/data/reports/GO-2022-0213.yaml
index 900a27f..53b78be 100644
--- a/data/reports/GO-2022-0213.yaml
+++ b/data/reports/GO-2022-0213.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: crypto/dsa
- symbols:
- - Verify
versions:
- fixed: 1.12.11
- introduced: 1.13.0
fixed: 1.13.2
+ packages:
+ - package: crypto/dsa
+ symbols:
+ - Verify
description: |
Invalid DSA public keys can cause a panic in dsa.Verify. In particular,
using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a
diff --git a/data/reports/GO-2022-0217.yaml b/data/reports/GO-2022-0217.yaml
index b50ae60..b735dca 100644
--- a/data/reports/GO-2022-0217.yaml
+++ b/data/reports/GO-2022-0217.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: crypto/elliptic
- symbols:
- - curve.doubleJacobian
versions:
- fixed: 1.10.8
- introduced: 1.11.0
fixed: 1.11.5
+ packages:
+ - package: crypto/elliptic
+ symbols:
+ - curve.doubleJacobian
description: |
A DoS vulnerability in the crypto/elliptic implementations of the P-521 and
P-384 elliptic curves may let an attacker craft inputs that consume
diff --git a/data/reports/GO-2022-0220.yaml b/data/reports/GO-2022-0220.yaml
index b6ffc4a..955f418 100644
--- a/data/reports/GO-2022-0220.yaml
+++ b/data/reports/GO-2022-0220.yaml
@@ -1,22 +1,22 @@
-packages:
+modules:
- module: std
- package: runtime
- symbols:
- - loadOptionalSyscalls
- - osinit
- - syscall_loadsystemlibrary
versions:
- fixed: 1.11.10
- introduced: 1.12.0
fixed: 1.12.2
- - module: std
- package: syscall
- symbols:
- - LoadDLL
- versions:
- - fixed: 1.11.10
- - introduced: 1.12.0
- fixed: 1.12.2
+ packages:
+ - package: runtime
+ goos:
+ - windows
+ symbols:
+ - loadOptionalSyscalls
+ - osinit
+ - syscall_loadsystemlibrary
+ - package: syscall
+ goos:
+ - windows
+ symbols:
+ - LoadDLL
description: |
Go on Windows misused certain LoadLibrary functionality, leading to DLL
injection.
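Review bot: folding the separate `std` entry for `syscall` into the `runtime` entry discards its own `versions:` list, which is safe here only because both lists were identical (`fixed: 1.11.10`, `introduced: 1.12.0`, `fixed: 1.12.2`). If this migration was scripted, confirm the script refuses to merge entries for the same module whose ranges differ. The new `goos: - windows` is also repeated under each package, so a later edit has to touch both copies.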
@@ -24,11 +24,11 @@
cves:
- CVE-2019-9634
credit: Samuel Cochran, Jason Donenfeld
-os:
- - windows
links:
pr: https://go.dev/cl/165798
commit: https://go.googlesource.com/go/+/9b6e9f0c8c66355c0f0575d808b32f52c8c6d21c
context:
- https://go.dev/issue/28978
- https://groups.google.com/g/golang-announce/c/z9eTD34GEIs/m/Z_XmhTrVAwAJ
+os:
+ - windows
diff --git a/data/reports/GO-2022-0229.yaml b/data/reports/GO-2022-0229.yaml
index 8f18236..c20b8be 100644
--- a/data/reports/GO-2022-0229.yaml
+++ b/data/reports/GO-2022-0229.yaml
@@ -1,16 +1,18 @@
-packages:
+modules:
- module: std
- package: crypto/x509
versions:
- fixed: 1.12.16
- introduced: 1.13.0
fixed: 1.13.7
vulnerable_at: 1.13.6
+ packages:
+ - package: crypto/x509
- module: golang.org/x/crypto
- package: golang.org/x/crypto/cryptobyte
versions:
- fixed: 0.0.0-20200124225646-8b5121be2f68
vulnerable_at: 0.0.0-20200115085410-6d4e4cb37c7d
+ packages:
+ - package: golang.org/x/crypto/cryptobyte
description: |
On 32-bit architectures, a malformed input to crypto/x509 or
the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte
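Review bot: the description limits this issue to 32-bit architectures, but neither `crypto/x509` nor `golang.org/x/crypto/cryptobyte` gets a `goarch` list, while GO-2022-0209 in this same change now carries one per package. If the new field is meant to drive matching, add the affected 32-bit GOARCH values here; otherwise note that the platform restriction lives only in the prose.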
diff --git a/data/reports/GO-2022-0230.yaml b/data/reports/GO-2022-0230.yaml
index 2c78eb2..256e14e 100644
--- a/data/reports/GO-2022-0230.yaml
+++ b/data/reports/GO-2022-0230.yaml
@@ -1,16 +1,17 @@
-packages:
+modules:
- module: github.com/containernetworking/cni
- package: github.com/containernetworking/cni/pkg/invoke
- symbols:
- - FindInPath
- derived_symbols:
- - DelegateAdd
- - DelegateCheck
- - DelegateDel
- - RawExec.FindInPath
versions:
- fixed: 0.8.1
vulnerable_at: 0.8.0
+ packages:
+ - package: github.com/containernetworking/cni/pkg/invoke
+ symbols:
+ - FindInPath
+ derived_symbols:
+ - DelegateAdd
+ - DelegateCheck
+ - DelegateDel
+ - RawExec.FindInPath
description: |
The FindInPath function is vulnerable to directory traversal attacks,
potentially permitting attackers to execute arbitrary binaries.
diff --git a/data/reports/GO-2022-0233.yaml b/data/reports/GO-2022-0233.yaml
index 7149cbd..1fb97d2 100644
--- a/data/reports/GO-2022-0233.yaml
+++ b/data/reports/GO-2022-0233.yaml
@@ -1,10 +1,12 @@
-packages:
+modules:
- module: github.com/pires/go-proxyproto
- symbols:
- - Listener.Accept
versions:
- fixed: 0.6.1
vulnerable_at: 0.5.0
+ packages:
+ - package: github.com/pires/go-proxyproto
+ symbols:
+ - Listener.Accept
description: |
The PROXY protocol server does not impose a timeout on reading the header
from new connections, allowing a malicious client to cause resource
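Review bot: the old entry had no `package:` field, and the new `package: github.com/pires/go-proxyproto` is simply the module path repeated. That is correct only if `Listener.Accept` is defined in the module's root package, so the inferred path should be checked against the source rather than assumed, here and in the other reports that previously listed symbols at module level.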
diff --git a/data/reports/GO-2022-0236.yaml b/data/reports/GO-2022-0236.yaml
index 15ddf5e..257fcab 100644
--- a/data/reports/GO-2022-0236.yaml
+++ b/data/reports/GO-2022-0236.yaml
@@ -1,25 +1,27 @@
-packages:
+modules:
- module: std
- package: net/http
- symbols:
- - http2clientStream.writeRequest
- - http2isConnectionCloseRequest
- - isProtocolSwitchHeader
- - shouldClose
versions:
- fixed: 1.15.12
- introduced: 1.16.0
fixed: 1.16.4
vulnerable_at: 1.16.3
+ packages:
+ - package: net/http
+ symbols:
+ - http2clientStream.writeRequest
+ - http2isConnectionCloseRequest
+ - isProtocolSwitchHeader
+ - shouldClose
- module: golang.org/x/net
- package: golang.org/x/net/http/httpguts
- symbols:
- - headerValueContainsToken
- derived_symbols:
- - HeaderValuesContainsToken
versions:
- fixed: 0.0.0-20210428140749-89ef3d95e781
vulnerable_at: 0.0.0-20210427231257-85d9c07bbe3a
+ packages:
+ - package: golang.org/x/net/http/httpguts
+ symbols:
+ - headerValueContainsToken
+ derived_symbols:
+ - HeaderValuesContainsToken
description: |
A malicious HTTP server or client can cause the net/http client
or server to panic.
diff --git a/data/reports/GO-2022-0244.yaml b/data/reports/GO-2022-0244.yaml
index dfa00b6..1f1e6b9 100644
--- a/data/reports/GO-2022-0244.yaml
+++ b/data/reports/GO-2022-0244.yaml
@@ -1,19 +1,21 @@
-packages:
+modules:
- module: github.com/satori/go.uuid
- symbols:
- - rfc4122Generator.NewV4
- - rfc4122Generator.getClockSequence
- - rfc4122Generator.getHardwareAddr
- derived_symbols:
- - NewV1
- - NewV2
- - NewV4
- - rfc4122Generator.NewV1
- - rfc4122Generator.NewV2
versions:
- introduced: 1.2.1-0.20180103161547-0ef6afb2f6cd
fixed: 1.2.1-0.20180404165556-75cca531ea76
vulnerable_at: 1.2.1-0.20180103161547-0ef6afb2f6cd
+ packages:
+ - package: github.com/satori/go.uuid
+ symbols:
+ - rfc4122Generator.NewV4
+ - rfc4122Generator.getClockSequence
+ - rfc4122Generator.getHardwareAddr
+ derived_symbols:
+ - NewV1
+ - NewV2
+ - NewV4
+ - rfc4122Generator.NewV1
+ - rfc4122Generator.NewV2
description: |
Random data used to create UUIDs can contain zeros, resulting in
predictable UUIDs and possible collisions.
diff --git a/data/reports/GO-2022-0246.yaml b/data/reports/GO-2022-0246.yaml
index e434133..402a049 100644
--- a/data/reports/GO-2022-0246.yaml
+++ b/data/reports/GO-2022-0246.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: github.com/cloudflare/cfrpki
- package: github.com/cloudflare/cfrpki/validator/lib
- symbols:
- - ROAEntry.Validate
- derived_symbols:
- - RPKIROA.ValidateEntries
versions:
- fixed: 1.3.0
vulnerable_at: 1.2.2
+ packages:
+ - package: github.com/cloudflare/cfrpki/validator/lib
+ symbols:
+ - ROAEntry.Validate
+ derived_symbols:
+ - RPKIROA.ValidateEntries
description: |
The ROAEntry.Validate function fails to perform bounds checks on
the MaxLength field, allowing invalid values to pass validation.
diff --git a/data/reports/GO-2022-0247.yaml b/data/reports/GO-2022-0247.yaml
index 4ec31a6..fe17e07 100644
--- a/data/reports/GO-2022-0247.yaml
+++ b/data/reports/GO-2022-0247.yaml
@@ -1,20 +1,24 @@
-packages:
+modules:
- module: std
- package: cmd/link
- symbols:
- - Link.address
versions:
- fixed: 1.16.9
- introduced: 1.17.0
fixed: 1.17.2
- - module: std
- package: misc/wasm
- symbols:
- - run
- versions:
- - fixed: 1.16.9
- - introduced: 1.17.0
- fixed: 1.17.2
+ packages:
+ - package: cmd/link
+ goos:
+ - js
+ goarch:
+ - wasm
+ symbols:
+ - Link.address
+ - package: misc/wasm
+ goos:
+ - js
+ goarch:
+ - wasm
+ symbols:
+ - run
description: |
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,
passing very large arguments can cause portions of the module to be
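Review bot: `goos: - js` and `goarch: - wasm` under `cmd/link` describe the build target, not the platform the linker itself runs on, since the description ties the issue to modules built with GOARCH=wasm GOOS=js. The schema documentation should say which meaning the per-package `goos`/`goarch` fields carry, because a consumer that compares them with the platform of the toolchain binary could miss this entry.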
@@ -28,13 +32,13 @@
cves:
- CVE-2021-38297
credit: Ben Lubar
-os:
- - js
-arch:
- - wasm
links:
pr: https://go.dev/cl/354571
commit: https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4
context:
- https://go.dev/issue/48797
- https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A
+os:
+ - js
+arch:
+ - wasm
diff --git a/data/reports/GO-2022-0248.yaml b/data/reports/GO-2022-0248.yaml
index 8f83586..69e49a6 100644
--- a/data/reports/GO-2022-0248.yaml
+++ b/data/reports/GO-2022-0248.yaml
@@ -1,16 +1,17 @@
-packages:
+modules:
- module: github.com/cloudflare/cfrpki
- package: github.com/cloudflare/cfrpki/validator/pki
- symbols:
- - ExtractPathManifest
- derived_symbols:
- - SimpleManager.Explore
- - SimpleManager.ExploreAdd
- - Validator.AddManifest
- - Validator.AddResource
versions:
- fixed: 1.4.3
vulnerable_at: 1.4.2
+ packages:
+ - package: github.com/cloudflare/cfrpki/validator/pki
+ symbols:
+ - ExtractPathManifest
+ derived_symbols:
+ - SimpleManager.Explore
+ - SimpleManager.ExploreAdd
+ - Validator.AddManifest
+ - Validator.AddResource
description: |
Manifest path extraction is vulnerable to directory traversal attacks.
diff --git a/data/reports/GO-2022-0251.yaml b/data/reports/GO-2022-0251.yaml
index 82a94bd..7c4bebd 100644
--- a/data/reports/GO-2022-0251.yaml
+++ b/data/reports/GO-2022-0251.yaml
@@ -1,15 +1,16 @@
-packages:
+modules:
- module: github.com/cloudflare/cfrpki
- package: github.com/cloudflare/cfrpki/validator/lib
- symbols:
- - readObject
- derived_symbols:
- - BER2DER
- - DecodeManifest
- - DecoderConfig.DecodeManifest
versions:
- fixed: 1.4.0
vulnerable_at: 1.3.0
+ packages:
+ - package: github.com/cloudflare/cfrpki/validator/lib
+ symbols:
+ - readObject
+ derived_symbols:
+ - BER2DER
+ - DecodeManifest
+ - DecoderConfig.DecodeManifest
description: |
Invalid input data can cause a panic.
published: 2022-07-15T23:07:28Z
diff --git a/data/reports/GO-2022-0252.yaml b/data/reports/GO-2022-0252.yaml
index 5ed97e1..1a5bdb0 100644
--- a/data/reports/GO-2022-0252.yaml
+++ b/data/reports/GO-2022-0252.yaml
@@ -1,19 +1,20 @@
-packages:
+modules:
- module: github.com/cloudflare/cfrpki
- package: github.com/cloudflare/cfrpki/validator/lib
- symbols:
- - IPNet.GetRange
- - ValidateIPCertificateList
- - GetRangeIP
- - ValidateIPRoaCertificateList
- derived_symbols:
- - DecodeROA
- - DecoderConfig.DecodeROA
- - RPKICertificate.ValidateIPCertificate
- - RPKIROA.ValidateIPRoaCertificate
versions:
- fixed: 1.4.0
vulnerable_at: 1.3.0
+ packages:
+ - package: github.com/cloudflare/cfrpki/validator/lib
+ symbols:
+ - IPNet.GetRange
+ - ValidateIPCertificateList
+ - GetRangeIP
+ - ValidateIPRoaCertificateList
+ derived_symbols:
+ - DecodeROA
+ - DecoderConfig.DecodeROA
+ - RPKICertificate.ValidateIPCertificate
+ - RPKIROA.ValidateIPRoaCertificate
description: |
Invalid input data can cause a panic.
published: 2022-07-15T23:07:41Z
diff --git a/data/reports/GO-2022-0253.yaml b/data/reports/GO-2022-0253.yaml
index 11467e9..393b409 100644
--- a/data/reports/GO-2022-0253.yaml
+++ b/data/reports/GO-2022-0253.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: github.com/cloudflare/cfrpki
- package: github.com/cloudflare/cfrpki/sync/lib
- symbols:
- - HTTPFetcher.GetXML
versions:
- fixed: 1.4.0
vulnerable_at: 1.3.0
+ packages:
+ - package: github.com/cloudflare/cfrpki/sync/lib
+ symbols:
+ - HTTPFetcher.GetXML
description: |
The HTTPFetcher.GetXML function reads a response of unlimited size into
memory, permitting resource exhausion.
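Review bot: `exhausion` in the last description line is a typo for `exhaustion`. It is an untouched context line, but since this change already rewrites the file, fixing it here saves a separate edit.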
diff --git a/data/reports/GO-2022-0254.yaml b/data/reports/GO-2022-0254.yaml
index 64b3746..fbd50e3 100644
--- a/data/reports/GO-2022-0254.yaml
+++ b/data/reports/GO-2022-0254.yaml
@@ -1,22 +1,23 @@
-packages:
+modules:
- module: github.com/ethereum/go-ethereum
- package: github.com/ethereum/go-ethereum/core/vm
- symbols:
- - opCall
- - opCallCode
- - opDelegateCall
- - opStaticCall
- - EVMInterpreter.Run
- derived_symbols:
- - EVM.Call
- - EVM.CallCode
- - EVM.Create
- - EVM.Create2
- - EVM.DelegateCall
- - EVM.StaticCall
versions:
- fixed: 1.10.8
vulnerable_at: 1.10.7
+ packages:
+ - package: github.com/ethereum/go-ethereum/core/vm
+ symbols:
+ - opCall
+ - opCallCode
+ - opDelegateCall
+ - opStaticCall
+ - EVMInterpreter.Run
+ derived_symbols:
+ - EVM.Call
+ - EVM.CallCode
+ - EVM.Create
+ - EVM.Create2
+ - EVM.DelegateCall
+ - EVM.StaticCall
description: |
A vulnerability in the Geth EVM can cause a node to reject the
canonical chain.
diff --git a/data/reports/GO-2022-0256.yaml b/data/reports/GO-2022-0256.yaml
index 5df82af..d002e0a 100644
--- a/data/reports/GO-2022-0256.yaml
+++ b/data/reports/GO-2022-0256.yaml
@@ -1,21 +1,18 @@
-packages:
+modules:
- module: github.com/ethereum/go-ethereum
- package: github.com/ethereum/go-ethereum/eth/protocols/snap
- symbols:
- - handleMessage
versions:
- fixed: 1.10.9
vulnerable_at: 1.10.8
- - module: github.com/ethereum/go-ethereum
- package: github.com/ethereum/go-ethereum/trie
- symbols:
- - Trie.tryGetNode
- derived_symbols:
- - SecureTrie.TryGetNode
- - Trie.TryGetNode
- versions:
- - fixed: 1.10.9
- vulnerable_at: 1.10.8
+ packages:
+ - package: github.com/ethereum/go-ethereum/eth/protocols/snap
+ symbols:
+ - handleMessage
+ - package: github.com/ethereum/go-ethereum/trie
+ symbols:
+ - Trie.tryGetNode
+ derived_symbols:
+ - SecureTrie.TryGetNode
+ - Trie.TryGetNode
description: |
A maliciously crafted snap/1 protocol message can cause a panic.
published: 2022-07-15T23:08:03Z
diff --git a/data/reports/GO-2022-0272.yaml b/data/reports/GO-2022-0272.yaml
index c32a0d7..2c602f7 100644
--- a/data/reports/GO-2022-0272.yaml
+++ b/data/reports/GO-2022-0272.yaml
@@ -1,16 +1,18 @@
-packages:
+modules:
- module: github.com/kataras/iris/v12
- package: github.com/kataras/iris/v12/context
- symbols:
- - Context.UploadFormFiles
versions:
- fixed: 12.2.0-alpha8
vulnerable_at: 12.1.8
+ packages:
+ - package: github.com/kataras/iris/v12/context
+ symbols:
+ - Context.UploadFormFiles
- module: github.com/kataras/iris
- package: github.com/kataras/iris/context
- symbols:
- - Context.UploadFormFiles
vulnerable_at: 0.0.2
+ packages:
+ - package: github.com/kataras/iris/context
+ symbols:
+ - Context.UploadFormFiles
description: |
The Context.UploadFormFiles function is vulnerable to directory
traversal attacks, and can be made to write to arbitrary locations
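Review bot: the `github.com/kataras/iris` entry has `vulnerable_at: 0.0.2` but no `versions:` list, so after this change `packages:` sits directly under `vulnerable_at`. If the missing range is intentional (no fixed release on the non-v12 module path), a YAML comment in the report would make that explicit; otherwise add the range while the entry is being restructured.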
diff --git a/data/reports/GO-2022-0273.yaml b/data/reports/GO-2022-0273.yaml
index 886d3d1..c5e3b69 100644
--- a/data/reports/GO-2022-0273.yaml
+++ b/data/reports/GO-2022-0273.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: archive/zip
- symbols:
- - NewReader
- - OpenReader
versions:
- fixed: 1.16.8
- introduced: "1.17"
fixed: 1.17.1
+ packages:
+ - package: archive/zip
+ symbols:
+ - NewReader
+ - OpenReader
description: |
The NewReader and OpenReader functions in archive/zip can cause a panic or
an unrecoverable fatal error when reading an archive that claims to contain
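Review bot: `introduced: "1.17"` is left as a quoted two-component version, while the neighbouring bounds use three components (`fixed: 1.16.8`, `fixed: 1.17.1`) and GO-2022-0288 writes the same release as `introduced: 1.17.0`. The quotes are needed only because a bare 1.17 would load as a YAML float; writing `1.17.0` removes that hazard and matches the other reports. GO-2022-0289 has the same line.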
diff --git a/data/reports/GO-2022-0274.yaml b/data/reports/GO-2022-0274.yaml
index 4efcf10..b5ff0ae 100644
--- a/data/reports/GO-2022-0274.yaml
+++ b/data/reports/GO-2022-0274.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: github.com/opencontainers/runc
- package: github.com/opencontainers/runc/libcontainer
- symbols:
- - Bytemsg.Serialize
versions:
- introduced: 1.0.1-0.20211012131345-9c444070ec7b
fixed: 1.1.0
vulnerable_at: 1.0.1-0.20211012131345-9c444070ec7b
+ packages:
+ - package: github.com/opencontainers/runc/libcontainer
+ symbols:
+ - Bytemsg.Serialize
description: |
An attacker with partial control over the bind mount sources of a new
container can bypass namespace restrictions.
diff --git a/data/reports/GO-2022-0288.yaml b/data/reports/GO-2022-0288.yaml
index 11683fd..3ec8f51 100644
--- a/data/reports/GO-2022-0288.yaml
+++ b/data/reports/GO-2022-0288.yaml
@@ -1,22 +1,24 @@
-packages:
+modules:
- module: std
- package: net/http
- symbols:
- - http2serverConn.canonicalHeader
versions:
- fixed: 1.16.12
- introduced: 1.17.0
fixed: 1.17.5
vulnerable_at: 1.17.4
+ packages:
+ - package: net/http
+ symbols:
+ - http2serverConn.canonicalHeader
- module: golang.org/x/net
- package: golang.org/x/net/http2
- symbols:
- - serverConn.canonicalHeader
- derived_symbols:
- - Server.ServeConn
versions:
- fixed: 0.0.0-20211209124913-491a49abca63
vulnerable_at: 0.0.0-20211208012354-db4efeb81f4b
+ packages:
+ - package: golang.org/x/net/http2
+ symbols:
+ - serverConn.canonicalHeader
+ derived_symbols:
+ - Server.ServeConn
description: |
An attacker can cause unbounded memory growth in servers accepting
HTTP/2 requests.
diff --git a/data/reports/GO-2022-0289.yaml b/data/reports/GO-2022-0289.yaml
index 7de2c72..b651b81 100644
--- a/data/reports/GO-2022-0289.yaml
+++ b/data/reports/GO-2022-0289.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: syscall
- symbols:
- - ForkExec
versions:
- fixed: 1.16.12
- introduced: "1.17"
fixed: 1.17.5
+ packages:
+ - package: syscall
+ symbols:
+ - ForkExec
description: |
When a Go program running on a Unix system is out of file descriptors and
calls syscall.ForkExec (including indirectly by using the os/exec package),
diff --git a/data/reports/GO-2022-0294.yaml b/data/reports/GO-2022-0294.yaml
index 484fe6c..9fa12bc 100644
--- a/data/reports/GO-2022-0294.yaml
+++ b/data/reports/GO-2022-0294.yaml
@@ -1,15 +1,16 @@
-packages:
+modules:
- module: github.com/google/go-attestation
- package: github.com/google/go-attestation/attest
- symbols:
- - AKPublic.validate12Quote
- - AKPublic.validate20Quote
- derived_symbols:
- - AKPublic.Verify
- - TPM.AttestPlatform
versions:
- fixed: 0.4.0
vulnerable_at: 0.3.2
+ packages:
+ - package: github.com/google/go-attestation/attest
+ symbols:
+ - AKPublic.validate12Quote
+ - AKPublic.validate20Quote
+ derived_symbols:
+ - AKPublic.Verify
+ - TPM.AttestPlatform
description: |
A local attacker can defeat remotely-attested measured boot.
diff --git a/data/reports/GO-2022-0300.yaml b/data/reports/GO-2022-0300.yaml
index 4dfcd72..e72e78e 100644
--- a/data/reports/GO-2022-0300.yaml
+++ b/data/reports/GO-2022-0300.yaml
@@ -1,17 +1,19 @@
-packages:
+modules:
- module: github.com/graph-gophers/graphql-go
- symbols:
- - Schema.ValidateWithVariables
- - Schema.exec
- - Schema.subscribe
- derived_symbols:
- - Schema.Exec
- - Schema.Subscribe
- - Schema.ToJSON
- - Schema.Validate
versions:
- fixed: 1.3.0
vulnerable_at: 1.2.0
+ packages:
+ - package: github.com/graph-gophers/graphql-go
+ symbols:
+ - Schema.ValidateWithVariables
+ - Schema.exec
+ - Schema.subscribe
+ derived_symbols:
+ - Schema.Exec
+ - Schema.Subscribe
+ - Schema.ToJSON
+ - Schema.Validate
description: |
Malicious inputs can cause a panic.
diff --git a/data/reports/GO-2022-0316.yaml b/data/reports/GO-2022-0316.yaml
index f709a47..1cb89ac 100644
--- a/data/reports/GO-2022-0316.yaml
+++ b/data/reports/GO-2022-0316.yaml
@@ -1,16 +1,17 @@
-packages:
+modules:
- module: github.com/open-policy-agent/opa
- package: github.com/open-policy-agent/opa/format
- symbols:
- - groupIterable
- derived_symbols:
- - Ast
- - MustAst
- - Source
versions:
- introduced: 0.33.1
fixed: 0.37.2
vulnerable_at: 0.33.1
+ packages:
+ - package: github.com/open-policy-agent/opa/format
+ symbols:
+ - groupIterable
+ derived_symbols:
+ - Ast
+ - MustAst
+ - Source
description: |
Pretty-printing an AST that contains synthetic nodes can change the logic
of some statements by reordering array literals.
diff --git a/data/reports/GO-2022-0318.yaml b/data/reports/GO-2022-0318.yaml
index 94e7324..3763a65 100644
--- a/data/reports/GO-2022-0318.yaml
+++ b/data/reports/GO-2022-0318.yaml
@@ -1,14 +1,15 @@
-packages:
+modules:
- module: std
- package: cmd/go/internal/modfetch
- symbols:
- - codeRepo.convert
- - codeRepo.validatePseudoVersion
versions:
- fixed: 1.16.14
- introduced: 1.17.0
fixed: 1.17.7
vulnerable_at: 1.17.6
+ packages:
+ - package: cmd/go/internal/modfetch
+ symbols:
+ - codeRepo.convert
+ - codeRepo.validatePseudoVersion
description: |
Incorrect access control is possible in the go command.
diff --git a/data/reports/GO-2022-0322.yaml b/data/reports/GO-2022-0322.yaml
index c6e526d..03b7abc 100644
--- a/data/reports/GO-2022-0322.yaml
+++ b/data/reports/GO-2022-0322.yaml
@@ -1,26 +1,27 @@
-packages:
+modules:
- module: github.com/prometheus/client_golang
- package: github.com/prometheus/client_golang/prometheus/promhttp
- symbols:
- - sanitizeMethod
- derived_symbols:
- - Handler
- - HandlerFor
- - InstrumentHandlerCounter
- - InstrumentHandlerDuration
- - InstrumentHandlerRequestSize
- - InstrumentHandlerResponseSize
- - InstrumentHandlerTimeToWriteHeader
- - InstrumentMetricHandler
- - InstrumentRoundTripperCounter
- - InstrumentRoundTripperDuration
- - flusherDelegator.Flush
- - readerFromDelegator.ReadFrom
- - responseWriterDelegator.Write
- - responseWriterDelegator.WriteHeader
versions:
- fixed: 1.11.1
vulnerable_at: 1.11.0
+ packages:
+ - package: github.com/prometheus/client_golang/prometheus/promhttp
+ symbols:
+ - sanitizeMethod
+ derived_symbols:
+ - Handler
+ - HandlerFor
+ - InstrumentHandlerCounter
+ - InstrumentHandlerDuration
+ - InstrumentHandlerRequestSize
+ - InstrumentHandlerResponseSize
+ - InstrumentHandlerTimeToWriteHeader
+ - InstrumentMetricHandler
+ - InstrumentRoundTripperCounter
+ - InstrumentRoundTripperDuration
+ - flusherDelegator.Flush
+ - readerFromDelegator.ReadFrom
+ - responseWriterDelegator.Write
+ - responseWriterDelegator.WriteHeader
description: |
The Prometheus client_golang HTTP server is vulnerable to a denial of
service attack when handling requests with non-standard HTTP methods.
diff --git a/data/reports/GO-2022-0345.yaml b/data/reports/GO-2022-0345.yaml
index a545d68..1937fe8 100644
--- a/data/reports/GO-2022-0345.yaml
+++ b/data/reports/GO-2022-0345.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: github.com/containers/buildah
- package: github.com/containers/buildah/chroot
- symbols:
- - RunUsingChroot
versions:
- fixed: 1.22.0
vulnerable_at: 1.21.0
+ packages:
+ - package: github.com/containers/buildah/chroot
+ symbols:
+ - RunUsingChroot
description: |
The RunUsingChroot function unintentionally propagates environment
variables from the current process to the child process.
diff --git a/data/reports/GO-2022-0346.yaml b/data/reports/GO-2022-0346.yaml
index 19a0e9a..c585f82 100644
--- a/data/reports/GO-2022-0346.yaml
+++ b/data/reports/GO-2022-0346.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: github.com/quay/claircore
- package: github.com/quay/claircore/rpm
- symbols:
- - Scanner.Scan
versions:
- fixed: 1.1.0
vulnerable_at: 1.1.0-rc.0
+ packages:
+ - package: github.com/quay/claircore/rpm
+ symbols:
+ - Scanner.Scan
description: |
A maliciously crafted RPM file can cause the Scanner.Scan function to
write files with arbitrary contents to arbitrary locations on the local
diff --git a/data/reports/GO-2022-0355.yaml b/data/reports/GO-2022-0355.yaml
index 3f73624..f05f154 100644
--- a/data/reports/GO-2022-0355.yaml
+++ b/data/reports/GO-2022-0355.yaml
@@ -1,10 +1,12 @@
-packages:
+modules:
- module: github.com/valyala/fasthttp
- symbols:
- - FS.NewRequestHandler
versions:
- fixed: 1.34.0
vulnerable_at: 1.33.0
+ packages:
+ - package: github.com/valyala/fasthttp
+ symbols:
+ - FS.NewRequestHandler
description: |
The fasthttp.FS request handler is vulnerable to directory traversal
attacks on Windows systems, and can serve files from outside the
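Review bot: the description restricts this traversal to Windows systems, yet the new package entry has no `goos` list, unlike GO-2022-0220 where `goos: - windows` is set per package. Add `goos: - windows` under `github.com/valyala/fasthttp` if the field is meant to reflect platform scope.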
diff --git a/data/reports/GO-2022-0370.yaml b/data/reports/GO-2022-0370.yaml
index 4596d69..41d1623 100644
--- a/data/reports/GO-2022-0370.yaml
+++ b/data/reports/GO-2022-0370.yaml
@@ -1,18 +1,19 @@
-packages:
+modules:
- module: mellium.im/xmpp
- package: mellium.im/xmpp/websocket
- symbols:
- - Dialer.config
- derived_symbols:
- - Dial
- - DialDirect
- - DialSession
- - Dialer.Dial
- - Dialer.DialDirect
- - NewClient
versions:
- fixed: 0.21.1
vulnerable_at: 0.21.0
+ packages:
+ - package: mellium.im/xmpp/websocket
+ symbols:
+ - Dialer.config
+ derived_symbols:
+ - Dial
+ - DialDirect
+ - DialSession
+ - Dialer.Dial
+ - Dialer.DialDirect
+ - NewClient
description: |
Websocket client connections are vulnerable to man-in-the-middle
attacks via DNS spoofing.
diff --git a/data/reports/GO-2022-0379.yaml b/data/reports/GO-2022-0379.yaml
index 562cefe..eca56ae 100644
--- a/data/reports/GO-2022-0379.yaml
+++ b/data/reports/GO-2022-0379.yaml
@@ -1,10 +1,12 @@
-packages:
+modules:
- module: github.com/docker/distribution
- symbols:
- - UnmarshalManifest
versions:
- fixed: 2.8.0+incompatible
vulnerable_at: 2.7.1+incompatible
+ packages:
+ - package: github.com/docker/distribution
+ symbols:
+ - UnmarshalManifest
description: |
Systems that rely on digest equivalence for image attestations may be
vulnerable to type confusion.
diff --git a/data/reports/GO-2022-0380.yaml b/data/reports/GO-2022-0380.yaml
index c50fb75..f70aa27 100644
--- a/data/reports/GO-2022-0380.yaml
+++ b/data/reports/GO-2022-0380.yaml
@@ -1,11 +1,13 @@
-packages:
+modules:
- module: github.com/nats-io/jwt
- symbols:
- - AccountClaims.IsRevoked
- - Export.IsRevoked
versions:
- fixed: 1.1.0
vulnerable_at: 1.0.1
+ packages:
+ - package: github.com/nats-io/jwt
+ symbols:
+ - AccountClaims.IsRevoked
+ - Export.IsRevoked
description: |
The AccountClaims.IsRevoked and Export.IsRevoked functions improperly
validate expired credentials using the current system time rather than
diff --git a/data/reports/GO-2022-0384.yaml b/data/reports/GO-2022-0384.yaml
index 0243532..f19e328 100644
--- a/data/reports/GO-2022-0384.yaml
+++ b/data/reports/GO-2022-0384.yaml
@@ -1,15 +1,16 @@
-packages:
+modules:
- module: helm.sh/helm/v3
- package: helm.sh/helm/v3/pkg/downloader
- symbols:
- - ChartDownloader.ResolveChartVersion
- derived_symbols:
- - ChartDownloader.DownloadTo
- - Manager.Build
- - Manager.Update
versions:
- fixed: 3.6.1
vulnerable_at: 3.6.0
+ packages:
+ - package: helm.sh/helm/v3/pkg/downloader
+ symbols:
+ - ChartDownloader.ResolveChartVersion
+ derived_symbols:
+ - ChartDownloader.DownloadTo
+ - Manager.Build
+ - Manager.Update
description: |
The username and password credentials associated with a Helm repository
can be passed to another domain referenced by that Helm repository.
diff --git a/data/reports/GO-2022-0385.yaml b/data/reports/GO-2022-0385.yaml
index 9c200f7..1b25c66 100644
--- a/data/reports/GO-2022-0385.yaml
+++ b/data/reports/GO-2022-0385.yaml
@@ -1,13 +1,15 @@
-packages:
+modules:
- module: github.com/ecnepsnai/web
- symbols:
- - Server.socketHandler
- derived_symbols:
- - Server.Socket
versions:
- introduced: 1.4.0
fixed: 1.5.2
vulnerable_at: 1.5.1
+ packages:
+ - package: github.com/ecnepsnai/web
+ symbols:
+ - Server.socketHandler
+ derived_symbols:
+ - Server.Socket
description: |
The AuthenticateMethod authentication hook is not called for WebSocket
connections, allowing unauthenticated access.
diff --git a/data/reports/GO-2022-0386.yaml b/data/reports/GO-2022-0386.yaml
index 88c7a88..7454f46 100644
--- a/data/reports/GO-2022-0386.yaml
+++ b/data/reports/GO-2022-0386.yaml
@@ -1,25 +1,29 @@
-packages:
+modules:
- module: github.com/nats-io/jwt
- symbols:
- - ActivationClaims.Validate
- - Import.Validate
- derived_symbols:
- - Account.Validate
- - AccountClaims.Validate
- - Imports.Validate
versions:
- fixed: 1.2.3-0.20210314221642-a826c77dc9d2
vulnerable_at: 1.2.2
+ packages:
+ - package: github.com/nats-io/jwt
+ symbols:
+ - ActivationClaims.Validate
+ - Import.Validate
+ derived_symbols:
+ - Account.Validate
+ - AccountClaims.Validate
+ - Imports.Validate
- module: github.com/nats-io/jwt/v2
- symbols:
- - Import.Validate
- derived_symbols:
- - Account.Validate
- - AccountClaims.Validate
- - Imports.Validate
versions:
- fixed: 2.0.1
vulnerable_at: 2.0.0
+ packages:
+ - package: github.com/nats-io/jwt/v2
+ symbols:
+ - Import.Validate
+ derived_symbols:
+ - Account.Validate
+ - AccountClaims.Validate
+ - Imports.Validate
description: |
Import tokens valid for one account may be used for any other account.
diff --git a/data/reports/GO-2022-0391.yaml b/data/reports/GO-2022-0391.yaml
index 6f3110f..91fb7b0 100644
--- a/data/reports/GO-2022-0391.yaml
+++ b/data/reports/GO-2022-0391.yaml
@@ -1,23 +1,24 @@
-packages:
+modules:
- module: github.com/aws/aws-sdk-go
- package: github.com/aws/aws-sdk-go/service/s3/s3crypto
- symbols:
- - encodeMeta
- derived_symbols:
- - DecryptionClient.GetObject
- - DecryptionClient.GetObjectWithContext
- - EncryptionClient.PutObject
- - EncryptionClient.PutObjectWithContext
- - S3LoadStrategy.Load
- - S3SaveStrategy.Save
- - defaultV2LoadStrategy.Load
- - kmsKeyHandler.DecryptKey
- - kmsKeyHandler.DecryptKeyWithContext
- - kmsKeyHandler.GenerateCipherData
- - kmsKeyHandler.GenerateCipherDataWithContext
versions:
- fixed: 1.34.0
vulnerable_at: 1.30.0
+ packages:
+ - package: github.com/aws/aws-sdk-go/service/s3/s3crypto
+ symbols:
+ - encodeMeta
+ derived_symbols:
+ - DecryptionClient.GetObject
+ - DecryptionClient.GetObjectWithContext
+ - EncryptionClient.PutObject
+ - EncryptionClient.PutObjectWithContext
+ - S3LoadStrategy.Load
+ - S3SaveStrategy.Save
+ - defaultV2LoadStrategy.Load
+ - kmsKeyHandler.DecryptKey
+ - kmsKeyHandler.DecryptKeyWithContext
+ - kmsKeyHandler.GenerateCipherData
+ - kmsKeyHandler.GenerateCipherDataWithContext
description: |
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside
the ciphertext as a metadata field. This hash can be used to brute force
diff --git a/data/reports/GO-2022-0400.yaml b/data/reports/GO-2022-0400.yaml
index b7ee35e..a15a13a 100644
--- a/data/reports/GO-2022-0400.yaml
+++ b/data/reports/GO-2022-0400.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: github.com/ntbosscher/gobase
- package: github.com/ntbosscher/gobase/auth/httpauth
- symbols:
- - Setup
- - middleware
versions:
- fixed: 0.7.2
vulnerable_at: 0.7.1
+ packages:
+ - package: github.com/ntbosscher/gobase/auth/httpauth
+ symbols:
+ - Setup
+ - middleware
description: A race condition can cause incorrect HTTP request routing.
published: 2022-07-01T20:10:50Z
ghsas:
diff --git a/data/reports/GO-2022-0402.yaml b/data/reports/GO-2022-0402.yaml
index 16a44e5..8f8d91a 100644
--- a/data/reports/GO-2022-0402.yaml
+++ b/data/reports/GO-2022-0402.yaml
@@ -1,16 +1,18 @@
-packages:
+modules:
- module: github.com/nats-io/jwt
- symbols:
- - Export.Validate
- - Import.Validate
- - Imports.Validate
- derived_symbols:
- - Account.Validate
- - AccountClaims.Validate
- - Exports.Validate
versions:
- fixed: 1.1.0
vulnerable_at: 1.0.1
+ packages:
+ - package: github.com/nats-io/jwt
+ symbols:
+ - Export.Validate
+ - Import.Validate
+ - Imports.Validate
+ derived_symbols:
+ - Account.Validate
+ - AccountClaims.Validate
+ - Exports.Validate
description: |
A malicious account can create and sign a User JWT which causes a panic
when decoded by the NATS JWT library.
diff --git a/data/reports/GO-2022-0411.yaml b/data/reports/GO-2022-0411.yaml
index ce177c1..27b6572 100644
--- a/data/reports/GO-2022-0411.yaml
+++ b/data/reports/GO-2022-0411.yaml
@@ -1,11 +1,13 @@
-packages:
+modules:
- module: github.com/Masterminds/goutils
- symbols:
- - RandomAlphaNumeric
- - CryptoRandomAlphaNumeric
versions:
- fixed: 1.1.1
vulnerable_at: 1.1.0
+ packages:
+ - package: github.com/Masterminds/goutils
+ symbols:
+ - RandomAlphaNumeric
+ - CryptoRandomAlphaNumeric
description: |
Randomly-generated alphanumeric strings contain significantly less entropy
than expected.
diff --git a/data/reports/GO-2022-0414.yaml b/data/reports/GO-2022-0414.yaml
index efb3f3a..32e5c7b 100644
--- a/data/reports/GO-2022-0414.yaml
+++ b/data/reports/GO-2022-0414.yaml
@@ -1,26 +1,28 @@
-packages:
+modules:
- module: github.com/Masterminds/vcs
- symbols:
- - BzrRepo.Get
- - BzrRepo.Init
- - BzrRepo.Ping
- - BzrRepo.ExportDir
- - GitRepo.Get
- - GitRepo.Init
- - GitRepo.Update
- - HgRepo.Get
- - HgRepo.Init
- - HgRepo.Ping
- - HgRepo.ExportDir
- - NewSvnRepo
- - SvnRepo.Get
- - SvnRepo.Ping
- - SvnRepo.ExportDir
- derived_symbols:
- - NewRepo
versions:
- fixed: 1.13.3
vulnerable_at: 1.13.1
+ packages:
+ - package: github.com/Masterminds/vcs
+ symbols:
+ - BzrRepo.Get
+ - BzrRepo.Init
+ - BzrRepo.Ping
+ - BzrRepo.ExportDir
+ - GitRepo.Get
+ - GitRepo.Init
+ - GitRepo.Update
+ - HgRepo.Get
+ - HgRepo.Init
+ - HgRepo.Ping
+ - HgRepo.ExportDir
+ - NewSvnRepo
+ - SvnRepo.Get
+ - SvnRepo.Ping
+ - SvnRepo.ExportDir
+ derived_symbols:
+ - NewRepo
description: |
Passing untrusted inputs to VCS functions can permit an attacker
to execute arbitrary commands.
diff --git a/data/reports/GO-2022-0417.yaml b/data/reports/GO-2022-0417.yaml
index 61167f5..7905a13 100644
--- a/data/reports/GO-2022-0417.yaml
+++ b/data/reports/GO-2022-0417.yaml
@@ -1,18 +1,16 @@
-packages:
+modules:
- module: github.com/containers/buildah
- symbols:
- - setupCapAdd
- - setupCapDrop
versions:
- fixed: 1.25.0
vulnerable_at: 1.24.0
- - module: github.com/containers/buildah
- package: github.com/containers/buildah/chroot
- symbols:
- - setCapabilities
- versions:
- - fixed: 1.25.0
- vulnerable_at: 1.24.0
+ packages:
+ - package: github.com/containers/buildah
+ symbols:
+ - setupCapAdd
+ - setupCapDrop
+ - package: github.com/containers/buildah/chroot
+ symbols:
+ - setCapabilities
description: |
Containers are created with non-empty inheritable Linux process
capabilities, permitting programs with inheritable file capabilities
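Review bot: the merged entry keeps a single `versions:` block, so the separate versions that the removed `github.com/containers/buildah/chroot` entry carried are dropped. That is lossless here only because both blocks read `fixed: 1.25.0` / `vulnerable_at: 1.24.0`; the conversion should refuse to merge, or flag for manual review, when two entries for the same module disagree. The root entry also had no `package:` key before and now gets `package: github.com/containers/buildah`, which assumes the module path is the package that defines `setupCapAdd` and `setupCapDrop`; worth a spot check.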
diff --git a/data/reports/GO-2022-0422.yaml b/data/reports/GO-2022-0422.yaml
index decba15..f7fff22 100644
--- a/data/reports/GO-2022-0422.yaml
+++ b/data/reports/GO-2022-0422.yaml
@@ -1,14 +1,16 @@
-packages:
+modules:
- module: github.com/ipld/go-codec-dagpb
- symbols:
- - DecodeBytes
- derived_symbols:
- - Decode
- - Decoder
- - Unmarshal
versions:
- fixed: 1.3.1
vulnerable_at: 1.3.0
+ packages:
+ - package: github.com/ipld/go-codec-dagpb
+ symbols:
+ - DecodeBytes
+ derived_symbols:
+ - Decode
+ - Decoder
+ - Unmarshal
description: The dag-pb codec can panic when decoding invalid blocks.
published: 2022-07-01T20:08:04Z
ghsas:
diff --git a/data/reports/GO-2022-0425.yaml b/data/reports/GO-2022-0425.yaml
index 5bb67ef..d198531 100644
--- a/data/reports/GO-2022-0425.yaml
+++ b/data/reports/GO-2022-0425.yaml
@@ -1,16 +1,18 @@
-packages:
+modules:
- module: github.com/flynn/noise
- symbols:
- - CipherState.Encrypt
- - CipherState.Decrypt
- - symmetricState.EncryptAndHash
- derived_symbols:
- - HandshakeState.ReadMessage
- - HandshakeState.WriteMessage
- - symmetricState.DecryptAndHash
versions:
- fixed: 1.0.0
vulnerable_at: 0.0.0-20210422170017-fc2bb37e287b
+ packages:
+ - package: github.com/flynn/noise
+ symbols:
+ - CipherState.Encrypt
+ - CipherState.Decrypt
+ - symmetricState.EncryptAndHash
+ derived_symbols:
+ - HandshakeState.ReadMessage
+ - HandshakeState.WriteMessage
+ - symmetricState.DecryptAndHash
description: |
The Noise protocol implementation suffers from weakened
cryptographic security after encrypting 2^64 messages, and a
@@ -29,8 +31,8 @@
last_modified: 2022-04-12T22:48:22Z
ghsas:
- GHSA-g9mp-8g3h-3c5c
-cve_metadata:
- id: CVE-2021-4239
- cwe: "CWE 400: Uncontrolled Resource Consumption"
links:
pr: https://github.com/flynn/noise/pull/44
+cve_metadata:
+ id: CVE-2021-4239
+ cwe: 'CWE 400: Uncontrolled Resource Consumption'
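Review bot: the re-added `cwe:` value still reads `CWE 400:` with a space, not the `CWE-400` identifier form, so anything that matches on the ID will miss it. Since the line is rewritten here anyway (moved below `links:` and re-quoted with single quotes), correct it to `CWE-400` in the same change.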
diff --git a/data/reports/GO-2022-0433.yaml b/data/reports/GO-2022-0433.yaml
index 5c2c946..c153613 100644
--- a/data/reports/GO-2022-0433.yaml
+++ b/data/reports/GO-2022-0433.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: std
- package: encoding/pem
- symbols:
- - Decode
versions:
- fixed: 1.17.9
- introduced: 1.18.0
fixed: 1.18.1
+ packages:
+ - package: encoding/pem
+ symbols:
+ - Decode
description: |
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has
a Decode stack overflow via a large amount of PEM data.
diff --git a/data/reports/GO-2022-0434.yaml b/data/reports/GO-2022-0434.yaml
index 8632173..c3c88ae 100644
--- a/data/reports/GO-2022-0434.yaml
+++ b/data/reports/GO-2022-0434.yaml
@@ -1,11 +1,14 @@
-packages:
+modules:
- module: std
- package: crypto/x509
- symbols:
- - Certificate.Verify
versions:
- introduced: 1.18.0
fixed: 1.18.1
+ packages:
+ - package: crypto/x509
+ goos:
+ - darwin
+ symbols:
+ - Certificate.Verify
description: |
Verifying certificate chains containing certificates which are not compliant
with RFC 5280 causes Certificate.Verify to panic on macOS.
@@ -16,11 +19,11 @@
cves:
- CVE-2022-27536
credit: Tailscale
-os:
- - darwin
links:
pr: https://go.dev/cl/393655
commit: https://go.googlesource.com/go/+/0fca8a8f25cf4636fd980e72ba0bded4230922de
context:
- https://go.dev/issue/51759
- https://groups.google.com/g/golang-announce/c/oecdBNLOml8
+os:
+ - darwin
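Review bot: the top-level `os: - darwin` is moved to the end of the file rather than removed, so the platform restriction now lives in two places: the package-level `goos: - darwin` added under `crypto/x509` in the first hunk and this top-level key. If `goos` is the field the new schema reads, drop the top-level `os:` here; if both are kept for a transition, say so in the commit message, because the two can drift apart on later edits.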
diff --git a/data/reports/GO-2022-0435.yaml b/data/reports/GO-2022-0435.yaml
index 12e7afc..d87cdcc 100644
--- a/data/reports/GO-2022-0435.yaml
+++ b/data/reports/GO-2022-0435.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: crypto/elliptic
- symbols:
- - P256.ScalarMult
- - P256.ScalarBaseMult
versions:
- fixed: 1.17.9
- introduced: "1.18"
fixed: 1.18.1
+ packages:
+ - package: crypto/elliptic
+ symbols:
+ - P256.ScalarMult
+ - P256.ScalarBaseMult
description: |
A crafted scalar input longer than 32 bytes can cause P256().ScalarMult
or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
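Review bot: the unchanged line `- introduced: "1.18"` is a quoted two-component version, while the other std reports in this change write `introduced: 1.18.0` unquoted (GO-2022-0433, GO-2022-0434). Normalise it to `1.18.0` while the file is being touched so that version comparison does not depend on how a short version string is parsed.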
diff --git a/data/reports/GO-2022-0438.yaml b/data/reports/GO-2022-0438.yaml
index 3e827a4..6767a98 100644
--- a/data/reports/GO-2022-0438.yaml
+++ b/data/reports/GO-2022-0438.yaml
@@ -1,17 +1,19 @@
-packages:
+modules:
- module: github.com/hashicorp/go-getter
- symbols:
- - RedactURL
- derived_symbols:
- - Client.Get
- - FolderStorage.Get
- - Get
- - GetAny
- - GetFile
- - HttpGetter.Get
versions:
- fixed: 1.5.11
vulnerable_at: 1.5.10
+ packages:
+ - package: github.com/hashicorp/go-getter
+ symbols:
+ - RedactURL
+ derived_symbols:
+ - Client.Get
+ - FolderStorage.Get
+ - Get
+ - GetAny
+ - GetFile
+ - HttpGetter.Get
description: |
The getter package can write SSH credentials to its logfile,
exposing credentials to local users able to read the logfile.
diff --git a/data/reports/GO-2022-0444.yaml b/data/reports/GO-2022-0444.yaml
index 793d2c8..cba65b7 100644
--- a/data/reports/GO-2022-0444.yaml
+++ b/data/reports/GO-2022-0444.yaml
@@ -1,28 +1,25 @@
-packages:
+modules:
- module: github.com/theupdateframework/go-tuf
- package: github.com/theupdateframework/go-tuf/client
- symbols:
- - Client.Update
- - Client.UpdateRoots
- - Client.downloadMetaFromSnapshot
- - Client.downloadMetaFromTimestamp
- - Client.decodeRoot
- - Client.decodeTargets
- - Client.decodeTimestamp
- derived_symbols:
- - Client.Download
- - Client.Init
- - Client.Target
versions:
- fixed: 0.3.0
vulnerable_at: 0.2.0
- - module: github.com/theupdateframework/go-tuf
- package: github.com/theupdateframework/go-tuf/util
- symbols:
- - TimestampFileMetaEqual
- versions:
- - fixed: 0.3.0
- vulnerable_at: 0.2.0
+ packages:
+ - package: github.com/theupdateframework/go-tuf/client
+ symbols:
+ - Client.Update
+ - Client.UpdateRoots
+ - Client.downloadMetaFromSnapshot
+ - Client.downloadMetaFromTimestamp
+ - Client.decodeRoot
+ - Client.decodeTargets
+ - Client.decodeTimestamp
+ derived_symbols:
+ - Client.Download
+ - Client.Init
+ - Client.Target
+ - package: github.com/theupdateframework/go-tuf/util
+ symbols:
+ - TimestampFileMetaEqual
description: |
The TUF client is vulnerable to rollback attacks, in which an
attacker causes a client to install software older than the software
diff --git a/data/reports/GO-2022-0460.yaml b/data/reports/GO-2022-0460.yaml
index aa00198..eca2459 100644
--- a/data/reports/GO-2022-0460.yaml
+++ b/data/reports/GO-2022-0460.yaml
@@ -1,20 +1,22 @@
-packages:
+modules:
- module: github.com/pion/dtls/v2
- symbols:
- - fragmentBuffer.pop
- derived_symbols:
- - Client
- - ClientWithContext
- - Dial
- - DialWithContext
- - Resume
- - Server
- - ServerWithContext
- - handshakeFSM.Run
- - listener.Accept
versions:
- fixed: 2.1.4
vulnerable_at: 2.1.3
+ packages:
+ - package: github.com/pion/dtls/v2
+ symbols:
+ - fragmentBuffer.pop
+ derived_symbols:
+ - Client
+ - ClientWithContext
+ - Dial
+ - DialWithContext
+ - Resume
+ - Server
+ - ServerWithContext
+ - handshakeFSM.Run
+ - listener.Accept
description: |
An attacker can send packets that send the DTLS server or client
into an infinite loop.
diff --git a/data/reports/GO-2022-0461.yaml b/data/reports/GO-2022-0461.yaml
index 8c13550..84d6314 100644
--- a/data/reports/GO-2022-0461.yaml
+++ b/data/reports/GO-2022-0461.yaml
@@ -1,20 +1,22 @@
-packages:
+modules:
- module: github.com/pion/dtls/v2
- symbols:
- - fragmentBuffer.push
- derived_symbols:
- - Client
- - ClientWithContext
- - Dial
- - DialWithContext
- - Resume
- - Server
- - ServerWithContext
- - handshakeFSM.Run
- - listener.Accept
versions:
- fixed: 2.1.4
vulnerable_at: 2.1.3
+ packages:
+ - package: github.com/pion/dtls/v2
+ symbols:
+ - fragmentBuffer.push
+ derived_symbols:
+ - Client
+ - ClientWithContext
+ - Dial
+ - DialWithContext
+ - Resume
+ - Server
+ - ServerWithContext
+ - handshakeFSM.Run
+ - listener.Accept
description: |
Attacker can cause unbounded memory consumption.
diff --git a/data/reports/GO-2022-0462.yaml b/data/reports/GO-2022-0462.yaml
index 7946c5b..aea3f46 100644
--- a/data/reports/GO-2022-0462.yaml
+++ b/data/reports/GO-2022-0462.yaml
@@ -1,20 +1,22 @@
-packages:
+modules:
- module: github.com/pion/dtls/v2
- symbols:
- - flight4Parse
- derived_symbols:
- - Client
- - ClientWithContext
- - Dial
- - DialWithContext
- - Resume
- - Server
- - ServerWithContext
- - handshakeFSM.Run
- - listener.Accept
versions:
- fixed: 2.1.5
vulnerable_at: 2.1.4
+ packages:
+ - package: github.com/pion/dtls/v2
+ symbols:
+ - flight4Parse
+ derived_symbols:
+ - Client
+ - ClientWithContext
+ - Dial
+ - DialWithContext
+ - Resume
+ - Server
+ - ServerWithContext
+ - handshakeFSM.Run
+ - listener.Accept
description: |
Client-provided certificates are not correctly validated,
and must not be trusted.
diff --git a/data/reports/GO-2022-0463.yaml b/data/reports/GO-2022-0463.yaml
index eb7d11e..49eb35f 100644
--- a/data/reports/GO-2022-0463.yaml
+++ b/data/reports/GO-2022-0463.yaml
@@ -1,206 +1,209 @@
-packages:
+modules:
- module: github.com/beego/beego
- symbols:
- - Tree.match
- derived_symbols:
- - App.Run
- - ControllerRegister.FindPolicy
- - ControllerRegister.FindRouter
- - ControllerRegister.ServeHTTP
- - FilterRouter.ValidRouter
- - InitBeegoBeforeTest
- - Run
- - RunWithMiddleWares
- - TestBeegoInit
- - Tree.Match
- - adminApp.Run
versions:
- fixed: 1.12.9
vulnerable_at: 1.12.8
+ packages:
+ - package: github.com/beego/beego
+ symbols:
+ - Tree.match
+ derived_symbols:
+ - App.Run
+ - ControllerRegister.FindPolicy
+ - ControllerRegister.FindRouter
+ - ControllerRegister.ServeHTTP
+ - FilterRouter.ValidRouter
+ - InitBeegoBeforeTest
+ - Run
+ - RunWithMiddleWares
+ - TestBeegoInit
+ - Tree.Match
+ - adminApp.Run
- module: github.com/beego/beego/v2
- package: github.com/beego/beego/v2/server/web
- symbols:
- - Tree.match
- derived_symbols:
- - AddNamespace
- - Any
- - AutoPrefix
- - AutoRouter
- - Compare
- - CompareNot
- - Controller.Bind
- - Controller.BindForm
- - Controller.BindXML
- - Controller.BindYAML
- - Controller.GetSecureCookie
- - Controller.ParseForm
- - Controller.Render
- - Controller.RenderBytes
- - Controller.RenderString
- - Controller.Resp
- - Controller.SaveToFile
- - Controller.ServeFormatted
- - Controller.ServeXML
- - Controller.ServeYAML
- - Controller.SetSecureCookie
- - Controller.Trace
- - Controller.URLFor
- - Controller.XMLResp
- - Controller.XSRFFormHTML
- - Controller.XSRFToken
- - Controller.YamlResp
- - ControllerRegister.Add
- - ControllerRegister.AddAuto
- - ControllerRegister.AddAutoPrefix
- - ControllerRegister.AddMethod
- - ControllerRegister.AddRouterMethod
- - ControllerRegister.Any
- - ControllerRegister.CtrlAny
- - ControllerRegister.CtrlDelete
- - ControllerRegister.CtrlGet
- - ControllerRegister.CtrlHead
- - ControllerRegister.CtrlOptions
- - ControllerRegister.CtrlPatch
- - ControllerRegister.CtrlPost
- - ControllerRegister.CtrlPut
- - ControllerRegister.Delete
- - ControllerRegister.FindPolicy
- - ControllerRegister.FindRouter
- - ControllerRegister.Get
- - ControllerRegister.Handler
- - ControllerRegister.Head
- - ControllerRegister.Include
- - ControllerRegister.Init
- - ControllerRegister.InsertFilter
- - ControllerRegister.Options
- - ControllerRegister.Patch
- - ControllerRegister.Post
- - ControllerRegister.Put
- - ControllerRegister.ServeHTTP
- - ControllerRegister.URLFor
- - CtrlAny
- - CtrlDelete
- - CtrlGet
- - CtrlHead
- - CtrlOptions
- - CtrlPatch
- - CtrlPost
- - CtrlPut
- - Date
- - DateParse
- - Delete
- - Exception
- - ExecuteTemplate
- - ExecuteViewPathTemplate
- - FilterRouter.ValidRouter
- - FlashData.Error
- - FlashData.Notice
- - FlashData.Set
- - FlashData.Store
- - FlashData.Success
- - FlashData.Warning
- - Get
- - GetConfig
- - HTML2str
- - Handler
- - Head
- - Htmlquote
- - Htmlunquote
- - HttpServer.Any
- - HttpServer.AutoPrefix
- - HttpServer.AutoRouter
- - HttpServer.CtrlAny
- - HttpServer.CtrlDelete
- - HttpServer.CtrlGet
- - HttpServer.CtrlHead
- - HttpServer.CtrlOptions
- - HttpServer.CtrlPatch
- - HttpServer.CtrlPost
- - HttpServer.CtrlPut
- - HttpServer.Delete
- - HttpServer.Get
- - HttpServer.Handler
- - HttpServer.Head
- - HttpServer.Include
- - HttpServer.InsertFilter
- - HttpServer.Options
- - HttpServer.Patch
- - HttpServer.Post
- - HttpServer.PrintTree
- - HttpServer.Put
- - HttpServer.RESTRouter
- - HttpServer.Router
- - HttpServer.RouterWithOpts
- - HttpServer.Run
- - Include
- - InitBeegoBeforeTest
- - InsertFilter
- - LoadAppConfig
- - MapGet
- - Namespace.Any
- - Namespace.AutoPrefix
- - Namespace.AutoRouter
- - Namespace.Cond
- - Namespace.CtrlAny
- - Namespace.CtrlDelete
- - Namespace.CtrlGet
- - Namespace.CtrlHead
- - Namespace.CtrlOptions
- - Namespace.CtrlPatch
- - Namespace.CtrlPost
- - Namespace.CtrlPut
- - Namespace.Delete
- - Namespace.Filter
- - Namespace.Get
- - Namespace.Handler
- - Namespace.Head
- - Namespace.Include
- - Namespace.Namespace
- - Namespace.Options
- - Namespace.Patch
- - Namespace.Post
- - Namespace.Put
- - Namespace.Router
- - NewControllerRegister
- - NewControllerRegisterWithCfg
- - NewHttpServerWithCfg
- - NewHttpSever
- - NewNamespace
- - NotNil
- - Options
- - ParseForm
- - Patch
- - Policy
- - Post
- - PrintTree
- - Put
- - RESTRouter
- - ReadFromRequest
- - RenderForm
- - Router
- - RouterWithOpts
- - Run
- - RunWithMiddleWares
- - TestBeegoInit
- - Tree.AddRouter
- - Tree.AddTree
- - Tree.Match
- - URLFor
- - URLMap.GetMap
- - URLMap.GetMapData
- - adminApp.Run
- - adminController.AdminIndex
- - adminController.Healthcheck
- - adminController.ListConf
- - adminController.ProfIndex
- - adminController.PrometheusMetrics
- - adminController.QpsIndex
- - adminController.TaskStatus
- - beegoAppConfig.Bool
- - beegoAppConfig.DefaultBool
versions:
- fixed: 2.0.3
vulnerable_at: 2.0.2
+ packages:
+ - package: github.com/beego/beego/v2/server/web
+ symbols:
+ - Tree.match
+ derived_symbols:
+ - AddNamespace
+ - Any
+ - AutoPrefix
+ - AutoRouter
+ - Compare
+ - CompareNot
+ - Controller.Bind
+ - Controller.BindForm
+ - Controller.BindXML
+ - Controller.BindYAML
+ - Controller.GetSecureCookie
+ - Controller.ParseForm
+ - Controller.Render
+ - Controller.RenderBytes
+ - Controller.RenderString
+ - Controller.Resp
+ - Controller.SaveToFile
+ - Controller.ServeFormatted
+ - Controller.ServeXML
+ - Controller.ServeYAML
+ - Controller.SetSecureCookie
+ - Controller.Trace
+ - Controller.URLFor
+ - Controller.XMLResp
+ - Controller.XSRFFormHTML
+ - Controller.XSRFToken
+ - Controller.YamlResp
+ - ControllerRegister.Add
+ - ControllerRegister.AddAuto
+ - ControllerRegister.AddAutoPrefix
+ - ControllerRegister.AddMethod
+ - ControllerRegister.AddRouterMethod
+ - ControllerRegister.Any
+ - ControllerRegister.CtrlAny
+ - ControllerRegister.CtrlDelete
+ - ControllerRegister.CtrlGet
+ - ControllerRegister.CtrlHead
+ - ControllerRegister.CtrlOptions
+ - ControllerRegister.CtrlPatch
+ - ControllerRegister.CtrlPost
+ - ControllerRegister.CtrlPut
+ - ControllerRegister.Delete
+ - ControllerRegister.FindPolicy
+ - ControllerRegister.FindRouter
+ - ControllerRegister.Get
+ - ControllerRegister.Handler
+ - ControllerRegister.Head
+ - ControllerRegister.Include
+ - ControllerRegister.Init
+ - ControllerRegister.InsertFilter
+ - ControllerRegister.Options
+ - ControllerRegister.Patch
+ - ControllerRegister.Post
+ - ControllerRegister.Put
+ - ControllerRegister.ServeHTTP
+ - ControllerRegister.URLFor
+ - CtrlAny
+ - CtrlDelete
+ - CtrlGet
+ - CtrlHead
+ - CtrlOptions
+ - CtrlPatch
+ - CtrlPost
+ - CtrlPut
+ - Date
+ - DateParse
+ - Delete
+ - Exception
+ - ExecuteTemplate
+ - ExecuteViewPathTemplate
+ - FilterRouter.ValidRouter
+ - FlashData.Error
+ - FlashData.Notice
+ - FlashData.Set
+ - FlashData.Store
+ - FlashData.Success
+ - FlashData.Warning
+ - Get
+ - GetConfig
+ - HTML2str
+ - Handler
+ - Head
+ - Htmlquote
+ - Htmlunquote
+ - HttpServer.Any
+ - HttpServer.AutoPrefix
+ - HttpServer.AutoRouter
+ - HttpServer.CtrlAny
+ - HttpServer.CtrlDelete
+ - HttpServer.CtrlGet
+ - HttpServer.CtrlHead
+ - HttpServer.CtrlOptions
+ - HttpServer.CtrlPatch
+ - HttpServer.CtrlPost
+ - HttpServer.CtrlPut
+ - HttpServer.Delete
+ - HttpServer.Get
+ - HttpServer.Handler
+ - HttpServer.Head
+ - HttpServer.Include
+ - HttpServer.InsertFilter
+ - HttpServer.Options
+ - HttpServer.Patch
+ - HttpServer.Post
+ - HttpServer.PrintTree
+ - HttpServer.Put
+ - HttpServer.RESTRouter
+ - HttpServer.Router
+ - HttpServer.RouterWithOpts
+ - HttpServer.Run
+ - Include
+ - InitBeegoBeforeTest
+ - InsertFilter
+ - LoadAppConfig
+ - MapGet
+ - Namespace.Any
+ - Namespace.AutoPrefix
+ - Namespace.AutoRouter
+ - Namespace.Cond
+ - Namespace.CtrlAny
+ - Namespace.CtrlDelete
+ - Namespace.CtrlGet
+ - Namespace.CtrlHead
+ - Namespace.CtrlOptions
+ - Namespace.CtrlPatch
+ - Namespace.CtrlPost
+ - Namespace.CtrlPut
+ - Namespace.Delete
+ - Namespace.Filter
+ - Namespace.Get
+ - Namespace.Handler
+ - Namespace.Head
+ - Namespace.Include
+ - Namespace.Namespace
+ - Namespace.Options
+ - Namespace.Patch
+ - Namespace.Post
+ - Namespace.Put
+ - Namespace.Router
+ - NewControllerRegister
+ - NewControllerRegisterWithCfg
+ - NewHttpServerWithCfg
+ - NewHttpSever
+ - NewNamespace
+ - NotNil
+ - Options
+ - ParseForm
+ - Patch
+ - Policy
+ - Post
+ - PrintTree
+ - Put
+ - RESTRouter
+ - ReadFromRequest
+ - RenderForm
+ - Router
+ - RouterWithOpts
+ - Run
+ - RunWithMiddleWares
+ - TestBeegoInit
+ - Tree.AddRouter
+ - Tree.AddTree
+ - Tree.Match
+ - URLFor
+ - URLMap.GetMap
+ - URLMap.GetMapData
+ - adminApp.Run
+ - adminController.AdminIndex
+ - adminController.Healthcheck
+ - adminController.ListConf
+ - adminController.ProfIndex
+ - adminController.PrometheusMetrics
+ - adminController.QpsIndex
+ - adminController.TaskStatus
+ - beegoAppConfig.Bool
+ - beegoAppConfig.DefaultBool
description: |
Routes in the beego HTTP router can match unintended patterns.
This overly-broad matching may permit an attacker to bypass access
diff --git a/data/reports/GO-2022-0470.yaml b/data/reports/GO-2022-0470.yaml
index 7981145..d95b24c 100644
--- a/data/reports/GO-2022-0470.yaml
+++ b/data/reports/GO-2022-0470.yaml
@@ -1,34 +1,36 @@
-packages:
+modules:
- module: github.com/blevesearch/bleve
- package: github.com/blevesearch/bleve/http
- symbols:
- - AliasHandler.ServeHTTP
- - CreateIndexHandler.ServeHTTP
- - DebugDocumentHandler.ServeHTTP
- - DeleteIndexHandler.ServeHTTP
- - DocCountHandler.ServeHTTP
- - DocDeleteHandler.ServeHTTP
- - DocGetHandler.ServeHTTP
- - DocIndexHandler.ServeHTTP
- - GetIndexHandler.ServeHTTP
- - ListFieldsHandler.ServeHTTP
- - SearchHandler.ServeHTTP
vulnerable_at: 1.0.14
+ packages:
+ - package: github.com/blevesearch/bleve/http
+ symbols:
+ - AliasHandler.ServeHTTP
+ - CreateIndexHandler.ServeHTTP
+ - DebugDocumentHandler.ServeHTTP
+ - DeleteIndexHandler.ServeHTTP
+ - DocCountHandler.ServeHTTP
+ - DocDeleteHandler.ServeHTTP
+ - DocGetHandler.ServeHTTP
+ - DocIndexHandler.ServeHTTP
+ - GetIndexHandler.ServeHTTP
+ - ListFieldsHandler.ServeHTTP
+ - SearchHandler.ServeHTTP
- module: github.com/blevesearch/bleve/v2
- package: github.com/blevesearch/bleve/v2/http
- symbols:
- - AliasHandler.ServeHTTP
- - CreateIndexHandler.ServeHTTP
- - DebugDocumentHandler.ServeHTTP
- - DeleteIndexHandler.ServeHTTP
- - DocCountHandler.ServeHTTP
- - DocDeleteHandler.ServeHTTP
- - DocGetHandler.ServeHTTP
- - DocIndexHandler.ServeHTTP
- - GetIndexHandler.ServeHTTP
- - ListFieldsHandler.ServeHTTP
- - SearchHandler.ServeHTTP
vulnerable_at: 2.3.2
+ packages:
+ - package: github.com/blevesearch/bleve/v2/http
+ symbols:
+ - AliasHandler.ServeHTTP
+ - CreateIndexHandler.ServeHTTP
+ - DebugDocumentHandler.ServeHTTP
+ - DeleteIndexHandler.ServeHTTP
+ - DocCountHandler.ServeHTTP
+ - DocDeleteHandler.ServeHTTP
+ - DocGetHandler.ServeHTTP
+ - DocIndexHandler.ServeHTTP
+ - GetIndexHandler.ServeHTTP
+ - ListFieldsHandler.ServeHTTP
+ - SearchHandler.ServeHTTP
description: |
HTTP handlers provide unauthenticated access to the local filesystem.
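Review bot: neither module entry has a `versions:` block; each carries only `vulnerable_at` (1.0.14 and 2.3.2), and the new `packages:` list is nested beside it. Please confirm the absence of a fixed version is intentional for both `github.com/blevesearch/bleve` and `github.com/blevesearch/bleve/v2`, and that the converter treats a module with no `versions:` the same way as before the move.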
diff --git a/data/reports/GO-2022-0475.yaml b/data/reports/GO-2022-0475.yaml
index 98e34f9..dc6d215 100644
--- a/data/reports/GO-2022-0475.yaml
+++ b/data/reports/GO-2022-0475.yaml
@@ -1,22 +1,17 @@
-packages:
+modules:
- module: std
- package: cmd/go
- symbols:
- - Builder.cgo
versions:
- fixed: 1.14.12
- introduced: 1.15.0
fixed: 1.15.5
vulnerable_at: 1.15.4
- - module: std
- package: cmd/cgo
- symbols:
- - dynimport
- versions:
- - fixed: 1.14.12
- - introduced: 1.15.0
- fixed: 1.15.5
- vulnerable_at: 1.15.4
+ packages:
+ - package: cmd/go
+ symbols:
+ - Builder.cgo
+ - package: cmd/cgo
+ symbols:
+ - dynimport
description: |
The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
diff --git a/data/reports/GO-2022-0476.yaml b/data/reports/GO-2022-0476.yaml
index a111e82..249e3b1 100644
--- a/data/reports/GO-2022-0476.yaml
+++ b/data/reports/GO-2022-0476.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: cmd/go
- symbols:
- - validCompilerFlags
versions:
- fixed: 1.14.12
- introduced: 1.15.0
fixed: 1.15.5
vulnerable_at: 1.15.4
+ packages:
+ - package: cmd/go
+ symbols:
+ - validCompilerFlags
description: |
The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
diff --git a/data/reports/GO-2022-0477.yaml b/data/reports/GO-2022-0477.yaml
index 23f5110..a5f1643 100644
--- a/data/reports/GO-2022-0477.yaml
+++ b/data/reports/GO-2022-0477.yaml
@@ -1,19 +1,20 @@
-packages:
+modules:
- module: std
- package: crypto/rand
- symbols:
- - Read
versions:
- fixed: 1.17.11
- introduced: 1.18.0
fixed: 1.18.3
+ packages:
+ - package: crypto/rand
+ goos:
+ - windows
+ symbols:
+ - Read
description: |
On Windows, rand.Read will hang indefinitely if passed a buffer larger than
1 << 32 - 1 bytes.
published: 2022-06-09T01:43:37Z
credit: Davis Goodin and Quim Muntal of Microsoft
-os:
- - windows
links:
pr: https://go.dev/cl/402257
commit: https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863
@@ -27,3 +28,5 @@
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on
Windows allows attacker to cause an indefinite hang by passing a buffer
larger than 1 << 32 - 1 bytes.
+os:
+ - windows
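Review bot: as in GO-2022-0434.yaml, the top-level `os: - windows` is re-added at the end of the file instead of being deleted, although the first hunk already scopes `Read` with `goos: - windows` under `crypto/rand`. Keep one source for the platform restriction, or document why both keys stay.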
diff --git a/data/reports/GO-2022-0492.yaml b/data/reports/GO-2022-0492.yaml
index 82e5294..ff46f8d 100644
--- a/data/reports/GO-2022-0492.yaml
+++ b/data/reports/GO-2022-0492.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: github.com/argoproj/argo-events
- package: github.com/argoproj/argo-events/sensors/artifacts
- symbols:
- - NewGitReader
- derived_symbols:
- - GetArtifactReader
versions:
- fixed: 1.7.1
vulnerable_at: 1.7.0
+ packages:
+ - package: github.com/argoproj/argo-events/sensors/artifacts
+ symbols:
+ - NewGitReader
+ derived_symbols:
+ - GetArtifactReader
description: |
GitArtifactReader is vulnerable to directory traversal attacks.
diff --git a/data/reports/GO-2022-0493.yaml b/data/reports/GO-2022-0493.yaml
index 3e6f397..0dae4f5 100644
--- a/data/reports/GO-2022-0493.yaml
+++ b/data/reports/GO-2022-0493.yaml
@@ -1,20 +1,22 @@
-packages:
+modules:
- module: std
- package: syscall
- symbols:
- - Faccessat
versions:
- fixed: 1.17.10
- introduced: 1.18.0
fixed: 1.18.2
vulnerable_at: 1.18.1
+ packages:
+ - package: syscall
+ symbols:
+ - Faccessat
- module: golang.org/x/sys
- package: golang.org/x/sys/unix
- symbols:
- - Faccessat
versions:
- fixed: 0.0.0-20220412211240-33da011f77ad
vulnerable_at: 0.0.0-20220412071739-889880a91fd5
+ packages:
+ - package: golang.org/x/sys/unix
+ symbols:
+ - Faccessat
description: |
When called with a non-zero flags parameter, the Faccessat function
can incorrectly report that a file is accessible.
diff --git a/data/reports/GO-2022-0503.yaml b/data/reports/GO-2022-0503.yaml
index 240db8f..4d040ee 100644
--- a/data/reports/GO-2022-0503.yaml
+++ b/data/reports/GO-2022-0503.yaml
@@ -1,30 +1,20 @@
-packages:
+modules:
- module: github.com/ipld/go-car
versions:
- fixed: 0.4.0
vulnerable_at: 0.3.3
- - module: github.com/ipld/go-car
- package: github.com/ipld/go-car/util
- versions:
- - fixed: 0.4.0
- vulnerable_at: 0.3.3
+ packages:
+ - package: github.com/ipld/go-car
+ - package: github.com/ipld/go-car/util
- module: github.com/ipld/go-car/v2
versions:
- introduced: 2.0.0
fixed: 2.4.0
vulnerable_at: 2.3.0
- - module: github.com/ipld/go-car/v2
- package: github.com/ipld/go-car/v2/blockstore
- versions:
- - introduced: 2.0.0
- fixed: 2.4.0
- vulnerable_at: 2.3.0
- - module: github.com/ipld/go-car/v2
- package: github.com/ipld/go-car/v2/index
- versions:
- - introduced: 2.0.0
- fixed: 2.4.0
- vulnerable_at: 2.3.0
+ packages:
+ - package: github.com/ipld/go-car/v2
+ - package: github.com/ipld/go-car/v2/blockstore
+ - package: github.com/ipld/go-car/v2/index
description: |
Decoding malformed CAR data can cause panics or excessive memory usage.
published: 2022-07-30T03:50:50Z
diff --git a/data/reports/GO-2022-0515.yaml b/data/reports/GO-2022-0515.yaml
index 7a63cc0..ac3f677 100644
--- a/data/reports/GO-2022-0515.yaml
+++ b/data/reports/GO-2022-0515.yaml
@@ -1,22 +1,23 @@
-packages:
+modules:
- module: std
- package: go/parser
- symbols:
- - ParseFile
- - ParseExprFrom
- - parser.tryIdentOrType
- - parser.parsePrimaryExpr
- - parser.parseUnaryExpr
- - parser.parseBinaryExpr
- - parser.parseIfStmt
- - parser.parseStmt
- - resolver.openScope
- - resolver.closeScope
versions:
- fixed: 1.17.12
- introduced: 1.18.0
fixed: 1.18.4
vulnerable_at: 1.18.3
+ packages:
+ - package: go/parser
+ symbols:
+ - ParseFile
+ - ParseExprFrom
+ - parser.tryIdentOrType
+ - parser.parsePrimaryExpr
+ - parser.parseUnaryExpr
+ - parser.parseBinaryExpr
+ - parser.parseIfStmt
+ - parser.parseStmt
+ - resolver.openScope
+ - resolver.closeScope
description: |
Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.
diff --git a/data/reports/GO-2022-0519.yaml b/data/reports/GO-2022-0519.yaml
index 469a961..c8a68f7 100644
--- a/data/reports/GO-2022-0519.yaml
+++ b/data/reports/GO-2022-0519.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: github.com/flyteorg/flyteadmin
- package: github.com/flyteorg/flyteadmin/auth/authzserver
- symbols:
- - ResourceServer.ValidateAccessToken
versions:
- fixed: 1.1.31
vulnerable_at: 1.1.30
+ packages:
+ - package: github.com/flyteorg/flyteadmin/auth/authzserver
+ symbols:
+ - ResourceServer.ValidateAccessToken
description: |
Improper validation of access tokens can permit use of expired tokens.
published: 2022-07-30T03:51:07Z
diff --git a/data/reports/GO-2022-0520.yaml b/data/reports/GO-2022-0520.yaml
index 17ae2ce..915290b 100644
--- a/data/reports/GO-2022-0520.yaml
+++ b/data/reports/GO-2022-0520.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: net/http
- symbols:
- - Header.Clone
versions:
- fixed: 1.17.12
- introduced: 1.18.0
fixed: 1.18.4
vulnerable_at: 1.18.3
+ packages:
+ - package: net/http
+ symbols:
+ - Header.Clone
description: |
Client IP adresses may be unintentionally exposed via X-Forwarded-For
headers.
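Review bot: the `description:` context line reads "Client IP adresses"; since this text is published with the report, fix the spelling to "addresses" while the file is open, either in this change or in a follow-up.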
diff --git a/data/reports/GO-2022-0521.yaml b/data/reports/GO-2022-0521.yaml
index 3277b76..dbbc373 100644
--- a/data/reports/GO-2022-0521.yaml
+++ b/data/reports/GO-2022-0521.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: encoding/xml
- symbols:
- - Decoder.Skip
versions:
- fixed: 1.17.12
- introduced: 1.18.0
fixed: 1.18.4
vulnerable_at: 1.18.3
+ packages:
+ - package: encoding/xml
+ symbols:
+ - Decoder.Skip
description: |
Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion.
diff --git a/data/reports/GO-2022-0522.yaml b/data/reports/GO-2022-0522.yaml
index c0350b9..6643315 100644
--- a/data/reports/GO-2022-0522.yaml
+++ b/data/reports/GO-2022-0522.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: path/filepath
- symbols:
- - Glob
versions:
- fixed: 1.17.12
- introduced: 1.18.0
fixed: 1.18.4
vulnerable_at: 1.18.3
+ packages:
+ - package: path/filepath
+ symbols:
+ - Glob
description: |
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
diff --git a/data/reports/GO-2022-0523.yaml b/data/reports/GO-2022-0523.yaml
index 33e3576..6665c80 100644
--- a/data/reports/GO-2022-0523.yaml
+++ b/data/reports/GO-2022-0523.yaml
@@ -1,15 +1,16 @@
-packages:
+modules:
- module: std
- package: encoding/xml
- symbols:
- - Decoder.DecodeElement
- - Decoder.unmarshal
- - Decoder.unmarshalPath
versions:
- fixed: 1.17.12
- introduced: 1.18.0
fixed: 1.18.4
vulnerable_at: 1.18.3
+ packages:
+ - package: encoding/xml
+ symbols:
+ - Decoder.DecodeElement
+ - Decoder.unmarshal
+ - Decoder.unmarshalPath
description: |
Unmarshaling an XML document into a Go struct which has a nested
field that uses the 'any' field tag can panic due to stack
diff --git a/data/reports/GO-2022-0524.yaml b/data/reports/GO-2022-0524.yaml
index 7b80495..9cae6bb 100644
--- a/data/reports/GO-2022-0524.yaml
+++ b/data/reports/GO-2022-0524.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: compress/gzip
- symbols:
- - Reader.Read
versions:
- fixed: 1.17.12
- introduced: 1.18.0
fixed: 1.18.4
vulnerable_at: 1.18.3
+ packages:
+ - package: compress/gzip
+ symbols:
+ - Reader.Read
description: |
Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.
diff --git a/data/reports/GO-2022-0525.yaml b/data/reports/GO-2022-0525.yaml
index 6ac1d81..e523568 100644
--- a/data/reports/GO-2022-0525.yaml
+++ b/data/reports/GO-2022-0525.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: net/http
- symbols:
- - transferReader.parseTransferEncoding
versions:
- fixed: 1.17.12
- introduced: 1.18.0
fixed: 1.18.4
vulnerable_at: 1.18.3
+ packages:
+ - package: net/http
+ symbols:
+ - transferReader.parseTransferEncoding
description: |
The HTTP/1 client accepted some invalid Transfer-Encoding headers as
indicating a "chunked" encoding. This could potentially allow for request
diff --git a/data/reports/GO-2022-0526.yaml b/data/reports/GO-2022-0526.yaml
index cc7d649..06cc3ff 100644
--- a/data/reports/GO-2022-0526.yaml
+++ b/data/reports/GO-2022-0526.yaml
@@ -1,15 +1,16 @@
-packages:
+modules:
- module: std
- package: encoding/gob
- symbols:
- - Decoder.decIgnoreOpFor
- - Decoder.compileIgnoreSingle
- - Decoder.compileDec
versions:
- fixed: 1.17.12
- introduced: 1.18.0
fixed: 1.18.4
vulnerable_at: 1.18.3
+ packages:
+ - package: encoding/gob
+ symbols:
+ - Decoder.decIgnoreOpFor
+ - Decoder.compileIgnoreSingle
+ - Decoder.compileDec
description: |
Calling Decoder.Decode on a message which contains deeply nested structures
can cause a panic due to stack exhaustion.
diff --git a/data/reports/GO-2022-0527.yaml b/data/reports/GO-2022-0527.yaml
index 7ee61e6..b1c5d86 100644
--- a/data/reports/GO-2022-0527.yaml
+++ b/data/reports/GO-2022-0527.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: io/fs
- symbols:
- - Glob
versions:
- fixed: 1.17.12
- introduced: 1.18.0
fixed: 1.18.4
vulnerable_at: 1.18.3
+ packages:
+ - package: io/fs
+ symbols:
+ - Glob
description: |
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
diff --git a/data/reports/GO-2022-0528.yaml b/data/reports/GO-2022-0528.yaml
index 4ed7da6..1e727a6 100644
--- a/data/reports/GO-2022-0528.yaml
+++ b/data/reports/GO-2022-0528.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: github.com/containrrr/shoutrrr
- package: github.com/containrrr/shoutrrr/pkg/util
- symbols:
- - PartitionMessage
versions:
- fixed: 0.6.0
vulnerable_at: 0.5.3
+ packages:
+ - package: github.com/containrrr/shoutrrr/pkg/util
+ symbols:
+ - PartitionMessage
description: |
Sending a message exactly 2000, 4000, or 6000 characters in length
to Discord causes a panic.
diff --git a/data/reports/GO-2022-0531.yaml b/data/reports/GO-2022-0531.yaml
index fa48429..8feb0fc 100644
--- a/data/reports/GO-2022-0531.yaml
+++ b/data/reports/GO-2022-0531.yaml
@@ -1,13 +1,14 @@
-packages:
+modules:
- module: std
- package: crypto/tls
- symbols:
- - serverHandshakeStateTLS13.sendSessionTickets
versions:
- fixed: 1.17.11
- introduced: 1.18.0
fixed: 1.18.3
vulnerable_at: 1.18.2
+ packages:
+ - package: crypto/tls
+ symbols:
+ - serverHandshakeStateTLS13.sendSessionTickets
description: |
An attacker can correlate a resumed TLS session with a previous connection.
diff --git a/data/reports/GO-2022-0532.yaml b/data/reports/GO-2022-0532.yaml
index 64cf959..f1333a9 100644
--- a/data/reports/GO-2022-0532.yaml
+++ b/data/reports/GO-2022-0532.yaml
@@ -1,13 +1,16 @@
-packages:
+modules:
- module: std
- package: os/exec
- symbols:
- - Cmd.Start
versions:
- fixed: 1.17.11
- introduced: 1.18.0
fixed: 1.18.3
vulnerable_at: 1.18.2
+ packages:
+ - package: os/exec
+ goos:
+ - windows
+ symbols:
+ - Cmd.Start
description: |
On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput
when Cmd.Path is unset will unintentionally trigger execution of any
@@ -16,8 +19,6 @@
credit: |
Chris Darroch (chrisd8088@github.com), brian m. carlson (bk2204@github.com),
and Mikhail Shcherbakov (https://twitter.com/yu5k3)
-os:
- - windows
links:
pr: https://go.dev/cl/403759
commit: https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
@@ -32,3 +33,5 @@
allows execution of any binaries in the working directory named either
"..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or
Cmd.CombinedOutput when Cmd.Path is unset.
+os:
+ - windows
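Review bot: the top-level `os: - windows` key is re-added at the end of the file here, although the first hunk already records the same constraint as `goos: - windows` under the os/exec package entry. If the per-package `goos` is the new home for this information, the top-level key should be dropped rather than moved; if both are kept on purpose during the migration, say so in the commit message, because two sources for the same fact can drift apart. The same move-to-end pattern shows up in GO-2022-0533 and GO-2022-0535.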
diff --git a/data/reports/GO-2022-0533.yaml b/data/reports/GO-2022-0533.yaml
index df6704e..417c7ea 100644
--- a/data/reports/GO-2022-0533.yaml
+++ b/data/reports/GO-2022-0533.yaml
@@ -1,13 +1,16 @@
-packages:
+modules:
- module: std
- package: path/filepath
- symbols:
- - Clean
versions:
- fixed: 1.17.11
- introduced: 1.18.0
fixed: 1.18.3
vulnerable_at: 1.18.2
+ packages:
+ - package: path/filepath
+ goos:
+ - windows
+ symbols:
+ - Clean
description: |
On Windows, the filepath.Clean function can convert certain invalid paths
to valid, absolute paths, potentially allowing a directory traversal
@@ -16,8 +19,6 @@
For example, Clean(`.\c:`) returns `c:`.
published: 2022-07-28T17:25:07Z
credit: Unrud
-os:
- - windows
links:
pr: https://go.dev/cl/401595
commit: https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
@@ -32,3 +33,5 @@
Incorrect conversion of certain invalid paths to valid, absolute paths
in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows
allows potential directory traversal attack.
+os:
+ - windows
diff --git a/data/reports/GO-2022-0534.yaml b/data/reports/GO-2022-0534.yaml
index 1994875..b4da05a 100644
--- a/data/reports/GO-2022-0534.yaml
+++ b/data/reports/GO-2022-0534.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: github.com/runatlantis/atlantis
- package: github.com/runatlantis/atlantis/server/controllers/events
- symbols:
- - DefaultGitlabRequestParserValidator.ParseAndValidate
versions:
- fixed: 0.19.7
vulnerable_at: 0.19.6
+ packages:
+ - package: github.com/runatlantis/atlantis/server/controllers/events
+ symbols:
+ - DefaultGitlabRequestParserValidator.ParseAndValidate
description: |
Validation of Gitlab requests can leak secrets.
diff --git a/data/reports/GO-2022-0535.yaml b/data/reports/GO-2022-0535.yaml
index ce0f6dd..85369eb 100644
--- a/data/reports/GO-2022-0535.yaml
+++ b/data/reports/GO-2022-0535.yaml
@@ -1,13 +1,16 @@
-packages:
+modules:
- module: std
- package: crypto/x509
- symbols:
- - Certificate.systemVerify
versions:
- fixed: 1.12.16
- introduced: 1.13.0
fixed: 1.13.7
vulnerable_at: 1.13.6
+ packages:
+ - package: crypto/x509
+ goos:
+ - windows
+ symbols:
+ - Certificate.systemVerify
description: |
A Windows vulnerability allows attackers to spoof valid certificate chains
when the system root store is in use.
@@ -22,11 +25,11 @@
published: 2022-08-01T22:21:17Z
cves:
- CVE-2020-0601
-os:
- - windows
links:
pr: https://go.dev/cl/215905
commit: https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c2
context:
- https://go.dev/issue/36834
- https://groups.google.com/g/golang-announce/c/Hsw4mHYc470/m/WJeW5wguEgAJ
+os:
+ - windows
diff --git a/data/reports/GO-2022-0536.yaml b/data/reports/GO-2022-0536.yaml
index d58cb05..fb49fb3 100644
--- a/data/reports/GO-2022-0536.yaml
+++ b/data/reports/GO-2022-0536.yaml
@@ -1,23 +1,25 @@
-packages:
+modules:
- module: std
- package: net/http
- symbols:
- - http2serverConn.serve
- - http2serverConn.writeFrame
- - http2serverConn.scheduleFrameWrite
versions:
- fixed: 1.11.13
- introduced: 1.12.0
fixed: 1.12.8
vulnerable_at: 1.12.7
+ packages:
+ - package: net/http
+ symbols:
+ - http2serverConn.serve
+ - http2serverConn.writeFrame
+ - http2serverConn.scheduleFrameWrite
- module: golang.org/x/net
- package: golang.org/x/net/http
- symbols:
- - serverConn.serve
- - serverConn.writeFrame
- - serverConn.scheduleFrameWrite
versions:
- fixed: 0.0.0-20190813141303-74dc4d7220e7
+ packages:
+ - package: golang.org/x/net/http
+ symbols:
+ - serverConn.serve
+ - serverConn.writeFrame
+ - serverConn.scheduleFrameWrite
description: |
Some HTTP/2 implementations are vulnerable to a reset flood, potentially
leading to a denial of service.
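Review bot: the package path `golang.org/x/net/http` in the second module entry looks wrong and is carried over unchanged from the old layout. Its symbols (serverConn.serve, serverConn.writeFrame, serverConn.scheduleFrameWrite) are the unprefixed counterparts of the `http2serverConn.*` names listed for std net/http, which points at golang.org/x/net/http2. Symbol matching is keyed on the package path, so please confirm and correct it here or in a follow-up. The x/net entry also has no vulnerable_at, unlike the std entry.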
diff --git a/data/reports/GO-2022-0537.yaml b/data/reports/GO-2022-0537.yaml
index 4207138..d68e37f 100644
--- a/data/reports/GO-2022-0537.yaml
+++ b/data/reports/GO-2022-0537.yaml
@@ -1,14 +1,15 @@
-packages:
+modules:
- module: std
- package: math/big
- symbols:
- - Float.GobDecode
- - Rat.GobDecode
versions:
- fixed: 1.17.13
- introduced: 1.18.0
fixed: 1.18.5
vulnerable_at: 1.18.4
+ packages:
+ - package: math/big
+ symbols:
+ - Float.GobDecode
+ - Rat.GobDecode
description: |
Decoding big.Float and big.Rat types can panic if the encoded message is
too short, potentially allowing a denial of service.
diff --git a/data/reports/GO-2022-0563.yaml b/data/reports/GO-2022-0563.yaml
index bbf7b5b..e953862 100644
--- a/data/reports/GO-2022-0563.yaml
+++ b/data/reports/GO-2022-0563.yaml
@@ -1,11 +1,12 @@
-packages:
+modules:
- module: github.com/filebrowser/filebrowser/v2
- package: github.com/filebrowser/filebrowser/v2/http
- symbols:
- - NewHandler
versions:
- fixed: 2.18.0
vulnerable_at: 2.17.2
+ packages:
+ - package: github.com/filebrowser/filebrowser/v2/http
+ symbols:
+ - NewHandler
description: |
A Cross-Site Request Forgery vulnerability exists in Filebrowser
that allows attackers to create a backdoor user with admin privilege
diff --git a/data/reports/GO-2022-0564.yaml b/data/reports/GO-2022-0564.yaml
index 5dd4869..9566800 100644
--- a/data/reports/GO-2022-0564.yaml
+++ b/data/reports/GO-2022-0564.yaml
@@ -1,8 +1,10 @@
-packages:
+modules:
- module: github.com/biscuit-auth/biscuit-go
versions:
- fixed: 1.0.1-0.20220327202226-f061134c2a1e
vulnerable_at: 1.0.1
+ packages:
+ - package: github.com/biscuit-auth/biscuit-go
description: |
An attacker can forge Biscuit v1 tokens with any access level.
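Review bot: in the unchanged versions block, `vulnerable_at: 1.0.1` does not precede `fixed: 1.0.1-0.20220327202226-f061134c2a1e`. A pseudo-version of the form 1.0.1-0.<timestamp>-<hash> is a pre-release of 1.0.1 and sorts before it, so the report names a vulnerable_at that falls inside the fixed range. This predates the change, but since the file is being touched, either pick a vulnerable_at that precedes the fix commit or recheck the fixed value.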
diff --git a/data/reports/GO-2022-0574.yaml b/data/reports/GO-2022-0574.yaml
index 5bfe3b2..16a393a 100644
--- a/data/reports/GO-2022-0574.yaml
+++ b/data/reports/GO-2022-0574.yaml
@@ -1,67 +1,68 @@
-packages:
+modules:
- module: github.com/open-policy-agent/opa
- package: github.com/open-policy-agent/opa/ast
- symbols:
- - rewriteDeclaredVarsInTerm
- derived_symbols:
- - Args.Copy
- - Array.Foreach
- - Array.Iter
- - Array.Until
- - CompileModules
- - CompileModulesWithOpt
- - Compiler.Compile
- - Copy
- - GenericVisitor.Walk
- - Head.Copy
- - Import.Copy
- - Module.Copy
- - MustCompileModules
- - MustCompileModulesWithOpts
- - MustParseBody
- - MustParseBodyWithOpts
- - MustParseImports
- - MustParseModule
- - MustParseModuleWithOpts
- - MustParsePackage
- - MustParseRule
- - MustParseStatement
- - MustParseStatements
- - ParseBodyWithOpts
- - ParseImports
- - ParseModule
- - ParseModuleWithOpts
- - ParsePackage
- - ParseRule
- - ParseStatement
- - ParseStatements
- - ParseStatementsWithOpts
- - Parser.Parse
- - QueryContext.Copy
- - Ref.Extend
- - Rule.Copy
- - Term.Copy
- - ValueToInterface
- - VarVisitor.Walk
- - WalkWiths
- - baseDocEqIndex.AllRules
- - baseDocEqIndex.Lookup
- - object.Iter
- - queryCompiler.Compile
- - ruleWalker.Do
- - set.Copy
- - set.Diff
- - set.Foreach
- - set.Intersect
- - set.Iter
- - set.Reduce
- - set.Union
- - trieNode.Do
- - trieNode.Traverse
- - trieTraversalResult.Add
versions:
- fixed: 0.42.0
vulnerable_at: 0.41.0
+ packages:
+ - package: github.com/open-policy-agent/opa/ast
+ symbols:
+ - rewriteDeclaredVarsInTerm
+ derived_symbols:
+ - Args.Copy
+ - Array.Foreach
+ - Array.Iter
+ - Array.Until
+ - CompileModules
+ - CompileModulesWithOpt
+ - Compiler.Compile
+ - Copy
+ - GenericVisitor.Walk
+ - Head.Copy
+ - Import.Copy
+ - Module.Copy
+ - MustCompileModules
+ - MustCompileModulesWithOpts
+ - MustParseBody
+ - MustParseBodyWithOpts
+ - MustParseImports
+ - MustParseModule
+ - MustParseModuleWithOpts
+ - MustParsePackage
+ - MustParseRule
+ - MustParseStatement
+ - MustParseStatements
+ - ParseBodyWithOpts
+ - ParseImports
+ - ParseModule
+ - ParseModuleWithOpts
+ - ParsePackage
+ - ParseRule
+ - ParseStatement
+ - ParseStatements
+ - ParseStatementsWithOpts
+ - Parser.Parse
+ - QueryContext.Copy
+ - Ref.Extend
+ - Rule.Copy
+ - Term.Copy
+ - ValueToInterface
+ - VarVisitor.Walk
+ - WalkWiths
+ - baseDocEqIndex.AllRules
+ - baseDocEqIndex.Lookup
+ - object.Iter
+ - queryCompiler.Compile
+ - ruleWalker.Do
+ - set.Copy
+ - set.Diff
+ - set.Foreach
+ - set.Intersect
+ - set.Iter
+ - set.Reduce
+ - set.Union
+ - trieNode.Do
+ - trieNode.Traverse
+ - trieTraversalResult.Add
description: |
An issue in the AST parser of Open Policy Agent makes it possible for
attackers to cause a Denial of Service attack from a crafted input.
diff --git a/data/reports/GO-2022-0586.yaml b/data/reports/GO-2022-0586.yaml
index 3d5d84d..61d42ec 100644
--- a/data/reports/GO-2022-0586.yaml
+++ b/data/reports/GO-2022-0586.yaml
@@ -1,12 +1,16 @@
-packages:
+modules:
- module: github.com/hashicorp/go-getter
versions:
- introduced: 1.5.11
fixed: 1.6.1
+ packages:
+ - package: github.com/hashicorp/go-getter
- module: github.com/hashicorp/go-getter/v2
versions:
- introduced: 2.0.2
fixed: 2.1.0
+ packages:
+ - package: github.com/hashicorp/go-getter/v2
description: |
Malicious HTTP responses can cause a number of misbehaviors,
including overwriting local files, resource exhaustion, and panics.
diff --git a/data/reports/GO-2022-0587.yaml b/data/reports/GO-2022-0587.yaml
index 79ef36b..0477104 100644
--- a/data/reports/GO-2022-0587.yaml
+++ b/data/reports/GO-2022-0587.yaml
@@ -1,33 +1,34 @@
-packages:
+modules:
- module: github.com/open-policy-agent/opa
- package: github.com/open-policy-agent/opa/ast
- symbols:
- - Parser.parseSome
- - Parser.parseEvery
- derived_symbols:
- - CompileModules
- - CompileModulesWithOpt
- - MustCompileModules
- - MustCompileModulesWithOpts
- - MustParseImports
- - MustParseModule
- - MustParseModuleWithOpts
- - MustParsePackage
- - MustParseRule
- - MustParseStatement
- - MustParseStatements
- - ParseImports
- - ParseModule
- - ParseModuleWithOpts
- - ParsePackage
- - ParseRule
- - ParseStatement
- - ParseStatements
- - ParseStatementsWithOpts
- - Parser.Parse
versions:
- fixed: 0.40.0
vulnerable_at: 0.39.0
+ packages:
+ - package: github.com/open-policy-agent/opa/ast
+ symbols:
+ - Parser.parseSome
+ - Parser.parseEvery
+ derived_symbols:
+ - CompileModules
+ - CompileModulesWithOpt
+ - MustCompileModules
+ - MustCompileModulesWithOpts
+ - MustParseImports
+ - MustParseModule
+ - MustParseModuleWithOpts
+ - MustParsePackage
+ - MustParseRule
+ - MustParseStatement
+ - MustParseStatements
+ - ParseImports
+ - ParseModule
+ - ParseModuleWithOpts
+ - ParsePackage
+ - ParseRule
+ - ParseStatement
+ - ParseStatements
+ - ParseStatementsWithOpts
+ - Parser.Parse
description: |
An issue in ast.Parser in Open Policy Agent causes the application to
incorrectly interpret expressions, allowing a Denial of Service (DoS)
diff --git a/data/reports/GO-2022-0588.yaml b/data/reports/GO-2022-0588.yaml
index efac6da..0bfaa69 100644
--- a/data/reports/GO-2022-0588.yaml
+++ b/data/reports/GO-2022-0588.yaml
@@ -1,15 +1,17 @@
-packages:
+modules:
- module: github.com/microcosm-cc/bluemonday
- symbols:
- - Policy.AllowElements
- - Policy.AllowElementsMatching
- derived_symbols:
- - Policy.AllowLists
- - Policy.AllowTables
- - UGCPolicy
versions:
- fixed: 1.0.16
vulnerable_at: 1.0.15
+ packages:
+ - package: github.com/microcosm-cc/bluemonday
+ symbols:
+ - Policy.AllowElements
+ - Policy.AllowElementsMatching
+ derived_symbols:
+ - Policy.AllowLists
+ - Policy.AllowTables
+ - UGCPolicy
description: |
The bluemonday HTML sanitizer can leak the contents of a "style" element
into HTML output, potentially causing XSS vulnerabilities.
diff --git a/data/reports/GO-2022-0592.yaml b/data/reports/GO-2022-0592.yaml
index b267c55..910bd57 100644
--- a/data/reports/GO-2022-0592.yaml
+++ b/data/reports/GO-2022-0592.yaml
@@ -1,16 +1,18 @@
-packages:
+modules:
- module: github.com/tidwall/gjson
- symbols:
- - queryMatches
- derived_symbols:
- - Get
- - GetBytes
- - GetMany
- - GetManyBytes
- - Result.Get
versions:
- fixed: 1.9.3
vulnerable_at: 1.9.2
+ packages:
+ - package: github.com/tidwall/gjson
+ symbols:
+ - queryMatches
+ derived_symbols:
+ - Get
+ - GetBytes
+ - GetMany
+ - GetManyBytes
+ - Result.Get
description: |
A maliciously crafted path can cause Get and other query functions
to consume excessive amounts of CPU and time.
diff --git a/data/reports/GO-2022-0619.yaml b/data/reports/GO-2022-0619.yaml
index 344da55..36440f9 100644
--- a/data/reports/GO-2022-0619.yaml
+++ b/data/reports/GO-2022-0619.yaml
@@ -1,29 +1,35 @@
-packages:
+modules:
- module: github.com/emicklei/go-restful
- symbols:
- - CrossOriginResourceSharing.isOriginAllowed
- derived_symbols:
- - CrossOriginResourceSharing.Filter
versions:
- fixed: 2.16.0+incompatible
vulnerable_at: 2.15.0+incompatible
+ packages:
+ - package: github.com/emicklei/go-restful
+ symbols:
+ - CrossOriginResourceSharing.isOriginAllowed
+ derived_symbols:
+ - CrossOriginResourceSharing.Filter
- module: github.com/emicklei/go-restful/v2
- symbols:
- - CrossOriginResourceSharing.isOriginAllowed
- derived_symbols:
- - CrossOriginResourceSharing.Filter
versions:
- introduced: 2.7.1
vulnerable_at: 2.7.1
+ packages:
+ - package: github.com/emicklei/go-restful/v2
+ symbols:
+ - CrossOriginResourceSharing.isOriginAllowed
+ derived_symbols:
+ - CrossOriginResourceSharing.Filter
- module: github.com/emicklei/go-restful/v3
- symbols:
- - CrossOriginResourceSharing.isOriginAllowed
- derived_symbols:
- - CrossOriginResourceSharing.Filter
versions:
- introduced: 3.0.0
fixed: 3.8.0
vulnerable_at: 3.7.4
+ packages:
+ - package: github.com/emicklei/go-restful/v3
+ symbols:
+ - CrossOriginResourceSharing.isOriginAllowed
+ derived_symbols:
+ - CrossOriginResourceSharing.Filter
description: |
CORS filters that use an AllowedDomains configuration parameter
can match domains outside the specified set, permitting an attacker
diff --git a/data/reports/GO-2022-0621.yaml b/data/reports/GO-2022-0621.yaml
index f295a5b..89f89d6 100644
--- a/data/reports/GO-2022-0621.yaml
+++ b/data/reports/GO-2022-0621.yaml
@@ -1,12 +1,13 @@
-packages:
+modules:
- module: k8s.io/kube-state-metrics
- package: k8s.io/kube-state-metrics/internal/store
- symbols:
- - kubeAnnotationsToPrometheusLabels
versions:
- introduced: 1.7.0
fixed: 1.7.2
vulnerable_at: 1.7.0
+ packages:
+ - package: k8s.io/kube-state-metrics/internal/store
+ symbols:
+ - kubeAnnotationsToPrometheusLabels
description: |
Exposing annotations as metrics can leak secrets.
diff --git a/data/reports/GO-2022-0629.yaml b/data/reports/GO-2022-0629.yaml
index b51c211..4c7fda2 100644
--- a/data/reports/GO-2022-0629.yaml
+++ b/data/reports/GO-2022-0629.yaml
@@ -1,32 +1,23 @@
-packages:
+modules:
- module: sigs.k8s.io/secrets-store-csi-driver
- package: sigs.k8s.io/secrets-store-csi-driver/controllers
- symbols:
- - SecretProviderClassPodStatusReconciler.Reconcile
versions:
- introduced: 0.0.15
fixed: 0.0.17
vulnerable_at: 0.0.16
- - module: sigs.k8s.io/secrets-store-csi-driver
- package: sigs.k8s.io/secrets-store-csi-driver/pkg/rotation
- symbols:
- - Reconciler.reconcile
- derived_symbols:
- - Reconciler.Run
- versions:
- - introduced: 0.0.15
- fixed: 0.0.17
- vulnerable_at: 0.0.16
- - module: sigs.k8s.io/secrets-store-csi-driver
- package: sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store
- symbols:
- - nodeServer.NodeUnpublishVolume
- derived_symbols:
- - SecretsStore.Run
- versions:
- - introduced: 0.0.15
- fixed: 0.0.17
- vulnerable_at: 0.0.16
+ packages:
+ - package: sigs.k8s.io/secrets-store-csi-driver/controllers
+ symbols:
+ - SecretProviderClassPodStatusReconciler.Reconcile
+ - package: sigs.k8s.io/secrets-store-csi-driver/pkg/rotation
+ symbols:
+ - Reconciler.reconcile
+ derived_symbols:
+ - Reconciler.Run
+ - package: sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store
+ symbols:
+ - nodeServer.NodeUnpublishVolume
+ derived_symbols:
+ - SecretsStore.Run
description: |
Modifying pod status allows host directory traversal.
diff --git a/data/reports/GO-2022-0646.yaml b/data/reports/GO-2022-0646.yaml
index bf312ed..c1625fd 100644
--- a/data/reports/GO-2022-0646.yaml
+++ b/data/reports/GO-2022-0646.yaml
@@ -1,34 +1,35 @@
-packages:
+modules:
- module: github.com/aws/aws-sdk-go
- package: github.com/aws/aws-sdk-go/service/s3/s3crypto
- symbols:
- - DecryptionClient.GetObjectRequest
- - DecryptionClient.GetObjectWithContext
- - EncryptionClient.PutObject
- - EncryptionClient.PutObjectRequest
- - EncryptionClient.PutObjectWithContext
- - NewKMSKeyGeneratorWithMatDesc
- - NewKMSKeyGeneratorWithMatDesc
- - cekFromEnvelope
- - contentCipherFromEnvelope
- - generateBytes
- derived_symbols:
- - DecryptionClient.GetObject
- - DecryptionClientV2.GetObject
- - DecryptionClientV2.GetObjectWithContext
- - EncryptionClientV2.PutObject
- - EncryptionClientV2.PutObjectWithContext
- - NewKMSKeyGenerator
- - S3SaveStrategy.Save
- - kmsKeyHandler.DecryptKey
- - kmsKeyHandler.DecryptKeyWithContext
- - kmsKeyHandler.GenerateCipherData
- - kmsKeyHandler.GenerateCipherDataWithCEKAlg
- - kmsKeyHandler.GenerateCipherDataWithCEKAlgWithContext
- - kmsKeyHandler.GenerateCipherDataWithContext
versions:
- fixed: 1.34.0
vulnerable_at: 1.33.21
+ packages:
+ - package: github.com/aws/aws-sdk-go/service/s3/s3crypto
+ symbols:
+ - DecryptionClient.GetObjectRequest
+ - DecryptionClient.GetObjectWithContext
+ - EncryptionClient.PutObject
+ - EncryptionClient.PutObjectRequest
+ - EncryptionClient.PutObjectWithContext
+ - NewKMSKeyGeneratorWithMatDesc
+ - NewKMSKeyGeneratorWithMatDesc
+ - cekFromEnvelope
+ - contentCipherFromEnvelope
+ - generateBytes
+ derived_symbols:
+ - DecryptionClient.GetObject
+ - DecryptionClientV2.GetObject
+ - DecryptionClientV2.GetObjectWithContext
+ - EncryptionClientV2.PutObject
+ - EncryptionClientV2.PutObjectWithContext
+ - NewKMSKeyGenerator
+ - S3SaveStrategy.Save
+ - kmsKeyHandler.DecryptKey
+ - kmsKeyHandler.DecryptKeyWithContext
+ - kmsKeyHandler.GenerateCipherData
+ - kmsKeyHandler.GenerateCipherDataWithCEKAlg
+ - kmsKeyHandler.GenerateCipherDataWithCEKAlgWithContext
+ - kmsKeyHandler.GenerateCipherDataWithContext
description: |-
The Go AWS S3 Crypto SDK has a vulnerability that can result in loss of
confidentiality and message forgery. The attack requires write access to the
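Review bot: `NewKMSKeyGeneratorWithMatDesc` appears twice in the new symbols list, copied as-is from the removed block. Drop the duplicate, or if the second entry was meant to be a different symbol, fix it in this pass. A lint check for duplicate symbols within a package entry would catch this during report validation.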
diff --git a/data/reports/GO-2022-0701.yaml b/data/reports/GO-2022-0701.yaml
index fc1a996..8a9d461 100644
--- a/data/reports/GO-2022-0701.yaml
+++ b/data/reports/GO-2022-0701.yaml
@@ -1,41 +1,27 @@
-packages:
+modules:
- module: k8s.io/kubernetes
- package: k8s.io/kubernetes/pkg/api/rest
- symbols:
- - BeforeCreate
versions:
- fixed: 1.1.1
- - module: k8s.io/kubernetes
- package: k8s.io/kubernetes/pkg/registry/generic/etcd
- symbols:
- - NamespaceKeyFunc
- versions:
- - fixed: 1.1.1
- - module: k8s.io/kubernetes
- package: k8s.io/kubernetes/pkg/storage
- symbols:
- - NamespaceKeyFunc
- - NoNamespaceKeyFunc
- versions:
- - fixed: 1.1.1
- - module: k8s.io/kubernetes
- package: k8s.io/kubernetes/pkg/registry/namespace/etcd
- symbols:
- - NewREST
- versions:
- - fixed: 1.1.1
- - module: k8s.io/kubernetes
- package: k8s.io/kubernetes/pkg/registry/node/etcd
- symbols:
- - NewREST
- versions:
- - fixed: 1.1.1
- - module: k8s.io/kubernetes
- package: k8s.io/kubernetes/pkg/registry/persistentvolume/etcd
- symbols:
- - NewREST
- versions:
- - fixed: 1.1.1
+ packages:
+ - package: k8s.io/kubernetes/pkg/api/rest
+ symbols:
+ - BeforeCreate
+ - package: k8s.io/kubernetes/pkg/registry/generic/etcd
+ symbols:
+ - NamespaceKeyFunc
+ - package: k8s.io/kubernetes/pkg/storage
+ symbols:
+ - NamespaceKeyFunc
+ - NoNamespaceKeyFunc
+ - package: k8s.io/kubernetes/pkg/registry/namespace/etcd
+ symbols:
+ - NewREST
+ - package: k8s.io/kubernetes/pkg/registry/node/etcd
+ symbols:
+ - NewREST
+ - package: k8s.io/kubernetes/pkg/registry/persistentvolume/etcd
+ symbols:
+ - NewREST
description: |
Crafted object type names can cause directory traversal in Kubernetes.
diff --git a/data/reports/GO-2022-0755.yaml b/data/reports/GO-2022-0755.yaml
index db4c542..ec7846d 100644
--- a/data/reports/GO-2022-0755.yaml
+++ b/data/reports/GO-2022-0755.yaml
@@ -1,18 +1,15 @@
-packages:
+modules:
- module: github.com/rancher/rancher
- package: github.com/rancher/rancher/server
- symbols:
- - Start
versions:
- fixed: 2.2.5-rc6.0.20190621200032-0ddffe484adc+incompatible
vulnerable_at: 2.2.5-rc6.0.20190621195844-88e9e38dc862+incompatible
- - module: github.com/rancher/rancher
- package: github.com/rancher/rancher/pkg/clusterrouter
- symbols:
- - Router.ServeHTTP
- versions:
- - fixed: 2.2.5-rc6.0.20190621200032-0ddffe484adc+incompatible
- vulnerable_at: 2.2.5-rc6.0.20190621195844-88e9e38dc862+incompatible
+ packages:
+ - package: github.com/rancher/rancher/server
+ symbols:
+ - Start
+ - package: github.com/rancher/rancher/pkg/clusterrouter
+ symbols:
+ - Router.ServeHTTP
description: |
Rancher 2 is vulnerable to a Cross-Site Websocket Hijacking
attack that allows an exploiter to gain access to clusters managed by
@@ -25,7 +22,7 @@
- GHSA-xhg2-rvm8-w2jh
credit: Matt Belisle and Alex Stevenson at Workiva
links:
- advisory: https://github.com/advisories/GHSA-xhg2-rvm8-w2jh
commit: https://github.com/rancher/rancher/commit/0ddffe484adccb9e37d9432e8e625d8ebbfb0088
+ advisory: https://github.com/advisories/GHSA-xhg2-rvm8-w2jh
context:
- https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801
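Review bot: swapping `advisory` and `commit` under links is unrelated to the packages-to-modules restructuring. If it comes from the tool's canonical field order that is fine, but mention it in the commit message so the reordering is not mistaken for a content change when someone reads the history of this report.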
diff --git a/data/reports/GO-2022-0761.yaml b/data/reports/GO-2022-0761.yaml
index 38c828c..3b6b655 100644
--- a/data/reports/GO-2022-0761.yaml
+++ b/data/reports/GO-2022-0761.yaml
@@ -1,18 +1,15 @@
-packages:
+modules:
- module: std
- package: net/http
- symbols:
- - Handler.ServeHTTP
versions:
- fixed: 1.6.3
vulnerable_at: 1.6.2
- - module: std
- package: net/http/cgi
- symbols:
- - ProxyFromEnvironment
- versions:
- - fixed: 1.6.3
- vulnerable_at: 1.6.2
+ packages:
+ - package: net/http
+ symbols:
+ - Handler.ServeHTTP
+ - package: net/http/cgi
+ symbols:
+ - ProxyFromEnvironment
description: |
An input validation flaw in the CGI components allows the HTTP_PROXY
environment variable to be set by the incoming Proxy header, which changes
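Review bot: the symbols look attached to the wrong packages, and the restructuring preserves that. `ProxyFromEnvironment` is an exported function of net/http, while a concrete `Handler` type with a `ServeHTTP` method is what net/http/cgi provides (Handler in net/http is an interface). Given the description is about the CGI components setting HTTP_PROXY from the Proxy header, I would expect `Handler.ServeHTTP` under net/http/cgi and `ProxyFromEnvironment` under net/http. Please swap them, otherwise call-graph matching on these symbols will not find the affected code.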
diff --git a/data/reports/GO-2022-0762.yaml b/data/reports/GO-2022-0762.yaml
index a53142c..181e681 100644
--- a/data/reports/GO-2022-0762.yaml
+++ b/data/reports/GO-2022-0762.yaml
@@ -1,14 +1,16 @@
-packages:
+modules:
- module: github.com/microcosm-cc/bluemonday
- symbols:
- - Policy.sanitize
- derived_symbols:
- - Policy.Sanitize
- - Policy.SanitizeBytes
- - Policy.SanitizeReader
versions:
- fixed: 1.0.5
vulnerable_at: 1.0.4
+ packages:
+ - package: github.com/microcosm-cc/bluemonday
+ symbols:
+ - Policy.sanitize
+ derived_symbols:
+ - Policy.Sanitize
+ - Policy.SanitizeBytes
+ - Policy.SanitizeReader
description: |
An XSS injection was possible because the sanitization of the Cyrillic
character i bypass a protection mechanism against user-inputted HTML elements