| id: GO-2021-0102 |
| modules: |
| - module: code.cloudfoundry.org/gorouter |
| versions: |
| - fixed: 0.0.0-20191101214924-b1b5c44e050f |
| vulnerable_at: 0.0.0-20191101214739-a658664ae1e3 |
| packages: |
| - package: code.cloudfoundry.org/gorouter/common/secure |
| symbols: |
| - AesGCM.Decrypt |
| - module: github.com/cloudfoundry/gorouter |
| versions: |
| - fixed: 0.0.0-20191101214924-b1b5c44e050f |
| vulnerable_at: 0.0.0-20191101214739-a658664ae1e3 |
| packages: |
| - package: github.com/cloudfoundry/gorouter/common/secure |
| symbols: |
| - AesGCM.Decrypt |
| summary: Panic in decryption in code.cloudfoundry.org/gorouter |
| description: |- |
| Due to improper input validation, a maliciously crafted input can cause a panic, |
| due to incorrect nonce size. If this package is used to decrypt user supplied |
| messages without checking the size of supplied nonces, this may be used as a |
| vector for a denial of service attack. |
| published: 2021-07-28T18:08:05Z |
| cves: |
| - CVE-2019-11289 |
| ghsas: |
| - GHSA-5796-p3m6-9qj4 |
| references: |
| - fix: https://github.com/cloudfoundry/gorouter/commit/b1b5c44e050f73b399b379ca63a42a2c5780a83f |
| - web: https://www.cloudfoundry.org/blog/cve-2019-11289/ |
| review_status: REVIEWED |