id: GO-2022-0470
modules:
    - module: github.com/blevesearch/bleve
      vulnerable_at: 1.0.14
      packages:
        - package: github.com/blevesearch/bleve/http
          symbols:
            - AliasHandler.ServeHTTP
            - CreateIndexHandler.ServeHTTP
            - DebugDocumentHandler.ServeHTTP
            - DeleteIndexHandler.ServeHTTP
            - DocCountHandler.ServeHTTP
            - DocDeleteHandler.ServeHTTP
            - DocGetHandler.ServeHTTP
            - DocIndexHandler.ServeHTTP
            - GetIndexHandler.ServeHTTP
            - ListFieldsHandler.ServeHTTP
            - SearchHandler.ServeHTTP
    - module: github.com/blevesearch/bleve/v2
      vulnerable_at: 2.3.2
      packages:
        - package: github.com/blevesearch/bleve/v2/http
          symbols:
            - AliasHandler.ServeHTTP
            - CreateIndexHandler.ServeHTTP
            - DebugDocumentHandler.ServeHTTP
            - DeleteIndexHandler.ServeHTTP
            - DocCountHandler.ServeHTTP
            - DocDeleteHandler.ServeHTTP
            - DocGetHandler.ServeHTTP
            - DocIndexHandler.ServeHTTP
            - GetIndexHandler.ServeHTTP
            - ListFieldsHandler.ServeHTTP
            - SearchHandler.ServeHTTP
summary: No access control in github.com/blevesearch/bleve and bleve/v2
description: |-
    HTTP handlers provide unauthenticated access to the local filesystem.

    The Bleve http package is intended for demonstration purposes and contains no
    authentication, authorization, or validation of user inputs. Exposing handlers
    from this package can permit attackers to create files and delete directories.
published: 2022-07-15T23:29:55Z
cves:
    - CVE-2022-31022
ghsas:
    - GHSA-9w9f-6mg8-jp7w
references:
    - fix: https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff
review_status: REVIEWED