| id: GO-2022-0587 |
| modules: |
| - module: github.com/open-policy-agent/opa |
| versions: |
| - fixed: 0.40.0 |
| vulnerable_at: 0.39.0 |
| packages: |
| - package: github.com/open-policy-agent/opa/ast |
| symbols: |
| - Parser.parseSome |
| - Parser.parseEvery |
| derived_symbols: |
| - CompileModules |
| - CompileModulesWithOpt |
| - MustCompileModules |
| - MustCompileModulesWithOpts |
| - MustParseBody |
| - MustParseBodyWithOpts |
| - MustParseExpr |
| - MustParseImports |
| - MustParseModule |
| - MustParseModuleWithOpts |
| - MustParsePackage |
| - MustParseRef |
| - MustParseRule |
| - MustParseStatement |
| - MustParseStatements |
| - MustParseTerm |
| - ParseBody |
| - ParseBodyWithOpts |
| - ParseExpr |
| - ParseImports |
| - ParseModule |
| - ParseModuleWithOpts |
| - ParsePackage |
| - ParseRef |
| - ParseRule |
| - ParseStatement |
| - ParseStatements |
| - ParseStatementsWithOpts |
| - ParseTerm |
| - Parser.Parse |
| - metadataParser.Parse |
| summary: Out of bounds memory access in github.com/open-policy-agent/opa |
| description: |- |
| An issue in ast.Parser in Open Policy Agent causes the application to |
| incorrectly interpret expressions, allowing a Denial of Service (DoS) via |
| triggering out-of-range memory access. |
| published: 2022-05-20T00:00:26Z |
| cves: |
| - CVE-2022-28946 |
| ghsas: |
| - GHSA-x7f3-62pm-9p38 |
| credits: |
| - Norbert Szetei of Doyensec |
| references: |
| - fix: https://github.com/open-policy-agent/opa/pull/4548 |
| - fix: https://github.com/open-policy-agent/opa/commit/e9d3828db670cbe11129885f37f08cbf04935264 |
| review_status: REVIEWED |