data/reports/GO-2020-0005.yaml

id: GO-2020-0005
modules:
    - module: go.etcd.io/etcd
      versions:
        - fixed: 0.5.0-alpha.5.0.20200423152442-f4b650b51dc4
      vulnerable_at: 0.5.0-alpha.5.0.20200422225029-2369cb367873
      packages:
        - package: go.etcd.io/etcd/wal
          symbols:
            - WAL.ReadAll
            - decoder.decodeRecord
          derived_symbols:
            - Create
            - Repair
            - Verify
summary: Panic due to malformed WALs in go.etcd.io/etcd
description: |-
    Malformed WALs can be constructed such that WAL.ReadAll can cause attempted out
    of bounds reads, or creation of arbitrarily sized slices, which may be used as a
    DoS vector.
published: 2021-04-14T20:04:52Z
cves:
    - CVE-2020-15106
    - CVE-2020-15112
ghsas:
    - GHSA-m332-53r6-2w93
    - GHSA-p4g4-wgrh-qrg2
credits:
    - Trail of Bits
references:
    - fix: https://github.com/etcd-io/etcd/pull/11793
    - fix: https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07
    - web: https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf