data/reports: add GO-2024-2631.yaml
Aliases: CVE-2024-28180, GHSA-c5q2-7r4c-mv6g
Fixes golang/vulndb#2631
Change-Id: I601a1fe9ac5e66b47b5aace5efe5e70a41b56fe0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/571735
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-2631.json b/data/osv/GO-2024-2631.json
new file mode 100644
index 0000000..949f3ae
--- /dev/null
+++ b/data/osv/GO-2024-2631.json
@@ -0,0 +1,164 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2631",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-28180",
+ "GHSA-c5q2-7r4c-mv6g"
+ ],
+ "summary": "Decompression bomb vulnerability in github.com/go-jose/go-jose",
+ "details": "An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/go-jose/go-jose/v4",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.0.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/go-jose/go-jose/v4",
+ "symbols": [
+ "JSONWebEncryption.Decrypt",
+ "JSONWebEncryption.DecryptMulti",
+ "inflate"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/go-jose/go-jose/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/go-jose/go-jose/v3",
+ "symbols": [
+ "JSONWebEncryption.Decrypt",
+ "JSONWebEncryption.DecryptMulti",
+ "inflate"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "gopkg.in/go-jose/go-jose.v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.6.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "gopkg.in/go-jose/go-jose.v2",
+ "symbols": [
+ "JSONWebEncryption.Decrypt",
+ "JSONWebEncryption.DecryptMulti",
+ "inflate"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "gopkg.in/square/go-jose.v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "gopkg.in/square/go-jose.v2",
+ "symbols": [
+ "JSONWebEncryption.Decrypt",
+ "JSONWebEncryption.DecryptMulti",
+ "inflate"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502"
+ }
+ ],
+ "credits": [
+ {
+ "name": "zer0yu"
+ },
+ {
+ "name": "chenjj"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2631"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2631.yaml b/data/reports/GO-2024-2631.yaml
new file mode 100644
index 0000000..7db2e15
--- /dev/null
+++ b/data/reports/GO-2024-2631.yaml
@@ -0,0 +1,60 @@
+id: GO-2024-2631
+modules:
+ - module: github.com/go-jose/go-jose/v4
+ versions:
+ - fixed: 4.0.1
+ vulnerable_at: 4.0.0
+ packages:
+ - package: github.com/go-jose/go-jose/v4
+ symbols:
+ - inflate
+ derived_symbols:
+ - JSONWebEncryption.Decrypt
+ - JSONWebEncryption.DecryptMulti
+ - module: github.com/go-jose/go-jose/v3
+ versions:
+ - fixed: 3.0.3
+ vulnerable_at: 3.0.2
+ packages:
+ - package: github.com/go-jose/go-jose/v3
+ symbols:
+ - inflate
+ derived_symbols:
+ - JSONWebEncryption.Decrypt
+ - JSONWebEncryption.DecryptMulti
+ - module: gopkg.in/go-jose/go-jose.v2
+ versions:
+ - fixed: 2.6.3
+ vulnerable_at: 2.6.2
+ packages:
+ - package: gopkg.in/go-jose/go-jose.v2
+ symbols:
+ - inflate
+ derived_symbols:
+ - JSONWebEncryption.Decrypt
+ - JSONWebEncryption.DecryptMulti
+ - module: gopkg.in/square/go-jose.v2
+ vulnerable_at: 2.6.0
+ packages:
+ - package: gopkg.in/square/go-jose.v2
+ symbols:
+ - inflate
+ derived_symbols:
+ - JSONWebEncryption.Decrypt
+ - JSONWebEncryption.DecryptMulti
+summary: Decompression bomb vulnerability in github.com/go-jose/go-jose
+description: |-
+ An attacker could send a JWE containing compressed data that used large amounts
+ of memory and CPU when decompressed by Decrypt or DecryptMulti.
+cves:
+ - CVE-2024-28180
+ghsas:
+ - GHSA-c5q2-7r4c-mv6g
+credits:
+ - zer0yu
+ - chenjj
+references:
+ - advisory: https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
+ - fix: https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
+ - fix: https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
+ - fix: https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502
