data/reports: add vulnerable_at to GO-2020-0023.yaml
Aliases: CVE-2015-10004, GHSA-5vw4-v588-pgv8
Updates golang/vulndb#23
Change-Id: Ib44d2eb05a3f6a041b8eee4f6031b6b0c88de656
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/462075
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/cve/v5/GO-2020-0023.json b/data/cve/v5/GO-2020-0023.json
index d41680b..de75f9c 100644
--- a/data/cve/v5/GO-2020-0023.json
+++ b/data/cve/v5/GO-2020-0023.json
@@ -32,6 +32,9 @@
"programRoutines": [
{
"name": "Algorithm.validateSignature"
+ },
+ {
+ "name": "Algorithm.Validate"
}
],
"defaultStatus": "unaffected"
diff --git a/data/osv/GO-2020-0023.json b/data/osv/GO-2020-0023.json
index fabb93b..c25e1cc 100644
--- a/data/osv/GO-2020-0023.json
+++ b/data/osv/GO-2020-0023.json
@@ -34,6 +34,7 @@
{
"path": "github.com/robbert229/jwt",
"symbols": [
+ "Algorithm.Validate",
"Algorithm.validateSignature"
]
}
diff --git a/data/reports/GO-2020-0023.yaml b/data/reports/GO-2020-0023.yaml
index a4be45f..173ec97 100644
--- a/data/reports/GO-2020-0023.yaml
+++ b/data/reports/GO-2020-0023.yaml
@@ -2,10 +2,13 @@
- module: github.com/robbert229/jwt
versions:
- fixed: 0.0.0-20170426191122-ca1404ee6e83
+ vulnerable_at: 0.0.0-20170303194658-2eb16e9a008d
packages:
- package: github.com/robbert229/jwt
symbols:
- Algorithm.validateSignature
+ derived_symbols:
+ - Algorithm.Validate
description: |
Token validation methods are susceptible to a timing side-channel
during HMAC comparison. With a large enough number of requests
