id: GO-2022-0470
modules:
    - module: github.com/blevesearch/bleve
      vulnerable_at: 1.0.14
      packages:
        - package: github.com/blevesearch/bleve/http
          symbols:
            - AliasHandler.ServeHTTP
            - CreateIndexHandler.ServeHTTP
            - DebugDocumentHandler.ServeHTTP
            - DeleteIndexHandler.ServeHTTP
            - DocCountHandler.ServeHTTP
            - DocDeleteHandler.ServeHTTP
            - DocGetHandler.ServeHTTP
            - DocIndexHandler.ServeHTTP
            - GetIndexHandler.ServeHTTP
            - ListFieldsHandler.ServeHTTP
            - SearchHandler.ServeHTTP
    - module: github.com/blevesearch/bleve/v2
      vulnerable_at: 2.3.2
      packages:
        - package: github.com/blevesearch/bleve/v2/http
          symbols:
            - AliasHandler.ServeHTTP
            - CreateIndexHandler.ServeHTTP
            - DebugDocumentHandler.ServeHTTP
            - DeleteIndexHandler.ServeHTTP
            - DocCountHandler.ServeHTTP
            - DocDeleteHandler.ServeHTTP
            - DocGetHandler.ServeHTTP
            - DocIndexHandler.ServeHTTP
            - GetIndexHandler.ServeHTTP
            - ListFieldsHandler.ServeHTTP
            - SearchHandler.ServeHTTP
summary: No access control in github.com/blevesearch/bleve and bleve/v2
description: |-
    HTTP handlers provide unauthenticated access to the local filesystem.
    The Bleve http package is intended for demonstration purposes and contains no
    authentication, authorization, or validation of user inputs. Exposing handlers
    from this package can permit attackers to create files and delete directories.
published: 2022-07-15T23:29:55Z
cves:
    - CVE-2022-31022
ghsas:
    - GHSA-9w9f-6mg8-jp7w
references:
    - fix: https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff