reports: add a handful of CVEs

Results of testing new CVE triaging tooling. Also adds a file which tracks which CVEs have been triaged. Still need to add all of the false positives, but would like to fine tune the triage tooling first to hopefully cut down the number of them. Change-Id: I7591b10f5abc5e73b6a3291beeaedca0032ad02f Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1053804 Reviewed-by: Roland Shoemaker <bracewell@google.com>
2021-04-13 10:50:27 -07:00 · 2021-04-13 10:50:27 -07:00 · 91bf12f5f8
--- a/reports/GO-2020-0005.toml
+++ b/reports/GO-2020-0005.toml
@ -14,9 +14,6 @@ credit = "Trail of Bits"
 symbols = ["WAL.ReadAll"]

 [[versions]]
-# Do we also need a way to indicate "fixed after this version, but also these specific
-# earlier point releases are also fixed"? In this case >= 3.4.10 is fixed, but so was
-# 3.3.23
 fixed = "v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4"

 [links]
--- a/reports/GO-2021-0056.toml
+++ b/reports/GO-2021-0056.toml
@ -1,4 +1,5 @@
-module = "github.com/russellhaering/goxmldsig"
+module = "github.com/dexidp/dex"
+package = "github.com/dexidp/dex/connector/saml"

 description = """
 An XML message can be maliciously crafted such that signature
@ -9,11 +10,11 @@ cve = "CVE-2020-15216"

 credit = "Juho Nurminen (Mattermost)"

-symbols = ["ValidationContext.findSignature"]
+symbols = ["provider.HandlePOST"]

 [[versions]]
-fixed = "v1.1.0"
+fixed = "v0.0.0-20201214082111-324b1c886b40"

 [links]
 commit = "https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8"
-context = ["https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"]
+context = ["https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"]
--- a/reports/GO-2021-0070.toml
+++ b/reports/GO-2021-0070.toml
@ -0,0 +1,26 @@
+module = "github.com/opencontainers/runc"
+package = "github.com/opencontainers/runc/libcontainer/user"
+
+description = """
+GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
+improperly interpred numeric UIDs as usernames. If the method is used without
+verify usernames are formatted as expected, it may allow a user to gain unexpected
+privileges.
+"""
+
+cve = "CVE-2016-3697"
+
+symbols = ["GetExecUser"]
+
+[[versions]]
+fixed = "v0.1.0"
+
+[links]
+commit = "https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091"
+pr = "https://github.com/opencontainers/runc/pull/708"
+context = [
+    "https://github.com/docker/docker/issues/21436",
+    "http://rhn.redhat.com/errata/RHSA-2016-1034.html",
+    "http://rhn.redhat.com/errata/RHSA-2016-2634.html",
+    "https://security.gentoo.org/glsa/201612-28"
+]
--- a/reports/GO-2021-0071.toml
+++ b/reports/GO-2021-0071.toml
@ -0,0 +1,22 @@
+module = "github.com/lxc/lxd"
+package = "github.com/lxc/lxd/shared"
+
+description = """
+A race between chown and chmod operations during a container filesystem shift
+may allow a user who can modify the filesystem to chmod an arbitary path of
+their choice, rather than the expected path.
+"""
+
+cve = "CVE-2015-1340"
+
+credit = "Seth Arnold"
+
+symbols = ["IdmapSet.doUidshiftIntoContainer"]
+
+[[versions]]
+fixed = "v0.0.0-20151004155856-19c6961cc101"
+
+[links]
+commit = "https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4"
+pr = "https://github.com/lxc/lxd/pull/1189"
+context = ["https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270"]
--- a/reports/GO-2021-0072.toml
+++ b/reports/GO-2021-0072.toml
@ -0,0 +1,30 @@
+module = "github.com/docker/distribution"
+package = "github.com/docker/distribution/registry/handlers"
+
+description = """
+Various storage methods do not impose limits on how much content is accepted
+from user requests, allowing a malicious user to force the caller to allocate
+an arbitary amount of memory.
+"""
+
+cve = "CVE-2017-11468"
+
+symbols = ["copyFullPayload"]
+
+[[versions]]
+fixed = "v2.7.0-rc.0+incompatible"
+
+[[additional_packages]]
+module = "github.com/docker/distribution"
+package = "github.com/docker/distribution/registry/storage"
+symbols = ["blobStore.Get"]
+[[additional_packages.versions]]
+fixed = "v2.7.0-rc.0+incompatible"
+
+[links]
+commit = "https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f"
+pr = "https://github.com/distribution/distribution/pull/2340"
+context = [
+    "https://access.redhat.com/errata/RHSA-2017:2603",
+    "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html"
+]
--- a/reports/GO-2021-0073.toml
+++ b/reports/GO-2021-0073.toml
@ -0,0 +1,24 @@
+module = "github.com/git-lfs/git-lfs"
+package = "github.com/git-lfs/git-lfs/lfsapi"
+
+description = """
+Arbitary command execution can be triggered by improperly
+sanitized SSH URLs in LFS configuration files. This can be
+triggered by cloning a malicious repoistory.
+"""
+
+cve = "CVE-2017-17831"
+
+symbols = ["sshGetLFSExeAndArgs"]
+
+[[versions]]
+fixed = "v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible"
+
+[links]
+commit = "https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19"
+pr = "https://github.com/git-lfs/git-lfs/pull/2241"
+context = [
+    "http://blog.recurity-labs.com/2017-08-10/scm-vulns",
+    "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html",
+    "http://www.securityfocus.com/bid/102926"
+]
--- a/reports/GO-2021-0075.toml
+++ b/reports/GO-2021-0075.toml
@ -0,0 +1,19 @@
+module = "github.com/ethereum/go-ethereum"
+package = "github.com/ethereum/go-ethereum/les"
+
+description = """
+Due to improper argument validation in RPC messages, a maliciously crafted
+message can cause a panic, leading to denial of service.
+"""
+
+cve = "CVE-2018-12018"
+
+symbols = ["protocolManager.handleMsg"]
+
+[[versions]]
+fixed = "v1.8.11"
+
+[links]
+commit = "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4"
+pr = "https://github.com/ethereum/go-ethereum/pull/16891"
+context = ["https://peckshield.com/2018/06/27/EPoD/"]
--- a/reports/GO-2021-0076.toml
+++ b/reports/GO-2021-0076.toml
@ -0,0 +1,18 @@
+module = "github.com/evanphx/json-patch"
+
+description = """
+A malicious JSON patch can cause a panic due to an out-of-bounds
+write attempt. This can be used as a denial of service vector if
+exposed to arbitary user input.
+"""
+
+cve = "CVE-2018-14632"
+
+symbols = ["partialArray.add"]
+
+[[versions]]
+fixed = "v0.5.2"
+
+[links]
+commit = "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03"
+pr = "https://github.com/evanphx/json-patch/pull/57"
--- a/reports/GO-2021-0077.toml
+++ b/reports/GO-2021-0077.toml
@ -0,0 +1,20 @@
+module = "go.etcd.io/etcd"
+package = "go.etcd.io/etcd/auth"
+
+description = """
+A user can use a valid client certificate that contains a CommonName that matches a
+valid RBAC username to authenticate themselves as that user, despite lacking the
+required credentials. This may allow authentication bypass, but requires a certificate
+that is issued by a CA trusted by the server.
+"""
+
+cve = "CVE-2018-16886"
+
+symbols = ["authStore.AuthInfoFromTLS"]
+
+[[versions]]
+fixed = "v0.5.0-alpha.5.0.20190108173120-83c051b701d3"
+
+[links]
+commit = "https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2"
+pr = "https://github.com/etcd-io/etcd/pull/10366"
--- a/reports/GO-2021-0078.toml
+++ b/reports/GO-2021-0078.toml
@ -0,0 +1,26 @@
+module = "golang.org/x/net"
+package = "golang.org/x/net/html"
+
+description = """
+The HTML parser does not properly handle "in frameset" insertion mode, and can be made
+to panic when operating on malformed HTML that contains <template> tags. If operating
+on user input, this may be a vector for a denial of service attack.
+"""
+
+cve = "CVE-2018-17075"
+
+credit = "Kunpei Sakai"
+
+symbols = ["inBodyIM", "inFramesetIM"]
+
+[[versions]]
+fixed = "v0.0.0-20180816102801-aaf60122140d"
+
+[links]
+commit = "https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50"
+pr = "https://go-review.googlesource.com/123776"
+context = [
+    "https://github.com/golang/go/issues/27016",
+    "https://bugs.chromium.org/p/chromium/issues/detail?id=829668",
+    "https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906"
+]
--- a/reports/GO-2021-0079.toml
+++ b/reports/GO-2021-0079.toml
@ -0,0 +1,22 @@
+module = "github.com/bytom/bytom"
+package = "github.com/bytom/bytom/p2p/discover"
+
+description = """
+A malformed query can cause an out-of-bounds panic due to improper
+validation of arguments. If processing queries from untrusted
+parties, this may be used as a vector for denial of service
+attacks.
+"""
+
+cve = "CVE-2018-18206"
+
+credit = "@yahtoo"
+
+symbols = ["Network.checkTopicRegister"]
+
+[[versions]]
+fixed = "v1.0.4-0.20180831054840-1ac3c8ac4f2b"
+
+[links]
+commit = "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
+pr = "https://github.com/Bytom/bytom/pull/1307"
--- a/reports/GO-2021-0081.toml
+++ b/reports/GO-2021-0081.toml
@ -0,0 +1,24 @@
+module = "github.com/containers/image"
+package = "github.com/containers/image/docker"
+
+description = """
+The HTTP client used to connect to the container registry authorization
+service explicitly disables TLS verification, allowing an attacker that
+is able to MITM the connection to steal credentials.
+"""
+
+cve = "CVE-2019-10214"
+
+symbols = ["dockerClient.getBearerToken"]
+
+[[versions]]
+introduced = ""
+fixed = "v2.0.2-0.20190802080134-634605d06e73+incompatible"
+
+[links]
+commit = "https://github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf"
+pr = "https://github.com/containers/image/pull/669"
+context = [
+    "https://github.com/containers/image/issues/654",
+    "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214"
+]
--- a/reports/GO-2021-0082.toml
+++ b/reports/GO-2021-0082.toml
@ -0,0 +1,19 @@
+module = "github.com/facebook/fbthrift"
+package = "github.com/facebook/fbthrift/thrift/lib/go/thrift"
+
+description = """
+Thirft Servers preallocate memory for the declared size of messages before
+checking the actual size of the message. This allows a malicious user to
+send messages that declare that they are significantly larger than they
+actually are, allowing them to force the server to allocate significant
+amounts of memory. This can be used as a denial of service vector.
+"""
+
+cve = "CVE-2019-11939"
+
+[[versions]]
+fixed = "v0.31.1-0.20200311080807-483ed864d69f"
+
+[links]
+commit = "https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757"
+context = ["https://www.facebook.com/security/advisories/cve-2019-11939"]
--- a/reports/GO-2021-0083.toml
+++ b/reports/GO-2021-0083.toml
@ -0,0 +1,19 @@
+module = "github.com/hybridgroup/gobot"
+package = "github.com/hybridgroup/gobot/platforms/mqtt"
+
+description = """
+TLS certificate verification is skipped when connecting to a MQTT server.
+This allows an attacker who can MITM the connection to read, or forge,
+messages passed between the client and server.
+"""
+
+cve = "CVE-2019-12496"
+
+symbols = ["Adaptor.newTLSConfig"]
+
+[[versions]]
+fixed = "v1.12.1-0.20190521122906-c1aa4f867846"
+
+[links]
+commit = "https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f"
+context = ["https://github.com/hybridgroup/gobot/releases/tag/v1.13.0"]
--- a/reports/GO-2021-0084.toml
+++ b/reports/GO-2021-0084.toml
@ -0,0 +1,21 @@
+module = "github.com/astaxie/beego"
+package = "github.com/astaxie/beego/session"
+
+description = """
+Session data is stored using permissive permissions, allowing local users
+with filesystem access to read arbitary data.
+"""
+
+cve = "CVE-2019-16354"
+
+credit = "@nicowaisman"
+
+symbols = ["FileProvider.SessionRead", "FileProvider.SessionRegenerate"]
+
+[[versions]]
+fixed = "v1.12.2-0.20200613154013-bac2b31afecc"
+
+[links]
+commit = "https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1"
+pr = "https://github.com/beego/beego/pull/3975"
+context = ["https://github.com/beego/beego/issues/3763"]
--- a/reports/GO-2021-0085.toml
+++ b/reports/GO-2021-0085.toml
@ -0,0 +1,25 @@
+module = "github.com/opencontainers/runc"
+package = "github.com/opencontainers/runc/libcontainer"
+
+description = """
+AppArmor restrictions may be bypassed due to improper validation of mount
+targets, allowing a malicious image to mount volumes over e.g. /proc.
+"""
+
+cve = "CVE-2019-16884"
+
+credit = "Leopold Schabel"
+
+[[versions]]
+fixed = "v1.0.0-rc8.0.20190930145003-cad42f6e0932"
+
+[[additional_packages]]
+module = "github.com/opencontainers/selinux"
+package = "github.com/opencontainers/selinux/go-selinux"
+[[additional_packages.versions]]
+fixed = "v1.3.1-0.20190929122143-5215b1806f52"
+
+[links]
+commit = "https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4"
+pr = "https://github.com/opencontainers/runc/pull/2130"
+context = ["https://github.com/opencontainers/runc/issues/2128"]
--- a/reports/GO-2021-0086.toml
+++ b/reports/GO-2021-0086.toml
@ -0,0 +1,17 @@
+module = "github.com/documize/community"
+package = "github.com/documize/community/domain/section/markdown"
+
+description = """
+HTML content in mardkwon is not santized during rendering, possibly allowing
+XSS if used to render untrusted user input.
+"""
+
+cve = "CVE-2019-19619"
+
+symbols = ["Provider.Render"]
+
+[[versions]]
+fixed = "v1.76.3-0.20191119114751-a4384210d4d0"
+
+[links]
+commit = "https://github.com/documize/community/commit/a4384210d4d0d6b18e6fdb7e155de96d4a1cf9f3"
--- a/reports/GO-2021-0087.toml
+++ b/reports/GO-2021-0087.toml
@ -0,0 +1,23 @@
+module = "github.com/opencontainers/runc"
+package = "github.com/opencontainers/runc/libcontainer"
+
+description = """
+A race while mounting volumes allows a possible symlink-exchange
+attack, allowing a user whom can start multiple containers with
+custom volume mount configurations to escape the container.
+
+"""
+
+cve = "CVE-2019-19921"
+
+credit = "Leopold Schabel"
+
+symbols = ["mountToRootfs"]
+
+[[versions]]
+fixed = "v1.0.0-rc9.0.20200122160610-2fc03cc11c77"
+
+[links]
+commit = "https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0"
+pr = "https://github.com/opencontainers/runc/pull/2207"
+context = ["https://github.com/opencontainers/runc/issues/2197"]
--- a/reports/GO-2021-0088.toml
+++ b/reports/GO-2021-0088.toml
@ -0,0 +1,20 @@
+module = "github.com/facebook/fbthrift"
+package = "github.com/facebook/fbthrift/thrift/lib/go/thrift"
+
+description = """
+Skip ignores unknown fields, rather than failing. A malicious user can craft small
+messages with unknown fields which can take significant resources to parse. If a
+server accepts messages from an untrusted user, it may be used as a denial of service
+vector.
+"""
+
+cve = "CVE-2019-3564"
+
+symbols = ["Skip"]
+
+[[versions]]
+fixed = "v0.31.1-0.20190225164308-c461c1bd1a3e"
+
+[links]
+commit = "https://github.com/facebook/fbthrift/commit/c461c1bd1a3e130b181aa9c854da3030cd4b5156"
+context = ["https://www.facebook.com/security/advisories/cve-2019-3564"]
--- a/reports/GO-2021-0089.toml
+++ b/reports/GO-2021-0089.toml
@ -0,0 +1,21 @@
+module = "github.com/buger/jsonparser"
+
+description = """
+Parsing malformed JSON which contain opening brackets, but not closing brackes,
+leads to an infinite loop. If operating on untrusted user input this can be
+used as a denial of service vector.
+"""
+
+cve = "CVE-2020-10675"
+
+credit = "Cong Wang"
+
+symbols = ["findKeyStart"]
+
+[[versions]]
+fixed = "v0.0.0-20200321185410-91ac96899e49"
+
+[links]
+commit = "https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717"
+pr = "https://github.com/buger/jsonparser/pull/192"
+context = ["https://github.com/buger/jsonparser/issues/188"]
--- a/reports/GO-2021-0090.toml
+++ b/reports/GO-2021-0090.toml
@ -0,0 +1,23 @@
+module = "github.com/tendermint/tendermint"
+package = "github.com/tendermint/tendermint/types"
+
+description = """
+Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping
+these signatures, they cause failure during verification. A malicious proposer can use this to force
+consensus failures.
+"""
+
+cve = "CVE-2020-15091"
+
+credit = "Neeraj Murarka"
+
+symbols = ["VoteSet.MakeCommit"]
+
+[[versions]]
+introduced = "v0.33.0"
+fixed = "v0.34.0-dev1.0.20200702134149-480b995a3172"
+
+[links]
+commit = "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340"
+pr = "https://github.com/tendermint/tendermint/pull/5426"
+context = ["https://github.com/tendermint/tendermint/issues/4926"]
--- a/reports/GO-2021-0091.toml
+++ b/reports/GO-2021-0091.toml
@ -0,0 +1,21 @@
+module = "github.com/gofiber/fiber"
+
+description = """
+Due to improper input validation when uploading a file, a malicious user may
+force the server to return arbitary HTTP headers when the uploaded file
+is downloaded.
+"""
+
+cve = "CVE-2020-15111"
+
+credit = "Hasibul Hasan and Abdullah Shaleh"
+
+symbols = ["Ctx.Attachment"]
+
+[[versions]]
+fixed = "v1.12.6-0.20200710202935-a8ad5454363f"
+
+[links]
+commit = "https://github.com/gofiber/fiber/commit/a8ad5454363f627c3f9469c56c5faaf1b943f06a"
+pr = "github.com/gofiber/fiber/pull/579"
+context = ["https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh"]
--- a/reports/GO-2021-0092.toml
+++ b/reports/GO-2021-0092.toml
@ -0,0 +1,17 @@
+module = "github.com/ory/fosite"
+
+description = """
+Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
+replayed.
+"""
+
+cve = "CVE-2020-15222"
+
+symbols = ["Fosite.AuthenticateClient"]
+
+[[versions]]
+fixed = "v0.31.0"
+
+[links]
+commit = "https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9"
+context = ["https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43"]
--- a/reports/GO-2021-0094.toml
+++ b/reports/GO-2021-0094.toml
@ -0,0 +1,22 @@
+module = "github.com/hashicorp/go-slug"
+
+description = """
+Protections against directory traversal during archive extraction can be
+bypassed by chaining multiple symbolic links within the archive. This allows
+a malicious attacker to cause files to be created outside of the target
+directory. Additionally if the attacker is able to read extracted files
+they may create symbolic links to arbitary files on the system which the
+unpacker has permissions to read.
+"""
+
+cve = "CVE-2020-29529"
+
+symbols = ["Unpack"]
+
+[[versions]]
+fixed = "v0.5.0"
+
+[links]
+commit = "https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f"
+pr = "https://github.com/hashicorp/go-slug/pull/12"
+context = ["https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug"]
--- a/reports/GO-2021-0095.toml
+++ b/reports/GO-2021-0095.toml
@ -0,0 +1,22 @@
+module = "github.com/google/go-tpm"
+package = "github.com/google/go-tpm/tpm"
+
+description = """
+Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
+is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
+allowing them to use the created key.
+"""
+
+cve = "CVE-2020-8918"
+
+credit = "Chris Fenner"
+
+symbols = ["CreateWrapKey"]
+
+[[versions]]
+fixed = "v0.3.0"
+
+[links]
+commit = "https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141"
+pr = "https://github.com/google/go-tpm/pull/195"
+context = ["https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"]
--- a/reports/GO-2021-0096.toml
+++ b/reports/GO-2021-0096.toml
@ -0,0 +1,17 @@
+module = "github.com/proglottis/gpgme"
+
+description = """
+Due to improper setting of finalizers, memory passed to C may be freed before it is used,
+leading to crashes due to memory corruption or possible code execution.
+"""
+
+cve = "CVE-2020-8945"
+
+credit = "Ulrich Obergfell"
+
+[[versions]]
+fixed = "v0.1.1"
+
+[links]
+commit = "https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733"
+pr = "https://github.com/proglottis/gpgme/pull/23"
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+module = ""
 package = ""

 description = """
--- a/77
+++ b/77
@ -0,0 +1,77 @@
+# This file contains a list of CVEs identified by cmd/cve-triage which may be
+# related to Go modules. It tracks which CVEs have already been triaged, which
+# are false positives, and which are pending triaging.
+#
+# The format of each line is as follows:
+#   <CVE-ID> <state> <comma separated list of reports linked to CVE>
+#
+# <state> may be one of the following: false-positive, triaged, pending
+#
+# When <state> is false-positive, lines may end with a comment which indicates
+# why they have been flagged so, e.g. "# non-importable code" or "# not go code".
+
+CVE-2018-17846 triaged GO-2020-0014
+CVE-2020-35381 triaged GO-2021-0057
+CVE-2019-12496 triaged GO-2021-0083
+CVE-2017-3204 triaged GO-2020-0013
+CVE-2020-25614 triaged GO-2020-0048
+CVE-2019-11250 triaged GO-2021-0065
+CVE-2020-8564 triaged GO-2021-0066
+CVE-2018-18206 triaged GO-2021-0079
+CVE-2019-19619 triaged GO-2021-0086
+CVE-2019-3564 triaged GO-2021-0088
+CVE-2017-18367 triaged GO-2020-0007
+CVE-2020-28362 triaged GO-2021-0069
+CVE-2018-1103 triaged GO-2020-0026
+CVE-2020-14040 triaged GO-2020-0015
+CVE-2014-8681 triaged GO-2020-0021
+CVE-2019-11254 triaged GO-2020-0036
+CVE-2019-16354 triaged GO-2021-0084
+CVE-2019-16884 triaged GO-2021-0085
+CVE-2020-15091 triaged GO-2021-0090
+CVE-2016-9123 triaged GO-2020-0009
+CVE-2020-28483 triaged GO-2021-0052
+CVE-2020-29509 triaged GO-2021-0060
+CVE-2020-29529 triaged GO-2021-0094
+CVE-2020-26160 triaged GO-2020-0017
+CVE-2019-11253 triaged GO-2021-0062
+CVE-2016-3697 triaged GO-2021-0070
+CVE-2020-7711 triaged GO-2020-0046
+CVE-2020-15216 triaged GO-2020-0050,GO-2021-0056
+CVE-2017-11468 triaged GO-2021-0072
+CVE-2020-8945 triaged GO-2020-0002,GO-2020-0031,GO-2021-0096
+CVE-2021-3115 triaged GO-2021-0068
+CVE-2019-11939 triaged GO-2021-0082
+CVE-2020-8565 triaged GO-2021-0064
+CVE-2020-12666 triaged GO-2020-0039
+CVE-2020-35380 triaged GO-2021-0059
+CVE-2018-17419 triaged GO-2020-0028
+CVE-2021-27919 triaged GO-2021-0067
+CVE-2020-10675 triaged GO-2021-0089
+CVE-2020-15111 triaged GO-2021-0091
+CVE-2020-15106 triaged GO-2020-0005
+CVE-2018-16886 triaged GO-2021-0077
+CVE-2020-8918 triaged GO-2021-0095
+CVE-2015-1340 triaged GO-2021-0071
+CVE-2019-20786 triaged GO-2020-0038
+CVE-2018-6558 triaged GO-2020-0027
+CVE-2017-17831 triaged GO-2021-0073
+CVE-2018-14632 triaged GO-2021-0076
+CVE-2018-17075 triaged GO-2021-0078
+CVE-2019-19921 triaged GO-2021-0087
+CVE-2020-27813 triaged GO-2020-0019
+CVE-2016-9122 triaged GO-2020-0011
+CVE-2020-7667 triaged GO-2020-0042
+CVE-2020-36067 triaged GO-2021-0054
+CVE-2020-27846 triaged GO-2021-0058
+CVE-2020-26264 triaged GO-2021-0063
+CVE-2018-12018 triaged GO-2021-0075
+CVE-2020-15222 triaged GO-2021-0092
+CVE-2016-9121 triaged GO-2020-0010
+CVE-2019-19794 triaged GO-2020-0008
+CVE-2020-9283 triaged GO-2020-0012
+CVE-2020-7668 triaged GO-2020-0041
+CVE-2018-21246 triaged GO-2020-0043
+CVE-2021-3121 triaged GO-2021-0053
+CVE-2019-10214 triaged GO-2021-0081
+CVE-2017-15133 triaged GO-2020-0006