reports: add a handful of CVEs

Results of testing new CVE triaging tooling. Also adds a file which
tracks which CVEs have been triaged. Still need to add all of the
false positives, but would like to fine tune the triage tooling first
to hopefully cut down the number of them.

Change-Id: I7591b10f5abc5e73b6a3291beeaedca0032ad02f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1053804
Reviewed-by: Roland Shoemaker <bracewell@google.com>
This commit is contained in:
Roland Shoemaker 2021-04-13 10:50:27 -07:00 коммит произвёл Roland Shoemaker
Родитель 0cb7a210b0
Коммит 91bf12f5f8
28 изменённых файлов: 601 добавлений и 7 удалений

Просмотреть файл

@ -14,9 +14,6 @@ credit = "Trail of Bits"
symbols = ["WAL.ReadAll"] symbols = ["WAL.ReadAll"]
[[versions]] [[versions]]
# Do we also need a way to indicate "fixed after this version, but also these specific
# earlier point releases are also fixed"? In this case >= 3.4.10 is fixed, but so was
# 3.3.23
fixed = "v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4" fixed = "v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4"
[links] [links]

Просмотреть файл

@ -1,4 +1,5 @@
module = "github.com/russellhaering/goxmldsig" module = "github.com/dexidp/dex"
package = "github.com/dexidp/dex/connector/saml"
description = """ description = """
An XML message can be maliciously crafted such that signature An XML message can be maliciously crafted such that signature
@ -9,11 +10,11 @@ cve = "CVE-2020-15216"
credit = "Juho Nurminen (Mattermost)" credit = "Juho Nurminen (Mattermost)"
symbols = ["ValidationContext.findSignature"] symbols = ["provider.HandlePOST"]
[[versions]] [[versions]]
fixed = "v1.1.0" fixed = "v0.0.0-20201214082111-324b1c886b40"
[links] [links]
commit = "https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8" commit = "https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8"
context = ["https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"] context = ["https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"]

26
reports/GO-2021-0070.toml Normal file
Просмотреть файл

@ -0,0 +1,26 @@
module = "github.com/opencontainers/runc"
package = "github.com/opencontainers/runc/libcontainer/user"
description = """
GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
improperly interpred numeric UIDs as usernames. If the method is used without
verify usernames are formatted as expected, it may allow a user to gain unexpected
privileges.
"""
cve = "CVE-2016-3697"
symbols = ["GetExecUser"]
[[versions]]
fixed = "v0.1.0"
[links]
commit = "https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091"
pr = "https://github.com/opencontainers/runc/pull/708"
context = [
"https://github.com/docker/docker/issues/21436",
"http://rhn.redhat.com/errata/RHSA-2016-1034.html",
"http://rhn.redhat.com/errata/RHSA-2016-2634.html",
"https://security.gentoo.org/glsa/201612-28"
]

22
reports/GO-2021-0071.toml Normal file
Просмотреть файл

@ -0,0 +1,22 @@
module = "github.com/lxc/lxd"
package = "github.com/lxc/lxd/shared"
description = """
A race between chown and chmod operations during a container filesystem shift
may allow a user who can modify the filesystem to chmod an arbitary path of
their choice, rather than the expected path.
"""
cve = "CVE-2015-1340"
credit = "Seth Arnold"
symbols = ["IdmapSet.doUidshiftIntoContainer"]
[[versions]]
fixed = "v0.0.0-20151004155856-19c6961cc101"
[links]
commit = "https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4"
pr = "https://github.com/lxc/lxd/pull/1189"
context = ["https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270"]

30
reports/GO-2021-0072.toml Normal file
Просмотреть файл

@ -0,0 +1,30 @@
module = "github.com/docker/distribution"
package = "github.com/docker/distribution/registry/handlers"
description = """
Various storage methods do not impose limits on how much content is accepted
from user requests, allowing a malicious user to force the caller to allocate
an arbitary amount of memory.
"""
cve = "CVE-2017-11468"
symbols = ["copyFullPayload"]
[[versions]]
fixed = "v2.7.0-rc.0+incompatible"
[[additional_packages]]
module = "github.com/docker/distribution"
package = "github.com/docker/distribution/registry/storage"
symbols = ["blobStore.Get"]
[[additional_packages.versions]]
fixed = "v2.7.0-rc.0+incompatible"
[links]
commit = "https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f"
pr = "https://github.com/distribution/distribution/pull/2340"
context = [
"https://access.redhat.com/errata/RHSA-2017:2603",
"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html"
]

24
reports/GO-2021-0073.toml Normal file
Просмотреть файл

@ -0,0 +1,24 @@
module = "github.com/git-lfs/git-lfs"
package = "github.com/git-lfs/git-lfs/lfsapi"
description = """
Arbitary command execution can be triggered by improperly
sanitized SSH URLs in LFS configuration files. This can be
triggered by cloning a malicious repoistory.
"""
cve = "CVE-2017-17831"
symbols = ["sshGetLFSExeAndArgs"]
[[versions]]
fixed = "v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible"
[links]
commit = "https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19"
pr = "https://github.com/git-lfs/git-lfs/pull/2241"
context = [
"http://blog.recurity-labs.com/2017-08-10/scm-vulns",
"https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html",
"http://www.securityfocus.com/bid/102926"
]

19
reports/GO-2021-0075.toml Normal file
Просмотреть файл

@ -0,0 +1,19 @@
module = "github.com/ethereum/go-ethereum"
package = "github.com/ethereum/go-ethereum/les"
description = """
Due to improper argument validation in RPC messages, a maliciously crafted
message can cause a panic, leading to denial of service.
"""
cve = "CVE-2018-12018"
symbols = ["protocolManager.handleMsg"]
[[versions]]
fixed = "v1.8.11"
[links]
commit = "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4"
pr = "https://github.com/ethereum/go-ethereum/pull/16891"
context = ["https://peckshield.com/2018/06/27/EPoD/"]

18
reports/GO-2021-0076.toml Normal file
Просмотреть файл

@ -0,0 +1,18 @@
module = "github.com/evanphx/json-patch"
description = """
A malicious JSON patch can cause a panic due to an out-of-bounds
write attempt. This can be used as a denial of service vector if
exposed to arbitary user input.
"""
cve = "CVE-2018-14632"
symbols = ["partialArray.add"]
[[versions]]
fixed = "v0.5.2"
[links]
commit = "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03"
pr = "https://github.com/evanphx/json-patch/pull/57"

20
reports/GO-2021-0077.toml Normal file
Просмотреть файл

@ -0,0 +1,20 @@
module = "go.etcd.io/etcd"
package = "go.etcd.io/etcd/auth"
description = """
A user can use a valid client certificate that contains a CommonName that matches a
valid RBAC username to authenticate themselves as that user, despite lacking the
required credentials. This may allow authentication bypass, but requires a certificate
that is issued by a CA trusted by the server.
"""
cve = "CVE-2018-16886"
symbols = ["authStore.AuthInfoFromTLS"]
[[versions]]
fixed = "v0.5.0-alpha.5.0.20190108173120-83c051b701d3"
[links]
commit = "https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2"
pr = "https://github.com/etcd-io/etcd/pull/10366"

26
reports/GO-2021-0078.toml Normal file
Просмотреть файл

@ -0,0 +1,26 @@
module = "golang.org/x/net"
package = "golang.org/x/net/html"
description = """
The HTML parser does not properly handle "in frameset" insertion mode, and can be made
to panic when operating on malformed HTML that contains <template> tags. If operating
on user input, this may be a vector for a denial of service attack.
"""
cve = "CVE-2018-17075"
credit = "Kunpei Sakai"
symbols = ["inBodyIM", "inFramesetIM"]
[[versions]]
fixed = "v0.0.0-20180816102801-aaf60122140d"
[links]
commit = "https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50"
pr = "https://go-review.googlesource.com/123776"
context = [
"https://github.com/golang/go/issues/27016",
"https://bugs.chromium.org/p/chromium/issues/detail?id=829668",
"https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906"
]

22
reports/GO-2021-0079.toml Normal file
Просмотреть файл

@ -0,0 +1,22 @@
module = "github.com/bytom/bytom"
package = "github.com/bytom/bytom/p2p/discover"
description = """
A malformed query can cause an out-of-bounds panic due to improper
validation of arguments. If processing queries from untrusted
parties, this may be used as a vector for denial of service
attacks.
"""
cve = "CVE-2018-18206"
credit = "@yahtoo"
symbols = ["Network.checkTopicRegister"]
[[versions]]
fixed = "v1.0.4-0.20180831054840-1ac3c8ac4f2b"
[links]
commit = "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
pr = "https://github.com/Bytom/bytom/pull/1307"

24
reports/GO-2021-0081.toml Normal file
Просмотреть файл

@ -0,0 +1,24 @@
module = "github.com/containers/image"
package = "github.com/containers/image/docker"
description = """
The HTTP client used to connect to the container registry authorization
service explicitly disables TLS verification, allowing an attacker that
is able to MITM the connection to steal credentials.
"""
cve = "CVE-2019-10214"
symbols = ["dockerClient.getBearerToken"]
[[versions]]
introduced = ""
fixed = "v2.0.2-0.20190802080134-634605d06e73+incompatible"
[links]
commit = "https://github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf"
pr = "https://github.com/containers/image/pull/669"
context = [
"https://github.com/containers/image/issues/654",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214"
]

19
reports/GO-2021-0082.toml Normal file
Просмотреть файл

@ -0,0 +1,19 @@
module = "github.com/facebook/fbthrift"
package = "github.com/facebook/fbthrift/thrift/lib/go/thrift"
description = """
Thirft Servers preallocate memory for the declared size of messages before
checking the actual size of the message. This allows a malicious user to
send messages that declare that they are significantly larger than they
actually are, allowing them to force the server to allocate significant
amounts of memory. This can be used as a denial of service vector.
"""
cve = "CVE-2019-11939"
[[versions]]
fixed = "v0.31.1-0.20200311080807-483ed864d69f"
[links]
commit = "https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757"
context = ["https://www.facebook.com/security/advisories/cve-2019-11939"]

19
reports/GO-2021-0083.toml Normal file
Просмотреть файл

@ -0,0 +1,19 @@
module = "github.com/hybridgroup/gobot"
package = "github.com/hybridgroup/gobot/platforms/mqtt"
description = """
TLS certificate verification is skipped when connecting to a MQTT server.
This allows an attacker who can MITM the connection to read, or forge,
messages passed between the client and server.
"""
cve = "CVE-2019-12496"
symbols = ["Adaptor.newTLSConfig"]
[[versions]]
fixed = "v1.12.1-0.20190521122906-c1aa4f867846"
[links]
commit = "https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f"
context = ["https://github.com/hybridgroup/gobot/releases/tag/v1.13.0"]

21
reports/GO-2021-0084.toml Normal file
Просмотреть файл

@ -0,0 +1,21 @@
module = "github.com/astaxie/beego"
package = "github.com/astaxie/beego/session"
description = """
Session data is stored using permissive permissions, allowing local users
with filesystem access to read arbitary data.
"""
cve = "CVE-2019-16354"
credit = "@nicowaisman"
symbols = ["FileProvider.SessionRead", "FileProvider.SessionRegenerate"]
[[versions]]
fixed = "v1.12.2-0.20200613154013-bac2b31afecc"
[links]
commit = "https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1"
pr = "https://github.com/beego/beego/pull/3975"
context = ["https://github.com/beego/beego/issues/3763"]

25
reports/GO-2021-0085.toml Normal file
Просмотреть файл

@ -0,0 +1,25 @@
module = "github.com/opencontainers/runc"
package = "github.com/opencontainers/runc/libcontainer"
description = """
AppArmor restrictions may be bypassed due to improper validation of mount
targets, allowing a malicious image to mount volumes over e.g. /proc.
"""
cve = "CVE-2019-16884"
credit = "Leopold Schabel"
[[versions]]
fixed = "v1.0.0-rc8.0.20190930145003-cad42f6e0932"
[[additional_packages]]
module = "github.com/opencontainers/selinux"
package = "github.com/opencontainers/selinux/go-selinux"
[[additional_packages.versions]]
fixed = "v1.3.1-0.20190929122143-5215b1806f52"
[links]
commit = "https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4"
pr = "https://github.com/opencontainers/runc/pull/2130"
context = ["https://github.com/opencontainers/runc/issues/2128"]

17
reports/GO-2021-0086.toml Normal file
Просмотреть файл

@ -0,0 +1,17 @@
module = "github.com/documize/community"
package = "github.com/documize/community/domain/section/markdown"
description = """
HTML content in mardkwon is not santized during rendering, possibly allowing
XSS if used to render untrusted user input.
"""
cve = "CVE-2019-19619"
symbols = ["Provider.Render"]
[[versions]]
fixed = "v1.76.3-0.20191119114751-a4384210d4d0"
[links]
commit = "https://github.com/documize/community/commit/a4384210d4d0d6b18e6fdb7e155de96d4a1cf9f3"

23
reports/GO-2021-0087.toml Normal file
Просмотреть файл

@ -0,0 +1,23 @@
module = "github.com/opencontainers/runc"
package = "github.com/opencontainers/runc/libcontainer"
description = """
A race while mounting volumes allows a possible symlink-exchange
attack, allowing a user whom can start multiple containers with
custom volume mount configurations to escape the container.
"""
cve = "CVE-2019-19921"
credit = "Leopold Schabel"
symbols = ["mountToRootfs"]
[[versions]]
fixed = "v1.0.0-rc9.0.20200122160610-2fc03cc11c77"
[links]
commit = "https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0"
pr = "https://github.com/opencontainers/runc/pull/2207"
context = ["https://github.com/opencontainers/runc/issues/2197"]

20
reports/GO-2021-0088.toml Normal file
Просмотреть файл

@ -0,0 +1,20 @@
module = "github.com/facebook/fbthrift"
package = "github.com/facebook/fbthrift/thrift/lib/go/thrift"
description = """
Skip ignores unknown fields, rather than failing. A malicious user can craft small
messages with unknown fields which can take significant resources to parse. If a
server accepts messages from an untrusted user, it may be used as a denial of service
vector.
"""
cve = "CVE-2019-3564"
symbols = ["Skip"]
[[versions]]
fixed = "v0.31.1-0.20190225164308-c461c1bd1a3e"
[links]
commit = "https://github.com/facebook/fbthrift/commit/c461c1bd1a3e130b181aa9c854da3030cd4b5156"
context = ["https://www.facebook.com/security/advisories/cve-2019-3564"]

21
reports/GO-2021-0089.toml Normal file
Просмотреть файл

@ -0,0 +1,21 @@
module = "github.com/buger/jsonparser"
description = """
Parsing malformed JSON which contain opening brackets, but not closing brackes,
leads to an infinite loop. If operating on untrusted user input this can be
used as a denial of service vector.
"""
cve = "CVE-2020-10675"
credit = "Cong Wang"
symbols = ["findKeyStart"]
[[versions]]
fixed = "v0.0.0-20200321185410-91ac96899e49"
[links]
commit = "https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717"
pr = "https://github.com/buger/jsonparser/pull/192"
context = ["https://github.com/buger/jsonparser/issues/188"]

23
reports/GO-2021-0090.toml Normal file
Просмотреть файл

@ -0,0 +1,23 @@
module = "github.com/tendermint/tendermint"
package = "github.com/tendermint/tendermint/types"
description = """
Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping
these signatures, they cause failure during verification. A malicious proposer can use this to force
consensus failures.
"""
cve = "CVE-2020-15091"
credit = "Neeraj Murarka"
symbols = ["VoteSet.MakeCommit"]
[[versions]]
introduced = "v0.33.0"
fixed = "v0.34.0-dev1.0.20200702134149-480b995a3172"
[links]
commit = "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340"
pr = "https://github.com/tendermint/tendermint/pull/5426"
context = ["https://github.com/tendermint/tendermint/issues/4926"]

21
reports/GO-2021-0091.toml Normal file
Просмотреть файл

@ -0,0 +1,21 @@
module = "github.com/gofiber/fiber"
description = """
Due to improper input validation when uploading a file, a malicious user may
force the server to return arbitary HTTP headers when the uploaded file
is downloaded.
"""
cve = "CVE-2020-15111"
credit = "Hasibul Hasan and Abdullah Shaleh"
symbols = ["Ctx.Attachment"]
[[versions]]
fixed = "v1.12.6-0.20200710202935-a8ad5454363f"
[links]
commit = "https://github.com/gofiber/fiber/commit/a8ad5454363f627c3f9469c56c5faaf1b943f06a"
pr = "github.com/gofiber/fiber/pull/579"
context = ["https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh"]

17
reports/GO-2021-0092.toml Normal file
Просмотреть файл

@ -0,0 +1,17 @@
module = "github.com/ory/fosite"
description = """
Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
replayed.
"""
cve = "CVE-2020-15222"
symbols = ["Fosite.AuthenticateClient"]
[[versions]]
fixed = "v0.31.0"
[links]
commit = "https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9"
context = ["https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43"]

22
reports/GO-2021-0094.toml Normal file
Просмотреть файл

@ -0,0 +1,22 @@
module = "github.com/hashicorp/go-slug"
description = """
Protections against directory traversal during archive extraction can be
bypassed by chaining multiple symbolic links within the archive. This allows
a malicious attacker to cause files to be created outside of the target
directory. Additionally if the attacker is able to read extracted files
they may create symbolic links to arbitary files on the system which the
unpacker has permissions to read.
"""
cve = "CVE-2020-29529"
symbols = ["Unpack"]
[[versions]]
fixed = "v0.5.0"
[links]
commit = "https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f"
pr = "https://github.com/hashicorp/go-slug/pull/12"
context = ["https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug"]

22
reports/GO-2021-0095.toml Normal file
Просмотреть файл

@ -0,0 +1,22 @@
module = "github.com/google/go-tpm"
package = "github.com/google/go-tpm/tpm"
description = """
Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
allowing them to use the created key.
"""
cve = "CVE-2020-8918"
credit = "Chris Fenner"
symbols = ["CreateWrapKey"]
[[versions]]
fixed = "v0.3.0"
[links]
commit = "https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141"
pr = "https://github.com/google/go-tpm/pull/195"
context = ["https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"]

17
reports/GO-2021-0096.toml Normal file
Просмотреть файл

@ -0,0 +1,17 @@
module = "github.com/proglottis/gpgme"
description = """
Due to improper setting of finalizers, memory passed to C may be freed before it is used,
leading to crashes due to memory corruption or possible code execution.
"""
cve = "CVE-2020-8945"
credit = "Ulrich Obergfell"
[[versions]]
fixed = "v0.1.1"
[links]
commit = "https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733"
pr = "https://github.com/proglottis/gpgme/pull/23"

Просмотреть файл

@ -1,3 +1,4 @@
module = ""
package = "" package = ""
description = """ description = """

77
triaged-cve-list Normal file
Просмотреть файл

@ -0,0 +1,77 @@
# This file contains a list of CVEs identified by cmd/cve-triage which may be
# related to Go modules. It tracks which CVEs have already been triaged, which
# are false positives, and which are pending triaging.
#
# The format of each line is as follows:
# <CVE-ID> <state> <comma separated list of reports linked to CVE>
#
# <state> may be one of the following: false-positive, triaged, pending
#
# When <state> is false-positive, lines may end with a comment which indicates
# why they have been flagged so, e.g. "# non-importable code" or "# not go code".
CVE-2018-17846 triaged GO-2020-0014
CVE-2020-35381 triaged GO-2021-0057
CVE-2019-12496 triaged GO-2021-0083
CVE-2017-3204 triaged GO-2020-0013
CVE-2020-25614 triaged GO-2020-0048
CVE-2019-11250 triaged GO-2021-0065
CVE-2020-8564 triaged GO-2021-0066
CVE-2018-18206 triaged GO-2021-0079
CVE-2019-19619 triaged GO-2021-0086
CVE-2019-3564 triaged GO-2021-0088
CVE-2017-18367 triaged GO-2020-0007
CVE-2020-28362 triaged GO-2021-0069
CVE-2018-1103 triaged GO-2020-0026
CVE-2020-14040 triaged GO-2020-0015
CVE-2014-8681 triaged GO-2020-0021
CVE-2019-11254 triaged GO-2020-0036
CVE-2019-16354 triaged GO-2021-0084
CVE-2019-16884 triaged GO-2021-0085
CVE-2020-15091 triaged GO-2021-0090
CVE-2016-9123 triaged GO-2020-0009
CVE-2020-28483 triaged GO-2021-0052
CVE-2020-29509 triaged GO-2021-0060
CVE-2020-29529 triaged GO-2021-0094
CVE-2020-26160 triaged GO-2020-0017
CVE-2019-11253 triaged GO-2021-0062
CVE-2016-3697 triaged GO-2021-0070
CVE-2020-7711 triaged GO-2020-0046
CVE-2020-15216 triaged GO-2020-0050,GO-2021-0056
CVE-2017-11468 triaged GO-2021-0072
CVE-2020-8945 triaged GO-2020-0002,GO-2020-0031,GO-2021-0096
CVE-2021-3115 triaged GO-2021-0068
CVE-2019-11939 triaged GO-2021-0082
CVE-2020-8565 triaged GO-2021-0064
CVE-2020-12666 triaged GO-2020-0039
CVE-2020-35380 triaged GO-2021-0059
CVE-2018-17419 triaged GO-2020-0028
CVE-2021-27919 triaged GO-2021-0067
CVE-2020-10675 triaged GO-2021-0089
CVE-2020-15111 triaged GO-2021-0091
CVE-2020-15106 triaged GO-2020-0005
CVE-2018-16886 triaged GO-2021-0077
CVE-2020-8918 triaged GO-2021-0095
CVE-2015-1340 triaged GO-2021-0071
CVE-2019-20786 triaged GO-2020-0038
CVE-2018-6558 triaged GO-2020-0027
CVE-2017-17831 triaged GO-2021-0073
CVE-2018-14632 triaged GO-2021-0076
CVE-2018-17075 triaged GO-2021-0078
CVE-2019-19921 triaged GO-2021-0087
CVE-2020-27813 triaged GO-2020-0019
CVE-2016-9122 triaged GO-2020-0011
CVE-2020-7667 triaged GO-2020-0042
CVE-2020-36067 triaged GO-2021-0054
CVE-2020-27846 triaged GO-2021-0058
CVE-2020-26264 triaged GO-2021-0063
CVE-2018-12018 triaged GO-2021-0075
CVE-2020-15222 triaged GO-2021-0092
CVE-2016-9121 triaged GO-2020-0010
CVE-2019-19794 triaged GO-2020-0008
CVE-2020-9283 triaged GO-2020-0012
CVE-2020-7668 triaged GO-2020-0041
CVE-2018-21246 triaged GO-2020-0043
CVE-2021-3121 triaged GO-2021-0053
CVE-2019-10214 triaged GO-2021-0081
CVE-2017-15133 triaged GO-2020-0006