vulndb/data/reports/GO-2021-0084.yaml

modules:
  - module: github.com/astaxie/beego
    versions:
      - fixed: 1.12.2-0.20200613154013-bac2b31afecc
    vulnerable_at: 1.12.2-0.20200610083815-4ad699b7b813
    packages:
      - package: github.com/astaxie/beego/session
        symbols:
          - FileProvider.SessionRead
          - FileProvider.SessionRegenerate
summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
description: |
    Session data is stored using permissive permissions, allowing local users
    with filesystem access to read arbitrary data.
published: 2021-04-14T20:04:52Z
cves:
  - CVE-2019-16354
ghsas:
  - GHSA-f6px-w8rh-7r89
credit: '@nicowaisman'
references:
  - fix: https://github.com/beego/beego/pull/3975
  - fix: https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1
  - web: https://github.com/beego/beego/issues/3763
data: update reports for OSV schema changes Change-Id: I381c0225514627719d103395580f3b2d8d8efc2d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/424899 Reviewed-by: Julie Qiu <julieqiu@google.com> 2022-08-19 01:09:12 +03:00			`modules:`
all: refactor report packages into a list Combine the Report.{Module,Package,...} fields with the Report.AdditionalPackages field into a single Report.Packages field with a list of affected packages. Fixes #52836. Change-Id: I84432f242fdbdac5d8609f0406d1f12f925108be Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/405574 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Jonathan Amsterdam <jba@google.com> 2022-05-11 01:03:50 +03:00			`- module: github.com/astaxie/beego`
			`versions:`
all: use unprefixed SemVer 2.0.0 versions in reports Standardize on the same version syntax as OSV: X.Y.Z, no "v" prefix. Avoids confusion about what a "go"-prefixed version is: A tag (in which case we need to support "go1.19rc1") or a weird semver version? Fixes golang/go#52877. Change-Id: I4053e765f93d8c20a890d5481d264f009831b5b8 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/406155 Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Damien Neil <dneil@google.com> 2022-05-13 02:02:17 +03:00			`- fixed: 1.12.2-0.20200613154013-bac2b31afecc`
data/reports: batch add vulnerable_at Change-Id: Id7e733dd37ca9462d6001d7db510cfdf7e0cc80b Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/462716 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 2023-01-18 23:44:49 +03:00			`vulnerable_at: 1.12.2-0.20200610083815-4ad699b7b813`
data: update reports for OSV schema changes Change-Id: I381c0225514627719d103395580f3b2d8d8efc2d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/424899 Reviewed-by: Julie Qiu <julieqiu@google.com> 2022-08-19 01:09:12 +03:00			`packages:`
			`- package: github.com/astaxie/beego/session`
			`symbols:`
			`- FileProvider.SessionRead`
			`- FileProvider.SessionRegenerate`
internal/report, data/reports: require summary field in YAML Adds a lint check to require a non-empty summary field in YAML reports, and backfills summary field for all old reports with a TODO. (This TODO is OK because the summary field is not yet published to OSV.) For golang/go#56443 Change-Id: I368d48ceca35ed74a0461550d5386ae7ff85be1a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/493595 Reviewed-by: Tim King <taking@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-05-08 20:11:54 +03:00			`summary: 'TODO(https://go.dev/issue/56443): fill in summary field'`
all: switch from toml to yaml Change-Id: I9fb36a246d0d532e44a28903998b9750cf794a85 Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1055925 Reviewed-by: Roland Shoemaker <bracewell@google.com> 2021-04-14 22:59:24 +03:00			`description: \|`
reports: reformat Run `vulnreport format` on all reports. Change-Id: I442d0a3b12bf9a6e2e6b5c3ff5e201313d3929a1 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/382515 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Julie Qiu <julie@golang.org> 2022-02-02 20:53:36 +03:00			`Session data is stored using permissive permissions, allowing local users`
			`with filesystem access to read arbitrary data.`
reports: add published date Change-Id: Ifb5126cfe601f7d2df9df92dbfc3b1a21e4f01bd Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/384835 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org> 2022-02-10 16:53:15 +03:00			`published: 2021-04-14T20:04:52Z`
reports: replace cve field with cves The CVE field will be deprecated for the CVEs field in a future CL, since having both fields is redundant. Change-Id: I4db220107a0899ae94d813ab8e0cde8af9b8a497 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/375394 Trust: Julie Qiu <julie@golang.org> Run-TryBot: Julie Qiu <julie@golang.org> Reviewed-by: Jonathan Amsterdam <jba@google.com> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2022-01-04 23:37:42 +03:00			`cves:`
			`- CVE-2019-16354`
reports: add GitHub Security Advisories Using vulnreport fix, populate the GHSA IDs for all existing reports. Change-Id: I09cabc16895994ccff1e2cab628a6c7b9d6a4bf4 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/388677 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: kokoro <noreply+kokoro@google.com> 2022-03-01 18:04:31 +03:00			`ghsas:`
			`- GHSA-f6px-w8rh-7r89`
reports: reformat Run `vulnreport format` on all reports. Change-Id: I442d0a3b12bf9a6e2e6b5c3ff5e201313d3929a1 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/382515 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Julie Qiu <julie@golang.org> 2022-02-02 20:53:36 +03:00			`credit: '@nicowaisman'`
data/reports: change links to references Update all reports to use the new reference format. Change-Id: I9050d6bb35392c3ba451e5388b1e970a7640db76 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/426036 Reviewed-by: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Damien Neil <dneil@google.com> 2022-08-27 00:59:35 +03:00			`references:`
			`- fix: https://github.com/beego/beego/pull/3975`
			`- fix: https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1`
			`- web: https://github.com/beego/beego/issues/3763`