vulndb/data/osv/GO-2023-1295.json

{
  "schema_version": "1.3.1",
  "id": "GO-2023-1295",
  "modified": "0001-01-01T00:00:00Z",
  "published": "0001-01-01T00:00:00Z",
  "aliases": [
    "CVE-2020-36645",
    "GHSA-3hc7-2xcc-7p8f"
  ],
  "summary": "SQL injection in github.com/square/squalor",
  "details": "There is a potential for SQL injection in the table name parameter.",
  "affected": [
    {
      "package": {
        "name": "github.com/square/squalor",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20200306154055-f6f0a47cc344"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/square/squalor",
            "symbols": [
              "AliasedTableExpr.Serialize",
              "AndExpr.Serialize",
              "BinaryExpr.Serialize",
              "ColName.Serialize",
              "Columns.Serialize",
              "ComparisonExpr.Serialize",
              "DB.BindModel",
              "DB.Delete",
              "DB.DeleteContext",
              "DB.Exec",
              "DB.ExecContext",
              "DB.Get",
              "DB.GetContext",
              "DB.Insert",
              "DB.InsertContext",
              "DB.InsertIgnore",
              "DB.InsertIgnoreContext",
              "DB.MustBindModel",
              "DB.Query",
              "DB.QueryContext",
              "DB.QueryRow",
              "DB.QueryRowContext",
              "DB.Replace",
              "DB.ReplaceContext",
              "DB.Select",
              "DB.SelectContext",
              "DB.Update",
              "DB.UpdateContext",
              "DB.Upsert",
              "DB.UpsertContext",
              "Delete.Serialize",
              "FuncExpr.Serialize",
              "GroupBy.Serialize",
              "Insert.Serialize",
              "JoinTableExpr.Serialize",
              "Limit.Serialize",
              "LoadTable",
              "NonStarExpr.Serialize",
              "NotExpr.Serialize",
              "NullCheck.Serialize",
              "OnDup.Serialize",
              "OnJoinCond.Serialize",
              "OrExpr.Serialize",
              "Order.Serialize",
              "OrderBy.Serialize",
              "ParenBoolExpr.Serialize",
              "RangeCond.Serialize",
              "Select.Serialize",
              "SelectExprs.Serialize",
              "Serialize",
              "StandardLogger.Log",
              "StarExpr.Serialize",
              "Table.loadColumns",
              "Table.loadKeys",
              "TableExprs.Serialize",
              "TableName.Serialize",
              "TableNames.Serialize",
              "Tx.Delete",
              "Tx.DeleteContext",
              "Tx.Exec",
              "Tx.ExecContext",
              "Tx.Get",
              "Tx.GetContext",
              "Tx.Insert",
              "Tx.InsertContext",
              "Tx.InsertIgnore",
              "Tx.InsertIgnoreContext",
              "Tx.Query",
              "Tx.QueryContext",
              "Tx.QueryRow",
              "Tx.QueryRowContext",
              "Tx.Replace",
              "Tx.ReplaceContext",
              "Tx.Select",
              "Tx.SelectContext",
              "Tx.Update",
              "Tx.UpdateContext",
              "Tx.Upsert",
              "Tx.UpsertContext",
              "Update.Serialize",
              "UpdateExpr.Serialize",
              "UpdateExprs.Serialize",
              "UsingJoinCond.Serialize",
              "ValExprs.Serialize",
              "ValTuple.Serialize",
              "Values.Serialize",
              "Where.Serialize",
              "quoteName"
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "REPORT",
      "url": "https://github.com/square/squalor/pull/76"
    },
    {
      "type": "FIX",
      "url": "https://github.com/square/squalor/pull/76/commits/033350b8596b397c6cefa066b1f2c83d35fc8c4a"
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2023-1295",
    "review_status": "REVIEWED"
  }
}
data/reports: add GO-2023-1295.yaml Aliases: CVE-2020-36645, GHSA-3hc7-2xcc-7p8f Fixes golang/vulndb#1295 Change-Id: I9947d523e7f9aa3b28e0a5b7641e140a858d1216 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464302 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Julie Qiu <julieqiu@google.com> Auto-Submit: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Julie Qiu <julie@golang.org> Reviewed-by: Julie Qiu <julieqiu@google.com> 2023-02-01 06:13:35 +03:00			`{`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`"schema_version": "1.3.1",`
data/reports: add GO-2023-1295.yaml Aliases: CVE-2020-36645, GHSA-3hc7-2xcc-7p8f Fixes golang/vulndb#1295 Change-Id: I9947d523e7f9aa3b28e0a5b7641e140a858d1216 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464302 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Julie Qiu <julieqiu@google.com> Auto-Submit: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Julie Qiu <julie@golang.org> Reviewed-by: Julie Qiu <julieqiu@google.com> 2023-02-01 06:13:35 +03:00			`"id": "GO-2023-1295",`
			`"modified": "0001-01-01T00:00:00Z",`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`"published": "0001-01-01T00:00:00Z",`
data/reports: add GO-2023-1295.yaml Aliases: CVE-2020-36645, GHSA-3hc7-2xcc-7p8f Fixes golang/vulndb#1295 Change-Id: I9947d523e7f9aa3b28e0a5b7641e140a858d1216 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464302 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Julie Qiu <julieqiu@google.com> Auto-Submit: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Julie Qiu <julie@golang.org> Reviewed-by: Julie Qiu <julieqiu@google.com> 2023-02-01 06:13:35 +03:00			`"aliases": [`
			`"CVE-2020-36645",`
			`"GHSA-3hc7-2xcc-7p8f"`
			`],`
internal/{osv,report}, data: publish summaries to OSV Modify ToOSV to publish the summary from the YAML report to OSV, and apply this change to each existing OSV report. For golang/go#56443 Change-Id: Iee78fe75f42fe9a52c6e4023ee9ad8dfa5feba8d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501203 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> 2023-06-06 21:13:32 +03:00			`"summary": "SQL injection in github.com/square/squalor",`
data/reports: add GO-2023-1295.yaml Aliases: CVE-2020-36645, GHSA-3hc7-2xcc-7p8f Fixes golang/vulndb#1295 Change-Id: I9947d523e7f9aa3b28e0a5b7641e140a858d1216 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464302 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Julie Qiu <julieqiu@google.com> Auto-Submit: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Julie Qiu <julie@golang.org> Reviewed-by: Julie Qiu <julieqiu@google.com> 2023-02-01 06:13:35 +03:00			`"details": "There is a potential for SQL injection in the table name parameter.",`
			`"affected": [`
			`{`
			`"package": {`
			`"name": "github.com/square/squalor",`
			`"ecosystem": "Go"`
			`},`
			`"ranges": [`
			`{`
			`"type": "SEMVER",`
			`"events": [`
			`{`
			`"introduced": "0"`
			`},`
			`{`
			`"fixed": "0.0.0-20200306154055-f6f0a47cc344"`
			`}`
			`]`
			`}`
			`],`
			`"ecosystem_specific": {`
			`"imports": [`
			`{`
			`"path": "github.com/square/squalor",`
			`"symbols": [`
data/reports: update GO-2023-1295.yaml Add missing symbols Fixes golang/vulndb#1295 Change-Id: I76718ce23a11c2ea4dc64fee322ebea67e9f11bd Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464537 Auto-Submit: Julie Qiu <julieqiu@google.com> Run-TryBot: Julie Qiu <julieqiu@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 2023-02-02 02:23:56 +03:00			`"AliasedTableExpr.Serialize",`
			`"AndExpr.Serialize",`
			`"BinaryExpr.Serialize",`
			`"ColName.Serialize",`
			`"Columns.Serialize",`
			`"ComparisonExpr.Serialize",`
data/reports: add GO-2023-1295.yaml Aliases: CVE-2020-36645, GHSA-3hc7-2xcc-7p8f Fixes golang/vulndb#1295 Change-Id: I9947d523e7f9aa3b28e0a5b7641e140a858d1216 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464302 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Julie Qiu <julieqiu@google.com> Auto-Submit: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Julie Qiu <julie@golang.org> Reviewed-by: Julie Qiu <julieqiu@google.com> 2023-02-01 06:13:35 +03:00			`"DB.BindModel",`
data/reports: update GO-2023-1295.yaml Add missing symbols Fixes golang/vulndb#1295 Change-Id: I76718ce23a11c2ea4dc64fee322ebea67e9f11bd Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464537 Auto-Submit: Julie Qiu <julieqiu@google.com> Run-TryBot: Julie Qiu <julieqiu@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 2023-02-02 02:23:56 +03:00			`"DB.Delete",`
			`"DB.DeleteContext",`
			`"DB.Exec",`
			`"DB.ExecContext",`
			`"DB.Get",`
			`"DB.GetContext",`
			`"DB.Insert",`
			`"DB.InsertContext",`
			`"DB.InsertIgnore",`
			`"DB.InsertIgnoreContext",`
data/reports: add GO-2023-1295.yaml Aliases: CVE-2020-36645, GHSA-3hc7-2xcc-7p8f Fixes golang/vulndb#1295 Change-Id: I9947d523e7f9aa3b28e0a5b7641e140a858d1216 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464302 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Julie Qiu <julieqiu@google.com> Auto-Submit: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Julie Qiu <julie@golang.org> Reviewed-by: Julie Qiu <julieqiu@google.com> 2023-02-01 06:13:35 +03:00			`"DB.MustBindModel",`
data/reports: update GO-2023-1295.yaml Add missing symbols Fixes golang/vulndb#1295 Change-Id: I76718ce23a11c2ea4dc64fee322ebea67e9f11bd Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464537 Auto-Submit: Julie Qiu <julieqiu@google.com> Run-TryBot: Julie Qiu <julieqiu@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 2023-02-02 02:23:56 +03:00			`"DB.Query",`
			`"DB.QueryContext",`
			`"DB.QueryRow",`
			`"DB.QueryRowContext",`
			`"DB.Replace",`
			`"DB.ReplaceContext",`
			`"DB.Select",`
			`"DB.SelectContext",`
			`"DB.Update",`
			`"DB.UpdateContext",`
			`"DB.Upsert",`
			`"DB.UpsertContext",`
			`"Delete.Serialize",`
			`"FuncExpr.Serialize",`
			`"GroupBy.Serialize",`
			`"Insert.Serialize",`
			`"JoinTableExpr.Serialize",`
			`"Limit.Serialize",`
data/reports: add GO-2023-1295.yaml Aliases: CVE-2020-36645, GHSA-3hc7-2xcc-7p8f Fixes golang/vulndb#1295 Change-Id: I9947d523e7f9aa3b28e0a5b7641e140a858d1216 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464302 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Julie Qiu <julieqiu@google.com> Auto-Submit: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Julie Qiu <julie@golang.org> Reviewed-by: Julie Qiu <julieqiu@google.com> 2023-02-01 06:13:35 +03:00			`"LoadTable",`
data/reports: update GO-2023-1295.yaml Add missing symbols Fixes golang/vulndb#1295 Change-Id: I76718ce23a11c2ea4dc64fee322ebea67e9f11bd Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464537 Auto-Submit: Julie Qiu <julieqiu@google.com> Run-TryBot: Julie Qiu <julieqiu@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 2023-02-02 02:23:56 +03:00			`"NonStarExpr.Serialize",`
			`"NotExpr.Serialize",`
			`"NullCheck.Serialize",`
			`"OnDup.Serialize",`
			`"OnJoinCond.Serialize",`
			`"OrExpr.Serialize",`
			`"Order.Serialize",`
			`"OrderBy.Serialize",`
			`"ParenBoolExpr.Serialize",`
			`"RangeCond.Serialize",`
			`"Select.Serialize",`
			`"SelectExprs.Serialize",`
			`"Serialize",`
			`"StandardLogger.Log",`
			`"StarExpr.Serialize",`
data/reports: add GO-2023-1295.yaml Aliases: CVE-2020-36645, GHSA-3hc7-2xcc-7p8f Fixes golang/vulndb#1295 Change-Id: I9947d523e7f9aa3b28e0a5b7641e140a858d1216 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464302 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Julie Qiu <julieqiu@google.com> Auto-Submit: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Julie Qiu <julie@golang.org> Reviewed-by: Julie Qiu <julieqiu@google.com> 2023-02-01 06:13:35 +03:00			`"Table.loadColumns",`
data/reports: update GO-2023-1295.yaml Add missing symbols Fixes golang/vulndb#1295 Change-Id: I76718ce23a11c2ea4dc64fee322ebea67e9f11bd Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464537 Auto-Submit: Julie Qiu <julieqiu@google.com> Run-TryBot: Julie Qiu <julieqiu@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 2023-02-02 02:23:56 +03:00			`"Table.loadKeys",`
			`"TableExprs.Serialize",`
			`"TableName.Serialize",`
			`"TableNames.Serialize",`
			`"Tx.Delete",`
			`"Tx.DeleteContext",`
			`"Tx.Exec",`
			`"Tx.ExecContext",`
			`"Tx.Get",`
			`"Tx.GetContext",`
			`"Tx.Insert",`
			`"Tx.InsertContext",`
			`"Tx.InsertIgnore",`
			`"Tx.InsertIgnoreContext",`
			`"Tx.Query",`
			`"Tx.QueryContext",`
			`"Tx.QueryRow",`
			`"Tx.QueryRowContext",`
			`"Tx.Replace",`
			`"Tx.ReplaceContext",`
			`"Tx.Select",`
			`"Tx.SelectContext",`
			`"Tx.Update",`
			`"Tx.UpdateContext",`
			`"Tx.Upsert",`
			`"Tx.UpsertContext",`
			`"Update.Serialize",`
			`"UpdateExpr.Serialize",`
			`"UpdateExprs.Serialize",`
			`"UsingJoinCond.Serialize",`
			`"ValExprs.Serialize",`
			`"ValTuple.Serialize",`
			`"Values.Serialize",`
			`"Where.Serialize",`
			`"quoteName"`
data/reports: add GO-2023-1295.yaml Aliases: CVE-2020-36645, GHSA-3hc7-2xcc-7p8f Fixes golang/vulndb#1295 Change-Id: I9947d523e7f9aa3b28e0a5b7641e140a858d1216 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464302 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Julie Qiu <julieqiu@google.com> Auto-Submit: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Julie Qiu <julie@golang.org> Reviewed-by: Julie Qiu <julieqiu@google.com> 2023-02-01 06:13:35 +03:00			`]`
			`}`
			`]`
			`}`
			`}`
			`],`
			`"references": [`
			`{`
			`"type": "REPORT",`
			`"url": "https://github.com/square/squalor/pull/76"`
			`},`
			`{`
			`"type": "FIX",`
			`"url": "https://github.com/square/squalor/pull/76/commits/033350b8596b397c6cefa066b1f2c83d35fc8c4a"`
			`}`
			`],`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`"database_specific": {`
data: apply REVIEWED status to all existing reports and osv Change-Id: I862c5bb24b9c08c29f0d437fd1be61da0319ef0d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585517 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> 2024-05-14 22:19:00 +03:00			`"url": "https://pkg.go.dev/vuln/GO-2023-1295",`
			`"review_status": "REVIEWED"`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`}`
data/reports: add GO-2023-1295.yaml Aliases: CVE-2020-36645, GHSA-3hc7-2xcc-7p8f Fixes golang/vulndb#1295 Change-Id: I9947d523e7f9aa3b28e0a5b7641e140a858d1216 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464302 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Julie Qiu <julieqiu@google.com> Auto-Submit: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Julie Qiu <julie@golang.org> Reviewed-by: Julie Qiu <julieqiu@google.com> 2023-02-01 06:13:35 +03:00			`}`