data/reports: add GO-2022-1175.yaml

Aliases: CVE-2022-23536, GHSA-cq2g-pw6q-hf7j Fixes golang/vulndb#1175 Change-Id: I1527417621a442abfc6e2fb0632ef7ecebd8edcd Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/459115 Auto-Submit: Tim King <taking@google.com> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Tim King <taking@google.com>
2022-12-21 17:08:50 -08:00 · 2022-12-21 17:08:50 -08:00 · 6253c3ade9
--- a/data/osv/GO-2022-1175.json
+++ b/data/osv/GO-2022-1175.json
@ -0,0 +1,71 @@
+{
+  "id": "GO-2022-1175",
+  "published": "0001-01-01T00:00:00Z",
+  "modified": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-23536",
+    "GHSA-cq2g-pw6q-hf7j"
+  ],
+  "details": "A malicious actor could remotely read local files by submitting to the Alertmanager Set Configuration API maliciously crafted inputs. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cortexproject/cortex",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.13.0"
+            },
+            {
+              "fixed": "1.13.2"
+            },
+            {
+              "introduced": "1.14.0"
+            },
+            {
+              "fixed": "1.14.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "url": "https://pkg.go.dev/vuln/GO-2022-1175"
+      },
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cortexproject/cortex/pkg/alertmanager",
+            "symbols": [
+              "validateAlertmanagerConfig",
+              "validateGlobalConfig"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cortexproject/cortex/commit/03e023d8b012887b31cc268d0d011b01e1e65506"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cortexmetrics.io/docs/api/#set-alertmanager-configuration"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Austin Robertson with Amazon Web Services"
+    }
+  ],
+  "schema_version": "1.3.1"
+}
--- a/data/reports/GO-2022-1175.yaml
+++ b/data/reports/GO-2022-1175.yaml
@ -0,0 +1,26 @@
+modules:
+  - module: github.com/cortexproject/cortex
+    versions:
+      - introduced: 1.13.0
+        fixed: 1.13.2
+      - introduced: 1.14.0
+        fixed: 1.14.1
+    packages:
+      - package: github.com/cortexproject/cortex/pkg/alertmanager
+        symbols:
+          - validateAlertmanagerConfig
+          - validateGlobalConfig
+description: |
+    A malicious actor could remotely read local files by submitting to the
+    Alertmanager Set Configuration API maliciously crafted inputs. Only users
+    of the Alertmanager service where `-experimental.alertmanager.enable-api`
+    or `enable_api: true` is configured are affected.
+cves:
+  - CVE-2022-23536
+ghsas:
+  - GHSA-cq2g-pw6q-hf7j
+credit: Austin Robertson with Amazon Web Services
+references:
+  - advisory: https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j
+  - fix: https://github.com/cortexproject/cortex/commit/03e023d8b012887b31cc268d0d011b01e1e65506
+  - web: https://cortexmetrics.io/docs/api/#set-alertmanager-configuration