data/reports: add published date to all reports

The move of reports from reports/ to data/reports broke lookups of
the publication date from the git history. Set the publication
date for all existing reports based on the history from the old
location.

Change-Id: I7a4dd9121894d037c689db7398311b234bdf270b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/424377
Reviewed-by: Julie Qiu <julieqiu@google.com>
Damien Neil 2022-08-17 15:39:45 -07:00
Parent e3d6083508
Commit 95a417dbb7
105 changed files: 215 additions and 90 deletions

View file

@ -19,6 +19,7 @@ description: |
input than expected when the caller is reading directly from a
network and depends on ReadUvarint or ReadVarint only consuming a
small, bounded number of bytes, even from invalid inputs.
published: 2022-07-01T20:11:09Z
cves:
- CVE-2020-16845
ghsas:

View file

@ -8,13 +8,14 @@ packages:
- introduced: 1.1.0
fixed: 1.3.2
description: |
When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle
attackers to spoof clients via unspecified vectors.
When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle
attackers to spoof clients via unspecified vectors.
If the server enables TLS client authentication using certificates (this is
rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,
then a malicious client can falsely assert ownership of any client
certificate it wishes.
If the server enables TLS client authentication using certificates (this is
rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,
then a malicious client can falsely assert ownership of any client
certificate it wishes.
published: 2022-05-25T21:11:41Z
cves:
- CVE-2014-7189
credit: Go Team
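Review bot: the description block in this hunk is removed and re-added with identical text (both copies of "When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle..." and of "If the server enables TLS client authentication using certificates..."), so the file was evidently re-marshaled rather than having only the `published:` line inserted; the hunk header (`-8,13 +8,14`) confirms the net change is one line. Across 105 files this makes the date-only change hard to review. Consider stating in the commit message that the reports were re-serialized by the tooling (indentation, quoting and key order normalized), or splitting that normalization into its own change so each report's only substantive delta is its `published:` line, here `published: 2022-05-25T21:11:41Z`.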

View file

@ -8,13 +8,14 @@ packages:
- introduced: 1.17.0
fixed: 1.17.7
description: |
Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.
Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.
published: 2022-05-23T22:15:42Z
cves:
- CVE-2022-23772
credit: Emmanuel Odeke
links:
pr: https://go.dev/cl/379537
commit: https://go.googlesource.com/go/+/ad345c265916bbf6c646865e4642eafce6d39e78
context:
- https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- https://go.dev/issue/50699
pr: https://go.dev/cl/379537
commit: https://go.googlesource.com/go/+/ad345c265916bbf6c646865e4642eafce6d39e78
context:
- https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- https://go.dev/issue/50699

View file

@ -10,16 +10,17 @@ packages:
- introduced: 1.17.0
fixed: 1.17.7
description: |
Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.
Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.
published: 2022-05-23T22:15:21Z
cves:
- CVE-2022-23806
credit: Guido Vranken
links:
pr: https://go.dev/cl/382455
commit: https://go.googlesource.com/go/+/7f9494c277a471f6f47f4af3036285c0b1419816
context:
- https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- https://go.dev/issue/50974
pr: https://go.dev/cl/382455
commit: https://go.googlesource.com/go/+/7f9494c277a471f6f47f4af3036285c0b1419816
context:
- https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- https://go.dev/issue/50974

View file

@ -11,6 +11,7 @@ description: |
WebSocket connection request to a server under their control without
causing TLS certificate verification to fail. This occurs because
the wrong host name is selected during this verification.
published: 2022-03-15T19:38:30Z
cves:
- CVE-2022-24968
ghsas:

View file

@ -1,23 +1,24 @@
packages:
- module: std
package: regexp
symbols:
- regexp.Compile
versions:
- fixed: 1.16.15
- introduced: 1.17.0
fixed: 1.17.8
symbols:
- regexp.Compile
description: |
On 64-bit platforms, an extremely deeply nested expression can
cause regexp.Compile to cause goroutine stack exhaustion, forcing
the program to exit. Note this applies to very large expressions,
on the order of 2MB.
On 64-bit platforms, an extremely deeply nested expression can
cause regexp.Compile to cause goroutine stack exhaustion, forcing
the program to exit. Note this applies to very large expressions,
on the order of 2MB.
published: 2022-05-23T22:15:47Z
cves:
- CVE-2022-24921
credit: Juho Nurminen
links:
pr: https://go.dev/cl/384616
commit: https://go.googlesource.com/go/+/452f24ae94f38afa3704d4361d91d51218405c0a
context:
- https://go.dev/issue/51112
- https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk
pr: https://go.dev/cl/384616
commit: https://go.googlesource.com/go/+/452f24ae94f38afa3704d4361d91d51218405c0a
context:
- https://go.dev/issue/51112
- https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk

View file

@ -16,6 +16,7 @@ description: |
Servers that only use Signer implementations provided by the ssh package are
unaffected.
published: 2022-04-25T20:38:40Z
cves:
- CVE-2022-27191
ghsas:

View file

@ -26,6 +26,7 @@ description: |
that image had previously been decrypted. A patch has been
applied to imgcrypt 1.1.4. Workarounds may include usage of
different namespaces for each remote user.
published: 2022-04-28T23:35:11Z
cves:
- CVE-2022-24778
ghsas:

View file

@ -13,6 +13,7 @@ description: |
long-running computations, which in turn makes Go programs vulnerable to
remote denial of service attacks. Programs using HTTPS client certificates
or the Go SSH server libraries are both exposed to this vulnerability.
published: 2022-05-24T22:06:33Z
cves:
- CVE-2016-3959
credit: David Wong

View file

@ -13,6 +13,7 @@ description: |
If the user had a root certificate loaded in their Keychain that was
explicitly not trusted, a Go program would still verify a connection using
that root certificate.
published: 2022-05-24T20:17:59Z
cves:
- CVE-2017-1000097
credit: Xy Ziemba

View file

@ -17,6 +17,7 @@ description: |
get" can be tricked into reusing this Git checkout for the fetch of code
from pkg2. If the Subversion repository's Git checkout has malicious
commands in .git/hooks/, they will execute on the system running "go get".
published: 2022-08-09T17:31:35Z
cves:
- CVE-2017-15041
credit: Simon Rawet

View file

@ -9,8 +9,6 @@ packages:
- introduced: 1.8.0
fixed: 1.8.2
vulnerable_at: 1.8.1
arch:
- amd64
description: |
The ScalarMult implementation of curve P-256 for amd64 architectures
generates incorrect results for certain specific input points.
@ -18,9 +16,12 @@ description: |
ScalarMult by submitting crafted points and observing failures to
derive correct output. This leads to a full key recovery attack
against static ECDH, as used in popular JWT libraries.
published: 2022-07-01T20:11:15Z
cves:
- CVE-2017-8932
credit: Vlad Krasnov and Filippo Valsorda at Cloudflare
arch:
- amd64
links:
pr: https://go.dev/cl/41070
commit: https://go.googlesource.com/go/+/9294fa2749ffee7edbbb817a0ef9fe633136fa9c
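Review bot: across the two hunks for this file, `arch:` / `- amd64` is removed from its position before `description:` and re-added after `credit:` with no change to the value; the only substantive addition is `published: 2022-07-01T20:11:15Z`. This key reordering is marshaler output rather than an edit. If the report schema has a canonical key order, a format check in the linter would stop hand-edited reports from churning like this on the next automated pass; if it does not, the commit message should say the files were re-serialized so reviewers know that moved keys carry no meaning.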

View file

@ -29,6 +29,7 @@ description: |
Note that forbidding import paths with a .git element might not be
sufficient to mitigate this issue, as on certain systems there can be other
aliases for VCS state folders.
published: 2022-08-04T21:30:35Z
cves:
- CVE-2018-16873
credit: Etienne Stalmans of Heroku

View file

@ -17,6 +17,7 @@ description: |
(the distinction is documented at
https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause
an arbitrary filesystem write, which can lead to code execution.
published: 2022-08-02T15:44:23Z
cves:
- CVE-2018-16874
credit: ztz of Tencent Security Platform

View file

@ -15,6 +15,7 @@ description: |
to craft pathological inputs leading to a CPU denial of service.
Go TLS servers accepting client certificates and TLS clients
verifying certificates are affected.
published: 2022-07-15T23:03:26Z
cves:
- CVE-2018-16875
credit: Netflix

View file

@ -14,6 +14,7 @@ description: |
For example, the Parse function panics on the input
"<math><template><mo><template>".
published: 2022-07-01T20:11:34Z
cves:
- CVE-2018-17142
credit: '@tr3ee'

View file

@ -14,6 +14,7 @@ description: |
For example, the Parse function panics on the input
"<template><tBody><isindex/action=0>".
published: 2022-07-06T18:14:54Z
cves:
- CVE-2018-17143
credit: '@tr3ee'

View file

@ -14,6 +14,7 @@ description: |
For example, the Parse function panics on the input
"<svg><template><desc><t><svg></template>".
published: 2022-07-01T20:15:19Z
cves:
- CVE-2018-17847
- CVE-2018-17848

View file

@ -19,6 +19,7 @@ description: |
"// #cgo CFLAGS: -fplugin=attack.so" causing the attack plugin to be
loaded into the host C compiler during the build. Gcc and clang plugins are
completely unrestricted in their access to the host system.
published: 2022-08-09T18:15:41Z
cves:
- CVE-2018-6574
credit: Christopher Brown of Mattermost

View file

@ -13,6 +13,7 @@ description: |
the import path (get/vcs.go only checks for "://" anywhere in the string),
which allows remote attackers to execute arbitrary OS commands via a
crafted web site.
published: 2022-08-09T23:19:00Z
cves:
- CVE-2018-7187
credit: Arthur Khashaev

View file

@ -22,11 +22,12 @@ description: |
Architectures other than amd64 and uses that generate less than 256 GiB
of keystream for a single salsa20.XORKeyStream invocation are unaffected.
arch:
- amd64
published: 2022-07-01T20:15:25Z
cves:
- CVE-2019-11840
credit: Michael McLoughlin
arch:
- amd64
links:
pr: https://go.dev/cl/168406
commit: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d

View file

@ -14,6 +14,7 @@ description: |
The url.Parse function accepts URLs with malformed hosts, such that the Host
field can have arbitrary suffixes that appear in neither Hostname() nor Port(),
allowing authorization bypasses in certain applications.
published: 2022-07-01T20:15:30Z
cves:
- CVE-2019-14809
credit: Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me)

View file

@ -18,6 +18,7 @@ description: |
are multiplexed onto the same upstream connection by the proxy. Such
invalid headers are now rejected by Go servers, and passed without
normalization to Go client applications.
published: 2022-05-23T22:46:20Z
cves:
- CVE-2019-16276
credit: Andrew Stucki, Adam Scarr (99designs.com), and Jan Masarik (masarik.sh)

View file

@ -23,6 +23,7 @@ description: |
client can panic due to a malformed host key, while a server could panic if
either PublicKeyCallback accepts a malformed public key, or if
IsUserAuthority accepts a certificate with a malformed public key.
published: 2022-05-24T20:14:11Z
cves:
- CVE-2019-17596
credit: Daniel Mandragona

View file

@ -15,6 +15,7 @@ description: |
These inputs might be delivered via TLS handshakes, X.509 certificates, JWT
tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private
key is reused more than once, the attack can also lead to key recovery.
published: 2022-05-24T15:21:01Z
cves:
- CVE-2019-6486
credit: Wycheproof Project

View file

@ -20,6 +20,7 @@ packages:
description: |
Go on Windows misused certain LoadLibrary functionality, leading to DLL
injection.
published: 2022-05-25T18:01:46Z
cves:
- CVE-2019-9634
credit: Samuel Cochran, Jason Donenfeld

View file

@ -21,6 +21,7 @@ description: |
certificates. net/http clients can be made to crash by an HTTPS
server, while net/http servers that accept client certificates
will recover the panic and are unaffected.
published: 2022-07-06T18:23:48Z
cves:
- CVE-2020-7919
ghsas:

View file

@ -18,6 +18,7 @@ description: |
This function does not sanitize its plugin parameter, so parameter
names containing "../" or other such elements may reference
arbitrary locations on the filesystem.
published: 2022-07-01T20:17:57Z
cves:
- CVE-2021-20206
ghsas:

View file

@ -14,6 +14,7 @@ description: |
v0.6.0 of the proxyproto package adds support for a user-defined
header timeout. v0.6.1 adds a default timeout of 200ms and v0.6.2
increases the default timeout to 10s.
published: 2022-07-01T20:18:04Z
cves:
- CVE-2021-23409
ghsas:

View file

@ -35,6 +35,7 @@ description: |
This also affects golang.org/x/net/http2/h2c and
HeaderValuesContainsToken in golang.org/x/net/http/httpguts.
published: 2022-07-15T23:04:18Z
cves:
- CVE-2021-31525
credit: Guido Vranken

View file

@ -17,6 +17,7 @@ packages:
description: |
Random data used to create UUIDs can contain zeros, resulting in
predictable UUIDs and possible collisions.
published: 2022-07-15T23:06:26Z
cves:
- CVE-2021-3538
links:

View file

@ -11,6 +11,7 @@ packages:
description: |
The ROAEntry.Validate function fails to perform bounds checks on
the MaxLength field, allowing invalid values to pass validation.
published: 2022-07-15T23:06:38Z
cves:
- CVE-2021-3761
ghsas:

View file

@ -24,13 +24,14 @@ description: |
their copy (as described in
https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any
modules.
published: 2022-05-24T20:14:28Z
cves:
- CVE-2021-38297
os:
- js
arch:
- wasm
credit: Ben Lubar
os:
- js
arch:
- wasm
links:
pr: https://go.dev/cl/354571
commit: https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4

View file

@ -17,6 +17,7 @@ description: |
The ExtractPathManifest function permits file paths containing relative
directory components (".."), permitting files to reference arbitrary
locations on the filesystem.
published: 2022-07-15T23:07:18Z
cves:
- CVE-2021-3907
ghsas:

View file

@ -12,6 +12,7 @@ packages:
vulnerable_at: 1.3.0
description: |
Invalid input data can cause a panic.
published: 2022-07-15T23:07:28Z
cves:
- CVE-2021-3910
ghsas:

View file

@ -16,6 +16,7 @@ packages:
vulnerable_at: 1.3.0
description: |
Invalid input data can cause a panic.
published: 2022-07-15T23:07:41Z
cves:
- CVE-2021-3911
ghsas:

View file

@ -9,6 +9,7 @@ packages:
description: |
The HTTPFetcher.GetXML function reads a response of unlimited size into
memory, permitting resource exhausion.
published: 2022-07-15T23:07:48Z
cves:
- CVE-2021-3912
ghsas:

View file

@ -25,6 +25,7 @@ description: |
error, where vulnerable nodes obtain a different stateRoot when
processing a maliciously crafted transaction. This, in turn,
would lead to the chain being split in two forks.
published: 2022-07-15T23:07:56Z
cves:
- CVE-2021-39137
ghsas:

View file

@ -18,6 +18,7 @@ packages:
vulnerable_at: 1.10.8
description: |
A maliciously crafted snap/1 protocol message can cause a panic.
published: 2022-07-15T23:08:03Z
cves:
- CVE-2021-41173
ghsas:

View file

@ -19,6 +19,7 @@ description: |
This vulnerability only occurs when built with Go versions prior to 1.17.
Go 1.17 and later strip directory paths from filenames returned by
"mime/multipart".Part.FileName, which avoids this issue.
published: 2022-07-15T23:08:12Z
cves:
- CVE-2021-23772
ghsas:

View file

@ -6,13 +6,14 @@ packages:
- OpenReader
versions:
- fixed: 1.16.8
- introduced: 1.17
- introduced: "1.17"
fixed: 1.17.1
description: |
The NewReader and OpenReader functions in archive/zip can cause a panic or
an unrecoverable fatal error when reading an archive that claims to contain
a large number of files, regardless of its actual size. This is
caused by an incomplete fix for CVE-2021-33196.
The NewReader and OpenReader functions in archive/zip can cause a panic or
an unrecoverable fatal error when reading an archive that claims to contain
a large number of files, regardless of its actual size. This is
caused by an incomplete fix for CVE-2021-33196.
published: 2022-05-18T18:23:31Z
cves:
- CVE-2021-39293
credit: OSS-Fuzz Project and Emmanuel Odeke
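Review bot: the change from `- introduced: 1.17` to `- introduced: "1.17"` deserves an explicit mention, since it is a correctness fix unrelated to the published date: an unquoted `1.17` is a YAML float, and a version such as 1.10 would round-trip as 1.1 under that treatment, whereas the quoted form is always a string. `fixed: 1.16.8` and `fixed: 1.17.1` stay unquoted, which is fine because three-component versions cannot parse as numbers, but a schema check requiring every version value to be a string would catch this class of bug at commit time instead of relying on the marshaler to quote it.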

View file

@ -10,6 +10,7 @@ packages:
description: |
An attacker with partial control over the bind mount sources of a new
container can bypass namespace restrictions.
published: 2022-07-15T23:08:20Z
cves:
- CVE-2021-43784
ghsas:

View file

@ -20,6 +20,7 @@ packages:
description: |
An attacker can cause unbounded memory growth in servers accepting
HTTP/2 requests.
published: 2022-07-15T23:08:33Z
cves:
- CVE-2021-44716
credit: murakmii

View file

@ -5,7 +5,7 @@ packages:
- ForkExec
versions:
- fixed: 1.16.12
- introduced: 1.17
- introduced: "1.17"
fixed: 1.17.5
description: |
When a Go program running on a Unix system is out of file descriptors and
@ -17,6 +17,7 @@ description: |
For users who cannot immediately update to the new release, the bug can be
mitigated by raising the per-process file descriptor limit.
published: 2022-05-18T18:23:23Z
cves:
- CVE-2021-44717
credit: Tomasz Maczukin and Kamil Trzciński of GitLab

View file

@ -19,6 +19,7 @@ description: |
performed by quote verification, meaning a local attacker can couple this
vulnerability with a maliciously-formed TCG log in Eventlog.Verify to spoof
events in the TCG log, defeating remotely-attested measured-boot.
published: 2022-07-15T23:27:21Z
cves:
- CVE-2022-0317
ghsas:

View file

@ -20,6 +20,7 @@ description: |
This issue only occurs when using the graphql.MaxDepth schema option
(which is highly recommended in most cases).
published: 2022-07-15T23:10:20Z
cves:
- CVE-2022-21708
ghsas:

View file

@ -14,12 +14,13 @@ packages:
description: |
Pretty-printing an AST that contains synthetic nodes can change the logic
of some statements by reordering array literals.
published: 2022-07-27T20:27:33Z
cves:
- CVE-2022-23628
ghsas:
- GHSA-hcw3-j74m-qc58
links:
advisory: https://github.com/open-policy-agent/opa/security/advisories/GHSA-hcw3-j74m-qc58
commit: https://github.com/open-policy-agent/opa/commit/932e4ffc37a590ace79e9b75ca4340288c220239
advisory: https://github.com/open-policy-agent/opa/security/advisories/GHSA-hcw3-j74m-qc58
context:
- https://github.com/open-policy-agent/opa/commit/2bd8edab9e10e2dc9cf76ae8335ced0c224f3055

View file

@ -15,6 +15,7 @@ description: |
The go command can misinterpret branch names that falsely appear to be
version tags. This can lead to incorrect access control if an actor is
authorized to create branches but not tags.
published: 2022-08-01T22:20:42Z
cves:
- CVE-2022-23773
links:

View file

@ -31,6 +31,7 @@ description: |
pass a metric with a "method" label name to a middleware; and not
have any firewall/LB/proxy that filters away requests with unknown
"method".
published: 2022-07-15T23:29:02Z
cves:
- CVE-2022-21698
ghsas:

View file

@ -9,6 +9,7 @@ packages:
description: |
The RunUsingChroot function unintentionally propagates environment
variables from the current process to the child process.
published: 2022-07-15T23:30:21Z
cves:
- CVE-2021-3602
ghsas:

View file

@ -10,6 +10,7 @@ description: |
A maliciously crafted RPM file can cause the Scanner.Scan function to
write files with arbitrary contents to arbitrary locations on the local
filestem.
published: 2022-07-15T23:30:27Z
cves:
- CVE-2021-3762
ghsas:

View file

@ -13,6 +13,7 @@ description: |
URL path normalization does not handle Windows path separators
(backslashes), permitting an attacker to construct requests
with relative paths.
published: 2022-07-27T20:26:59Z
cves:
- CVE-2022-21221
ghsas:

View file

@ -26,6 +26,7 @@ description: |
Providing a *tls.Config with a ServerName field set to the
correct destination hostname will avoid this issue.
published: 2022-07-29T20:00:14Z
cves:
- CVE-2022-24968
ghsas:
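Review bot: this is the second report in the change that lists `- CVE-2022-24968`; the earlier hunk (the one whose description ends "the wrong host name is selected during this verification") gets `published: 2022-03-15T19:38:30Z`, while this one gets `published: 2022-07-29T20:00:14Z`. If both files are meant to describe the same issue, one should be marked as the canonical report or the two merged, so that a CVE lookup does not return two entries with different publication dates; if they are intentionally distinct, a short note in each description saying how they differ would help the next reviewer.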

View file

@ -16,6 +16,7 @@ description: |
This problem has been addressed in newer versions by improving validation
in manifest unmarshaling.
published: 2022-07-29T20:00:03Z
ghsas:
- GHSA-qq97-vm5h-rrhg
links:

View file

@ -16,6 +16,7 @@ description: |
In these versions, the IsRevoked method always return true.
(This advisory is canonically https://advisories.nats.io/CVE/CVE-2020-26892.txt)
published: 2022-07-15T23:29:36Z
cves:
- CVE-2020-26892
ghsas:

View file

@ -21,6 +21,7 @@ description: |
For further details, see
https://github.com/advisories/GHSA-56hp-xqp3-w2jf.
published: 2022-07-15T23:29:45Z
cves:
- CVE-2021-32690
ghsas:

View file

@ -15,10 +15,11 @@ description: |
This issue only affects WebSockets with an AuthenticateMethod hook.
Request handlers that do not explicitly use WebSockets are not
vulnerable.
cve_metadata:
id: CVE-2021-4237
cwe: "CWE 287: Improper Authentication"
published: 2022-07-01T20:11:02Z
ghsas:
- GHSA-5gjg-jgh4-gppm
links:
commit: https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
cve_metadata:
id: CVE-2021-4237
cwe: 'CWE 287: Improper Authentication'

View file

@ -29,6 +29,7 @@ description: |
For further details and mitigation procedures, see
https://advisories.nats.io/CVE/CVE-2021-3127.txt
published: 2022-07-01T20:11:22Z
cves:
- CVE-2021-3127
ghsas:

View file

@ -24,10 +24,11 @@ description: |
the plaintext, if the hash is readable to the attacker.
AWS now blocks this metadata field, but older SDK versions still send it.
cve_metadata:
id: CVE-2022-2582
cwe: "CWE 311: Missing Encryption of Sensitive Data"
published: 2022-07-01T20:10:56Z
ghsas:
- GHSA-76wf-9vgp-pj7w
links:
commit: https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1
cve_metadata:
id: CVE-2022-2582
cwe: 'CWE 311: Missing Encryption of Sensitive Data'

View file

@ -8,10 +8,12 @@ packages:
- fixed: 0.7.2
vulnerable_at: 0.7.1
description: A race condition can cause incorrect HTTP request routing.
published: 2022-07-01T20:10:50Z
ghsas:
- GHSA-h2x7-2ff6-v32p
cve_metadata:
id: CVE-2022-2583
cwe: "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"
links:
commit: https://github.com/ntbosscher/gobase/commit/a8d40bce9c429d324122d18c446924dab809e812
cve_metadata:
id: CVE-2022-2583
cwe: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization
('Race Condition')
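Review bot: the marshaler has wrapped the long `cwe` value onto two lines here (`cwe: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization` followed by `('Race Condition')`). The value is unchanged, because YAML folds the line break inside a plain scalar to a single space, but `grep "Race Condition"` no longer finds the CWE identifier on the same line, and a reader skimming the file can mistake the continuation for a separate entry. Keeping long scalars on one line, quoted as the pre-change `cwe: "CWE-362 ..."` was, avoids both problems.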

View file

@ -14,6 +14,7 @@ packages:
description: |
A malicious account can create and sign a User JWT which causes a panic
when decoded by the NATS JWT library.
published: 2022-07-01T20:10:43Z
cves:
- CVE-2020-26521
ghsas:

View file

@ -13,10 +13,11 @@ description: |
The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return
strings containing at least one digit from 0 to 9. This significantly
reduces the amount of entropy in short strings generated by these functions.
published: 2022-07-01T20:08:24Z
ghsas:
- GHSA-xg2h-wx96-xgxr
cve_metadata:
id: CVE-2021-4238
cwe: "CWE 330: Use of Insufficiently Random Values"
links:
commit: https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1
cve_metadata:
id: CVE-2021-4238
cwe: 'CWE 330: Use of Insufficiently Random Values'

View file

@ -29,6 +29,7 @@ description: |
user-provided arguments. These arguments can be interpreted
as command-line flags, which can be used to perform command
injection.
published: 2022-07-01T20:08:17Z
cves:
- CVE-2022-21235
ghsas:

View file

@ -21,6 +21,7 @@ description: |
This bug does not affect the container security sandbox, as the
inheritable set never contains more capabilities than are included
in the container's bounding set.
published: 2022-07-01T20:08:10Z
cves:
- CVE-2022-27651
ghsas:

View file

@ -10,10 +10,12 @@ packages:
- fixed: 1.3.1
vulnerable_at: 1.3.0
description: The dag-pb codec can panic when decoding invalid blocks.
published: 2022-07-01T20:08:04Z
ghsas:
- GHSA-g3vv-g2j5-45f2
cve_metadata:
id: CVE-2022-2584
cwe: "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
links:
commit: https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57
cve_metadata:
id: CVE-2022-2584
cwe: 'CWE-119: Improper Restriction of Operations within the Bounds of a Memory
Buffer'

View file

@ -10,6 +10,7 @@ packages:
description: |
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has
a Decode stack overflow via a large amount of PEM data.
published: 2022-05-20T21:17:25Z
cves:
- CVE-2022-24675
credit: Juho Nurminen of Mattermost

View file

@ -12,6 +12,7 @@ description: |
These chains can be delivered through TLS and can cause a crypto/tls or
net/http client to crash.
published: 2022-05-23T21:59:00Z
cves:
- CVE-2022-27536
credit: Tailscale

View file

@ -6,18 +6,19 @@ packages:
- P256.ScalarBaseMult
versions:
- fixed: 1.17.9
- introduced: 1.18
- introduced: "1.18"
fixed: 1.18.1
description: |
A crafted scalar input longer than 32 bytes can cause P256().ScalarMult
or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
A crafted scalar input longer than 32 bytes can cause P256().ScalarMult
or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
published: 2022-05-20T21:17:46Z
cves:
- CVE-2022-28327
credit: Project Wycheproof
links:
pr: https://go.dev/cl/397135
commit: https://go.googlesource.com/go/+/37065847d87df92b5eb246c88ba2085efcf0b331
context:
- https://go.dev/issue/52075
- https://groups.google.com/g/golang-announce/c/oecdBNLOml8
pr: https://go.dev/cl/397135
commit: https://go.googlesource.com/go/+/37065847d87df92b5eb246c88ba2085efcf0b331
context:
- https://go.dev/issue/52075
- https://groups.google.com/g/golang-announce/c/oecdBNLOml8

View file

@ -15,6 +15,7 @@ packages:
description: |
The getter package can write SSH credentials to its logfile,
exposing credentials to local users able to read the logfile.
published: 2022-07-01T20:07:52Z
cves:
- CVE-2022-29810
ghsas:

View file

@ -27,6 +27,7 @@ description: |
The TUF client is vulnerable to rollback attacks, in which an
attacker causes a client to install software older than the software
the client previously knew to be available.
published: 2022-07-01T20:07:44Z
cves:
- CVE-2022-29173
ghsas:

View file

@ -18,6 +18,7 @@ packages:
description: |
An attacker can send packets that send the DTLS server or client
into an infinite loop.
published: 2022-07-01T20:07:34Z
cves:
- CVE-2022-29190
ghsas:

View file

@ -21,6 +21,7 @@ description: |
The Pion DTLS client and server buffer handshake data with no
upper limit, permitting an attacker to cause unbounded memory
consumption by sending an unterminated handshake.
published: 2022-07-01T20:07:25Z
cves:
- CVE-2022-29189
ghsas:

View file

@ -23,6 +23,7 @@ description: |
possesses the private key for the certificate. The Pion DTLS server
accepted client certificates unaccompanied by this proof, permitting
an attacker to present any certificate and have it accepted as valid.
published: 2022-07-01T20:07:12Z
cves:
- CVE-2022-29222
ghsas:

View file

@ -208,6 +208,7 @@ description: |
For example, the pattern "/a/b/:name" can match the URL "/a.xml/b/".
This may bypass access control applied to the prefix "/a/".
published: 2022-07-01T20:06:59Z
cves:
- CVE-2022-31259
ghsas:

View file

@ -36,6 +36,7 @@ description: |
contains no authentication, authorization, or validation of user
inputs. Exposing handlers from this package can permit attackers to
create files and delete directories.
published: 2022-07-15T23:29:55Z
cves:
- CVE-2022-31022
ghsas:

View file

@ -24,6 +24,7 @@ description: |
This can be caused by malicious unquoted symbol name in a linked object
file.
published: 2022-07-28T17:24:30Z
credit: Chris Brown and Tempus Ex
links:
pr: https://go.dev/cl/269658

View file

@ -14,6 +14,7 @@ description: |
command that builds untrusted code.
This can be caused by malicious gcc flags specified via a cgo directive.
published: 2022-07-28T17:24:43Z
credit: Imre Rad
links:
pr: https://go.dev/cl/267277

View file

@ -10,13 +10,7 @@ packages:
description: |
On Windows, rand.Read will hang indefinitely if passed a buffer larger than
1 << 32 - 1 bytes.
cve_metadata:
id: CVE-2022-30634
cwe: "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"
description: |
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on
Windows allows attacker to cause an indefinite hang by passing a buffer
larger than 1 << 32 - 1 bytes.
published: 2022-06-09T01:43:37Z
credit: Davis Goodin and Quim Muntal of Microsoft
os:
- windows
@ -26,3 +20,10 @@ links:
context:
- https://go.dev/issue/52561
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
cve_metadata:
id: CVE-2022-30634
cwe: 'CWE-835: Loop with Unreachable Exit Condition (''Infinite Loop'')'
description: |
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on
Windows allows attacker to cause an indefinite hang by passing a buffer
larger than 1 << 32 - 1 bytes.
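Review bot: the `cve_metadata` block (id, cwe and its nested `description`) is relocated from before `published:` to after `links.context`, and the hunk counts confirm nothing was dropped: the first hunk removes the 7-line block and adds `published:` (13 -> 7), and this hunk adds the same 7 lines back (3 -> 10). The only textual difference is quoting, `"CWE-835: ... ('Infinite Loop')"` becoming `'CWE-835: ... (''Infinite Loop'')'`, where the doubled single quotes are the correct YAML escape, so the value is identical. Worth a quick check that the loader does not assume `cve_metadata` precedes `published`; as mapping keys, order should not matter, but this file is the one where the moved block is largest.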

View file

@ -15,6 +15,7 @@ description: |
contents of a Git repository file. A maliciously crafted repository
can exploit this to cause Read to read from arbitrary files on
the filesystem.
published: 2022-07-15T23:30:03Z
cves:
- CVE-2022-25856
ghsas:

View file

@ -18,6 +18,7 @@ packages:
description: |
When called with a non-zero flags parameter, the Faccessat function
can incorrectly report that a file is accessible.
published: 2022-07-15T23:30:12Z
cves:
- CVE-2022-29526
credit: Joël Gähwiler (@256dpi)

View file

@ -27,6 +27,7 @@ packages:
vulnerable_at: 2.3.0
description: |
Decoding malformed CAR data can cause panics or excessive memory usage.
published: 2022-07-30T03:50:50Z
ghsas:
- GHSA-9x4h-8wgm-8xfg
links:

View file

@ -20,6 +20,7 @@ packages:
description: |
Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.
published: 2022-07-20T17:01:45Z
credit: Juho Nurminen of Mattermost
links:
pr: https://go.dev/cl/417063

View file

@ -8,6 +8,7 @@ packages:
vulnerable_at: 1.1.30
description: |
Improper validation of access tokens can permit use of expired tokens.
published: 2022-07-30T03:51:07Z
cves:
- CVE-2022-31145
ghsas:

View file

@ -20,6 +20,7 @@ description: |
In the more usual case where a Director function sets the
X-Forwarded-For header value to nil, ReverseProxy leaves the header
unmodified as expected.
published: 2022-07-28T17:23:05Z
credit: Christian Mehlmauer
links:
pr: https://go.dev/cl/412857

View file

@ -11,6 +11,7 @@ packages:
description: |
Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion.
published: 2022-07-20T17:02:04Z
credit: Go Security Team and Juho Nurminen of Mattermost
links:
pr: https://go.dev/cl/417062

View file

@ -11,6 +11,7 @@ packages:
description: |
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
published: 2022-07-20T17:02:29Z
credit: Juho Nurminen of Mattermost
links:
pr: https://go.dev/cl/417066

View file

@ -14,6 +14,7 @@ description: |
Unmarshaling an XML document into a Go struct which has a nested
field that uses the 'any' field tag can panic due to stack
exhaustion.
published: 2022-07-20T20:52:06Z
links:
pr: https://go.dev/cl/417061
commit: https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08

View file

@ -11,6 +11,7 @@ packages:
description: |
Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.
published: 2022-07-20T20:52:11Z
links:
pr: https://go.dev/cl/417067
commit: https://go.googlesource.com/go/+/b2b8872c876201eac2d0707276c6999ff3eb185e

View file

@ -13,6 +13,7 @@ description: |
indicating a "chunked" encoding. This could potentially allow for request
smuggling, but only if combined with an intermediate server that also
improperly failed to reject the header as invalid.
published: 2022-07-25T17:34:18Z
credit: Zeyu Zhang (https://www.zeyu2001.com/)
links:
pr: https://go.dev/cl/409874
@ -23,9 +24,9 @@ links:
- https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
cve_metadata:
id: CVE-2022-1705
cwe: "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"
cwe: 'CWE-444: Inconsistent Interpretation of HTTP Requests (''HTTP Request Smuggling'')'
description: |
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client
in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling
if combined with an intermediate server that also improperly fails to
reject the header as invalid.
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client
in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling
if combined with an intermediate server that also improperly fails to
reject the header as invalid.
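Review bot: the `cwe` line and the `cve_metadata.description` block in this hunk change only in quoting and indentation, not in content. `cwe: "CWE-444: ... ('HTTP Request Smuggling')"` becomes `cwe: 'CWE-444: ... (''HTTP Request Smuggling'')'` and the `|` block scalar is re-indented; both decode to the same strings, because a doubled single quote is the escape for `'` inside a single-quoted YAML scalar and a block scalar's text is measured from the indentation of its first line. This is churn from re-marshaling the whole report rather than inserting one line. It is harmless, but it hides the one meaningful line of the hunk and the doubled-quote form is harder to read; either state in the commit message that all reports were re-serialized, or, if the encoder allows it, keep the original double-quoted style for this field.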

View file

@ -13,6 +13,7 @@ packages:
description: |
Calling Decoder.Decode on a message which contains deeply nested structures
can cause a panic due to stack exhaustion.
published: 2022-07-20T20:52:17Z
links:
pr: https://go.dev/cl/417064
commit: https://go.googlesource.com/go/+/6fa37e98ea4382bf881428ee0c150ce591500eb7

View file

@ -11,6 +11,7 @@ packages:
description: |
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
published: 2022-07-20T20:52:22Z
links:
pr: https://go.dev/cl/417065
commit: https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59

View file

@ -9,6 +9,7 @@ packages:
description: |
Sending a message exactly 2000, 4000, or 6000 characters in length
to Discord causes a panic.
published: 2022-07-30T03:51:17Z
cves:
- CVE-2022-25891
ghsas:

View file

@ -15,6 +15,7 @@ description: |
generated ticket_age_add, which allows an attacker that can observe TLS
handshakes to correlate successive connections by comparing ticket ages
during session resumption.
published: 2022-07-28T17:24:57Z
credit: Github user @nervuri
links:
pr: https://go.dev/cl/405994

View file

@ -12,11 +12,12 @@ description: |
On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput
when Cmd.Path is unset will unintentionally trigger execution of any
binaries in the working directory named either "..com" or "..exe".
published: 2022-07-26T21:41:20Z
credit: |
Chris Darroch (chrisd8088@github.com), brian m. carlson (bk2204@github.com),
and Mikhail Shcherbakov (https://twitter.com/yu5k3)
Chris Darroch (chrisd8088@github.com), brian m. carlson (bk2204@github.com),
and Mikhail Shcherbakov (https://twitter.com/yu5k3)
os:
- windows
- windows
links:
pr: https://go.dev/cl/403759
commit: https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
@ -31,4 +32,3 @@ cve_metadata:
allows execution of any binaries in the working directory named either
"..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or
Cmd.CombinedOutput when Cmd.Path is unset.

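Review bot: the second hunk of this file (header -31,4 +32,3) drops the blank line that ended the file, and the first hunk re-indents the `credit` block scalar and the `os` list; none of this changes the decoded report (the block scalar's text is relative to its first line's indentation, and a trailing blank line is not part of the scalar), so it is serializer normalization rather than an edit. That is fine as long as every report is normalized the same way in this commit, otherwise the next textual change to a file that kept its trailing blank line will show a different diff; a line in the commit message saying the reports were re-marshaled would make that explicit.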
View file

@ -14,6 +14,7 @@ description: |
attack.
For example, Clean(`.\c:`) returns `c:`.
published: 2022-07-28T17:25:07Z
credit: Unrud
os:
- windows
@ -25,7 +26,8 @@ links:
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
cve_metadata:
id: CVE-2022-29804
cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
Traversal'')'
description: |
Incorrect conversion of certain invalid paths to valid, absolute paths
in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows
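Review bot: the `cwe` value is now wrapped across two lines as a single-quoted flow scalar (`(''Path` on one line, `Traversal'')'` on the next). YAML folds a line break inside a flow scalar to a single space, so the decoded value is still "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", but the wrapped form is easy to misread as two values, breaks a grep for the full CWE title, and will produce another spurious diff if a later tool wraps at a different width. Consider keeping CWE titles on one line, by raising the encoder's line width if it allows that, or by emitting this field in the original double-quoted style.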

View file

@ -13,6 +13,7 @@ description: |
non-constant time comparison for secrets while validating a Gitlab request.
This allows for a timing attack where an attacker can recover a secret and
then forge the request.
published: 2022-08-11T20:54:51Z
cves:
- CVE-2022-24912
ghsas:

View file

@ -19,10 +19,11 @@ description: |
See
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601
for details on the Windows vulnerability.
os:
- windows
published: 2022-08-01T22:21:17Z
cves:
- CVE-2020-0601
os:
- windows
links:
pr: https://go.dev/cl/215905
commit: https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c2
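Review bot: the `os:` block moves from above `published` to below `cves:` in this hunk, matching the position it already has in the os/exec report (between `credit` and `links`). The decoded report is unchanged and the move brings the file in line with the struct's field order, but it is a reordering unrelated to adding `published`, and a reader of the history could take it for a hand edit. Keep it, since all reports now serialize identically, and note the re-marshaling in the commit message.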

View file

@ -28,6 +28,7 @@ description: |
over each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can
consume excess memory, CPU, or both.
published: 2022-08-01T22:20:53Z
cves:
- CVE-2019-9512
- CVE-2019-9514
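Review bot: `published: 2022-08-01T22:20:53Z` for CVE-2019-9512 and CVE-2019-9514 (and likewise 2022-08-01 for the 2020 crypto/x509 report and 2022-05-25 for CVE-2014-7189) records when the report entered this database, as the commit message says, not when the vulnerability was disclosed. That is the right value for the report's own lifecycle, but if the OSV export maps it to the OSV `published` field it is what downstream tooling will show as the advisory date, so the field's doc comment or the report schema documentation should state explicitly that this is the database publication date and that original disclosure dates are in the linked CVE and announcement references.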

View file

@ -12,6 +12,7 @@ packages:
description: |
Decoding big.Float and big.Rat types can panic if the encoded message is
too short, potentially allowing a denial of service.
published: 2022-08-01T22:21:06Z
credit: '@catenacyber'
links:
pr: https://go.dev/cl/417774

View file

@ -8,6 +8,7 @@ description: |
There is no known workaround for Biscuit v1. The Biscuit v2 specification
avoids this vulnerability.
published: 2022-08-15T18:02:15Z
cves:
- CVE-2022-31053
ghsas:

Some files were not shown because too many files changed in this commit.