data/reports: add published date to all reports

The move of reports from reports/ to data/reports broke lookups of the publication date from the git history. Set the publication date for all existing reports based on the history from the old location. Change-Id: I7a4dd9121894d037c689db7398311b234bdf270b Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/424377 Reviewed-by: Julie Qiu <julieqiu@google.com>
2022-08-17 15:39:45 -07:00 · 2022-08-17 15:39:45 -07:00 · 95a417dbb7
--- a/data/reports/GO-2021-0142.yaml
+++ b/data/reports/GO-2021-0142.yaml
@ -19,6 +19,7 @@ description: |
    input than expected when the caller is reading directly from a
    network and depends on ReadUvarint or ReadVarint only consuming a
    small, bounded number of bytes, even from invalid inputs.
+published: 2022-07-01T20:11:09Z
 cves:
  - CVE-2020-16845
 ghsas:
--- a/data/reports/GO-2021-0154.yaml
+++ b/data/reports/GO-2021-0154.yaml
@ -15,6 +15,7 @@ description: |
    rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,
    then a malicious client can falsely assert ownership of any client
    certificate it wishes.
+published: 2022-05-25T21:11:41Z
 cves:
  - CVE-2014-7189
 credit: Go Team
--- a/data/reports/GO-2021-0317.yaml
+++ b/data/reports/GO-2021-0317.yaml
@ -9,6 +9,7 @@ packages:
        fixed: 1.17.7
 description: |
    Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.
+published: 2022-05-23T22:15:42Z
 cves:
  - CVE-2022-23772
 credit: Emmanuel Odeke
--- a/data/reports/GO-2021-0319.yaml
+++ b/data/reports/GO-2021-0319.yaml
@ -14,6 +14,7 @@ description: |
    might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
    may cause a panic or an invalid curve operation. Note that Unmarshal will never
    return such values.
+published: 2022-05-23T22:15:21Z
 cves:
  - CVE-2022-23806
 credit: Guido Vranken
--- a/data/reports/GO-2021-0321.yaml
+++ b/data/reports/GO-2021-0321.yaml
@ -11,6 +11,7 @@ description: |
    WebSocket connection request to a server under their control without
    causing TLS certificate verification to fail. This occurs because
    the wrong host name is selected during this verification.
+published: 2022-03-15T19:38:30Z
 cves:
  - CVE-2022-24968
 ghsas:
--- a/data/reports/GO-2021-0347.yaml
+++ b/data/reports/GO-2021-0347.yaml
@ -1,17 +1,18 @@
 packages:
  - module: std
    package: regexp
+    symbols:
+      - regexp.Compile
    versions:
      - fixed: 1.16.15
      - introduced: 1.17.0
        fixed: 1.17.8
-    symbols:
-      - regexp.Compile
 description: |
    On 64-bit platforms, an extremely deeply nested expression can
    cause regexp.Compile to cause goroutine stack exhaustion, forcing
    the program to exit. Note this applies to very large expressions,
    on the order of 2MB.
+published: 2022-05-23T22:15:47Z
 cves:
  - CVE-2022-24921
 credit: Juho Nurminen
--- a/data/reports/GO-2021-0356.yaml
+++ b/data/reports/GO-2021-0356.yaml
@ -16,6 +16,7 @@ description: |

    Servers that only use Signer implementations provided by the ssh package are
    unaffected.
+published: 2022-04-25T20:38:40Z
 cves:
  - CVE-2022-27191
 ghsas:
--- a/data/reports/GO-2021-0412.yaml
+++ b/data/reports/GO-2021-0412.yaml
@ -26,6 +26,7 @@ description: |
    that image had previously been decrypted. A patch has been
    applied to imgcrypt 1.1.4. Workarounds may include usage of
    different namespaces for each remote user.
+published: 2022-04-28T23:35:11Z
 cves:
  - CVE-2022-24778
 ghsas:
--- a/data/reports/GO-2022-0166.yaml
+++ b/data/reports/GO-2022-0166.yaml
@ -13,6 +13,7 @@ description: |
    long-running computations, which in turn makes Go programs vulnerable to
    remote denial of service attacks.  Programs using HTTPS client certificates
    or the Go SSH server libraries are both exposed to this vulnerability.
+published: 2022-05-24T22:06:33Z
 cves:
  - CVE-2016-3959
 credit: David Wong
--- a/data/reports/GO-2022-0171.yaml
+++ b/data/reports/GO-2022-0171.yaml
@ -13,6 +13,7 @@ description: |
    If the user had a root certificate loaded in their Keychain that was
    explicitly not trusted, a Go program would still verify a connection using
    that root certificate.
+published: 2022-05-24T20:17:59Z
 cves:
  - CVE-2017-1000097
 credit: Xy Ziemba
--- a/data/reports/GO-2022-0177.yaml
+++ b/data/reports/GO-2022-0177.yaml
@ -17,6 +17,7 @@ description: |
    get" can be tricked into reusing this Git checkout for the fetch of code
    from pkg2. If the Subversion repository's Git checkout has malicious
    commands in .git/hooks/, they will execute on the system running "go get".
+published: 2022-08-09T17:31:35Z
 cves:
  - CVE-2017-15041
 credit: Simon Rawet
--- a/data/reports/GO-2022-0187.yaml
+++ b/data/reports/GO-2022-0187.yaml
@ -9,8 +9,6 @@ packages:
      - introduced: 1.8.0
        fixed: 1.8.2
    vulnerable_at: 1.8.1
-arch:
-  - amd64
 description: |
    The ScalarMult implementation of curve P-256 for amd64 architectures
    generates incorrect results for certain specific input points.
@ -18,9 +16,12 @@ description: |
    ScalarMult by submitting crafted points and observing failures to
    derive correct output. This leads to a full key recovery attack
    against static ECDH, as used in popular JWT libraries.
+published: 2022-07-01T20:11:15Z
 cves:
  - CVE-2017-8932
 credit: Vlad Krasnov and Filippo Valsorda at Cloudflare
+arch:
+  - amd64
 links:
    pr: https://go.dev/cl/41070
    commit: https://go.googlesource.com/go/+/9294fa2749ffee7edbbb817a0ef9fe633136fa9c
--- a/data/reports/GO-2022-0189.yaml
+++ b/data/reports/GO-2022-0189.yaml
@ -29,6 +29,7 @@ description: |
    Note that forbidding import paths with a .git element might not be
    sufficient to mitigate this issue, as on certain systems there can be other
    aliases for VCS state folders.
+published: 2022-08-04T21:30:35Z
 cves:
  - CVE-2018-16873
 credit: Etienne Stalmans of Heroku
--- a/data/reports/GO-2022-0190.yaml
+++ b/data/reports/GO-2022-0190.yaml
@ -17,6 +17,7 @@ description: |
    (the distinction is documented at
    https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause
    an arbitrary filesystem write, which can lead to code execution.
+published: 2022-08-02T15:44:23Z
 cves:
  - CVE-2018-16874
 credit: ztz of Tencent Security Platform
--- a/data/reports/GO-2022-0191.yaml
+++ b/data/reports/GO-2022-0191.yaml
@ -15,6 +15,7 @@ description: |
    to craft pathological inputs leading to a CPU denial of service.
    Go TLS servers accepting client certificates and TLS clients
    verifying certificates are affected.
+published: 2022-07-15T23:03:26Z
 cves:
  - CVE-2018-16875
 credit: Netflix
--- a/data/reports/GO-2022-0192.yaml
+++ b/data/reports/GO-2022-0192.yaml
@ -14,6 +14,7 @@ description: |

    For example, the Parse function panics on the input
    "<math><template><mo><template>".
+published: 2022-07-01T20:11:34Z
 cves:
  - CVE-2018-17142
 credit: '@tr3ee'
--- a/data/reports/GO-2022-0193.yaml
+++ b/data/reports/GO-2022-0193.yaml
@ -14,6 +14,7 @@ description: |

    For example, the Parse function panics on the input
    "<template><tBody><isindex/action=0>".
+published: 2022-07-06T18:14:54Z
 cves:
  - CVE-2018-17143
 credit: '@tr3ee'
--- a/data/reports/GO-2022-0197.yaml
+++ b/data/reports/GO-2022-0197.yaml
@ -14,6 +14,7 @@ description: |

    For example, the Parse function panics on the input
    "<svg><template><desc><t><svg></template>".
+published: 2022-07-01T20:15:19Z
 cves:
  - CVE-2018-17847
  - CVE-2018-17848
--- a/data/reports/GO-2022-0201.yaml
+++ b/data/reports/GO-2022-0201.yaml
@ -19,6 +19,7 @@ description: |
    "// #cgo CFLAGS: -fplugin=attack.so" causing the attack plugin to be
    loaded into the host C compiler during the build. Gcc and clang plugins are
    completely unrestricted in their access to the host system.
+published: 2022-08-09T18:15:41Z
 cves:
  - CVE-2018-6574
 credit: Christopher Brown of Mattermost
--- a/data/reports/GO-2022-0203.yaml
+++ b/data/reports/GO-2022-0203.yaml
@ -13,6 +13,7 @@ description: |
    the import path (get/vcs.go only checks for "://" anywhere in the string),
    which allows remote attackers to execute arbitrary OS commands via a
    crafted web site.
+published: 2022-08-09T23:19:00Z
 cves:
  - CVE-2018-7187
 credit: Arthur Khashaev
--- a/data/reports/GO-2022-0209.yaml
+++ b/data/reports/GO-2022-0209.yaml
@ -22,11 +22,12 @@ description: |

    Architectures other than amd64 and uses that generate less than 256 GiB
    of keystream for a single salsa20.XORKeyStream invocation are unaffected.
-arch:
-  - amd64
+published: 2022-07-01T20:15:25Z
 cves:
  - CVE-2019-11840
 credit: Michael McLoughlin
+arch:
+  - amd64
 links:
    pr: https://go.dev/cl/168406
    commit: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
--- a/data/reports/GO-2022-0211.yaml
+++ b/data/reports/GO-2022-0211.yaml
@ -14,6 +14,7 @@ description: |
    The url.Parse function accepts URLs with malformed hosts, such that the Host
    field can have arbitrary suffixes that appear in neither Hostname() nor Port(),
    allowing authorization bypasses in certain applications.
+published: 2022-07-01T20:15:30Z
 cves:
  - CVE-2019-14809
 credit: Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me)
--- a/data/reports/GO-2022-0212.yaml
+++ b/data/reports/GO-2022-0212.yaml
@ -18,6 +18,7 @@ description: |
    are multiplexed onto the same upstream connection by the proxy. Such
    invalid headers are now rejected by Go servers, and passed without
    normalization to Go client applications.
+published: 2022-05-23T22:46:20Z
 cves:
  - CVE-2019-16276
 credit: Andrew Stucki, Adam Scarr (99designs.com), and Jan Masarik (masarik.sh)
--- a/data/reports/GO-2022-0213.yaml
+++ b/data/reports/GO-2022-0213.yaml
@ -23,6 +23,7 @@ description: |
    client can panic due to a malformed host key, while a server could panic if
    either PublicKeyCallback accepts a malformed public key, or if
    IsUserAuthority accepts a certificate with a malformed public key.
+published: 2022-05-24T20:14:11Z
 cves:
  - CVE-2019-17596
 credit: Daniel Mandragona
--- a/data/reports/GO-2022-0217.yaml
+++ b/data/reports/GO-2022-0217.yaml
@ -15,6 +15,7 @@ description: |
    These inputs might be delivered via TLS handshakes, X.509 certificates, JWT
    tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private
    key is reused more than once, the attack can also lead to key recovery.
+published: 2022-05-24T15:21:01Z
 cves:
  - CVE-2019-6486
 credit: Wycheproof Project
--- a/data/reports/GO-2022-0220.yaml
+++ b/data/reports/GO-2022-0220.yaml
@ -20,6 +20,7 @@ packages:
 description: |
    Go on Windows misused certain LoadLibrary functionality, leading to DLL
    injection.
+published: 2022-05-25T18:01:46Z
 cves:
  - CVE-2019-9634
 credit: Samuel Cochran, Jason Donenfeld
--- a/data/reports/GO-2022-0229.yaml
+++ b/data/reports/GO-2022-0229.yaml
@ -21,6 +21,7 @@ description: |
    certificates. net/http clients can be made to crash by an HTTPS
    server, while net/http servers that accept client certificates
    will recover the panic and are unaffected.
+published: 2022-07-06T18:23:48Z
 cves:
  - CVE-2020-7919
 ghsas:
--- a/data/reports/GO-2022-0230.yaml
+++ b/data/reports/GO-2022-0230.yaml
@ -18,6 +18,7 @@ description: |
    This function does not sanitize its plugin parameter, so parameter
    names containing "../" or other such elements may reference
    arbitrary locations on the filesystem.
+published: 2022-07-01T20:17:57Z
 cves:
  - CVE-2021-20206
 ghsas:
--- a/data/reports/GO-2022-0233.yaml
+++ b/data/reports/GO-2022-0233.yaml
@ -14,6 +14,7 @@ description: |
    v0.6.0 of the proxyproto package adds support for a user-defined
    header timeout. v0.6.1 adds a default timeout of 200ms and v0.6.2
    increases the default timeout to 10s.
+published: 2022-07-01T20:18:04Z
 cves:
  - CVE-2021-23409
 ghsas:
--- a/data/reports/GO-2022-0236.yaml
+++ b/data/reports/GO-2022-0236.yaml
@ -35,6 +35,7 @@ description: |

    This also affects golang.org/x/net/http2/h2c and
    HeaderValuesContainsToken in golang.org/x/net/http/httpguts.
+published: 2022-07-15T23:04:18Z
 cves:
  - CVE-2021-31525
 credit: Guido Vranken
--- a/data/reports/GO-2022-0244.yaml
+++ b/data/reports/GO-2022-0244.yaml
@ -17,6 +17,7 @@ packages:
 description: |
    Random data used to create UUIDs can contain zeros, resulting in
    predictable UUIDs and possible collisions.
+published: 2022-07-15T23:06:26Z
 cves:
  - CVE-2021-3538
 links:
--- a/data/reports/GO-2022-0246.yaml
+++ b/data/reports/GO-2022-0246.yaml
@ -11,6 +11,7 @@ packages:
 description: |
    The ROAEntry.Validate function fails to perform bounds checks on
    the MaxLength field, allowing invalid values to pass validation.
+published: 2022-07-15T23:06:38Z
 cves:
  - CVE-2021-3761
 ghsas:
--- a/data/reports/GO-2022-0247.yaml
+++ b/data/reports/GO-2022-0247.yaml
@ -24,13 +24,14 @@ description: |
    their copy (as described in
    https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any
    modules.
+published: 2022-05-24T20:14:28Z
 cves:
  - CVE-2021-38297
+credit: Ben Lubar
 os:
  - js
 arch:
  - wasm
-credit: Ben Lubar
 links:
    pr: https://go.dev/cl/354571
    commit: https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4
--- a/data/reports/GO-2022-0248.yaml
+++ b/data/reports/GO-2022-0248.yaml
@ -17,6 +17,7 @@ description: |
    The ExtractPathManifest function permits file paths containing relative
    directory components (".."), permitting files to reference arbitrary
    locations on the filesystem.
+published: 2022-07-15T23:07:18Z
 cves:
  - CVE-2021-3907
 ghsas:
--- a/data/reports/GO-2022-0251.yaml
+++ b/data/reports/GO-2022-0251.yaml
@ -12,6 +12,7 @@ packages:
    vulnerable_at: 1.3.0
 description: |
    Invalid input data can cause a panic.
+published: 2022-07-15T23:07:28Z
 cves:
  - CVE-2021-3910
 ghsas:
--- a/data/reports/GO-2022-0252.yaml
+++ b/data/reports/GO-2022-0252.yaml
@ -16,6 +16,7 @@ packages:
    vulnerable_at: 1.3.0
 description: |
    Invalid input data can cause a panic.
+published: 2022-07-15T23:07:41Z
 cves:
  - CVE-2021-3911
 ghsas:
--- a/data/reports/GO-2022-0253.yaml
+++ b/data/reports/GO-2022-0253.yaml
@ -9,6 +9,7 @@ packages:
 description: |
    The HTTPFetcher.GetXML function reads a response of unlimited size into
    memory, permitting resource exhausion.
+published: 2022-07-15T23:07:48Z
 cves:
  - CVE-2021-3912
 ghsas:
--- a/data/reports/GO-2022-0254.yaml
+++ b/data/reports/GO-2022-0254.yaml
@ -25,6 +25,7 @@ description: |
    error, where vulnerable nodes obtain a different stateRoot when
    processing a maliciously crafted transaction. This, in turn,
    would lead to the chain being split in two forks.
+published: 2022-07-15T23:07:56Z
 cves:
  - CVE-2021-39137
 ghsas:
--- a/data/reports/GO-2022-0256.yaml
+++ b/data/reports/GO-2022-0256.yaml
@ -18,6 +18,7 @@ packages:
    vulnerable_at: 1.10.8
 description: |
    A maliciously crafted snap/1 protocol message can cause a panic.
+published: 2022-07-15T23:08:03Z
 cves:
  - CVE-2021-41173
 ghsas:
--- a/data/reports/GO-2022-0272.yaml
+++ b/data/reports/GO-2022-0272.yaml
@ -19,6 +19,7 @@ description: |
    This vulnerability only occurs when built with Go versions prior to 1.17.
    Go 1.17 and later strip directory paths from filenames returned by
    "mime/multipart".Part.FileName, which avoids this issue.
+published: 2022-07-15T23:08:12Z
 cves:
  - CVE-2021-23772
 ghsas:
--- a/data/reports/GO-2022-0273.yaml
+++ b/data/reports/GO-2022-0273.yaml
@ -6,13 +6,14 @@ packages:
      - OpenReader
    versions:
      - fixed: 1.16.8
-      - introduced: 1.17
+      - introduced: "1.17"
        fixed: 1.17.1
 description: |
    The NewReader and OpenReader functions in archive/zip can cause a panic or
    an unrecoverable fatal error when reading an archive that claims to contain
    a large number of files, regardless of its actual size. This is
    caused by an incomplete fix for CVE-2021-33196.
+published: 2022-05-18T18:23:31Z
 cves:
  - CVE-2021-39293
 credit: OSS-Fuzz Project and Emmanuel Odeke
--- a/data/reports/GO-2022-0274.yaml
+++ b/data/reports/GO-2022-0274.yaml
@ -10,6 +10,7 @@ packages:
 description: |
    An attacker with partial control over the bind mount sources of a new
    container can bypass namespace restrictions.
+published: 2022-07-15T23:08:20Z
 cves:
  - CVE-2021-43784
 ghsas:
--- a/data/reports/GO-2022-0288.yaml
+++ b/data/reports/GO-2022-0288.yaml
@ -20,6 +20,7 @@ packages:
 description: |
    An attacker can cause unbounded memory growth in servers accepting
    HTTP/2 requests.
+published: 2022-07-15T23:08:33Z
 cves:
  - CVE-2021-44716
 credit: murakmii
--- a/data/reports/GO-2022-0289.yaml
+++ b/data/reports/GO-2022-0289.yaml
@ -5,7 +5,7 @@ packages:
      - ForkExec
    versions:
      - fixed: 1.16.12
-      - introduced: 1.17
+      - introduced: "1.17"
        fixed: 1.17.5
 description: |
    When a Go program running on a Unix system is out of file descriptors and
@ -17,6 +17,7 @@ description: |

    For users who cannot immediately update to the new release, the bug can be
    mitigated by raising the per-process file descriptor limit.
+published: 2022-05-18T18:23:23Z
 cves:
  - CVE-2021-44717
 credit: Tomasz Maczukin and Kamil Trzciński of GitLab
--- a/data/reports/GO-2022-0294.yaml
+++ b/data/reports/GO-2022-0294.yaml
@ -19,6 +19,7 @@ description: |
    performed by quote verification, meaning a local attacker can couple this
    vulnerability with a maliciously-formed TCG log in Eventlog.Verify to spoof
    events in the TCG log, defeating remotely-attested measured-boot.
+published: 2022-07-15T23:27:21Z
 cves:
  - CVE-2022-0317
 ghsas:
--- a/data/reports/GO-2022-0300.yaml
+++ b/data/reports/GO-2022-0300.yaml
@ -20,6 +20,7 @@ description: |

    This issue only occurs when using the graphql.MaxDepth schema option
    (which is highly recommended in most cases).
+published: 2022-07-15T23:10:20Z
 cves:
  - CVE-2022-21708
 ghsas:
--- a/data/reports/GO-2022-0316.yaml
+++ b/data/reports/GO-2022-0316.yaml
@ -14,12 +14,13 @@ packages:
 description: |
    Pretty-printing an AST that contains synthetic nodes can change the logic
    of some statements by reordering array literals.
+published: 2022-07-27T20:27:33Z
 cves:
  - CVE-2022-23628
 ghsas:
  - GHSA-hcw3-j74m-qc58
 links:
-    advisory: https://github.com/open-policy-agent/opa/security/advisories/GHSA-hcw3-j74m-qc58
    commit: https://github.com/open-policy-agent/opa/commit/932e4ffc37a590ace79e9b75ca4340288c220239
+    advisory: https://github.com/open-policy-agent/opa/security/advisories/GHSA-hcw3-j74m-qc58
    context:
      - https://github.com/open-policy-agent/opa/commit/2bd8edab9e10e2dc9cf76ae8335ced0c224f3055
--- a/data/reports/GO-2022-0318.yaml
+++ b/data/reports/GO-2022-0318.yaml
@ -15,6 +15,7 @@ description: |
    The go command can misinterpret branch names that falsely appear to be
    version tags. This can lead to incorrect access control if an actor is
    authorized to create branches but not tags.
+published: 2022-08-01T22:20:42Z
 cves:
  - CVE-2022-23773
 links:
--- a/data/reports/GO-2022-0322.yaml
+++ b/data/reports/GO-2022-0322.yaml
@ -31,6 +31,7 @@ description: |
    pass a metric with a "method" label name to a middleware; and not
    have any firewall/LB/proxy that filters away requests with unknown
    "method".
+published: 2022-07-15T23:29:02Z
 cves:
  - CVE-2022-21698
 ghsas:
--- a/data/reports/GO-2022-0345.yaml
+++ b/data/reports/GO-2022-0345.yaml
@ -9,6 +9,7 @@ packages:
 description: |
    The RunUsingChroot function unintentionally propagates environment
    variables from the current process to the child process.
+published: 2022-07-15T23:30:21Z
 cves:
  - CVE-2021-3602
 ghsas:
--- a/data/reports/GO-2022-0346.yaml
+++ b/data/reports/GO-2022-0346.yaml
@ -10,6 +10,7 @@ description: |
    A maliciously crafted RPM file can cause the Scanner.Scan function to
    write files with arbitrary contents to arbitrary locations on the local
    filestem.
+published: 2022-07-15T23:30:27Z
 cves:
  - CVE-2021-3762
 ghsas:
--- a/data/reports/GO-2022-0355.yaml
+++ b/data/reports/GO-2022-0355.yaml
@ -13,6 +13,7 @@ description: |
    URL path normalization does not handle Windows path separators
    (backslashes), permitting an attacker to construct requests
    with relative paths.
+published: 2022-07-27T20:26:59Z
 cves:
  - CVE-2022-21221
 ghsas:
--- a/data/reports/GO-2022-0370.yaml
+++ b/data/reports/GO-2022-0370.yaml
@ -26,6 +26,7 @@ description: |

    Providing a *tls.Config with a ServerName field set to the
    correct destination hostname will avoid this issue.
+published: 2022-07-29T20:00:14Z
 cves:
  - CVE-2022-24968
 ghsas:
--- a/data/reports/GO-2022-0379.yaml
+++ b/data/reports/GO-2022-0379.yaml
@ -16,6 +16,7 @@ description: |

    This problem has been addressed in newer versions by improving validation
    in manifest unmarshaling.
+published: 2022-07-29T20:00:03Z
 ghsas:
  - GHSA-qq97-vm5h-rrhg
 links:
--- a/data/reports/GO-2022-0380.yaml
+++ b/data/reports/GO-2022-0380.yaml
@ -16,6 +16,7 @@ description: |
    In these versions, the IsRevoked method always return true.

    (This advisory is canonically https://advisories.nats.io/CVE/CVE-2020-26892.txt)
+published: 2022-07-15T23:29:36Z
 cves:
  - CVE-2020-26892
 ghsas:
--- a/data/reports/GO-2022-0384.yaml
+++ b/data/reports/GO-2022-0384.yaml
@ -21,6 +21,7 @@ description: |

    For further details, see
    https://github.com/advisories/GHSA-56hp-xqp3-w2jf.
+published: 2022-07-15T23:29:45Z
 cves:
  - CVE-2021-32690
 ghsas:
--- a/data/reports/GO-2022-0385.yaml
+++ b/data/reports/GO-2022-0385.yaml
@ -15,10 +15,11 @@ description: |
    This issue only affects WebSockets with an AuthenticateMethod hook.
    Request handlers that do not explicitly use WebSockets are not
    vulnerable.
-cve_metadata:
-    id: CVE-2021-4237
-    cwe: "CWE 287: Improper Authentication"
+published: 2022-07-01T20:11:02Z
 ghsas:
  - GHSA-5gjg-jgh4-gppm
 links:
    commit: https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
+cve_metadata:
+    id: CVE-2021-4237
+    cwe: 'CWE 287: Improper Authentication'
--- a/data/reports/GO-2022-0386.yaml
+++ b/data/reports/GO-2022-0386.yaml
@ -29,6 +29,7 @@ description: |

    For further details and mitigation procedures, see
    https://advisories.nats.io/CVE/CVE-2021-3127.txt
+published: 2022-07-01T20:11:22Z
 cves:
  - CVE-2021-3127
 ghsas:
--- a/data/reports/GO-2022-0391.yaml
+++ b/data/reports/GO-2022-0391.yaml
@ -24,10 +24,11 @@ description: |
    the plaintext, if the hash is readable to the attacker.

    AWS now blocks this metadata field, but older SDK versions still send it.
-cve_metadata:
-    id: CVE-2022-2582
-    cwe: "CWE 311: Missing Encryption of Sensitive Data"
+published: 2022-07-01T20:10:56Z
 ghsas:
  - GHSA-76wf-9vgp-pj7w
 links:
    commit: https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1
+cve_metadata:
+    id: CVE-2022-2582
+    cwe: 'CWE 311: Missing Encryption of Sensitive Data'
--- a/data/reports/GO-2022-0400.yaml
+++ b/data/reports/GO-2022-0400.yaml
@ -8,10 +8,12 @@ packages:
      - fixed: 0.7.2
    vulnerable_at: 0.7.1
 description: A race condition can cause incorrect HTTP request routing.
+published: 2022-07-01T20:10:50Z
 ghsas:
  - GHSA-h2x7-2ff6-v32p
-cve_metadata:
-    id: CVE-2022-2583
-    cwe: "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"
 links:
    commit: https://github.com/ntbosscher/gobase/commit/a8d40bce9c429d324122d18c446924dab809e812
+cve_metadata:
+    id: CVE-2022-2583
+    cwe: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization
+        ('Race Condition')
--- a/data/reports/GO-2022-0402.yaml
+++ b/data/reports/GO-2022-0402.yaml
@ -14,6 +14,7 @@ packages:
 description: |
    A malicious account can create and sign a User JWT which causes a panic
    when decoded by the NATS JWT library.
+published: 2022-07-01T20:10:43Z
 cves:
  - CVE-2020-26521
 ghsas:
--- a/data/reports/GO-2022-0411.yaml
+++ b/data/reports/GO-2022-0411.yaml
@ -13,10 +13,11 @@ description: |
    The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return
    strings containing at least one digit from 0 to 9. This significantly
    reduces the amount of entropy in short strings generated by these functions.
+published: 2022-07-01T20:08:24Z
 ghsas:
  - GHSA-xg2h-wx96-xgxr
-cve_metadata:
-    id: CVE-2021-4238
-    cwe: "CWE 330: Use of Insufficiently Random Values"
 links:
    commit: https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1
+cve_metadata:
+    id: CVE-2021-4238
+    cwe: 'CWE 330: Use of Insufficiently Random Values'
--- a/data/reports/GO-2022-0414.yaml
+++ b/data/reports/GO-2022-0414.yaml
@ -29,6 +29,7 @@ description: |
    user-provided arguments.  These arguments can be interpreted
    as command-line flags, which can be used to perform command
    injection.
+published: 2022-07-01T20:08:17Z
 cves:
  - CVE-2022-21235
 ghsas:
--- a/data/reports/GO-2022-0417.yaml
+++ b/data/reports/GO-2022-0417.yaml
@ -21,6 +21,7 @@ description: |
    This bug does not affect the container security sandbox, as the
    inheritable set never contains more capabilities than are included
    in the container's bounding set.
+published: 2022-07-01T20:08:10Z
 cves:
  - CVE-2022-27651
 ghsas:
--- a/data/reports/GO-2022-0422.yaml
+++ b/data/reports/GO-2022-0422.yaml
@ -10,10 +10,12 @@ packages:
      - fixed: 1.3.1
    vulnerable_at: 1.3.0
 description: The dag-pb codec can panic when decoding invalid blocks.
+published: 2022-07-01T20:08:04Z
 ghsas:
  - GHSA-g3vv-g2j5-45f2
-cve_metadata:
-    id: CVE-2022-2584
-    cwe: "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
 links:
    commit: https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57
+cve_metadata:
+    id: CVE-2022-2584
+    cwe: 'CWE-119: Improper Restriction of Operations within the Bounds of a Memory
+        Buffer'
--- a/data/reports/GO-2022-0433.yaml
+++ b/data/reports/GO-2022-0433.yaml
@ -10,6 +10,7 @@ packages:
 description: |
    encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has
    a Decode stack overflow via a large amount of PEM data.
+published: 2022-05-20T21:17:25Z
 cves:
  - CVE-2022-24675
 credit: Juho Nurminen of Mattermost
--- a/data/reports/GO-2022-0434.yaml
+++ b/data/reports/GO-2022-0434.yaml
@ -12,6 +12,7 @@ description: |

    These chains can be delivered through TLS and can cause a crypto/tls or
    net/http client to crash.
+published: 2022-05-23T21:59:00Z
 cves:
  - CVE-2022-27536
 credit: Tailscale
--- a/data/reports/GO-2022-0435.yaml
+++ b/data/reports/GO-2022-0435.yaml
@ -6,12 +6,13 @@ packages:
      - P256.ScalarBaseMult
    versions:
      - fixed: 1.17.9
-      - introduced: 1.18
+      - introduced: "1.18"
        fixed: 1.18.1
 description: |
    A crafted scalar input longer than 32 bytes can cause P256().ScalarMult
    or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
    crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
+published: 2022-05-20T21:17:46Z
 cves:
  - CVE-2022-28327
 credit: Project Wycheproof
--- a/data/reports/GO-2022-0438.yaml
+++ b/data/reports/GO-2022-0438.yaml
@ -15,6 +15,7 @@ packages:
 description: |
    The getter package can write SSH credentials to its logfile,
    exposing credentials to local users able to read the logfile.
+published: 2022-07-01T20:07:52Z
 cves:
  - CVE-2022-29810
 ghsas:
--- a/data/reports/GO-2022-0444.yaml
+++ b/data/reports/GO-2022-0444.yaml
@ -27,6 +27,7 @@ description: |
    The TUF client is vulnerable to rollback attacks, in which an
    attacker causes a client to install software older than the software
    the client previously knew to be available.
+published: 2022-07-01T20:07:44Z
 cves:
  - CVE-2022-29173
 ghsas:
--- a/data/reports/GO-2022-0460.yaml
+++ b/data/reports/GO-2022-0460.yaml
@ -18,6 +18,7 @@ packages:
 description: |
    An attacker can send packets that send the DTLS server or client
    into an infinite loop.
+published: 2022-07-01T20:07:34Z
 cves:
  - CVE-2022-29190
 ghsas:
--- a/data/reports/GO-2022-0461.yaml
+++ b/data/reports/GO-2022-0461.yaml
@ -21,6 +21,7 @@ description: |
    The Pion DTLS client and server buffer handshake data with no
    upper limit, permitting an attacker to cause unbounded memory
    consumption by sending an unterminated handshake.
+published: 2022-07-01T20:07:25Z
 cves:
  - CVE-2022-29189
 ghsas:
--- a/data/reports/GO-2022-0462.yaml
+++ b/data/reports/GO-2022-0462.yaml
@ -23,6 +23,7 @@ description: |
    possesses the private key for the certificate. The Pion DTLS server
    accepted client certificates unaccompanied by this proof, permitting
    an attacker to present any certificate and have it accepted as valid.
+published: 2022-07-01T20:07:12Z
 cves:
  - CVE-2022-29222
 ghsas:
--- a/data/reports/GO-2022-0463.yaml
+++ b/data/reports/GO-2022-0463.yaml
@ -208,6 +208,7 @@ description: |

    For example, the pattern "/a/b/:name" can match the URL "/a.xml/b/".
    This may bypass access control applied to the prefix "/a/".
+published: 2022-07-01T20:06:59Z
 cves:
  - CVE-2022-31259
 ghsas:
--- a/data/reports/GO-2022-0470.yaml
+++ b/data/reports/GO-2022-0470.yaml
@ -36,6 +36,7 @@ description: |
    contains no authentication, authorization, or validation of user
    inputs. Exposing handlers from this package can permit attackers to
    create files and delete directories.
+published: 2022-07-15T23:29:55Z
 cves:
  - CVE-2022-31022
 ghsas:
--- a/data/reports/GO-2022-0475.yaml
+++ b/data/reports/GO-2022-0475.yaml
@ -24,6 +24,7 @@ description: |

    This can be caused by malicious unquoted symbol name in a linked object
    file.
+published: 2022-07-28T17:24:30Z
 credit: Chris Brown and Tempus Ex
 links:
    pr: https://go.dev/cl/269658
--- a/data/reports/GO-2022-0476.yaml
+++ b/data/reports/GO-2022-0476.yaml
@ -14,6 +14,7 @@ description: |
    command that builds untrusted code.

    This can be caused by malicious gcc flags specified via a cgo directive.
+published: 2022-07-28T17:24:43Z
 credit: Imre Rad
 links:
    pr: https://go.dev/cl/267277
--- a/data/reports/GO-2022-0477.yaml
+++ b/data/reports/GO-2022-0477.yaml
@ -10,13 +10,7 @@ packages:
 description: |
    On Windows, rand.Read will hang indefinitely if passed a buffer larger than
    1 << 32 - 1 bytes.
-cve_metadata:
-  id: CVE-2022-30634
-  cwe: "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"
-  description: |
-      Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on
-      Windows allows attacker to cause an indefinite hang by passing a buffer
-      larger than 1 << 32 - 1 bytes.
+published: 2022-06-09T01:43:37Z
 credit: Davis Goodin and Quim Muntal of Microsoft
 os:
  - windows
@ -26,3 +20,10 @@ links:
    context:
      - https://go.dev/issue/52561
      - https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
+cve_metadata:
+    id: CVE-2022-30634
+    cwe: 'CWE-835: Loop with Unreachable Exit Condition (''Infinite Loop'')'
+    description: |
+        Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on
+        Windows allows attacker to cause an indefinite hang by passing a buffer
+        larger than 1 << 32 - 1 bytes.
--- a/data/reports/GO-2022-0492.yaml
+++ b/data/reports/GO-2022-0492.yaml
@ -15,6 +15,7 @@ description: |
    contents of a Git repository file. A maliciously crafted repository
    can exploit this to cause Read to read from arbitrary files on
    the filesystem.
+published: 2022-07-15T23:30:03Z
 cves:
  - CVE-2022-25856
 ghsas:
--- a/data/reports/GO-2022-0493.yaml
+++ b/data/reports/GO-2022-0493.yaml
@ -18,6 +18,7 @@ packages:
 description: |
    When called with a non-zero flags parameter, the Faccessat function
    can incorrectly report that a file is accessible.
+published: 2022-07-15T23:30:12Z
 cves:
  - CVE-2022-29526
 credit: Joël Gähwiler (@256dpi)
--- a/data/reports/GO-2022-0503.yaml
+++ b/data/reports/GO-2022-0503.yaml
@ -27,6 +27,7 @@ packages:
    vulnerable_at: 2.3.0
 description: |
    Decoding malformed CAR data can cause panics or excessive memory usage.
+published: 2022-07-30T03:50:50Z
 ghsas:
  - GHSA-9x4h-8wgm-8xfg
 links:
--- a/data/reports/GO-2022-0515.yaml
+++ b/data/reports/GO-2022-0515.yaml
@ -20,6 +20,7 @@ packages:
 description: |
    Calling any of the Parse functions on Go source code which contains deeply
    nested types or declarations can cause a panic due to stack exhaustion.
+published: 2022-07-20T17:01:45Z
 credit: Juho Nurminen of Mattermost
 links:
    pr: https://go.dev/cl/417063
--- a/data/reports/GO-2022-0519.yaml
+++ b/data/reports/GO-2022-0519.yaml
@ -8,6 +8,7 @@ packages:
    vulnerable_at: 1.1.30
 description: |
    Improper validation of access tokens can permit use of expired tokens.
+published: 2022-07-30T03:51:07Z
 cves:
  - CVE-2022-31145
 ghsas:
--- a/data/reports/GO-2022-0520.yaml
+++ b/data/reports/GO-2022-0520.yaml
@ -20,6 +20,7 @@ description: |
    In the more usual case where a Director function sets the
    X-Forwarded-For header value to nil, ReverseProxy leaves the header
    unmodified as expected.
+published: 2022-07-28T17:23:05Z
 credit: Christian Mehlmauer
 links:
    pr: https://go.dev/cl/412857
--- a/data/reports/GO-2022-0521.yaml
+++ b/data/reports/GO-2022-0521.yaml
@ -11,6 +11,7 @@ packages:
 description: |
    Calling Decoder.Skip when parsing a deeply nested XML document can cause a
    panic due to stack exhaustion.
+published: 2022-07-20T17:02:04Z
 credit: Go Security Team and Juho Nurminen of Mattermost
 links:
    pr: https://go.dev/cl/417062
--- a/data/reports/GO-2022-0522.yaml
+++ b/data/reports/GO-2022-0522.yaml
@ -11,6 +11,7 @@ packages:
 description: |
    Calling Glob on a path which contains a large number of path separators can
    cause a panic due to stack exhaustion.
+published: 2022-07-20T17:02:29Z
 credit: Juho Nurminen of Mattermost
 links:
    pr: https://go.dev/cl/417066
--- a/data/reports/GO-2022-0523.yaml
+++ b/data/reports/GO-2022-0523.yaml
@ -14,6 +14,7 @@ description: |
    Unmarshaling an XML document into a Go struct which has a nested
    field that uses the 'any' field tag can panic due to stack
    exhaustion.
+published: 2022-07-20T20:52:06Z
 links:
    pr: https://go.dev/cl/417061
    commit: https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08
--- a/data/reports/GO-2022-0524.yaml
+++ b/data/reports/GO-2022-0524.yaml
@ -11,6 +11,7 @@ packages:
 description: |
    Calling Reader.Read on an archive containing a large number of concatenated
    0-length compressed files can cause a panic due to stack exhaustion.
+published: 2022-07-20T20:52:11Z
 links:
    pr: https://go.dev/cl/417067
    commit: https://go.googlesource.com/go/+/b2b8872c876201eac2d0707276c6999ff3eb185e
--- a/data/reports/GO-2022-0525.yaml
+++ b/data/reports/GO-2022-0525.yaml
@ -13,6 +13,7 @@ description: |
    indicating a "chunked" encoding. This could potentially allow for request
    smuggling, but only if combined with an intermediate server that also
    improperly failed to reject the header as invalid.
+published: 2022-07-25T17:34:18Z
 credit: Zeyu Zhang (https://www.zeyu2001.com/)
 links:
    pr: https://go.dev/cl/409874
@ -23,7 +24,7 @@ links:
      - https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
 cve_metadata:
    id: CVE-2022-1705
-    cwe: "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"
+    cwe: 'CWE-444: Inconsistent Interpretation of HTTP Requests (''HTTP Request Smuggling'')'
    description: |
        Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client
        in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling
--- a/data/reports/GO-2022-0526.yaml
+++ b/data/reports/GO-2022-0526.yaml
@ -13,6 +13,7 @@ packages:
 description: |
    Calling Decoder.Decode on a message which contains deeply nested structures
    can cause a panic due to stack exhaustion.
+published: 2022-07-20T20:52:17Z
 links:
    pr: https://go.dev/cl/417064
    commit: https://go.googlesource.com/go/+/6fa37e98ea4382bf881428ee0c150ce591500eb7
--- a/data/reports/GO-2022-0527.yaml
+++ b/data/reports/GO-2022-0527.yaml
@ -11,6 +11,7 @@ packages:
 description: |
    Calling Glob on a path which contains a large number of path separators can
    cause a panic due to stack exhaustion.
+published: 2022-07-20T20:52:22Z
 links:
    pr: https://go.dev/cl/417065
    commit: https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59
--- a/data/reports/GO-2022-0528.yaml
+++ b/data/reports/GO-2022-0528.yaml
@ -9,6 +9,7 @@ packages:
 description: |
    Sending a message exactly 2000, 4000, or 6000 characters in length
    to Discord causes a panic.
+published: 2022-07-30T03:51:17Z
 cves:
  - CVE-2022-25891
 ghsas:
--- a/data/reports/GO-2022-0531.yaml
+++ b/data/reports/GO-2022-0531.yaml
@ -15,6 +15,7 @@ description: |
    generated ticket_age_add, which allows an attacker that can observe TLS
    handshakes to correlate successive connections by comparing ticket ages
    during session resumption.
+published: 2022-07-28T17:24:57Z
 credit: Github user @nervuri
 links:
    pr: https://go.dev/cl/405994
--- a/data/reports/GO-2022-0532.yaml
+++ b/data/reports/GO-2022-0532.yaml
@ -12,6 +12,7 @@ description: |
    On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput
    when Cmd.Path is unset will unintentionally trigger execution of any
    binaries in the working directory named either "..com" or "..exe".
+published: 2022-07-26T21:41:20Z
 credit: |
    Chris Darroch (chrisd8088@github.com), brian m. carlson (bk2204@github.com),
    and Mikhail Shcherbakov (https://twitter.com/yu5k3)
@ -31,4 +32,3 @@ cve_metadata:
        allows execution of any binaries in the working directory named either
        "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or
        Cmd.CombinedOutput when Cmd.Path is unset.
-
--- a/data/reports/GO-2022-0533.yaml
+++ b/data/reports/GO-2022-0533.yaml
@ -14,6 +14,7 @@ description: |
    attack.

    For example, Clean(`.\c:`) returns `c:`.
+published: 2022-07-28T17:25:07Z
 credit: Unrud
 os:
  - windows
@ -25,7 +26,8 @@ links:
      - https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
 cve_metadata:
    id: CVE-2022-29804
-    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+    cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
+        Traversal'')'
    description: |
        Incorrect conversion of certain invalid paths to valid, absolute paths
        in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows
--- a/data/reports/GO-2022-0534.yaml
+++ b/data/reports/GO-2022-0534.yaml
@ -13,6 +13,7 @@ description: |
    non-constant time comparison for secrets while validating a Gitlab request.
    This allows for a timing attack where an attacker can recover a secret and
    then forge the request.
+published: 2022-08-11T20:54:51Z
 cves:
  - CVE-2022-24912
 ghsas:
--- a/data/reports/GO-2022-0535.yaml
+++ b/data/reports/GO-2022-0535.yaml
@ -19,10 +19,11 @@ description: |
    See
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601
    for details on the Windows vulnerability.
-os:
-  - windows
+published: 2022-08-01T22:21:17Z
 cves:
  - CVE-2020-0601
+os:
+  - windows
 links:
    pr: https://go.dev/cl/215905
    commit: https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c2
--- a/data/reports/GO-2022-0536.yaml
+++ b/data/reports/GO-2022-0536.yaml
@ -28,6 +28,7 @@ description: |
    over each stream that should solicit a stream of RST_STREAM frames from the
    peer. Depending on how the peer queues the RST_STREAM frames, this can
    consume excess memory, CPU, or both.
+published: 2022-08-01T22:20:53Z
 cves:
  - CVE-2019-9512
  - CVE-2019-9514
--- a/data/reports/GO-2022-0537.yaml
+++ b/data/reports/GO-2022-0537.yaml
@ -12,6 +12,7 @@ packages:
 description: |
    Decoding big.Float and big.Rat types can panic if the encoded message is
    too short, potentially allowing a denial of service.
+published: 2022-08-01T22:21:06Z
 credit: '@catenacyber'
 links:
    pr: https://go.dev/cl/417774
--- a/data/reports/GO-2022-0564.yaml
+++ b/data/reports/GO-2022-0564.yaml
@ -8,6 +8,7 @@ description: |

    There is no known workaround for Biscuit v1. The Biscuit v2 specification
    avoids this vulnerability.
+published: 2022-08-15T18:02:15Z
 cves:
  - CVE-2022-31053
 ghsas:
--- a/Показать больше
+++ b/Показать больше