go
/
vulndb
зеркало из https://github.com/golang/vulndb.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

internal/database, data/osv: trim whitespace characters in OSV description 

In GenerateOSVEntry, replace all whitespace characters with single spaces
except for paragraph breaks represented by "\n\n".

Change-Id: Ia03f0b53c94979fada6316be1346df3f48b9fabe
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/439044
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
This commit is contained in:
Tatiana Bradley 2022-10-05 12:05:17 -04:00 коммит произвёл Tatiana Bradley
Родитель 4337df1fe1
Коммит e21719caff
266 изменённых файлов: 295 добавлений и 269 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
data/osv/GO-2020-0001.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36567"
],
"details": "The default Formatter for the Logger middleware (LoggerConfig.Formatter),\nwhich is included in the Default engine, allows attackers to inject arbitrary\nlog entries by manipulating the request path.\n",
"details": "The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0003.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36568"
],
"details": "An attacker can cause an application that accepts slice parameters\n(https://revel.github.io/manual/parameters.html#slices) to allocate large\namounts of memory and crash through manipulating the request query sent to the application.\n",
"details": "An attacker can cause an application that accepts slice parameters (https://revel.github.io/manual/parameters.html#slices) to allocate large amounts of memory and crash through manipulating the request query sent to the application.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0004.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36569"
],
"details": "If any of the ListenAndServe functions are called with an empty token,\ntoken authentication is disabled globally for all listeners.\n\nAlso, a minor timing side channel was present allowing attackers with\nvery low latency and able to make a lot of requests to potentially\nrecover the token.\n",
"details": "If any of the ListenAndServe functions are called with an empty token, token authentication is disabled globally for all listeners.\n\nAlso, a minor timing side channel was present allowing attackers with very low latency and able to make a lot of requests to potentially recover the token.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0005.json
Просмотреть файл

@ -7,7 +7,7 @@
"CVE-2020-15112",
"GHSA-m332-53r6-2w93"
],
"details": "Malformed WALs can be constructed such that WAL.ReadAll can cause attempted\nout of bounds reads, or creation of arbitrarily sized slices, which may be used as\na DoS vector.\n",
"details": "Malformed WALs can be constructed such that WAL.ReadAll can cause attempted out of bounds reads, or creation of arbitrarily sized slices, which may be used as a DoS vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0006.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2017-15133",
"GHSA-p55x-7x9v-q8m4"
],
"details": "An attacker may prevent TCP connections to a Server by opening\na connection and leaving it idle, until the connection is closed by\nthe server no other connections will be accepted.\n",
"details": "An attacker may prevent TCP connections to a Server by opening a connection and leaving it idle, until the connection is closed by the server no other connections will be accepted.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0007.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2017-18367",
"GHSA-58v3-j75h-xr49"
],
"details": "Filters containing rules with multiple syscall arguments are improperly\nconstructed, such that all arguments are required to match rather than\nany of the arguments (AND is used rather than OR). These filters can be\nbypassed by only specifying a subset of the arguments due to this\nbehavior.\n",
"details": "Filters containing rules with multiple syscall arguments are improperly constructed, such that all arguments are required to match rather than any of the arguments (AND is used rather than OR). These filters can be bypassed by only specifying a subset of the arguments due to this behavior.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0008.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2019-19794",
"GHSA-44r7-7p62-q3fr"
],
"details": "DNS message transaction IDs are generated using math/rand which\nmakes them relatively predictable. This reduces the complexity\nof response spoofing attacks against DNS clients.\n",
"details": "DNS message transaction IDs are generated using math/rand which makes them relatively predictable. This reduces the complexity of response spoofing attacks against DNS clients.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0009.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2016-9123",
"GHSA-3fx4-7f69-5mmg"
],
"details": "On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC\nwith HMAC such that they can control how large the input buffer is when computing\nthe HMAC authentication tag. This can can allow a manipulated ciphertext to be\nverified as authentic, opening the door for padding oracle attacks.\n",
"details": "On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC with HMAC such that they can control how large the input buffer is when computing the HMAC authentication tag. This can can allow a manipulated ciphertext to be verified as authentic, opening the door for padding oracle attacks.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0010.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2016-9121",
"GHSA-86r9-39j9-99wp"
],
"details": "When using ECDH-ES an attacker can mount an invalid curve attack during\ndecryption as the supplied public key is not checked to be on the same\ncurve as the receivers private key.\n",
"details": "When using ECDH-ES an attacker can mount an invalid curve attack during decryption as the supplied public key is not checked to be on the same curve as the receivers private key.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0012.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-9283",
"GHSA-ffhg-7mh4-33c4"
],
"details": "An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public\nkey, such that the library will panic when trying to verify a signature\nwith it. If verifying signatures using user supplied public keys, this\nmay be used as a denial of service vector.\n",
"details": "An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. If verifying signatures using user supplied public keys, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0013.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2017-3204"
],
"details": "By default host key verification is disabled which allows for\nman-in-the-middle attacks against SSH clients if\nClientConfig.HostKeyCallback is not set.\n",
"details": "By default host key verification is disabled which allows for man-in-the-middle attacks against SSH clients if ClientConfig.HostKeyCallback is not set.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0014.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2018-17846"
],
"details": "html.Parse does not properly handle \"select\" tags, which can lead\nto an infinite loop. If parsing user supplied input, this may be used\nas a denial of service vector.\n",
"details": "html.Parse does not properly handle \"select\" tags, which can lead to an infinite loop. If parsing user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0015.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with\nUseBOM or ExpectBOM to trigger an infinite loop if the String function on\nthe Decoder is called, or the Decoder is passed to transform.String.\nIf used to parse user supplied input, this may be used as a denial of service\nvector.\n",
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0016.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2021-29482",
"GHSA-25xm-hr59-7c27"
],
"details": "An attacker can construct a series of bytes such that calling\nReader.Read on the bytes could cause an infinite loop. If\nparsing user supplied input, this may be used as a denial of\nservice vector.\n",
"details": "An attacker can construct a series of bytes such that calling Reader.Read on the bytes could cause an infinite loop. If parsing user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0017.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-26160",
"GHSA-w73w-5m7g-f7qc"
],
"details": "If a JWT contains an audience claim with an array of strings, rather\nthan a single string, and MapClaims.VerifyAudience is called with\nreq set to false, then audience verification will be bypassed,\nallowing an invalid set of audiences to be provided.\n",
"details": "If a JWT contains an audience claim with an array of strings, rather than a single string, and MapClaims.VerifyAudience is called with req set to false, then audience verification will be bypassed, allowing an invalid set of audiences to be provided.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0019.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-27813",
"GHSA-3xh2-74w9-5vxm"
],
"details": "An attacker can craft malicious WebSocket frames that cause an integer\noverflow in a variable which tracks the number of bytes remaining. This\nmay cause the server or client to get stuck attempting to read frames\nin a loop, which can be used as a denial of service vector.\n",
"details": "An attacker can craft malicious WebSocket frames that cause an integer overflow in a variable which tracks the number of bytes remaining. This may cause the server or client to get stuck attempting to read frames in a loop, which can be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0020.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2017-20146"
],
"details": "Usage of the CORS handler may apply improper CORS headers, allowing\nthe requester to explicitly control the value of the Access-Control-Allow-Origin\nheader, which bypasses the expected behavior of the Same Origin Policy.\n",
"details": "Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0021.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2014-8681",
"GHSA-mr6h-chqp-p9g2"
],
"details": "Due to improper santization of user input, a number of methods are\nvulnerable to SQL injection if used with user input that has not\nbeen santized by the caller.\n",
"details": "Due to improper santization of user input, a number of methods are vulnerable to SQL injection if used with user input that has not been santized by the caller.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0022.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2014-125026"
],
"details": "LZ4 bindings use a deprecated C API that is vulnerable to\nmemory corruption, which could lead to arbitrary code execution\nif called with untrusted user input.\n",
"details": "LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0023.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2015-10004"
],
"details": "Token validation methods are susceptible to a timing side-channel\nduring HMAC comparison. With a large enough number of requests\nover a low latency connection, an attacker may use this to determine\nthe expected HMAC.\n",
"details": "Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0024.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2013-10005"
],
"details": "The RemoteAddr and LocalAddr methods on the returned net.Conn may\ncall themselves, leading to an infinite loop which will crash the\nprogram due to a stack overflow.\n",
"details": "The RemoteAddr and LocalAddr methods on the returned net.Conn may call themselves, leading to an infinite loop which will crash the program due to a stack overflow.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0025.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2018-25046"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"details": "Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0026.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2018-1103"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"details": "Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0027.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2018-6558",
"GHSA-qj26-7grj-whg3"
],
"details": "After dropping and then elevating process privileges euid, guid, and groups\nare not properly restored to their original values, allowing an unprivileged\nuser to gain membership in the root group.\n",
"details": "After dropping and then elevating process privileges euid, guid, and groups are not properly restored to their original values, allowing an unprivileged user to gain membership in the root group.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0028.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2018-17419",
"GHSA-9jcx-pr2f-qvq5"
],
"details": "Due to a nil pointer dereference, parsing a malformed zone file\ncontaining TA records may cause a panic. If parsing user supplied\ninput, this may be used as a denial of service vector.\n",
"details": "Due to a nil pointer dereference, parsing a malformed zone file containing TA records may cause a panic. If parsing user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0032.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2019-25073"
],
"details": "Due to improper santization of user input, Controller.FileHandler allows\nfor directory traversal, allowing an attacker to read files outside of\nthe target directory that the server has permission to read.\n",
"details": "Due to improper santization of user input, Controller.FileHandler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0033.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36559"
],
"details": "Due to improper santization of user input, HTTPEngine.Handle allows\nfor directory traversal, allowing an attacker to read files outside of\nthe target directory that the server has permission to read.\n",
"details": "Due to improper santization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0034.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36560"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"details": "Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0035.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36561"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"details": "Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0036.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2019-11254",
"GHSA-wxc4-f4m6-wwqv"
],
"details": "Due to unbounded aliasing, a crafted YAML file can cause consumption\nof significant system resources. If parsing user supplied input, this\nmay be used as a denial of service vector.\n",
"details": "Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0037.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2019-25072"
],
"details": "Due to support of Gzip compression in request bodies, as well\nas a lack of limiting response body sizes, a malicious server\ncan cause a client to consume a significant amount of system\nresources, which may be used as a denial of service vector.\n",
"details": "Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0038.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2019-20786",
"GHSA-7gfg-6934-mqq2"
],
"details": "Due to improper verification of packets, unencrypted packets containing\napplication data are accepted after the initial handshake. This allows\nan attacker to inject arbitrary data which the client/server believes\nwas encrypted, despite not knowing the session key.\n",
"details": "Due to improper verification of packets, unencrypted packets containing application data are accepted after the initial handshake. This allows an attacker to inject arbitrary data which the client/server believes was encrypted, despite not knowing the session key.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0039.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-12666",
"GHSA-733f-44f3-3frw"
],
"details": "Due to improper request santization, a specifically crafted URL\ncan cause the static file handler to redirect to an attacker chosen\nURL, allowing for open redirect attacks.\n",
"details": "Due to improper request santization, a specifically crafted URL can cause the static file handler to redirect to an attacker chosen URL, allowing for open redirect attacks.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0040.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36562"
],
"details": "Due to unchecked type assertions, maliciously crafted messages can\ncause panics, which may be used as a denial of service vector.\n",
"details": "Due to unchecked type assertions, maliciously crafted messages can cause panics, which may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0041.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-7668",
"GHSA-88jf-7rch-32qc"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"details": "Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0042.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-7667",
"GHSA-9423-6c93-gpp8"
],
"details": "Due to improper path santization, RPMs containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"details": "Due to improper path santization, RPMs containing relative file paths can cause files to be written (or overwritten) outside of the target directory.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0043.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2018-21246",
"GHSA-gr7w-x2jp-3xgw"
],
"details": "Due to improper TLS verification when serving traffic for multiple\nSNIs, an attacker may bypass TLS client authentication by indicating\nan SNI during the TLS handshake that is different from the name in\nthe HTTP Host header.\n",
"details": "Due to improper TLS verification when serving traffic for multiple SNIs, an attacker may bypass TLS client authentication by indicating an SNI during the TLS handshake that is different from the name in the HTTP Host header.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0045.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2016-15005"
],
"details": "CSRF tokens are generated using math/rand, which is not a cryptographically secure\nrander number generation, making predicting their values relatively trivial and\nallowing an attacker to bypass CSRF protections which relatively few requests.\n",
"details": "CSRF tokens are generated using math/rand, which is not a cryptographically secure rander number generation, making predicting their values relatively trivial and allowing an attacker to bypass CSRF protections which relatively few requests.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0046.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-7711",
"GHSA-mqqv-chpx-vq25"
],
"details": "Due to a nil pointer dereference, a malformed XML Digital Signature\ncan cause a panic during validation. If user supplied signatures are\nbeing validated, this may be used as a denial of service vector.\n",
"details": "Due to a nil pointer dereference, a malformed XML Digital Signature can cause a panic during validation. If user supplied signatures are being validated, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0047.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36563"
],
"details": "XML Digital Signatures generated and validated using this package use\nSHA-1, which may allow an attacker to craft inputs which cause hash\ncollisions depending on their control over the input.\n",
"details": "XML Digital Signatures generated and validated using this package use SHA-1, which may allow an attacker to craft inputs which cause hash collisions depending on their control over the input.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0048.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-25614",
"GHSA-93m7-c69f-5cfj"
],
"details": "LoadURL does not check the Content-Type of loaded resources,\nwhich can cause a panic due to nil pointer deference if the loaded\nresource is not XML. If user supplied URLs are loaded, this may be\nused as a denial of service vector.\n",
"details": "LoadURL does not check the Content-Type of loaded resources, which can cause a panic due to nil pointer deference if the loaded resource is not XML. If user supplied URLs are loaded, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0049.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36564"
],
"details": "Due to improper validation of caller input, validation is silently disabled\nif the provided expected token is malformed, causing any user supplied token\nto be considered valid.\n",
"details": "Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.",
"affected": [
{
"package": {

2
data/osv/GO-2020-0050.json
Просмотреть файл

@ -10,7 +10,7 @@
"GHSA-m9hp-7r99-94h5",
"GHSA-q547-gmf8-8jr7"
],
"details": "Due to the behavior of encoding/xml, a crafted XML document may cause\nXML Digital Signature validation to be entirely bypassed, causing an\nunsigned document to appear signed.\n",
"details": "Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0051.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36565"
],
"details": "Due to improper sanitization of user input on Windows, the static file handler\nallows for directory traversal, allowing an attacker to read files outside of\nthe target directory that the server has permission to read.\n",
"details": "Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0052.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-28483",
"GHSA-h395-qcrw-5vmq"
],
"details": "Due to improper HTTP header santization, a malicious user can spoof their\nsource IP address by setting the X-Forwarded-For header. This may allow\na user to bypass IP based restrictions, or obfuscate their true source.\n",
"details": "Due to improper HTTP header santization, a malicious user can spoof their source IP address by setting the X-Forwarded-For header. This may allow a user to bypass IP based restrictions, or obfuscate their true source.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0053.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2021-3121",
"GHSA-c3h9-896r-86jm"
],
"details": "Due to improper bounds checking, maliciously crafted input to generated\nUnmarshal methods can cause an out-of-bounds panic. If parsing messages\nfrom untrusted parties, this may be used as a denial of service vector.\n",
"details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0054.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36067"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n",
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0057.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-35381",
"GHSA-8vrw-m3j9-j27c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n",
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0058.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-27846",
"GHSA-4hq8-gmxx-h6w9"
],
"details": "Due to the behavior of encoding/xml, a crafted XML document may cause\nXML Digital Signature validation to be entirely bypassed, causing an\nunsigned document to appear signed.\n",
"details": "Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0059.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n",
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0060.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-29509",
"GHSA-xhqq-x44f-9fgg"
],
"details": "Due to the behavior of encoding/xml, a crafted XML document may cause\nXML Digital Signature validation to be entirely bypassed, causing an\nunsigned document to appear signed.\n",
"details": "Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0061.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2021-4235"
],
"details": "Due to unbounded alias chasing, a maliciously crafted YAML file\ncan cause the system to consume significant system resources. If\nparsing user input, this may be used as a denial of service vector.\n",
"details": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0063.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-26264",
"GHSA-r33q-22hv-j29q"
],
"details": "Due to a nil pointer dereference, a malicously crafted RPC message\ncan cause a panic. If handling RPC messages from untrusted clients,\nthis may be used as a denial of service vector.\n",
"details": "Due to a nil pointer dereference, a malicously crafted RPC message can cause a panic. If handling RPC messages from untrusted clients, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0064.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-8565"
],
"details": "Authorization tokens may be inappropriately logged if the verbosity\nlevel is set to a debug level.\n",
"details": "Authorization tokens may be inappropriately logged if the verbosity level is set to a debug level.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0065.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2019-11250"
],
"details": "Authorization tokens may be inappropriately logged if the verbosity\nlevel is set to a debug level.\n",
"details": "Authorization tokens may be inappropriately logged if the verbosity level is set to a debug level.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0066.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-8564"
],
"details": "Attempting to read a malformed .dockercfg may cause secrets to be\ninappropriately logged.\n",
"details": "Attempting to read a malformed .dockercfg may cause secrets to be inappropriately logged.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0067.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2021-27919"
],
"details": "Using Reader.Open on an archive containing a file with a path\nprefixed by \"../\" will cause a panic due to a stack overflow.\nIf parsing user supplied archives, this may be used as a\ndenial of service vector.\n",
"details": "Using Reader.Open on an archive containing a file with a path prefixed by \"../\" will cause a panic due to a stack overflow. If parsing user supplied archives, this may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0068.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2021-3115"
],
"details": "The go command may execute arbitrary code at build time when using cgo on Windows.\nThis can be triggered by running go get on a malicious module, or any other time\nthe code is built.\n",
"details": "The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get on a malicious module, or any other time the code is built.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0069.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-28362"
],
"details": "A number of math/big.Int methods can panic when provided large inputs due\nto a flawed division method.\n",
"details": "A number of math/big.Int methods can panic when provided large inputs due to a flawed division method.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0070.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2016-3697",
"GHSA-q3j5-32m5-58c2"
],
"details": "GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will\nimproperly interpret numeric UIDs as usernames. If the method is used without\nverifying that usernames are formatted as expected, it may allow a user to\ngain unexpected privileges.\n",
"details": "GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0071.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2015-1340"
],
"details": "A race between chown and chmod operations during a container\nfilesystem shift may allow a user who can modify the filesystem to\nchmod an arbitrary path of their choice, rather than the expected\npath.\n",
"details": "A race between chown and chmod operations during a container filesystem shift may allow a user who can modify the filesystem to chmod an arbitrary path of their choice, rather than the expected path.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0072.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2017-11468"
],
"details": "Various storage methods do not impose limits on how much content is accepted\nfrom user requests, allowing a malicious user to force the caller to allocate\nan arbitrary amount of memory.\n",
"details": "Various storage methods do not impose limits on how much content is accepted from user requests, allowing a malicious user to force the caller to allocate an arbitrary amount of memory.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0073.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2017-17831"
],
"details": "Arbitrary command execution can be triggered by improperly\nsanitized SSH URLs in LFS configuration files. This can be\ntriggered by cloning a malicious repository.\n",
"details": "Arbitrary command execution can be triggered by improperly sanitized SSH URLs in LFS configuration files. This can be triggered by cloning a malicious repository.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0075.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2018-12018"
],
"details": "Due to improper argument validation in RPC messages, a maliciously crafted\nmessage can cause a panic, leading to denial of service.\n",
"details": "Due to improper argument validation in RPC messages, a maliciously crafted message can cause a panic, leading to denial of service.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0076.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2018-14632"
],
"details": "A malicious JSON patch can cause a panic due to an out-of-bounds\nwrite attempt. This can be used as a denial of service vector if\nexposed to arbitrary user input.\n",
"details": "A malicious JSON patch can cause a panic due to an out-of-bounds write attempt. This can be used as a denial of service vector if exposed to arbitrary user input.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0077.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2018-16886",
"GHSA-h6xx-pmxh-3wgp"
],
"details": "A user can use a valid client certificate that contains a CommonName that matches a\nvalid RBAC username to authenticate themselves as that user, despite lacking the\nrequired credentials. This may allow authentication bypass, but requires a certificate\nthat is issued by a CA trusted by the server.\n",
"details": "A user can use a valid client certificate that contains a CommonName that matches a valid RBAC username to authenticate themselves as that user, despite lacking the required credentials. This may allow authentication bypass, but requires a certificate that is issued by a CA trusted by the server.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0078.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2018-17075"
],
"details": "The HTML parser does not properly handle \"in frameset\" insertion mode, and can be made\nto panic when operating on malformed HTML that contains \u003ctemplate\u003e tags. If operating\non user input, this may be a vector for a denial of service attack.\n",
"details": "The HTML parser does not properly handle \"in frameset\" insertion mode, and can be made to panic when operating on malformed HTML that contains \u003ctemplate\u003e tags. If operating on user input, this may be a vector for a denial of service attack.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0079.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2018-18206",
"GHSA-vc3x-gx6c-g99f"
],
"details": "A malformed query can cause an out-of-bounds panic due to improper\nvalidation of arguments. If processing queries from untrusted\nparties, this may be used as a vector for denial of service\nattacks.\n",
"details": "A malformed query can cause an out-of-bounds panic due to improper validation of arguments. If processing queries from untrusted parties, this may be used as a vector for denial of service attacks.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0081.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2019-10214",
"GHSA-85p9-j7c9-v4gr"
],
"details": "The HTTP client used to connect to the container registry authorization\nservice explicitly disables TLS verification, allowing an attacker that\nis able to MITM the connection to steal credentials.\n",
"details": "The HTTP client used to connect to the container registry authorization service explicitly disables TLS verification, allowing an attacker that is able to MITM the connection to steal credentials.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0082.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2019-11939"
],
"details": "Thirft Servers preallocate memory for the declared size of messages before\nchecking the actual size of the message. This allows a malicious user to\nsend messages that declare that they are significantly larger than they\nactually are, allowing them to force the server to allocate significant\namounts of memory. This can be used as a denial of service vector.\n",
"details": "Thirft Servers preallocate memory for the declared size of messages before checking the actual size of the message. This allows a malicious user to send messages that declare that they are significantly larger than they actually are, allowing them to force the server to allocate significant amounts of memory. This can be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0083.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2019-12496"
],
"details": "TLS certificate verification is skipped when connecting to a MQTT server.\nThis allows an attacker who can MITM the connection to read, or forge,\nmessages passed between the client and server.\n",
"details": "TLS certificate verification is skipped when connecting to a MQTT server. This allows an attacker who can MITM the connection to read, or forge, messages passed between the client and server.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0084.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2019-16354",
"GHSA-f6px-w8rh-7r89"
],
"details": "Session data is stored using permissive permissions, allowing local users\nwith filesystem access to read arbitrary data.\n",
"details": "Session data is stored using permissive permissions, allowing local users with filesystem access to read arbitrary data.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0085.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2019-16884",
"GHSA-fgv8-vj5c-2ppq"
],
"details": "AppArmor restrictions may be bypassed due to improper validation of mount\ntargets, allowing a malicious image to mount volumes over e.g. /proc.\n",
"details": "AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0086.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2019-19619",
"GHSA-wmwp-pggc-h4mj"
],
"details": "HTML content in markdown is not santized during rendering, possibly allowing\nXSS if used to render untrusted user input.\n",
"details": "HTML content in markdown is not santized during rendering, possibly allowing XSS if used to render untrusted user input.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0087.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2019-19921",
"GHSA-fh74-hm69-rqjw"
],
"details": "A race while mounting volumes allows a possible symlink-exchange\nattack, allowing a user whom can start multiple containers with\ncustom volume mount configurations to escape the container.\n",
"details": "A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0088.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2019-3564",
"GHSA-x4rg-4545-4w7w"
],
"details": "Skip ignores unknown fields, rather than failing. A malicious user can craft small\nmessages with unknown fields which can take significant resources to parse. If a\nserver accepts messages from an untrusted user, it may be used as a denial of service\nvector.\n",
"details": "Skip ignores unknown fields, rather than failing. A malicious user can craft small messages with unknown fields which can take significant resources to parse. If a server accepts messages from an untrusted user, it may be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0089.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-10675",
"GHSA-rmh2-65xw-9m6q"
],
"details": "Parsing malformed JSON which contain opening brackets, but not closing brackets,\nleads to an infinite loop. If operating on untrusted user input this can be\nused as a denial of service vector.\n",
"details": "Parsing malformed JSON which contain opening brackets, but not closing brackets, leads to an infinite loop. If operating on untrusted user input this can be used as a denial of service vector.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0090.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-15091",
"GHSA-6jqj-f58p-mrw3"
],
"details": "Proposed commits may contain signatures for blocks not contained\nwithin the commit. Instead of skipping these signatures, they\ncause failure during verification. A malicious proposer can use\nthis to force consensus failures.\n",
"details": "Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping these signatures, they cause failure during verification. A malicious proposer can use this to force consensus failures.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0094.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-29529"
],
"details": "Protections against directory traversal during archive extraction can be\nbypassed by chaining multiple symbolic links within the archive. This allows\na malicious attacker to cause files to be created outside of the target\ndirectory. Additionally if the attacker is able to read extracted files\nthey may create symbolic links to arbitrary files on the system which the\nunpacker has permissions to read.\n",
"details": "Protections against directory traversal during archive extraction can be bypassed by chaining multiple symbolic links within the archive. This allows a malicious attacker to cause files to be created outside of the target directory. Additionally if the attacker is able to read extracted files they may create symbolic links to arbitrary files on the system which the unpacker has permissions to read.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0095.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-8918",
"GHSA-5x29-3hr9-6wpw"
],
"details": "Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport\nis able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,\nallowing them to use the created key.\n",
"details": "Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted, allowing them to use the created key.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0096.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-8945",
"GHSA-m6wg-2mwg-4rfq"
],
"details": "Due to improper setting of finalizers, memory passed to C may be freed before it is used,\nleading to crashes due to memory corruption or possible code execution.\n",
"details": "Due to improper setting of finalizers, memory passed to C may be freed before it is used, leading to crashes due to memory corruption or possible code execution.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0097.json
Просмотреть файл

@ -8,7 +8,7 @@
"CVE-2020-29244",
"CVE-2020-29245"
],
"details": "Due to improper bounds checking, a number of methods can trigger a panic due to attempted\nout-of-bounds reads. If the package is used to parse user supplied input, this may be\nused as a vector for a denial of service attack.\n",
"details": "Due to improper bounds checking, a number of methods can trigger a panic due to attempted out-of-bounds reads. If the package is used to parse user supplied input, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0098.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2021-21237",
"GHSA-cx3w-xqmc-84g5"
],
"details": "Due to the standard library behavior of exec.LookPath on Windows a number of methods may\nresult in arbitrary code execution when cloning or operating on untrusted Git repositories.\n",
"details": "Due to the standard library behavior of exec.LookPath on Windows a number of methods may result in arbitrary code execution when cloning or operating on untrusted Git repositories.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0099.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2021-21272",
"GHSA-g5v4-5x39-vwhx"
],
"details": "Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore\ncontent store may result in directory traversal during archive extraction, allowing a\nmalicious archive to write paths to arbitrary paths that the process can write to.\n",
"details": "Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore content store may result in directory traversal during archive extraction, allowing a malicious archive to write paths to arbitrary paths that the process can write to.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0100.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2021-20291",
"GHSA-7qw8-847f-pggm"
],
"details": "Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream\non a xz archive returns a reader which will hang indefinitely when Close is called. An attacker\ncan use this to cause denial of service if they are able to cause the caller to attempt to\ndecompress an archive they control.\n",
"details": "Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker can use this to cause denial of service if they are able to cause the caller to attempt to decompress an archive they control.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0101.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2019-0210",
"GHSA-jq7p-26h5-w78r"
],
"details": "Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If\nthis package is used to parse untrusted input, this may be used as a vector for a denial of\nservice attack.\n",
"details": "Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If this package is used to parse untrusted input, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0102.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2019-11289",
"GHSA-5796-p3m6-9qj4"
],
"details": "Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect\nnonce size. If this package is used to decrypt user supplied messages without checking the size of\nsupplied nonces, this may be used as a vector for a denial of service attack.\n",
"details": "Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect nonce size. If this package is used to decrypt user supplied messages without checking the size of supplied nonces, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0103.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-26242",
"GHSA-jm5c-rv3w-w83m"
],
"details": "Due to improper bounds checking, certain mathmatical operations can cause a panic via an\nout of bounds read. If this package is used to process untrusted user inputs, this may be used\nas a vector for a denial of service attack.\n",
"details": "Due to improper bounds checking, certain mathmatical operations can cause a panic via an out of bounds read. If this package is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0104.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2021-28681",
"GHSA-74xm-qj29-cq8p"
],
"details": "Due to improper error handling, DTLS connections were not killed when certificate verification\nfailed, causing users who did not check the connection state to continue to use the connection.\nThis could allow allow an attacker which holds the ICE password, but not a valid certificate,\nto bypass this restriction.\n",
"details": "Due to improper error handling, DTLS connections were not killed when certificate verification failed, causing users who did not check the connection state to continue to use the connection. This could allow allow an attacker which holds the ICE password, but not a valid certificate, to bypass this restriction.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0105.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-26265",
"GHSA-xw37-57qp-9mm4"
],
"details": "Due to an incorrect state calculation, a specific set of\ntransactions could cause a consensus disagreement,\ncausing users of this package to reject a canonical chain.\n",
"details": "Due to an incorrect state calculation, a specific set of transactions could cause a consensus disagreement, causing users of this package to reject a canonical chain.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0106.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2020-36566"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"details": "Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0107.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2021-4236",
"GHSA-5gjg-jgh4-gppm"
],
"details": "Web Sockets do not execute any AuthenticateMethod methods which may be set,\nleading to a nil pointer dereference if the returned UserData pointer is\nassumed to be non-nil, or authentication bypass.\n\nThis issue only affects WebSockets with an AuthenticateMethod hook.\nRequest handlers that do not explicitly use WebSockets are not\nvulnerable.\n",
"details": "Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass.\n\nThis issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0108.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-15111",
"GHSA-9cx9-x2gp-9qvh"
],
"details": "Due to improper input sanitization, a maliciously constructed filename\ncould cause a file download to use an attacker controlled filename, as well\nas injecting additional headers into an HTTP response.\n",
"details": "Due to improper input sanitization, a maliciously constructed filename could cause a file download to use an attacker controlled filename, as well as injecting additional headers into an HTTP response.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0109.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-15223",
"GHSA-7mqr-2v3q-v2wm"
],
"details": "Due to improper error handling, an error with the underlying token storage may cause a user\nto believe a token has been successfully revoked when it is in fact still valid. An attackers\nability to exploit this relies on an ability to trigger errors in the underlying storage.\n",
"details": "Due to improper error handling, an error with the underlying token storage may cause a user to believe a token has been successfully revoked when it is in fact still valid. An attackers ability to exploit this relies on an ability to trigger errors in the underlying storage.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0110.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-15222",
"GHSA-v3q9-2p3m-7g43"
],
"details": "Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be\nreplayed.\n",
"details": "Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be replayed.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0112.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2021-20329",
"GHSA-f6mq-5m25-4r72"
],
"details": "Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed\nGo structure could allow an attacker to inject additional fields into a MongoDB document. Users are\naffected if they use this package to handle untrusted user input.\n",
"details": "Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are affected if they use this package to handle untrusted user input.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0113.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2021-38561"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n",
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0142.json
Просмотреть файл

@ -6,7 +6,7 @@
"CVE-2020-16845",
"GHSA-q6gq-997w-f55g"
],
"details": "ReadUvarint and ReadVarint can read an unlimited number of bytes from\ninvalid inputs.\n\nCertain invalid inputs to ReadUvarint or ReadVarint can cause these\nfunctions to read an unlimited number of bytes from the ByteReader\nparameter before returning an error. This can lead to processing more\ninput than expected when the caller is reading directly from a\nnetwork and depends on ReadUvarint or ReadVarint only consuming a\nsmall, bounded number of bytes, even from invalid inputs.\n",
"details": "ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs.\n\nCertain invalid inputs to ReadUvarint or ReadVarint can cause these functions to read an unlimited number of bytes from the ByteReader parameter before returning an error. This can lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint or ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0154.json
Просмотреть файл

@ -5,7 +5,7 @@
"aliases": [
"CVE-2014-7189"
],
"details": "When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle\nattackers to spoof clients via unspecified vectors.\n\nIf the server enables TLS client authentication using certificates (this is\nrare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,\nthen a malicious client can falsely assert ownership of any client\ncertificate it wishes.\n",
"details": "When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors.\n\nIf the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.",
"affected": [
{
"package": {

2
data/osv/GO-2021-0159.json
Просмотреть файл

@ -7,7 +7,7 @@
"CVE-2015-5740",
"CVE-2015-5741"
],
"details": "HTTP headers were not properly parsed, which allows remote attackers to\nconduct HTTP request smuggling attacks via a request that contains\nContent-Length and Transfer-Encoding header fields.\n",
"details": "HTTP headers were not properly parsed, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.",
"affected": [
{
"package": {

Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше