go
/
vulndb
зеркало из https://github.com/golang/vulndb.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

data/osv: add OSV entries for all reports 

Create data/osv, containing the OSV version for all reports.
This directory will be used as the source for database generation
in the future.

Set creation times on all existing reports; future reports will
take the creation time from the OSV entry history.

Change-Id: Ibe0f3a9fc76c0d4afee8102d6a0fd35c7641e97d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/430682
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
This commit is contained in:
Damien Neil 2022-09-13 15:40:34 -07:00
Родитель 61dce526ca
Коммит ea89353760
268 изменённых файлов: 17840 добавлений и 2 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

53
data/osv/GO-2020-0001.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"id": "GO-2020-0001",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36567"
],
"details": "The default Formatter for the Logger middleware (LoggerConfig.Formatter),\nwhich is included in the Default engine, allows attackers to inject arbitrary\nlog entries by manipulating the request path.\n",
"affected": [
{
"package": {
"name": "github.com/gin-gonic/gin",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0001"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/gin-gonic/gin",
"symbols": [
"defaultLogFormatter"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/gin-gonic/gin/pull/2237"
},
{
"type": "FIX",
"url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d"
}
]
}

54
data/osv/GO-2020-0003.json Normal file
Просмотреть файл

@ -0,0 +1,54 @@
{
"id": "GO-2020-0003",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36568"
],
"details": "An attacker can cause an application that accepts slice parameters\n(https://revel.github.io/manual/parameters.html#slices) to allocate large\namounts of memory and crash through manipulating the request query sent to the application.\n",
"affected": [
{
"package": {
"name": "github.com/revel/revel",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0003"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/revel/revel"
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/revel/revel/pull/1427"
},
{
"type": "FIX",
"url": "https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605"
},
{
"type": "WEB",
"url": "https://github.com/revel/revel/issues/1424"
}
]
}

57
data/osv/GO-2020-0004.json Normal file
Просмотреть файл

@ -0,0 +1,57 @@
{
"id": "GO-2020-0004",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36569"
],
"details": "If any of the ListenAndServe functions are called with an empty token,\ntoken authentication is disabled globally for all listeners.\n\nAlso, a minor timing side channel was present allowing attackers with\nvery low latency and able to make a lot of requests to potentially\nrecover the token.\n",
"affected": [
{
"package": {
"name": "github.com/nanobox-io/golang-nanoauth",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.0.0-20160722212129-ac0cc4484ad4"
},
{
"fixed": "0.0.0-20200131131040-063a3fb69896"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0004"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/nanobox-io/golang-nanoauth",
"symbols": [
"Auth.ListenAndServe",
"Auth.ListenAndServeTLS",
"Auth.ServerHTTP",
"ListenAndServe",
"ListenAndServeTLS"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/nanobox-io/golang-nanoauth/pull/5"
},
{
"type": "FIX",
"url": "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3"
}
]
}

59
data/osv/GO-2020-0005.json Normal file
Просмотреть файл

@ -0,0 +1,59 @@
{
"id": "GO-2020-0005",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-15106",
"CVE-2020-15112"
],
"details": "Malformed WALs can be constructed such that WAL.ReadAll can cause attempted\nout of bounds reads, or creation of arbitrarily sized slices, which may be used as\na DoS vector.\n",
"affected": [
{
"package": {
"name": "go.etcd.io/etcd",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0-alpha.5.0.20200423152442-f4b650b51dc4"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0005"
},
"ecosystem_specific": {
"imports": [
{
"path": "go.etcd.io/etcd/wal",
"symbols": [
"WAL.ReadAll",
"decoder.decodeRecord"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/etcd-io/etcd/pull/11793"
},
{
"type": "FIX",
"url": "https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07"
},
{
"type": "WEB",
"url": "https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf"
}
]
}

59
data/osv/GO-2020-0006.json Normal file
Просмотреть файл

@ -0,0 +1,59 @@
{
"id": "GO-2020-0006",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2017-15133",
"GHSA-p55x-7x9v-q8m4"
],
"details": "An attacker may prevent TCP connections to a Server by opening\na connection and leaving it idle, until the connection is closed by\nthe server no other connections will be accepted.\n",
"affected": [
{
"package": {
"name": "github.com/miekg/dns",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.4-0.20180125103619-43913f2f4fbd"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0006"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/miekg/dns",
"symbols": [
"ActivateAndServe",
"ListenAndServe",
"ListenAndServeTLS",
"Server.ActivateAndServe",
"Server.ListenAndServe",
"Server.serveTCP"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/miekg/dns/pull/631"
},
{
"type": "FIX",
"url": "https://github.com/miekg/dns/commit/43913f2f4fbd7dcff930b8a809e709591e4dd79e"
}
]
}

54
data/osv/GO-2020-0007.json Normal file
Просмотреть файл

@ -0,0 +1,54 @@
{
"id": "GO-2020-0007",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2017-18367",
"GHSA-58v3-j75h-xr49"
],
"details": "Filters containing rules with multiple syscall arguments are improperly\nconstructed, such that all arguments are required to match rather than\nany of the arguments (AND is used rather than OR). These filters can be\nbypassed by only specifying a subset of the arguments due to this\nbehavior.\n",
"affected": [
{
"package": {
"name": "github.com/seccomp/libseccomp-golang",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1-0.20170424173420-06e7a29f36a3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0007"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/seccomp/libseccomp-golang",
"symbols": [
"ScmpFilter.AddRule",
"ScmpFilter.AddRuleConditional",
"ScmpFilter.AddRuleConditionalExact",
"ScmpFilter.AddRuleExact",
"ScmpFilter.addRuleGeneric"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e"
}
]
}

67
data/osv/GO-2020-0008.json Normal file
Просмотреть файл

@ -0,0 +1,67 @@
{
"id": "GO-2020-0008",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-19794",
"GHSA-44r7-7p62-q3fr"
],
"details": "DNS message transaction IDs are generated using math/rand which\nmakes them relatively predictable. This reduces the complexity\nof response spoofing attacks against DNS clients.\n",
"affected": [
{
"package": {
"name": "github.com/miekg/dns",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.25-0.20191211073109-8ebf2e419df7"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0008"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/miekg/dns",
"symbols": [
"Msg.SetAxfr",
"Msg.SetIxfr",
"Msg.SetNotify",
"Msg.SetQuestion",
"Msg.SetUpdate",
"id"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/miekg/dns/pull/1044"
},
{
"type": "FIX",
"url": "https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33"
},
{
"type": "WEB",
"url": "https://github.com/miekg/dns/issues/1037"
},
{
"type": "WEB",
"url": "https://github.com/miekg/dns/issues/1043"
}
]
}

89
data/osv/GO-2020-0009.json Normal file
Просмотреть файл

@ -0,0 +1,89 @@
{
"id": "GO-2020-0009",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2016-9123",
"GHSA-3fx4-7f69-5mmg"
],
"details": "On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC\nwith HMAC such that they can control how large the input buffer is when computing\nthe HMAC authentication tag. This can can allow a manipulated ciphertext to be\nverified as authentic, opening the door for padding oracle attacks.\n",
"affected": [
{
"package": {
"name": "github.com/square/go-jose",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20160903044734-789a4c4bd4c1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0009"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/square/go-jose/cipher",
"goarch": [
"386",
"arm",
"armbe",
"amd64p32",
"mips",
"mipsle",
"mips64p32",
"mips64p32le",
"ppc",
"riscv",
"s390",
"sparc"
],
"symbols": [
"cbcAEAD.computeAuthTag"
]
},
{
"path": "github.com/square/go-jose",
"goarch": [
"386",
"arm",
"armbe",
"amd64p32",
"mips",
"mipsle",
"mips64p32",
"mips64p32le",
"ppc",
"riscv",
"s390",
"sparc"
],
"symbols": [
"JsonWebEncryption.Decrypt",
"JsonWebEncryption.DecryptMulti"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2016/11/03/1"
}
]
}

62
data/osv/GO-2020-0010.json Normal file
Просмотреть файл

@ -0,0 +1,62 @@
{
"id": "GO-2020-0010",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2016-9121",
"GHSA-86r9-39j9-99wp"
],
"details": "When using ECDH-ES an attacker can mount an invalid curve attack during\ndecryption as the supplied public key is not checked to be on the same\ncurve as the receivers private key.\n",
"affected": [
{
"package": {
"name": "github.com/square/go-jose",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20160831185616-c7581939a365"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0010"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/square/go-jose/cipher",
"symbols": [
"DeriveECDHES",
"ecDecrypterSigner.decryptKey",
"rawJsonWebKey.ecPublicKey"
]
},
{
"path": "github.com/square/go-jose",
"symbols": [
"JsonWebEncryption.Decrypt"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2016/11/03/1"
}
]
}

62
data/osv/GO-2020-0012.json Normal file
Просмотреть файл

@ -0,0 +1,62 @@
{
"id": "GO-2020-0012",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-9283",
"GHSA-ffhg-7mh4-33c4"
],
"details": "An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public\nkey, such that the library will panic when trying to verify a signature\nwith it. If verifying signatures using user supplied public keys, this\nmay be used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "golang.org/x/crypto",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20200220183623-bac4c82f6975"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0012"
},
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/crypto/ssh",
"symbols": [
"NewPublicKey",
"ed25519PublicKey.Verify",
"parseED25519",
"parseSKEd25519",
"skEd25519PublicKey.Verify"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/220357"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/3L45YRc91SY"
}
]
}

61
data/osv/GO-2020-0013.json Normal file
Просмотреть файл

@ -0,0 +1,61 @@
{
"id": "GO-2020-0013",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2017-3204"
],
"details": "By default host key verification is disabled which allows for\nman-in-the-middle attacks against SSH clients if\nClientConfig.HostKeyCallback is not set.\n",
"affected": [
{
"package": {
"name": "golang.org/x/crypto",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20170330155735-e4e2799dd7aa"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0013"
},
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/crypto/ssh",
"symbols": [
"NewClientConn"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/19767"
},
{
"type": "WEB",
"url": "https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/"
}
]
}

58
data/osv/GO-2020-0014.json Normal file
Просмотреть файл

@ -0,0 +1,58 @@
{
"id": "GO-2020-0014",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2018-17846"
],
"details": "html.Parse does not properly handle \"select\" tags, which can lead\nto an infinite loop. If parsing user supplied input, this may be used\nas a denial of service vector.\n",
"affected": [
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20190125091013-d26f9f9a57f3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0014"
},
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/html",
"symbols": [
"inSelectIM",
"inSelectInTableIM"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go-review.googlesource.com/c/137275"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/27842"
}
]
}

69
data/osv/GO-2020-0015.json Normal file
Просмотреть файл

@ -0,0 +1,69 @@
{
"id": "GO-2020-0015",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with\nUseBOM or ExpectBOM to trigger an infinite loop if the String function on\nthe Decoder is called, or the Decoder is passed to transform.String.\nIf used to parse user supplied input, this may be used as a denial of service\nvector.\n",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
},
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
]
}

61
data/osv/GO-2020-0016.json Normal file
Просмотреть файл

@ -0,0 +1,61 @@
{
"id": "GO-2020-0016",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-29482",
"GHSA-25xm-hr59-7c27"
],
"details": "An attacker can construct a series of bytes such that calling\nReader.Read on the bytes could cause an infinite loop. If\nparsing user supplied input, this may be used as a denial of\nservice vector.\n",
"affected": [
{
"package": {
"name": "github.com/ulikunitz/xz",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.8"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0016"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/ulikunitz/xz",
"symbols": [
"Reader.Read",
"blockHeader.UnmarshalBinary",
"readUvarint",
"streamReader.Read"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b"
},
{
"type": "WEB",
"url": "https://github.com/ulikunitz/xz/issues/35"
},
{
"type": "WEB",
"url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27"
}
]
}

83
data/osv/GO-2020-0017.json Normal file
Просмотреть файл

@ -0,0 +1,83 @@
{
"id": "GO-2020-0017",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-26160",
"GHSA-w73w-5m7g-f7qc"
],
"details": "If a JWT contains an audience claim with an array of strings, rather\nthan a single string, and MapClaims.VerifyAudience is called with\nreq set to false, then audience verification will be bypassed,\nallowing an invalid set of audiences to be provided.\n",
"affected": [
{
"package": {
"name": "github.com/dgrijalva/jwt-go",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.0.0-20150717181359-44718f8a89b0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0017"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/dgrijalva/jwt-go",
"symbols": [
"MapClaims.VerifyAudience"
]
}
]
}
},
{
"package": {
"name": "github.com/dgrijalva/jwt-go/v4",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0-preview1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0017"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/dgrijalva/jwt-go/v4",
"symbols": [
"MapClaims.VerifyAudience"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab"
},
{
"type": "WEB",
"url": "https://github.com/dgrijalva/jwt-go/issues/422"
}
]
}

75
data/osv/GO-2020-0019.json Normal file
Просмотреть файл

@ -0,0 +1,75 @@
{
"id": "GO-2020-0019",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-27813",
"GHSA-3xh2-74w9-5vxm"
],
"details": "An attacker can craft malicious WebSocket frames that cause an integer\noverflow in a variable which tracks the number of bytes remaining. This\nmay cause the server or client to get stuck attempting to read frames\nin a loop, which can be used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/gorilla/websocket",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0019"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/gorilla/websocket",
"symbols": [
"Conn.Close",
"Conn.NextReader",
"Conn.ReadJSON",
"Conn.ReadMessage",
"Conn.WriteJSON",
"Conn.WritePreparedMessage",
"Conn.advanceFrame",
"Dialer.Dial",
"Dialer.DialContext",
"NewClient",
"NewPreparedMessage",
"ReadJSON",
"Subprotocols",
"Upgrade",
"Upgrader.Upgrade",
"WriteJSON",
"httpProxyDialer.Dial",
"messageReader.Read",
"netDialerFunc.Dial",
"proxy_direct.Dial",
"proxy_envOnce.Get",
"proxy_socks5.Dial"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/gorilla/websocket/pull/537"
},
{
"type": "FIX",
"url": "https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37"
}
]
}

53
data/osv/GO-2020-0020.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"id": "GO-2020-0020",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2017-20146"
],
"details": "Usage of the CORS handler may apply improper CORS headers, allowing\nthe requester to explicitly control the value of the Access-Control-Allow-Origin\nheader, which bypasses the expected behavior of the Same Origin Policy.\n",
"affected": [
{
"package": {
"name": "github.com/gorilla/handlers",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0020"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/gorilla/handlers",
"symbols": [
"cors.ServeHTTP"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/gorilla/handlers/pull/116"
},
{
"type": "FIX",
"url": "https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145"
}
]
}

56
data/osv/GO-2020-0021.json Normal file
Просмотреть файл

@ -0,0 +1,56 @@
{
"id": "GO-2020-0021",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2014-8681",
"GHSA-mr6h-chqp-p9g2"
],
"details": "Due to improper santization of user input, a number of methods are\nvulnerable to SQL injection if used with user input that has not\nbeen santized by the caller.\n",
"affected": [
{
"package": {
"name": "github.com/gogits/gogs",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.8"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0021"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/gogits/gogs",
"symbols": [
"GetIssues",
"SearchRepositoryByName",
"SearchUserByName"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/gogs/gogs/commit/83283bca4cb4e0f4ec48a28af680f0d88db3d2c8"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2014/Nov/31"
}
]
}

53
data/osv/GO-2020-0022.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"id": "GO-2020-0022",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2014-125026"
],
"details": "LZ4 bindings use a deprecated C API that is vulnerable to\nmemory corruption, which could lead to arbitrary code execution\nif called with untrusted user input.\n",
"affected": [
{
"package": {
"name": "github.com/cloudflare/golz4",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20140711154735-199f5f787806"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0022"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/cloudflare/golz4",
"symbols": [
"Uncompress"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898"
},
{
"type": "WEB",
"url": "https://github.com/cloudflare/golz4/issues/5"
}
]
}

53
data/osv/GO-2020-0023.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"id": "GO-2020-0023",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2015-10004"
],
"details": "Token validation methods are susceptible to a timing side-channel\nduring HMAC comparison. With a large enough number of requests\nover a low latency connection, an attacker may use this to determine\nthe expected HMAC.\n",
"affected": [
{
"package": {
"name": "github.com/robbert229/jwt",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20170426191122-ca1404ee6e83"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0023"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/robbert229/jwt",
"symbols": [
"Algorithm.validateSignature"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654"
},
{
"type": "WEB",
"url": "https://github.com/robbert229/jwt/issues/12"
}
]
}

83
data/osv/GO-2020-0024.json Normal file
Просмотреть файл

@ -0,0 +1,83 @@
{
"id": "GO-2020-0024",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2013-10005"
],
"details": "The RemoteAddr and LocalAddr methods on the returned net.Conn may\ncall themselves, leading to an infinite loop which will crash the\nprogram due to a stack overflow.\n",
"affected": [
{
"package": {
"name": "github.com/btcsuite/go-socks",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20130808000456-233bccbb1abe"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0024"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/btcsuite/go-socks/socks",
"symbols": [
"proxiedConn.LocalAddr",
"proxiedConn.RemoteAddr"
]
}
]
}
},
{
"package": {
"name": "github.com/btcsuitereleases/go-socks",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20130808000456-233bccbb1abe"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0024"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/btcsuitereleases/go-socks/socks",
"symbols": [
"proxiedConn.LocalAddr",
"proxiedConn.RemoteAddr"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/btcsuite/go-socks/commit/233bccbb1abe02f05750f7ace66f5bffdb13defc"
}
]
}

87
data/osv/GO-2020-0025.json Normal file
Просмотреть файл

@ -0,0 +1,87 @@
{
"id": "GO-2020-0025",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2018-25046"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"affected": [
{
"package": {
"name": "github.com/cloudfoundry/archiver",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20180523222229-09b5706aa936"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0025"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/cloudfoundry/archiver",
"symbols": [
"tgzExtractor.Extract",
"zipExtractor.Extract"
]
}
]
}
},
{
"package": {
"name": "code.cloudfoundry.org/archiver",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20180523222229-09b5706aa936"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0025"
},
"ecosystem_specific": {
"imports": [
{
"path": "code.cloudfoundry.org/archiver",
"symbols": [
"tgzExtractor.Extract",
"zipExtractor.Extract"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840"
},
{
"type": "WEB",
"url": "https://snyk.io/research/zip-slip-vulnerability"
}
]
}

57
data/osv/GO-2020-0026.json Normal file
Просмотреть файл

@ -0,0 +1,57 @@
{
"id": "GO-2020-0026",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2018-1103"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"affected": [
{
"package": {
"name": "github.com/openshift/source-to-image",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.10-0.20180427153919-f5cbcbc5cc6f"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0026"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/openshift/source-to-image/pkg/tar",
"symbols": [
"New",
"stiTar.ExtractTarStream",
"stiTar.ExtractTarStreamFromTarReader",
"stiTar.ExtractTarStreamWithLogging",
"stiTar.extractLink"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/openshift/source-to-image/commit/f5cbcbc5cc6f8cc2f479a7302443bea407a700cb"
},
{
"type": "WEB",
"url": "https://snyk.io/research/zip-slip-vulnerability"
}
]
}

62
data/osv/GO-2020-0027.json Normal file
Просмотреть файл

@ -0,0 +1,62 @@
{
"id": "GO-2020-0027",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2018-6558",
"GHSA-qj26-7grj-whg3"
],
"details": "After dropping and then elevating process privileges euid, guid, and groups\nare not properly restored to their original values, allowing an unprivileged\nuser to gain membership in the root group.\n",
"affected": [
{
"package": {
"name": "github.com/google/fscrypt",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.4"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0027"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/google/fscrypt/pam",
"symbols": [
"Handle.StopAsPamUser",
"NewHandle",
"SetProcessPrivileges"
]
},
{
"path": "github.com/google/fscrypt/security",
"symbols": [
"UserKeyringID"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/google/fscrypt/commit/3022c1603d968c22f147b4a2c49c4637dd1be91b"
},
{
"type": "WEB",
"url": "https://github.com/google/fscrypt/issues/77"
}
]
}

56
data/osv/GO-2020-0028.json Normal file
Просмотреть файл

@ -0,0 +1,56 @@
{
"id": "GO-2020-0028",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2018-17419",
"GHSA-9jcx-pr2f-qvq5"
],
"details": "Due to a nil pointer dereference, parsing a malformed zone file\ncontaining TA records may cause a panic. If parsing user supplied\ninput, this may be used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/miekg/dns",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.10"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0028"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/miekg/dns",
"symbols": [
"ParseZone",
"ReadRR",
"setTA"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/miekg/dns/commit/501e858f679edecd4a38a86317ce50271014a80d"
},
{
"type": "WEB",
"url": "https://github.com/miekg/dns/issues/742"
}
]
}

117
data/osv/GO-2020-0032.json Normal file
Просмотреть файл

@ -0,0 +1,117 @@
{
"id": "GO-2020-0032",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-25073"
],
"details": "Due to improper santization of user input, Controller.FileHandler allows\nfor directory traversal, allowing an attacker to read files outside of\nthe target directory that the server has permission to read.\n",
"affected": [
{
"package": {
"name": "github.com/goadesign/goa",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0032"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/goadesign/goa",
"symbols": [
"Controller.FileHandler"
]
}
]
}
},
{
"package": {
"name": "goa.design/goa",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0032"
},
"ecosystem_specific": {
"imports": [
{
"path": "goa.design/goa",
"symbols": [
"Controller.FileHandler"
]
}
]
}
},
{
"package": {
"name": "goa.design/goa/v3",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.9"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0032"
},
"ecosystem_specific": {
"imports": [
{
"path": "goa.design/goa/v3",
"symbols": [
"Controller.FileHandler"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/goadesign/goa/pull/2388"
},
{
"type": "FIX",
"url": "https://github.com/goadesign/goa/commit/70b5a199d0f813d74423993832c424e1fc73fb39"
}
]
}

60
data/osv/GO-2020-0033.json Normal file
Просмотреть файл

@ -0,0 +1,60 @@
{
"id": "GO-2020-0033",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36559"
],
"details": "Due to improper santization of user input, HTTPEngine.Handle allows\nfor directory traversal, allowing an attacker to read files outside of\nthe target directory that the server has permission to read.\n",
"affected": [
{
"package": {
"name": "aahframe.work",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.4"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0033"
},
"ecosystem_specific": {
"imports": [
{
"path": "aahframe.work",
"symbols": [
"Application.Run",
"Application.ServeHTTP",
"Application.Start",
"HTTPEngine.Handle"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/go-aah/aah/pull/267"
},
{
"type": "FIX",
"url": "https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec"
},
{
"type": "WEB",
"url": "https://github.com/go-aah/aah/issues/266"
}
]
}

57
data/osv/GO-2020-0034.json Normal file
Просмотреть файл

@ -0,0 +1,57 @@
{
"id": "GO-2020-0034",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36560"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"affected": [
{
"package": {
"name": "github.com/artdarek/go-unzip",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0034"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/artdarek/go-unzip",
"symbols": [
"Unzip.Extract"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/artdarek/go-unzip/pull/2"
},
{
"type": "FIX",
"url": "https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0"
},
{
"type": "WEB",
"url": "https://snyk.io/research/zip-slip-vulnerability"
}
]
}

57
data/osv/GO-2020-0035.json Normal file
Просмотреть файл

@ -0,0 +1,57 @@
{
"id": "GO-2020-0035",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36561"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"affected": [
{
"package": {
"name": "github.com/yi-ge/unzip",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3-0.20200308084313-2adbaa4891b9"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0035"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/yi-ge/unzip",
"symbols": [
"Unzip.Extract"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/yi-ge/unzip/pull/1"
},
{
"type": "FIX",
"url": "https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73"
},
{
"type": "WEB",
"url": "https://snyk.io/research/zip-slip-vulnerability"
}
]
}

93
data/osv/GO-2020-0036.json Normal file
Просмотреть файл

@ -0,0 +1,93 @@
{
"id": "GO-2020-0036",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-11254",
"GHSA-wxc4-f4m6-wwqv"
],
"details": "Due to unbounded aliasing, a crafted YAML file can cause consumption\nof significant system resources. If parsing user supplied input, this\nmay be used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "gopkg.in/yaml.v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.8"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0036"
},
"ecosystem_specific": {
"imports": [
{
"path": "gopkg.in/yaml.v2",
"symbols": [
"Decoder.Decode",
"Unmarshal",
"UnmarshalStrict",
"yaml_parser_fetch_more_tokens"
]
}
]
}
},
{
"package": {
"name": "github.com/go-yaml/yaml",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0036"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/go-yaml/yaml",
"symbols": [
"Decoder.Decode",
"Unmarshal",
"UnmarshalStrict",
"yaml_parser_fetch_more_tokens"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/go-yaml/yaml/pull/555"
},
{
"type": "FIX",
"url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496"
}
]
}

53
data/osv/GO-2020-0037.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"id": "GO-2020-0037",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-25072"
],
"details": "Due to support of Gzip compression in request bodies, as well\nas a lack of limiting response body sizes, a malicious server\ncan cause a client to consume a significant amount of system\nresources, which may be used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/tendermint/tendermint",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0037"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tendermint/tendermint/rpc/client",
"symbols": [
"makeHTTPClient"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tendermint/tendermint/pull/3430"
},
{
"type": "FIX",
"url": "https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613"
}
]
}

63
data/osv/GO-2020-0038.json Normal file
Просмотреть файл

@ -0,0 +1,63 @@
{
"id": "GO-2020-0038",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-20786",
"GHSA-7gfg-6934-mqq2"
],
"details": "Due to improper verification of packets, unencrypted packets containing\napplication data are accepted after the initial handshake. This allows\nan attacker to inject arbitrary data which the client/server believes\nwas encrypted, despite not knowing the session key.\n",
"affected": [
{
"package": {
"name": "github.com/pion/dtls",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0038"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/pion/dtls",
"symbols": [
"Client",
"Conn.handleIncomingPacket",
"Dial",
"Listener.Accept",
"Resume",
"Server"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/pion/dtls/pull/128"
},
{
"type": "FIX",
"url": "https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0"
},
{
"type": "WEB",
"url": "https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf"
}
]
}

63
data/osv/GO-2020-0039.json Normal file
Просмотреть файл

@ -0,0 +1,63 @@
{
"id": "GO-2020-0039",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-12666",
"GHSA-733f-44f3-3frw"
],
"details": "Due to improper request santization, a specifically crafted URL\ncan cause the static file handler to redirect to an attacker chosen\nURL, allowing for open redirect attacks.\n",
"affected": [
{
"package": {
"name": "gopkg.in/macaron.v1",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.7"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0039"
},
"ecosystem_specific": {
"imports": [
{
"path": "gopkg.in/macaron.v1",
"symbols": [
"Context.Next",
"LoggerInvoker.Invoke",
"Macaron.Run",
"Macaron.ServeHTTP",
"Router.ServeHTTP",
"staticHandler"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/go-macaron/macaron/pull/199"
},
{
"type": "FIX",
"url": "https://github.com/go-macaron/macaron/commit/addc7461c3a90a040e79aa75bfd245107a210245"
},
{
"type": "WEB",
"url": "https://github.com/go-macaron/macaron/issues/198"
}
]
}

43
data/osv/GO-2020-0040.json Normal file
Просмотреть файл

@ -0,0 +1,43 @@
{
"id": "GO-2020-0040",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36562"
],
"details": "Due to unchecked type assertions, maliciously crafted messages can\ncause panics, which may be used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/shiyanhui/dht",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0040"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/shiyanhui/dht"
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/shiyanhui/dht/issues/57"
}
]
}

78
data/osv/GO-2020-0041.json Normal file
Просмотреть файл

@ -0,0 +1,78 @@
{
"id": "GO-2020-0041",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-7668",
"GHSA-88jf-7rch-32qc"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"affected": [
{
"package": {
"name": "github.com/unknwon/cae",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0041"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/unknwon/cae/tz",
"symbols": [
"Create",
"ExtractTo",
"Open",
"OpenFile",
"TzArchive.Close",
"TzArchive.ExtractTo",
"TzArchive.ExtractToFunc",
"TzArchive.Flush",
"TzArchive.Open",
"TzArchive.syncFiles"
]
},
{
"path": "github.com/unknwon/cae/zip",
"symbols": [
"Create",
"ExtractTo",
"ExtractToFunc",
"Open",
"OpenFile",
"ZipArchive.Close",
"ZipArchive.ExtractTo",
"ZipArchive.ExtractToFunc",
"ZipArchive.Flush",
"ZipArchive.Open"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11"
},
{
"type": "WEB",
"url": "https://snyk.io/research/zip-slip-vulnerability"
}
]
}

54
data/osv/GO-2020-0042.json Normal file
Просмотреть файл

@ -0,0 +1,54 @@
{
"id": "GO-2020-0042",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-7667",
"GHSA-9423-6c93-gpp8"
],
"details": "Due to improper path santization, RPMs containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"affected": [
{
"package": {
"name": "github.com/sassoftware/go-rpmutils",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0042"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/sassoftware/go-rpmutils/cpio",
"symbols": [
"Extract"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0"
},
{
"type": "WEB",
"url": "https://snyk.io/research/zip-slip-vulnerability"
}
]
}

59
data/osv/GO-2020-0043.json Normal file
Просмотреть файл

@ -0,0 +1,59 @@
{
"id": "GO-2020-0043",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2018-21246"
],
"details": "Due to improper TLS verification when serving traffic for multiple\nSNIs, an attacker may bypass TLS client authentication by indicating\nan SNI during the TLS handshake that is different from the name in\nthe HTTP Host header.\n",
"affected": [
{
"package": {
"name": "github.com/mholt/caddy",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.13"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0043"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/mholt/caddy/caddyhttp/httpserver",
"symbols": [
"Server.serveHTTP",
"assertConfigsCompatible",
"httpContext.MakeServers"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/caddyserver/caddy/pull/2099"
},
{
"type": "FIX",
"url": "https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/715214"
}
]
}

59
data/osv/GO-2020-0045.json Normal file
Просмотреть файл

@ -0,0 +1,59 @@
{
"id": "GO-2020-0045",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2016-15005"
],
"details": "CSRF tokens are generated using math/rand, which is not a cryptographically secure\nrander number generation, making predicting their values relatively trivial and\nallowing an attacker to bypass CSRF protections which relatively few requests.\n",
"affected": [
{
"package": {
"name": "github.com/dinever/golf",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0045"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/dinever/golf",
"symbols": [
"Context.Render",
"Context.RenderFromString",
"randomBytes"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/dinever/golf/pull/24"
},
{
"type": "FIX",
"url": "https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe"
},
{
"type": "WEB",
"url": "https://github.com/dinever/golf/issues/20"
}
]
}

87
data/osv/GO-2020-0046.json Normal file
Просмотреть файл

@ -0,0 +1,87 @@
{
"id": "GO-2020-0046",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-7711"
],
"details": "Due to a nil pointer dereference, a malformed XML Digital Signature\ncan cause a panic during validation. If user supplied signatures are\nbeing validated, this may be used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/russellhaering/goxmldsig",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0046"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/russellhaering/goxmldsig",
"symbols": [
"ValidationContext.validateSignature"
]
}
]
}
},
{
"package": {
"name": "github.com/russellhaering/gosaml2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0046"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/russellhaering/gosaml2",
"symbols": [
"SAMLServiceProvider.RetrieveAssertionInfo",
"SAMLServiceProvider.ValidateEncodedResponse",
"SAMLServiceProvider.validateAssertionSignatures"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/russellhaering/goxmldsig/issues/48"
},
{
"type": "WEB",
"url": "https://github.com/russellhaering/gosaml2/issues/59"
}
]
}

48
data/osv/GO-2020-0047.json Normal file
Просмотреть файл

@ -0,0 +1,48 @@
{
"id": "GO-2020-0047",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36563"
],
"details": "XML Digital Signatures generated and validated using this package use\nSHA-1, which may allow an attacker to craft inputs which cause hash\ncollisions depending on their control over the input.\n",
"affected": [
{
"package": {
"name": "github.com/RobotsAndPencils/go-saml",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0047"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/RobotsAndPencils/go-saml",
"symbols": [
"AuthnRequest.Validate",
"NewAuthnRequest",
"NewSignedResponse"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/RobotsAndPencils/go-saml/pull/38"
}
]
}

53
data/osv/GO-2020-0048.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"id": "GO-2020-0048",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-25614"
],
"details": "LoadURL does not check the Content-Type of loaded resources,\nwhich can cause a panic due to nil pointer deference if the loaded\nresource is not XML. If user supplied URLs are loaded, this may be\nused as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/antchfx/xmlquery",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0048"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/antchfx/xmlquery",
"symbols": [
"LoadURL"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/antchfx/xmlquery/commit/5648b2f39e8d5d3fc903c45a4f1274829df71821"
},
{
"type": "WEB",
"url": "https://github.com/antchfx/xmlquery/issues/39"
}
]
}

55
data/osv/GO-2020-0049.json Normal file
Просмотреть файл

@ -0,0 +1,55 @@
{
"id": "GO-2020-0049",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36564"
],
"details": "Due to improper validation of caller input, validation is silently disabled\nif the provided expected token is malformed, causing any user supplied token\nto be considered valid.\n",
"affected": [
{
"package": {
"name": "github.com/justinas/nosurf",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0049"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/justinas/nosurf",
"symbols": [
"CSRFHandler.ServeHTTP",
"VerifyToken",
"verifyToken"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/justinas/nosurf/pull/60"
},
{
"type": "FIX",
"url": "https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314"
}
]
}

59
data/osv/GO-2020-0050.json Normal file
Просмотреть файл

@ -0,0 +1,59 @@
{
"id": "GO-2020-0050",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-15216",
"CVE-2020-26290",
"CVE-2020-27847",
"GHSA-2x32-jm95-2cpx",
"GHSA-m9hp-7r99-94h5",
"GHSA-q547-gmf8-8jr7"
],
"details": "Due to the behavior of encoding/xml, a crafted XML document may cause\nXML Digital Signature validation to be entirely bypassed, causing an\nunsigned document to appear signed.\n",
"affected": [
{
"package": {
"name": "github.com/russellhaering/goxmldsig",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0050"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/russellhaering/goxmldsig",
"symbols": [
"ValidationContext.Validate",
"ValidationContext.findSignature"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64"
},
{
"type": "WEB",
"url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"
}
]
}

56
data/osv/GO-2021-0051.json Normal file
Просмотреть файл

@ -0,0 +1,56 @@
{
"id": "GO-2021-0051",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36565"
],
"details": "Due to improper sanitization of user input on Windows, the static file handler\nallows for directory traversal, allowing an attacker to read files outside of\nthe target directory that the server has permission to read.\n",
"affected": [
{
"package": {
"name": "github.com/labstack/echo/v4",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.18-0.20201215153152-4422e3b66b9f"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0051"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/labstack/echo/v4",
"goos": [
"windows"
],
"symbols": [
"common.static"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/labstack/echo/pull/1718"
},
{
"type": "FIX",
"url": "https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa"
}
]
}

95
data/osv/GO-2021-0052.json Normal file
Просмотреть файл

@ -0,0 +1,95 @@
{
"id": "GO-2021-0052",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-28483",
"GHSA-h395-qcrw-5vmq"
],
"details": "Due to improper HTTP header santization, a malicious user can spoof their\nsource IP address by setting the X-Forwarded-For header. This may allow\na user to bypass IP based restrictions, or obfuscate their true source.\n",
"affected": [
{
"package": {
"name": "github.com/gin-gonic/gin",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.7"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0052"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/gin-gonic/gin",
"symbols": [
"Context.ClientIP",
"Context.Next",
"Context.RemoteIP",
"Engine.HandleContext",
"Engine.Run",
"Engine.RunFd",
"Engine.RunListener",
"Engine.RunTLS",
"Engine.RunUnix",
"Engine.ServeHTTP"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://github.com/gin-gonic/gin/issues/2862"
},
{
"type": "REPORT",
"url": "https://github.com/gin-gonic/gin/issues/2473"
},
{
"type": "REPORT",
"url": "https://github.com/gin-gonic/gin/issues/2232"
},
{
"type": "FIX",
"url": "https://github.com/gin-gonic/gin/pull/2844"
},
{
"type": "FIX",
"url": "https://github.com/gin-gonic/gin/commit/5929d521715610c9dd14898ebbe1d188d5de8937"
},
{
"type": "FIX",
"url": "https://github.com/gin-gonic/gin/pull/2632"
},
{
"type": "FIX",
"url": "https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711"
},
{
"type": "FIX",
"url": "https://github.com/gin-gonic/gin/pull/2675"
},
{
"type": "FIX",
"url": "https://github.com/gin-gonic/gin/commit/03e5e05ae089bc989f1ca41841f05504d29e3fd9"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2474"
}
]
}

47
data/osv/GO-2021-0053.json Normal file
Просмотреть файл

@ -0,0 +1,47 @@
{
"id": "GO-2021-0053",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-3121",
"GHSA-c3h9-896r-86jm"
],
"details": "Due to improper bounds checking, maliciously crafted input to generated\nUnmarshal methods can cause an out-of-bounds panic. If parsing messages\nfrom untrusted parties, this may be used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/gogo/protobuf",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0053"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/gogo/protobuf"
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc"
}
]
}

54
data/osv/GO-2021-0054.json Normal file
Просмотреть файл

@ -0,0 +1,54 @@
{
"id": "GO-2021-0054",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36067"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
]
}

78
data/osv/GO-2021-0057.json Normal file
Просмотреть файл

@ -0,0 +1,78 @@
{
"id": "GO-2021-0057",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-35381",
"GHSA-8vrw-m3j9-j27c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0057"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/buger/jsonparser",
"symbols": [
"ArrayEach",
"Delete",
"EachKey",
"FuzzDelete",
"FuzzEachKey",
"FuzzGetBoolean",
"FuzzGetFloat",
"FuzzGetInt",
"FuzzGetString",
"FuzzGetUnsafeString",
"FuzzObjectEach",
"FuzzSet",
"Get",
"GetBoolean",
"GetFloat",
"GetInt",
"GetString",
"GetUnsafeString",
"ObjectEach",
"Set",
"searchKeys"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/pull/221"
},
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/commit/df3ea76ece10095374fd1c9a22a4fb85a44efc42"
},
{
"type": "WEB",
"url": "https://github.com/buger/jsonparser/issues/219"
}
]
}

62
data/osv/GO-2021-0058.json Normal file
Просмотреть файл

@ -0,0 +1,62 @@
{
"id": "GO-2021-0058",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-27846",
"GHSA-4hq8-gmxx-h6w9"
],
"details": "Due to the behavior of encoding/xml, a crafted XML document may cause\nXML Digital Signature validation to be entirely bypassed, causing an\nunsigned document to appear signed.\n",
"affected": [
{
"package": {
"name": "github.com/crewjam/saml",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0058"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/crewjam/saml",
"symbols": [
"IdentityProvider.ServeSSO",
"IdpAuthnRequest.Validate",
"ServiceProvider.ParseResponse",
"ServiceProvider.ParseXMLResponse",
"ServiceProvider.ValidateLogoutResponseForm",
"ServiceProvider.ValidateLogoutResponseRedirect",
"ServiceProvider.ValidateLogoutResponseRequest"
]
},
{
"path": "github.com/crewjam/saml/samlidp"
},
{
"path": "github.com/crewjam/saml/samlsp"
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053"
}
]
}

54
data/osv/GO-2021-0059.json Normal file
Просмотреть файл

@ -0,0 +1,54 @@
{
"id": "GO-2021-0059",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"sqaush"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
]
}

58
data/osv/GO-2021-0060.json Normal file
Просмотреть файл

@ -0,0 +1,58 @@
{
"id": "GO-2021-0060",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-29509",
"GHSA-xhqq-x44f-9fgg"
],
"details": "Due to the behavior of encoding/xml, a crafted XML document may cause\nXML Digital Signature validation to be entirely bypassed, causing an\nunsigned document to appear signed.\n",
"affected": [
{
"package": {
"name": "github.com/russellhaering/gosaml2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0060"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/russellhaering/gosaml2",
"symbols": [
"SAMLServiceProvider.RetrieveAssertionInfo",
"SAMLServiceProvider.ValidateEncodedLogoutRequestPOST",
"SAMLServiceProvider.ValidateEncodedLogoutResponsePOST",
"SAMLServiceProvider.ValidateEncodedResponse",
"parseResponse"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9"
},
{
"type": "WEB",
"url": "https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg"
}
]
}

88
data/osv/GO-2021-0061.json Normal file
Просмотреть файл

@ -0,0 +1,88 @@
{
"id": "GO-2021-0061",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-4235"
],
"details": "Due to unbounded alias chasing, a maliciously crafted YAML file\ncan cause the system to consume significant system resources. If\nparsing user input, this may be used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "gopkg.in/yaml.v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0061"
},
"ecosystem_specific": {
"imports": [
{
"path": "gopkg.in/yaml.v2",
"symbols": [
"Decoder.Decode",
"Unmarshal",
"UnmarshalStrict",
"decoder.unmarshal"
]
}
]
}
},
{
"package": {
"name": "github.com/go-yaml/yaml",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0061"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/go-yaml/yaml",
"symbols": [
"Decoder.Decode",
"Unmarshal",
"UnmarshalStrict",
"decoder.unmarshal"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/go-yaml/yaml/pull/375"
},
{
"type": "FIX",
"url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241"
}
]
}

55
data/osv/GO-2021-0063.json Normal file
Просмотреть файл

@ -0,0 +1,55 @@
{
"id": "GO-2021-0063",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-26264",
"GHSA-r33q-22hv-j29q"
],
"details": "Due to a nil pointer dereference, a malicously crafted RPC message\ncan cause a panic. If handling RPC messages from untrusted clients,\nthis may be used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/ethereum/go-ethereum",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.25"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0063"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/ethereum/go-ethereum/les",
"symbols": [
"PrivateLightServerAPI.Benchmark",
"serverHandler.handleMsg"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/ethereum/go-ethereum/pull/21896"
},
{
"type": "FIX",
"url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46"
}
]
}

89
data/osv/GO-2021-0064.json Normal file
Просмотреть файл

@ -0,0 +1,89 @@
{
"id": "GO-2021-0064",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-8565"
],
"details": "Authorization tokens may be inappropriately logged if the verbosity\nlevel is set to a debug level.\n",
"affected": [
{
"package": {
"name": "k8s.io/client-go",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.20.0-alpha.2"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0064"
},
"ecosystem_specific": {
"imports": [
{
"path": "k8s.io/client-go/transport",
"symbols": [
"requestInfo.toCurl"
]
}
]
}
},
{
"package": {
"name": "k8s.io/kubernetes",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.0-alpha.2"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0064"
},
"ecosystem_specific": {
"imports": [
{
"path": "k8s.io/kubernetes/staging/src/k8s.io/client-go/transport",
"symbols": [
"requestInfo.toCurl"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/kubernetes/kubernetes/pull/95316"
},
{
"type": "FIX",
"url": "https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/95623"
}
]
}

89
data/osv/GO-2021-0065.json Normal file
Просмотреть файл

@ -0,0 +1,89 @@
{
"id": "GO-2021-0065",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-11250"
],
"details": "Authorization tokens may be inappropriately logged if the verbosity\nlevel is set to a debug level.\n",
"affected": [
{
"package": {
"name": "k8s.io/client-go",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.17.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0065"
},
"ecosystem_specific": {
"imports": [
{
"path": "k8s.io/client-go/transport",
"symbols": [
"debuggingRoundTripper.RoundTrip"
]
}
]
}
},
{
"package": {
"name": "k8s.io/kubernetes",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.0-beta.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0065"
},
"ecosystem_specific": {
"imports": [
{
"path": "k8s.io/kubernetes/staging/src/k8s.io/client-go/transport",
"symbols": [
"debuggingRoundTripper.RoundTrip"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/kubernetes/kubernetes/pull/81330"
},
{
"type": "FIX",
"url": "https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/81114"
}
]
}

58
data/osv/GO-2021-0066.json Normal file
Просмотреть файл

@ -0,0 +1,58 @@
{
"id": "GO-2021-0066",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-8564"
],
"details": "Attempting to read a malformed .dockercfg may cause secrets to be\ninappropriately logged.\n",
"affected": [
{
"package": {
"name": "k8s.io/kubernetes",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.0-alpha.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0066"
},
"ecosystem_specific": {
"imports": [
{
"path": "k8s.io/kubernetes/pkg/credentialprovider",
"symbols": [
"readDockerConfigFileFromBytes",
"readDockerConfigJSONFileFromBytes"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/kubernetes/kubernetes/pull/94712"
},
{
"type": "FIX",
"url": "https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/95622"
}
]
}

61
data/osv/GO-2021-0067.json Normal file
Просмотреть файл

@ -0,0 +1,61 @@
{
"id": "GO-2021-0067",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-27919"
],
"details": "Using Reader.Open on an archive containing a file with a path\nprefixed by \"../\" will cause a panic due to a stack overflow.\nIf parsing user supplied archives, this may be used as a\ndenial of service vector.\n",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.16.0"
},
{
"fixed": "1.16.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0067"
},
"ecosystem_specific": {
"imports": [
{
"path": "archive/zip",
"symbols": [
"toValidName"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/300489"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/44916"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw/m/zzhWj5jPAQAJ"
}
]
}

75
data/osv/GO-2021-0068.json Normal file
Просмотреть файл

@ -0,0 +1,75 @@
{
"id": "GO-2021-0068",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-3115"
],
"details": "The go command may execute arbitrary code at build time when using cgo on Windows.\nThis can be triggered by running go get on a malicious module, or any other time\nthe code is built.\n",
"affected": [
{
"package": {
"name": "toolchain",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.14"
},
{
"introduced": "1.15.0"
},
{
"fixed": "1.15.7"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0068"
},
"ecosystem_specific": {
"imports": [
{
"path": "cmd/go",
"goos": [
"windows"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/284783"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/43783"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ"
},
{
"type": "FIX",
"url": "https://go.dev/cl/284780"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0"
}
]
}

67
data/osv/GO-2021-0069.json Normal file
Просмотреть файл

@ -0,0 +1,67 @@
{
"id": "GO-2021-0069",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-28362"
],
"details": "A number of math/big.Int methods can panic when provided large inputs due\nto a flawed division method.\n",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.12"
},
{
"introduced": "1.15.0"
},
{
"fixed": "1.15.5"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0069"
},
"ecosystem_specific": {
"imports": [
{
"path": "math/big",
"symbols": [
"nat.divRecursiveStep"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/269657"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/1e1fa5903b760c6714ba17e50bf850b01f49135c"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/42552"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ"
}
]
}

71
data/osv/GO-2021-0070.json Normal file
Просмотреть файл

@ -0,0 +1,71 @@
{
"id": "GO-2021-0070",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2016-3697",
"GHSA-q3j5-32m5-58c2"
],
"details": "GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will\nimproperly interpret numeric UIDs as usernames. If the method is used without\nverifying that usernames are formatted as expected, it may allow a user to\ngain unexpected privileges.\n",
"affected": [
{
"package": {
"name": "github.com/opencontainers/runc",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0070"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/opencontainers/runc/libcontainer/user",
"symbols": [
"GetExecUser",
"GetExecUserPath"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/opencontainers/runc/pull/708"
},
{
"type": "FIX",
"url": "https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091"
},
{
"type": "WEB",
"url": "https://github.com/docker/docker/issues/21436"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1034.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2634.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201612-28"
}
]
}

57
data/osv/GO-2021-0071.json Normal file
Просмотреть файл

@ -0,0 +1,57 @@
{
"id": "GO-2021-0071",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2015-1340"
],
"details": "A race between chown and chmod operations during a container\nfilesystem shift may allow a user who can modify the filesystem to\nchmod an arbitrary path of their choice, rather than the expected\npath.\n",
"affected": [
{
"package": {
"name": "github.com/lxc/lxd",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20151004155856-19c6961cc101"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0071"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/lxc/lxd/shared",
"symbols": [
"IdmapSet.doUidshiftIntoContainer"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/lxc/lxd/pull/1189"
},
{
"type": "FIX",
"url": "https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270"
}
]
}

81
data/osv/GO-2021-0072.json Normal file
Просмотреть файл

@ -0,0 +1,81 @@
{
"id": "GO-2021-0072",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2017-11468"
],
"details": "Various storage methods do not impose limits on how much content is accepted\nfrom user requests, allowing a malicious user to force the caller to allocate\nan arbitrary amount of memory.\n",
"affected": [
{
"package": {
"name": "github.com/docker/distribution",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.0-rc.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0072"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/docker/distribution/registry/handlers",
"symbols": [
"blobUploadHandler.PatchBlobData",
"blobUploadHandler.PutBlobUploadComplete",
"copyFullPayload",
"imageManifestHandler.GetImageManifest",
"imageManifestHandler.PutImageManifest"
]
},
{
"path": "github.com/docker/distribution/registry/storage",
"symbols": [
"PurgeUploads",
"Walk",
"blobStore.Enumerate",
"blobStore.Get",
"blobStore.Get",
"linkedBlobStore.Enumerate",
"linkedBlobStore.Get",
"manifestStore.Enumerate",
"manifestStore.Get",
"registry.Enumerate",
"registry.Repositories"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/distribution/distribution/pull/2340"
},
{
"type": "FIX",
"url": "https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2603"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html"
}
]
}

65
data/osv/GO-2021-0073.json Normal file
Просмотреть файл

@ -0,0 +1,65 @@
{
"id": "GO-2021-0073",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2017-17831"
],
"details": "Arbitrary command execution can be triggered by improperly\nsanitized SSH URLs in LFS configuration files. This can be\ntriggered by cloning a malicious repository.\n",
"affected": [
{
"package": {
"name": "github.com/git-lfs/git-lfs",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.1-0.20170519163204-f913f5f9c7c6"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0073"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/git-lfs/git-lfs/lfsapi",
"symbols": [
"sshGetLFSExeAndArgs"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/git-lfs/git-lfs/pull/2241"
},
{
"type": "FIX",
"url": "https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19"
},
{
"type": "WEB",
"url": "http://blog.recurity-labs.com/2017-08-10/scm-vulns"
},
{
"type": "WEB",
"url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102926"
}
]
}

57
data/osv/GO-2021-0075.json Normal file
Просмотреть файл

@ -0,0 +1,57 @@
{
"id": "GO-2021-0075",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2018-12018"
],
"details": "Due to improper argument validation in RPC messages, a maliciously crafted\nmessage can cause a panic, leading to denial of service.\n",
"affected": [
{
"package": {
"name": "github.com/ethereum/go-ethereum",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.11"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0075"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/ethereum/go-ethereum/les",
"symbols": [
"protocolManager.handleMsg"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/ethereum/go-ethereum/pull/16891"
},
{
"type": "FIX",
"url": "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4"
},
{
"type": "WEB",
"url": "https://peckshield.com/2018/06/27/EPoD/"
}
]
}

53
data/osv/GO-2021-0076.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"id": "GO-2021-0076",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2018-14632"
],
"details": "A malicious JSON patch can cause a panic due to an out-of-bounds\nwrite attempt. This can be used as a denial of service vector if\nexposed to arbitrary user input.\n",
"affected": [
{
"package": {
"name": "github.com/evanphx/json-patch",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.2"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0076"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/evanphx/json-patch",
"symbols": [
"partialArray.add"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/evanphx/json-patch/pull/57"
},
{
"type": "FIX",
"url": "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03"
}
]
}

54
data/osv/GO-2021-0077.json Normal file
Просмотреть файл

@ -0,0 +1,54 @@
{
"id": "GO-2021-0077",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2018-16886",
"GHSA-h6xx-pmxh-3wgp"
],
"details": "A user can use a valid client certificate that contains a CommonName that matches a\nvalid RBAC username to authenticate themselves as that user, despite lacking the\nrequired credentials. This may allow authentication bypass, but requires a certificate\nthat is issued by a CA trusted by the server.\n",
"affected": [
{
"package": {
"name": "go.etcd.io/etcd",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0-alpha.5.0.20190108173120-83c051b701d3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0077"
},
"ecosystem_specific": {
"imports": [
{
"path": "go.etcd.io/etcd/auth",
"symbols": [
"authStore.AuthInfoFromTLS"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/etcd-io/etcd/pull/10366"
},
{
"type": "FIX",
"url": "https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2"
}
]
}

66
data/osv/GO-2021-0078.json Normal file
Просмотреть файл

@ -0,0 +1,66 @@
{
"id": "GO-2021-0078",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2018-17075"
],
"details": "The HTML parser does not properly handle \"in frameset\" insertion mode, and can be made\nto panic when operating on malformed HTML that contains \u003ctemplate\u003e tags. If operating\non user input, this may be a vector for a denial of service attack.\n",
"affected": [
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20180816102801-aaf60122140d"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0078"
},
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/html",
"symbols": [
"inBodyIM",
"inFramesetIM"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/123776"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/27016"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/chromium/issues/detail?id=829668"
},
{
"type": "WEB",
"url": "https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906"
}
]
}

54
data/osv/GO-2021-0079.json Normal file
Просмотреть файл

@ -0,0 +1,54 @@
{
"id": "GO-2021-0079",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2018-18206",
"GHSA-vc3x-gx6c-g99f"
],
"details": "A malformed query can cause an out-of-bounds panic due to improper\nvalidation of arguments. If processing queries from untrusted\nparties, this may be used as a vector for denial of service\nattacks.\n",
"affected": [
{
"package": {
"name": "github.com/bytom/bytom",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.4-0.20180831054840-1ac3c8ac4f2b"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0079"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/bytom/bytom/p2p/discover",
"symbols": [
"Network.checkTopicRegister"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/Bytom/bytom/pull/1307"
},
{
"type": "FIX",
"url": "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
}
]
}

62
data/osv/GO-2021-0081.json Normal file
Просмотреть файл

@ -0,0 +1,62 @@
{
"id": "GO-2021-0081",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-10214",
"GHSA-85p9-j7c9-v4gr"
],
"details": "The HTTP client used to connect to the container registry authorization\nservice explicitly disables TLS verification, allowing an attacker that\nis able to MITM the connection to steal credentials.\n",
"affected": [
{
"package": {
"name": "github.com/containers/image",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2-0.20190802080134-634605d06e73"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0081"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/containers/image/docker",
"symbols": [
"dockerClient.getBearerToken"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/containers/image/pull/669"
},
{
"type": "FIX",
"url": "https://github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf"
},
{
"type": "WEB",
"url": "https://github.com/containers/image/issues/654"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214"
}
]
}

50
data/osv/GO-2021-0082.json Normal file
Просмотреть файл

@ -0,0 +1,50 @@
{
"id": "GO-2021-0082",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-11939"
],
"details": "Thirft Servers preallocate memory for the declared size of messages before\nchecking the actual size of the message. This allows a malicious user to\nsend messages that declare that they are significantly larger than they\nactually are, allowing them to force the server to allocate significant\namounts of memory. This can be used as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/facebook/fbthrift",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.1-0.20200311080807-483ed864d69f"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0082"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/facebook/fbthrift/thrift/lib/go/thrift"
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/cve-2019-11939"
}
]
}

53
data/osv/GO-2021-0083.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"id": "GO-2021-0083",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-12496"
],
"details": "TLS certificate verification is skipped when connecting to a MQTT server.\nThis allows an attacker who can MITM the connection to read, or forge,\nmessages passed between the client and server.\n",
"affected": [
{
"package": {
"name": "github.com/hybridgroup/gobot",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.1-0.20190521122906-c1aa4f867846"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0083"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/hybridgroup/gobot/platforms/mqtt",
"symbols": [
"Adaptor.newTLSConfig"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f"
},
{
"type": "WEB",
"url": "https://github.com/hybridgroup/gobot/releases/tag/v1.13.0"
}
]
}

59
data/osv/GO-2021-0084.json Normal file
Просмотреть файл

@ -0,0 +1,59 @@
{
"id": "GO-2021-0084",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-16354",
"GHSA-f6px-w8rh-7r89"
],
"details": "Session data is stored using permissive permissions, allowing local users\nwith filesystem access to read arbitrary data.\n",
"affected": [
{
"package": {
"name": "github.com/astaxie/beego",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.2-0.20200613154013-bac2b31afecc"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0084"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/astaxie/beego/session",
"symbols": [
"FileProvider.SessionRead",
"FileProvider.SessionRegenerate"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/beego/beego/pull/3975"
},
{
"type": "FIX",
"url": "https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1"
},
{
"type": "WEB",
"url": "https://github.com/beego/beego/issues/3763"
}
]
}

84
data/osv/GO-2021-0085.json Normal file
Просмотреть файл

@ -0,0 +1,84 @@
{
"id": "GO-2021-0085",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-16884",
"GHSA-fgv8-vj5c-2ppq"
],
"details": "AppArmor restrictions may be bypassed due to improper validation of mount\ntargets, allowing a malicious image to mount volumes over e.g. /proc.\n",
"affected": [
{
"package": {
"name": "github.com/opencontainers/runc",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-rc8.0.20190930145003-cad42f6e0932"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0085"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/opencontainers/runc/libcontainer"
}
]
}
},
{
"package": {
"name": "github.com/opencontainers/selinux",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.1-0.20190929122143-5215b1806f52"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0085"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/opencontainers/selinux/go-selinux"
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/opencontainers/runc/pull/2130"
},
{
"type": "FIX",
"url": "https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/issues/2128"
}
]
}

50
data/osv/GO-2021-0086.json Normal file
Просмотреть файл

@ -0,0 +1,50 @@
{
"id": "GO-2021-0086",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-19619",
"GHSA-wmwp-pggc-h4mj"
],
"details": "HTML content in markdown is not santized during rendering, possibly allowing\nXSS if used to render untrusted user input.\n",
"affected": [
{
"package": {
"name": "github.com/documize/community",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.76.3-0.20191119114751-a4384210d4d0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0086"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/documize/community/domain/section/markdown",
"symbols": [
"Provider.Render"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/documize/community/commit/a4384210d4d0d6b18e6fdb7e155de96d4a1cf9f3"
}
]
}

58
data/osv/GO-2021-0087.json Normal file
Просмотреть файл

@ -0,0 +1,58 @@
{
"id": "GO-2021-0087",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-19921",
"GHSA-fh74-hm69-rqjw"
],
"details": "A race while mounting volumes allows a possible symlink-exchange\nattack, allowing a user whom can start multiple containers with\ncustom volume mount configurations to escape the container.\n",
"affected": [
{
"package": {
"name": "github.com/opencontainers/runc",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-rc9.0.20200122160610-2fc03cc11c77"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0087"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/opencontainers/runc/libcontainer",
"symbols": [
"mountToRootfs"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/opencontainers/runc/pull/2207"
},
{
"type": "FIX",
"url": "https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/issues/2197"
}
]
}

54
data/osv/GO-2021-0088.json Normal file
Просмотреть файл

@ -0,0 +1,54 @@
{
"id": "GO-2021-0088",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-3564",
"GHSA-x4rg-4545-4w7w"
],
"details": "Skip ignores unknown fields, rather than failing. A malicious user can craft small\nmessages with unknown fields which can take significant resources to parse. If a\nserver accepts messages from an untrusted user, it may be used as a denial of service\nvector.\n",
"affected": [
{
"package": {
"name": "github.com/facebook/fbthrift",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.1-0.20190225164308-c461c1bd1a3e"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0088"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/facebook/fbthrift/thrift/lib/go/thrift",
"symbols": [
"Skip"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/facebook/fbthrift/commit/c461c1bd1a3e130b181aa9c854da3030cd4b5156"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/cve-2019-3564"
}
]
}

58
data/osv/GO-2021-0089.json Normal file
Просмотреть файл

@ -0,0 +1,58 @@
{
"id": "GO-2021-0089",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-10675",
"GHSA-rmh2-65xw-9m6q"
],
"details": "Parsing malformed JSON which contain opening brackets, but not closing brackets,\nleads to an infinite loop. If operating on untrusted user input this can be\nused as a denial of service vector.\n",
"affected": [
{
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20200321185410-91ac96899e49"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0089"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/buger/jsonparser",
"symbols": [
"findKeyStart"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/pull/192"
},
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717"
},
{
"type": "WEB",
"url": "https://github.com/buger/jsonparser/issues/188"
}
]
}

59
data/osv/GO-2021-0090.json Normal file
Просмотреть файл

@ -0,0 +1,59 @@
{
"id": "GO-2021-0090",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-15091",
"GHSA-6jqj-f58p-mrw3"
],
"details": "Proposed commits may contain signatures for blocks not contained\nwithin the commit. Instead of skipping these signatures, they\ncause failure during verification. A malicious proposer can use\nthis to force consensus failures.\n",
"affected": [
{
"package": {
"name": "github.com/tendermint/tendermint",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.33.0"
},
{
"fixed": "0.34.0-dev1.0.20200702134149-480b995a3172"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0090"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tendermint/tendermint/types",
"symbols": [
"MakeCommit",
"VoteSet.MakeCommit"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tendermint/tendermint/pull/5426"
},
{
"type": "FIX",
"url": "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340"
},
{
"type": "WEB",
"url": "https://github.com/tendermint/tendermint/issues/4926"
}
]
}

57
data/osv/GO-2021-0094.json Normal file
Просмотреть файл

@ -0,0 +1,57 @@
{
"id": "GO-2021-0094",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-29529"
],
"details": "Protections against directory traversal during archive extraction can be\nbypassed by chaining multiple symbolic links within the archive. This allows\na malicious attacker to cause files to be created outside of the target\ndirectory. Additionally if the attacker is able to read extracted files\nthey may create symbolic links to arbitrary files on the system which the\nunpacker has permissions to read.\n",
"affected": [
{
"package": {
"name": "github.com/hashicorp/go-slug",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0094"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/hashicorp/go-slug",
"symbols": [
"Unpack"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/hashicorp/go-slug/pull/12"
},
{
"type": "FIX",
"url": "https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f"
},
{
"type": "WEB",
"url": "https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug"
}
]
}

58
data/osv/GO-2021-0095.json Normal file
Просмотреть файл

@ -0,0 +1,58 @@
{
"id": "GO-2021-0095",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-8918",
"GHSA-5x29-3hr9-6wpw"
],
"details": "Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport\nis able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,\nallowing them to use the created key.\n",
"affected": [
{
"package": {
"name": "github.com/google/go-tpm",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0095"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/google/go-tpm/tpm",
"symbols": [
"CreateWrapKey"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/google/go-tpm/pull/195"
},
{
"type": "FIX",
"url": "https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141"
},
{
"type": "WEB",
"url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"
}
]
}

51
data/osv/GO-2021-0096.json Normal file
Просмотреть файл

@ -0,0 +1,51 @@
{
"id": "GO-2021-0096",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-8945",
"GHSA-m6wg-2mwg-4rfq"
],
"details": "Due to improper setting of finalizers, memory passed to C may be freed before it is used,\nleading to crashes due to memory corruption or possible code execution.\n",
"affected": [
{
"package": {
"name": "github.com/proglottis/gpgme",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0096"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/proglottis/gpgme"
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/proglottis/gpgme/pull/23"
},
{
"type": "FIX",
"url": "https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733"
}
]
}

67
data/osv/GO-2021-0097.json Normal file
Просмотреть файл

@ -0,0 +1,67 @@
{
"id": "GO-2021-0097",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-29242",
"CVE-2020-29243",
"CVE-2020-29244",
"CVE-2020-29245"
],
"details": "Due to improper bounds checking, a number of methods can trigger a panic due to attempted\nout-of-bounds reads. If the package is used to parse user supplied input, this may be\nused as a vector for a denial of service attack.\n",
"affected": [
{
"package": {
"name": "github.com/dhowden/tag",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20201120070457-d52dcb253c63"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0097"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/dhowden/tag",
"symbols": [
"readAPICFrame",
"readAtomData",
"readPICFrame",
"readTextWithDescrFrame"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/dhowden/tag/commit/d52dcb253c63a153632bfee5f269dd411dcd8e96"
},
{
"type": "WEB",
"url": "https://github.com/dhowden/tag/commit/a92213460e4838490ce3066ef11dc823cdc1740e"
},
{
"type": "WEB",
"url": "https://github.com/dhowden/tag/commit/4b595ed4fac79f467594aa92f8953f90f817116e"
},
{
"type": "WEB",
"url": "https://github.com/dhowden/tag/commit/6b18201aa5c5535511802ddfb4e4117686b4866d"
}
]
}

85
data/osv/GO-2021-0098.json Normal file
Просмотреть файл

@ -0,0 +1,85 @@
{
"id": "GO-2021-0098",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-21237",
"GHSA-cx3w-xqmc-84g5"
],
"details": "Due to the standard library behavior of exec.LookPath on Windows a number of methods may\nresult in arbitrary code execution when cloning or operating on untrusted Git repositories.\n",
"affected": [
{
"package": {
"name": "github.com/git-lfs/git-lfs",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.1-0.20210113180018-fc664697ed2c"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0098"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/git-lfs/git-lfs/commands",
"goos": [
"windows"
],
"symbols": [
"PipeCommand"
]
},
{
"path": "github.com/git-lfs/git-lfs/creds",
"goos": [
"windows"
],
"symbols": [
"AskPassCredentialHelper.getFromProgram",
"commandCredentialHelper.Approve"
]
},
{
"path": "github.com/git-lfs/git-lfs/lfs",
"goos": [
"windows"
],
"symbols": [
"pipeExtensions"
]
},
{
"path": "github.com/git-lfs/git-lfs/lfshttp",
"goos": [
"windows"
],
"symbols": [
"sshAuthClient.Resolve"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a"
},
{
"type": "WEB",
"url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5"
}
]
}

55
data/osv/GO-2021-0099.json Normal file
Просмотреть файл

@ -0,0 +1,55 @@
{
"id": "GO-2021-0099",
"published": "2021-04-14T20:04:52Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-21272",
"GHSA-g5v4-5x39-vwhx"
],
"details": "Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore\ncontent store may result in directory traversal during archive extraction, allowing a\nmalicious archive to write paths to arbitrary paths that the process can write to.\n",
"affected": [
{
"package": {
"name": "github.com/deislabs/oras",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0099"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/deislabs/oras/pkg/content",
"symbols": [
"extractTarDirectory",
"fileWriter.Commit"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e"
},
{
"type": "WEB",
"url": "https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx"
}
]
}

71
data/osv/GO-2021-0100.json Normal file
Просмотреть файл

@ -0,0 +1,71 @@
{
"id": "GO-2021-0100",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-20291",
"GHSA-7qw8-847f-pggm"
],
"details": "Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream\non a xz archive returns a reader which will hang indefinitely when Close is called. An attacker\ncan use this to cause denial of service if they are able to cause the caller to attempt to\ndecompress an archive they control.\n",
"affected": [
{
"package": {
"name": "github.com/containers/storage",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.28.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0100"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/containers/storage/pkg/archive",
"symbols": [
"ApplyLayer",
"ApplyUncompressedLayer",
"Archiver.CopyFileWithTar",
"Archiver.CopyWithTar",
"Archiver.TarUntar",
"Archiver.UntarPath",
"CopyResource",
"CopyTo",
"DecompressStream",
"IsArchivePath",
"Untar",
"UntarPath",
"UntarUncompressed",
"cmdStream"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/containers/storage/pull/860"
},
{
"type": "FIX",
"url": "https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939485"
}
]
}

96
data/osv/GO-2021-0101.json Normal file
Просмотреть файл

@ -0,0 +1,96 @@
{
"id": "GO-2021-0101",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-0210",
"GHSA-jq7p-26h5-w78r"
],
"details": "Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If\nthis package is used to parse untrusted input, this may be used as a vector for a denial of\nservice attack.\n",
"affected": [
{
"package": {
"name": "github.com/apache/thrift",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.0.0-20151001171628-53dd39833a08"
},
{
"fixed": "0.13.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0101"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/apache/thrift/lib/go/thrift",
"symbols": [
"Skip",
"SkipDefaultDepth",
"TJSONProtocol.ParseElemListBegin",
"TJSONProtocol.ReadBool",
"TJSONProtocol.ReadByte",
"TJSONProtocol.ReadDouble",
"TJSONProtocol.ReadFieldBegin",
"TJSONProtocol.ReadFieldEnd",
"TJSONProtocol.ReadI16",
"TJSONProtocol.ReadI32",
"TJSONProtocol.ReadI64",
"TJSONProtocol.ReadListBegin",
"TJSONProtocol.ReadListEnd",
"TJSONProtocol.ReadMapBegin",
"TJSONProtocol.ReadMapEnd",
"TJSONProtocol.ReadMessageBegin",
"TJSONProtocol.ReadMessageEnd",
"TJSONProtocol.ReadSetBegin",
"TJSONProtocol.ReadSetEnd",
"TJSONProtocol.ReadStructBegin",
"TJSONProtocol.ReadStructEnd",
"TSimpleJSONProtocol.ParseElemListBegin",
"TSimpleJSONProtocol.ParseF64",
"TSimpleJSONProtocol.ParseI64",
"TSimpleJSONProtocol.ParseListBegin",
"TSimpleJSONProtocol.ParseListEnd",
"TSimpleJSONProtocol.ParseObjectEnd",
"TSimpleJSONProtocol.ParseObjectStart",
"TSimpleJSONProtocol.ReadByte",
"TSimpleJSONProtocol.ReadDouble",
"TSimpleJSONProtocol.ReadI16",
"TSimpleJSONProtocol.ReadI32",
"TSimpleJSONProtocol.ReadI64",
"TSimpleJSONProtocol.ReadListBegin",
"TSimpleJSONProtocol.ReadListEnd",
"TSimpleJSONProtocol.ReadMapBegin",
"TSimpleJSONProtocol.ReadMapEnd",
"TSimpleJSONProtocol.ReadMessageBegin",
"TSimpleJSONProtocol.ReadMessageEnd",
"TSimpleJSONProtocol.ReadSetBegin",
"TSimpleJSONProtocol.ReadSetEnd",
"TSimpleJSONProtocol.ReadStructBegin",
"TSimpleJSONProtocol.ReadStructEnd",
"TSimpleJSONProtocol.safePeekContains",
"TStandardClient.Call",
"TStandardClient.Recv",
"tApplicationException.Read"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2"
}
]
}

86
data/osv/GO-2021-0102.json Normal file
Просмотреть файл

@ -0,0 +1,86 @@
{
"id": "GO-2021-0102",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2019-11289",
"GHSA-5796-p3m6-9qj4"
],
"details": "Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect\nnonce size. If this package is used to decrypt user supplied messages without checking the size of\nsupplied nonces, this may be used as a vector for a denial of service attack.\n",
"affected": [
{
"package": {
"name": "code.cloudfoundry.org/gorouter",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20191101214924-b1b5c44e050f"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0102"
},
"ecosystem_specific": {
"imports": [
{
"path": "code.cloudfoundry.org/gorouter/common/secure",
"symbols": [
"AesGCM.Decrypt"
]
}
]
}
},
{
"package": {
"name": "github.com/cloudfoundry/gorouter",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20191101214924-b1b5c44e050f"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0102"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/cloudfoundry/gorouter/common/secure",
"symbols": [
"AesGCM.Decrypt"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/cloudfoundry/gorouter/commit/b1b5c44e050f73b399b379ca63a42a2c5780a83f"
},
{
"type": "WEB",
"url": "https://www.cloudfoundry.org/blog/cve-2019-11289/"
}
]
}

64
data/osv/GO-2021-0103.json Normal file
Просмотреть файл

@ -0,0 +1,64 @@
{
"id": "GO-2021-0103",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-26242",
"GHSA-jm5c-rv3w-w83m"
],
"details": "Due to improper bounds checking, certain mathmatical operations can cause a panic via an\nout of bounds read. If this package is used to process untrusted user inputs, this may be used\nas a vector for a denial of service attack.\n",
"affected": [
{
"package": {
"name": "github.com/holiman/uint256",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "1.1.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0103"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/holiman/uint256",
"symbols": [
"Int.AddMod",
"Int.Div",
"Int.Mod",
"Int.MulMod",
"Int.SDiv",
"Int.SMod",
"udivrem"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/holiman/uint256/pull/80"
},
{
"type": "FIX",
"url": "https://github.com/holiman/uint256/commit/6785da6e3eea403260a5760029e722aa4ff1716d"
},
{
"type": "WEB",
"url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m"
}
]
}

66
data/osv/GO-2021-0104.json Normal file
Просмотреть файл

@ -0,0 +1,66 @@
{
"id": "GO-2021-0104",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-28681",
"GHSA-74xm-qj29-cq8p"
],
"details": "Due to improper error handling, DTLS connections were not killed when certificate verification\nfailed, causing users who did not check the connection state to continue to use the connection.\nThis could allow allow an attacker which holds the ICE password, but not a valid certificate,\nto bypass this restriction.\n",
"affected": [
{
"package": {
"name": "github.com/pion/webrtc/v3",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.15"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0104"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/pion/webrtc/v3",
"symbols": [
"DTLSTransport.Start",
"PeerConnection.AddTrack",
"PeerConnection.AddTransceiverFromTrack",
"PeerConnection.CreateDataChannel",
"PeerConnection.RemoveTrack",
"PeerConnection.SetLocalDescription",
"PeerConnection.SetRemoteDescription",
"operations.Done",
"operations.Enqueue"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/pion/webrtc/pull/1709"
},
{
"type": "FIX",
"url": "https://github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e"
},
{
"type": "WEB",
"url": "https://github.com/pion/webrtc/issues/1708"
}
]
}

54
data/osv/GO-2021-0105.json Normal file
Просмотреть файл

@ -0,0 +1,54 @@
{
"id": "GO-2021-0105",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-26265",
"GHSA-xw37-57qp-9mm4"
],
"details": "Due to an incorrect state calculation, a specific set of\ntransactions could cause a consensus disagreement,\ncausing users of this package to reject a canonical chain.\n",
"affected": [
{
"package": {
"name": "github.com/ethereum/go-ethereum",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.9.4"
},
{
"fixed": "1.9.20"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0105"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/ethereum/go-ethereum/core",
"symbols": [
"StateDB.createObject"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/ethereum/go-ethereum/pull/21080"
},
{
"type": "FIX",
"url": "https://github.com/ethereum/go-ethereum/commit/87c0ba92136a75db0ab2aba1046d4a9860375d6a"
}
]
}

53
data/osv/GO-2021-0106.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"id": "GO-2021-0106",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-36566"
],
"details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n",
"affected": [
{
"package": {
"name": "github.com/whyrusleeping/tar-utils",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20201201191210-20a61371de5b"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0106"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/whyrusleeping/tar-utils",
"symbols": [
"Extractor.outputPath"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227"
},
{
"type": "WEB",
"url": "https://snyk.io/research/zip-slip-vulnerability"
}
]
}

51
data/osv/GO-2021-0107.json Normal file
Просмотреть файл

@ -0,0 +1,51 @@
{
"id": "GO-2021-0107",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-4236",
"GHSA-5gjg-jgh4-gppm"
],
"details": "Web Sockets do not execute any AuthenticateMethod methods which may be set,\nleading to a nil pointer dereference if the returned UserData pointer is\nassumed to be non-nil, or authentication bypass.\n\nThis issue only affects WebSockets with an AuthenticateMethod hook.\nRequest handlers that do not explicitly use WebSockets are not\nvulnerable.\n",
"affected": [
{
"package": {
"name": "github.com/ecnepsnai/web",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.5.2"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0107"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/ecnepsnai/web",
"symbols": [
"Server.Socket",
"Server.socketHandler"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f"
}
]
}

54
data/osv/GO-2021-0108.json Normal file
Просмотреть файл

@ -0,0 +1,54 @@
{
"id": "GO-2021-0108",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-15111",
"GHSA-9cx9-x2gp-9qvh"
],
"details": "Due to improper input sanitization, a maliciously constructed filename\ncould cause a file download to use an attacker controlled filename, as well\nas injecting additional headers into an HTTP response.\n",
"affected": [
{
"package": {
"name": "github.com/gofiber/fiber",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.6"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0108"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/gofiber/fiber",
"symbols": [
"Ctx.Attachment"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/gofiber/fiber/pull/579"
},
{
"type": "FIX",
"url": "https://github.com/gofiber/fiber/commit/f698b5d5066cfe594102ae252cd58a1fe57cf56f"
}
]
}

50
data/osv/GO-2021-0109.json Normal file
Просмотреть файл

@ -0,0 +1,50 @@
{
"id": "GO-2021-0109",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-15223",
"GHSA-7mqr-2v3q-v2wm"
],
"details": "Due to improper error handling, an error with the underlying token storage may cause a user\nto believe a token has been successfully revoked when it is in fact still valid. An attackers\nability to exploit this relies on an ability to trigger errors in the underlying storage.\n",
"affected": [
{
"package": {
"name": "github.com/ory/fosite",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.34.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0109"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/ory/fosite",
"symbols": [
"TokenRevocationHandler.RevokeToken"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/ory/fosite/commit/03dd55813f5521985f7dd64277b7ba0cf1441319"
}
]
}

56
data/osv/GO-2021-0110.json Normal file
Просмотреть файл

@ -0,0 +1,56 @@
{
"id": "GO-2021-0110",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-15222",
"GHSA-v3q9-2p3m-7g43"
],
"details": "Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be\nreplayed.\n",
"affected": [
{
"package": {
"name": "github.com/ory/fosite",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0110"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/ory/fosite",
"symbols": [
"Fosite.AuthenticateClient",
"Fosite.NewAccessRequest",
"Fosite.NewRevocationRequest"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9"
},
{
"type": "WEB",
"url": "https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43"
}
]
}

175
data/osv/GO-2021-0112.json Normal file
Просмотреть файл

@ -0,0 +1,175 @@
{
"id": "GO-2021-0112",
"published": "2021-07-28T18:08:05Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-20329",
"GHSA-f6mq-5m25-4r72"
],
"details": "Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed\nGo structure could allow an attacker to inject additional fields into a MongoDB document. Users are\naffected if they use this package to handle untrusted user input.\n",
"affected": [
{
"package": {
"name": "go.mongodb.org/mongo-driver",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0112"
},
"ecosystem_specific": {
"imports": [
{
"path": "go.mongodb.org/mongo-driver/x/bsonx/bsoncore",
"symbols": [
"AppendArrayElement",
"AppendArrayElementStart",
"AppendBinaryElement",
"AppendBooleanElement",
"AppendCodeWithScopeElement",
"AppendDBPointerElement",
"AppendDateTimeElement",
"AppendDecimal128Element",
"AppendDocumentElement",
"AppendDocumentElementStart",
"AppendDoubleElement",
"AppendHeader",
"AppendInt32Element",
"AppendInt64Element",
"AppendJavaScriptElement",
"AppendMaxKeyElement",
"AppendMinKeyElement",
"AppendNullElement",
"AppendObjectIDElement",
"AppendRegex",
"AppendRegexElement",
"AppendStringElement",
"AppendSymbolElement",
"AppendTimeElement",
"AppendTimestampElement",
"AppendUndefinedElement",
"AppendValueElement",
"ArrayBuilder.AppendArray",
"ArrayBuilder.AppendBinary",
"ArrayBuilder.AppendBoolean",
"ArrayBuilder.AppendCodeWithScope",
"ArrayBuilder.AppendDBPointer",
"ArrayBuilder.AppendDateTime",
"ArrayBuilder.AppendDecimal128",
"ArrayBuilder.AppendDocument",
"ArrayBuilder.AppendDouble",
"ArrayBuilder.AppendInt32",
"ArrayBuilder.AppendInt64",
"ArrayBuilder.AppendJavaScript",
"ArrayBuilder.AppendMaxKey",
"ArrayBuilder.AppendMinKey",
"ArrayBuilder.AppendNull",
"ArrayBuilder.AppendObjectID",
"ArrayBuilder.AppendRegex",
"ArrayBuilder.AppendString",
"ArrayBuilder.AppendSymbol",
"ArrayBuilder.AppendTimestamp",
"ArrayBuilder.AppendUndefined",
"ArrayBuilder.AppendValue",
"ArrayBuilder.StartArray",
"BuildArray",
"BuildArrayElement",
"BuildDocumentElement",
"DocumentBuilder.AppendArray",
"DocumentBuilder.AppendBinary",
"DocumentBuilder.AppendBoolean",
"DocumentBuilder.AppendCodeWithScope",
"DocumentBuilder.AppendDBPointer",
"DocumentBuilder.AppendDateTime",
"DocumentBuilder.AppendDecimal128",
"DocumentBuilder.AppendDocument",
"DocumentBuilder.AppendDouble",
"DocumentBuilder.AppendInt32",
"DocumentBuilder.AppendInt64",
"DocumentBuilder.AppendJavaScript",
"DocumentBuilder.AppendMaxKey",
"DocumentBuilder.AppendMinKey",
"DocumentBuilder.AppendNull",
"DocumentBuilder.AppendObjectID",
"DocumentBuilder.AppendRegex",
"DocumentBuilder.AppendString",
"DocumentBuilder.AppendSymbol",
"DocumentBuilder.AppendTimestamp",
"DocumentBuilder.AppendUndefined",
"DocumentBuilder.AppendValue",
"DocumentBuilder.StartDocument"
]
},
{
"path": "go.mongodb.org/mongo-driver/bson/bsonrw",
"symbols": [
"Copier.AppendArrayBytes",
"Copier.AppendDocumentBytes",
"Copier.AppendValueBytes",
"Copier.CopyArrayFromBytes",
"Copier.CopyBytesToArrayWriter",
"Copier.CopyBytesToDocumentWriter",
"Copier.CopyDocument",
"Copier.CopyDocumentFromBytes",
"Copier.CopyDocumentToBytes",
"Copier.CopyValue",
"Copier.CopyValueFromBytes",
"Copier.CopyValueToBytes",
"CopyDocument",
"valueWriter.WriteArray",
"valueWriter.WriteBinary",
"valueWriter.WriteBinaryWithSubtype",
"valueWriter.WriteBoolean",
"valueWriter.WriteCodeWithScope",
"valueWriter.WriteDBPointer",
"valueWriter.WriteDateTime",
"valueWriter.WriteDecimal128",
"valueWriter.WriteDocument",
"valueWriter.WriteDouble",
"valueWriter.WriteInt32",
"valueWriter.WriteInt64",
"valueWriter.WriteJavascript",
"valueWriter.WriteMaxKey",
"valueWriter.WriteMinKey",
"valueWriter.WriteNull",
"valueWriter.WriteObjectID",
"valueWriter.WriteRegex",
"valueWriter.WriteString",
"valueWriter.WriteSymbol",
"valueWriter.WriteTimestamp",
"valueWriter.WriteUndefined",
"valueWriter.WriteValueBytes",
"valueWriter.writeElementHeader"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/mongodb/mongo-go-driver/pull/622"
},
{
"type": "FIX",
"url": "https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/GODRIVER-1923"
}
]
}

56
data/osv/GO-2021-0113.json Normal file
Просмотреть файл

@ -0,0 +1,56 @@
{
"id": "GO-2021-0113",
"published": "2021-10-06T17:51:21Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2021-38561"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
},
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
]
}

69
data/osv/GO-2021-0142.json Normal file
Просмотреть файл

@ -0,0 +1,69 @@
{
"id": "GO-2021-0142",
"published": "2022-07-01T20:11:09Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2020-16845",
"GHSA-q6gq-997w-f55g"
],
"details": "ReadUvarint and ReadVarint can read an unlimited number of bytes from\ninvalid inputs.\n\nCertain invalid inputs to ReadUvarint or ReadVarint can cause these\nfunctions to read an unlimited number of bytes from the ByteReader\nparameter before returning an error. This can lead to processing more\ninput than expected when the caller is reading directly from a\nnetwork and depends on ReadUvarint or ReadVarint only consuming a\nsmall, bounded number of bytes, even from invalid inputs.\n",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.15"
},
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.7"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0142"
},
"ecosystem_specific": {
"imports": [
{
"path": "encoding/binary",
"symbols": [
"ReadUvarint",
"ReadVarint"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/247120"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/40618"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/NyPIaucMgXo"
}
]
}

62
data/osv/GO-2021-0154.json Normal file
Просмотреть файл

@ -0,0 +1,62 @@
{
"id": "GO-2021-0154",
"published": "2022-05-25T21:11:41Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2014-7189"
],
"details": "When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle\nattackers to spoof clients via unspecified vectors.\n\nIf the server enables TLS client authentication using certificates (this is\nrare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,\nthen a malicious client can falsely assert ownership of any client\ncertificate it wishes.\n",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "1.3.2"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0154"
},
"ecosystem_specific": {
"imports": [
{
"path": "crypto/tls",
"symbols": [
"checkForResumption",
"decryptTicket"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/148080043"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/commit/64df53ed7f"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/53085"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ"
}
]
}

99
data/osv/GO-2021-0159.json Normal file
Просмотреть файл

@ -0,0 +1,99 @@
{
"id": "GO-2021-0159",
"published": "2022-01-05T21:39:14Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2015-5739",
"CVE-2015-5740",
"CVE-2015-5741"
],
"details": "HTTP headers were not properly parsed, which allows remote attackers to\nconduct HTTP request smuggling attacks via a request that contains\nContent-Length and Transfer-Encoding header fields.\n",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0159"
},
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"CanonicalMIMEHeaderKey",
"body.readLocked",
"canonicalMIMEHeaderKey",
"chunkWriter.writeHeader",
"fixLength",
"fixTransferEncoding",
"readTransfer",
"transferWriter.shouldSendContentLength",
"validHeaderFieldByte"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/13148"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/26049f6f9171d1190f3bbe05ec304845cfe6399f"
},
{
"type": "FIX",
"url": "https://go.dev/cl/11772"
},
{
"type": "FIX",
"url": "https://go.dev/cl/11810"
},
{
"type": "FIX",
"url": "https://go.dev/cl/12865"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/300d9a21583e7cf0149a778a0611e76ff7c6680f"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/c2db5f4ccc61ba7df96a747e268a277b802cbb87"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/12027"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/11930"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ"
}
]
}

Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше