diff --git a/data/osv/GO-2020-0001.json b/data/osv/GO-2020-0001.json new file mode 100644 index 00000000..0c51b166 --- /dev/null +++ b/data/osv/GO-2020-0001.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2020-0001", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36567" + ], + "details": "The default Formatter for the Logger middleware (LoggerConfig.Formatter),\nwhich is included in the Default engine, allows attackers to inject arbitrary\nlog entries by manipulating the request path.\n", + "affected": [ + { + "package": { + "name": "github.com/gin-gonic/gin", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0001" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gin-gonic/gin", + "symbols": [ + "defaultLogFormatter" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/pull/2237" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0003.json b/data/osv/GO-2020-0003.json new file mode 100644 index 00000000..12706674 --- /dev/null +++ b/data/osv/GO-2020-0003.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2020-0003", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36568" + ], + "details": "An attacker can cause an application that accepts slice parameters\n(https://revel.github.io/manual/parameters.html#slices) to allocate large\namounts of memory and crash through manipulating the request query sent to the application.\n", + "affected": [ + { + "package": { + "name": "github.com/revel/revel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0003" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/revel/revel" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/revel/revel/pull/1427" + }, + { + "type": "FIX", + "url": "https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605" + }, + { + "type": "WEB", + "url": "https://github.com/revel/revel/issues/1424" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0004.json b/data/osv/GO-2020-0004.json new file mode 100644 index 00000000..383bb081 --- /dev/null +++ b/data/osv/GO-2020-0004.json @@ -0,0 +1,57 @@ +{ + "id": "GO-2020-0004", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36569" + ], + "details": "If any of the ListenAndServe functions are called with an empty token,\ntoken authentication is disabled globally for all listeners.\n\nAlso, a minor timing side channel was present allowing attackers with\nvery low latency and able to make a lot of requests to potentially\nrecover the token.\n", + "affected": [ + { + "package": { + "name": "github.com/nanobox-io/golang-nanoauth", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20160722212129-ac0cc4484ad4" + }, + { + "fixed": "0.0.0-20200131131040-063a3fb69896" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0004" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/nanobox-io/golang-nanoauth", + "symbols": [ + "Auth.ListenAndServe", + "Auth.ListenAndServeTLS", + "Auth.ServerHTTP", + "ListenAndServe", + "ListenAndServeTLS" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/nanobox-io/golang-nanoauth/pull/5" + }, + { + "type": "FIX", + "url": "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0005.json b/data/osv/GO-2020-0005.json new file mode 100644 index 00000000..31cc8091 --- /dev/null +++ b/data/osv/GO-2020-0005.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2020-0005", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-15106", + "CVE-2020-15112" + ], + "details": "Malformed WALs can be constructed such that WAL.ReadAll can cause attempted\nout of bounds reads, or creation of arbitrarily sized slices, which may be used as\na DoS vector.\n", + "affected": [ + { + "package": { + "name": "go.etcd.io/etcd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.5.0-alpha.5.0.20200423152442-f4b650b51dc4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0005" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "go.etcd.io/etcd/wal", + "symbols": [ + "WAL.ReadAll", + "decoder.decodeRecord" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/etcd-io/etcd/pull/11793" + }, + { + "type": "FIX", + "url": "https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07" + }, + { + "type": "WEB", + "url": "https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0006.json b/data/osv/GO-2020-0006.json new file mode 100644 index 00000000..6f3d71d5 --- /dev/null +++ b/data/osv/GO-2020-0006.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2020-0006", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-15133", + "GHSA-p55x-7x9v-q8m4" + ], + "details": "An attacker may prevent TCP connections to a Server by opening\na connection and leaving it idle, until the connection is closed by\nthe server no other connections will be accepted.\n", + "affected": [ + { + "package": { + "name": "github.com/miekg/dns", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.4-0.20180125103619-43913f2f4fbd" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0006" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/miekg/dns", + "symbols": [ + "ActivateAndServe", + "ListenAndServe", + "ListenAndServeTLS", + "Server.ActivateAndServe", + "Server.ListenAndServe", + "Server.serveTCP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/miekg/dns/pull/631" + }, + { + "type": "FIX", + "url": "https://github.com/miekg/dns/commit/43913f2f4fbd7dcff930b8a809e709591e4dd79e" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0007.json b/data/osv/GO-2020-0007.json new file mode 100644 index 00000000..3592c1fd --- /dev/null +++ b/data/osv/GO-2020-0007.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2020-0007", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-18367", + "GHSA-58v3-j75h-xr49" + ], + "details": "Filters containing rules with multiple syscall arguments are improperly\nconstructed, such that all arguments are required to match rather than\nany of the arguments (AND is used rather than OR). These filters can be\nbypassed by only specifying a subset of the arguments due to this\nbehavior.\n", + "affected": [ + { + "package": { + "name": "github.com/seccomp/libseccomp-golang", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.9.1-0.20170424173420-06e7a29f36a3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0007" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/seccomp/libseccomp-golang", + "symbols": [ + "ScmpFilter.AddRule", + "ScmpFilter.AddRuleConditional", + "ScmpFilter.AddRuleConditionalExact", + "ScmpFilter.AddRuleExact", + "ScmpFilter.addRuleGeneric" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0008.json b/data/osv/GO-2020-0008.json new file mode 100644 index 00000000..7b7a2275 --- /dev/null +++ b/data/osv/GO-2020-0008.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2020-0008", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-19794", + "GHSA-44r7-7p62-q3fr" + ], + "details": "DNS message transaction IDs are generated using math/rand which\nmakes them relatively predictable. This reduces the complexity\nof response spoofing attacks against DNS clients.\n", + "affected": [ + { + "package": { + "name": "github.com/miekg/dns", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.25-0.20191211073109-8ebf2e419df7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0008" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/miekg/dns", + "symbols": [ + "Msg.SetAxfr", + "Msg.SetIxfr", + "Msg.SetNotify", + "Msg.SetQuestion", + "Msg.SetUpdate", + "id" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/miekg/dns/pull/1044" + }, + { + "type": "FIX", + "url": "https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33" + }, + { + "type": "WEB", + "url": "https://github.com/miekg/dns/issues/1037" + }, + { + "type": "WEB", + "url": "https://github.com/miekg/dns/issues/1043" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0009.json b/data/osv/GO-2020-0009.json new file mode 100644 index 00000000..e725e0fb --- /dev/null +++ b/data/osv/GO-2020-0009.json @@ -0,0 +1,89 @@ +{ + "id": "GO-2020-0009", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2016-9123", + "GHSA-3fx4-7f69-5mmg" + ], + "details": "On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC\nwith HMAC such that they can control how large the input buffer is when computing\nthe HMAC authentication tag. This can can allow a manipulated ciphertext to be\nverified as authentic, opening the door for padding oracle attacks.\n", + "affected": [ + { + "package": { + "name": "github.com/square/go-jose", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20160903044734-789a4c4bd4c1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0009" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/square/go-jose/cipher", + "goarch": [ + "386", + "arm", + "armbe", + "amd64p32", + "mips", + "mipsle", + "mips64p32", + "mips64p32le", + "ppc", + "riscv", + "s390", + "sparc" + ], + "symbols": [ + "cbcAEAD.computeAuthTag" + ] + }, + { + "path": "github.com/square/go-jose", + "goarch": [ + "386", + "arm", + "armbe", + "amd64p32", + "mips", + "mipsle", + "mips64p32", + "mips64p32le", + "ppc", + "riscv", + "s390", + "sparc" + ], + "symbols": [ + "JsonWebEncryption.Decrypt", + "JsonWebEncryption.DecryptMulti" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96" + }, + { + "type": "WEB", + "url": "https://www.openwall.com/lists/oss-security/2016/11/03/1" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0010.json b/data/osv/GO-2020-0010.json new file mode 100644 index 00000000..f91e0ff3 --- /dev/null +++ b/data/osv/GO-2020-0010.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2020-0010", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2016-9121", + "GHSA-86r9-39j9-99wp" + ], + "details": "When using ECDH-ES an attacker can mount an invalid curve attack during\ndecryption as the supplied public key is not checked to be on the same\ncurve as the receivers private key.\n", + "affected": [ + { + "package": { + "name": "github.com/square/go-jose", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20160831185616-c7581939a365" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0010" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/square/go-jose/cipher", + "symbols": [ + "DeriveECDHES", + "ecDecrypterSigner.decryptKey", + "rawJsonWebKey.ecPublicKey" + ] + }, + { + "path": "github.com/square/go-jose", + "symbols": [ + "JsonWebEncryption.Decrypt" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507" + }, + { + "type": "WEB", + "url": "https://www.openwall.com/lists/oss-security/2016/11/03/1" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0012.json b/data/osv/GO-2020-0012.json new file mode 100644 index 00000000..85232509 --- /dev/null +++ b/data/osv/GO-2020-0012.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2020-0012", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-9283", + "GHSA-ffhg-7mh4-33c4" + ], + "details": "An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public\nkey, such that the library will panic when trying to verify a signature\nwith it. If verifying signatures using user supplied public keys, this\nmay be used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20200220183623-bac4c82f6975" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0012" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "NewPublicKey", + "ed25519PublicKey.Verify", + "parseED25519", + "parseSKEd25519", + "skEd25519PublicKey.Verify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/220357" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/3L45YRc91SY" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0013.json b/data/osv/GO-2020-0013.json new file mode 100644 index 00000000..c90e9d62 --- /dev/null +++ b/data/osv/GO-2020-0013.json @@ -0,0 +1,61 @@ +{ + "id": "GO-2020-0013", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-3204" + ], + "details": "By default host key verification is disabled which allows for\nman-in-the-middle attacks against SSH clients if\nClientConfig.HostKeyCallback is not set.\n", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20170330155735-e4e2799dd7aa" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0013" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "NewClientConn" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/340830" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/19767" + }, + { + "type": "WEB", + "url": "https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0014.json b/data/osv/GO-2020-0014.json new file mode 100644 index 00000000..40d985fd --- /dev/null +++ b/data/osv/GO-2020-0014.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2020-0014", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-17846" + ], + "details": "html.Parse does not properly handle \"select\" tags, which can lead\nto an infinite loop. If parsing user supplied input, this may be used\nas a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20190125091013-d26f9f9a57f3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0014" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "inSelectIM", + "inSelectInTableIM" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go-review.googlesource.com/c/137275" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/27842" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0015.json b/data/osv/GO-2020-0015.json new file mode 100644 index 00000000..54f1145b --- /dev/null +++ b/data/osv/GO-2020-0015.json @@ -0,0 +1,69 @@ +{ + "id": "GO-2020-0015", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-14040", + "GHSA-5rcv-m4m3-hfh7" + ], + "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with\nUseBOM or ExpectBOM to trigger an infinite loop if the String function on\nthe Decoder is called, or the Decoder is passed to transform.String.\nIf used to parse user supplied input, this may be used as a denial of service\nvector.\n", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0015" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/encoding/unicode", + "symbols": [ + "bomOverride.Transform", + "utf16Decoder.Transform" + ] + }, + { + "path": "golang.org/x/text/transform", + "symbols": [ + "String" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/238238" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/39491" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0016.json b/data/osv/GO-2020-0016.json new file mode 100644 index 00000000..575403e4 --- /dev/null +++ b/data/osv/GO-2020-0016.json @@ -0,0 +1,61 @@ +{ + "id": "GO-2020-0016", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-29482", + "GHSA-25xm-hr59-7c27" + ], + "details": "An attacker can construct a series of bytes such that calling\nReader.Read on the bytes could cause an infinite loop. If\nparsing user supplied input, this may be used as a denial of\nservice vector.\n", + "affected": [ + { + "package": { + "name": "github.com/ulikunitz/xz", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.5.8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0016" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ulikunitz/xz", + "symbols": [ + "Reader.Read", + "blockHeader.UnmarshalBinary", + "readUvarint", + "streamReader.Read" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b" + }, + { + "type": "WEB", + "url": "https://github.com/ulikunitz/xz/issues/35" + }, + { + "type": "WEB", + "url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0017.json b/data/osv/GO-2020-0017.json new file mode 100644 index 00000000..42749ce8 --- /dev/null +++ b/data/osv/GO-2020-0017.json @@ -0,0 +1,83 @@ +{ + "id": "GO-2020-0017", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-26160", + "GHSA-w73w-5m7g-f7qc" + ], + "details": "If a JWT contains an audience claim with an array of strings, rather\nthan a single string, and MapClaims.VerifyAudience is called with\nreq set to false, then audience verification will be bypassed,\nallowing an invalid set of audiences to be provided.\n", + "affected": [ + { + "package": { + "name": "github.com/dgrijalva/jwt-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20150717181359-44718f8a89b0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0017" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/dgrijalva/jwt-go", + "symbols": [ + "MapClaims.VerifyAudience" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/dgrijalva/jwt-go/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.0.0-preview1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0017" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/dgrijalva/jwt-go/v4", + "symbols": [ + "MapClaims.VerifyAudience" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab" + }, + { + "type": "WEB", + "url": "https://github.com/dgrijalva/jwt-go/issues/422" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0019.json b/data/osv/GO-2020-0019.json new file mode 100644 index 00000000..377b80b0 --- /dev/null +++ b/data/osv/GO-2020-0019.json @@ -0,0 +1,75 @@ +{ + "id": "GO-2020-0019", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-27813", + "GHSA-3xh2-74w9-5vxm" + ], + "details": "An attacker can craft malicious WebSocket frames that cause an integer\noverflow in a variable which tracks the number of bytes remaining. This\nmay cause the server or client to get stuck attempting to read frames\nin a loop, which can be used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/gorilla/websocket", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0019" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gorilla/websocket", + "symbols": [ + "Conn.Close", + "Conn.NextReader", + "Conn.ReadJSON", + "Conn.ReadMessage", + "Conn.WriteJSON", + "Conn.WritePreparedMessage", + "Conn.advanceFrame", + "Dialer.Dial", + "Dialer.DialContext", + "NewClient", + "NewPreparedMessage", + "ReadJSON", + "Subprotocols", + "Upgrade", + "Upgrader.Upgrade", + "WriteJSON", + "httpProxyDialer.Dial", + "messageReader.Read", + "netDialerFunc.Dial", + "proxy_direct.Dial", + "proxy_envOnce.Get", + "proxy_socks5.Dial" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/gorilla/websocket/pull/537" + }, + { + "type": "FIX", + "url": "https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0020.json b/data/osv/GO-2020-0020.json new file mode 100644 index 00000000..7f6b17ac --- /dev/null +++ b/data/osv/GO-2020-0020.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2020-0020", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-20146" + ], + "details": "Usage of the CORS handler may apply improper CORS headers, allowing\nthe requester to explicitly control the value of the Access-Control-Allow-Origin\nheader, which bypasses the expected behavior of the Same Origin Policy.\n", + "affected": [ + { + "package": { + "name": "github.com/gorilla/handlers", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0020" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gorilla/handlers", + "symbols": [ + "cors.ServeHTTP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/gorilla/handlers/pull/116" + }, + { + "type": "FIX", + "url": "https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0021.json b/data/osv/GO-2020-0021.json new file mode 100644 index 00000000..1bd3e508 --- /dev/null +++ b/data/osv/GO-2020-0021.json @@ -0,0 +1,56 @@ +{ + "id": "GO-2020-0021", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2014-8681", + "GHSA-mr6h-chqp-p9g2" + ], + "details": "Due to improper santization of user input, a number of methods are\nvulnerable to SQL injection if used with user input that has not\nbeen santized by the caller.\n", + "affected": [ + { + "package": { + "name": "github.com/gogits/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.5.8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0021" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gogits/gogs", + "symbols": [ + "GetIssues", + "SearchRepositoryByName", + "SearchUserByName" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/gogs/gogs/commit/83283bca4cb4e0f4ec48a28af680f0d88db3d2c8" + }, + { + "type": "WEB", + "url": "https://seclists.org/fulldisclosure/2014/Nov/31" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0022.json b/data/osv/GO-2020-0022.json new file mode 100644 index 00000000..b5427cbb --- /dev/null +++ b/data/osv/GO-2020-0022.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2020-0022", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2014-125026" + ], + "details": "LZ4 bindings use a deprecated C API that is vulnerable to\nmemory corruption, which could lead to arbitrary code execution\nif called with untrusted user input.\n", + "affected": [ + { + "package": { + "name": "github.com/cloudflare/golz4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20140711154735-199f5f787806" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0022" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/cloudflare/golz4", + "symbols": [ + "Uncompress" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898" + }, + { + "type": "WEB", + "url": "https://github.com/cloudflare/golz4/issues/5" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0023.json b/data/osv/GO-2020-0023.json new file mode 100644 index 00000000..c19b4895 --- /dev/null +++ b/data/osv/GO-2020-0023.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2020-0023", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2015-10004" + ], + "details": "Token validation methods are susceptible to a timing side-channel\nduring HMAC comparison. With a large enough number of requests\nover a low latency connection, an attacker may use this to determine\nthe expected HMAC.\n", + "affected": [ + { + "package": { + "name": "github.com/robbert229/jwt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20170426191122-ca1404ee6e83" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0023" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/robbert229/jwt", + "symbols": [ + "Algorithm.validateSignature" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654" + }, + { + "type": "WEB", + "url": "https://github.com/robbert229/jwt/issues/12" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0024.json b/data/osv/GO-2020-0024.json new file mode 100644 index 00000000..c2981745 --- /dev/null +++ b/data/osv/GO-2020-0024.json @@ -0,0 +1,83 @@ +{ + "id": "GO-2020-0024", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2013-10005" + ], + "details": "The RemoteAddr and LocalAddr methods on the returned net.Conn may\ncall themselves, leading to an infinite loop which will crash the\nprogram due to a stack overflow.\n", + "affected": [ + { + "package": { + "name": "github.com/btcsuite/go-socks", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20130808000456-233bccbb1abe" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0024" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/btcsuite/go-socks/socks", + "symbols": [ + "proxiedConn.LocalAddr", + "proxiedConn.RemoteAddr" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/btcsuitereleases/go-socks", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20130808000456-233bccbb1abe" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0024" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/btcsuitereleases/go-socks/socks", + "symbols": [ + "proxiedConn.LocalAddr", + "proxiedConn.RemoteAddr" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/btcsuite/go-socks/commit/233bccbb1abe02f05750f7ace66f5bffdb13defc" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0025.json b/data/osv/GO-2020-0025.json new file mode 100644 index 00000000..b2f8bbcc --- /dev/null +++ b/data/osv/GO-2020-0025.json @@ -0,0 +1,87 @@ +{ + "id": "GO-2020-0025", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-25046" + ], + "details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n", + "affected": [ + { + "package": { + "name": "github.com/cloudfoundry/archiver", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20180523222229-09b5706aa936" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0025" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/cloudfoundry/archiver", + "symbols": [ + "tgzExtractor.Extract", + "zipExtractor.Extract" + ] + } + ] + } + }, + { + "package": { + "name": "code.cloudfoundry.org/archiver", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20180523222229-09b5706aa936" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0025" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "code.cloudfoundry.org/archiver", + "symbols": [ + "tgzExtractor.Extract", + "zipExtractor.Extract" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840" + }, + { + "type": "WEB", + "url": "https://snyk.io/research/zip-slip-vulnerability" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0026.json b/data/osv/GO-2020-0026.json new file mode 100644 index 00000000..8fcc70e8 --- /dev/null +++ b/data/osv/GO-2020-0026.json @@ -0,0 +1,57 @@ +{ + "id": "GO-2020-0026", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-1103" + ], + "details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n", + "affected": [ + { + "package": { + "name": "github.com/openshift/source-to-image", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.10-0.20180427153919-f5cbcbc5cc6f" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0026" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/openshift/source-to-image/pkg/tar", + "symbols": [ + "New", + "stiTar.ExtractTarStream", + "stiTar.ExtractTarStreamFromTarReader", + "stiTar.ExtractTarStreamWithLogging", + "stiTar.extractLink" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/openshift/source-to-image/commit/f5cbcbc5cc6f8cc2f479a7302443bea407a700cb" + }, + { + "type": "WEB", + "url": "https://snyk.io/research/zip-slip-vulnerability" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0027.json b/data/osv/GO-2020-0027.json new file mode 100644 index 00000000..f645fb27 --- /dev/null +++ b/data/osv/GO-2020-0027.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2020-0027", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-6558", + "GHSA-qj26-7grj-whg3" + ], + "details": "After dropping and then elevating process privileges euid, guid, and groups\nare not properly restored to their original values, allowing an unprivileged\nuser to gain membership in the root group.\n", + "affected": [ + { + "package": { + "name": "github.com/google/fscrypt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.2.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0027" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/google/fscrypt/pam", + "symbols": [ + "Handle.StopAsPamUser", + "NewHandle", + "SetProcessPrivileges" + ] + }, + { + "path": "github.com/google/fscrypt/security", + "symbols": [ + "UserKeyringID" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/google/fscrypt/commit/3022c1603d968c22f147b4a2c49c4637dd1be91b" + }, + { + "type": "WEB", + "url": "https://github.com/google/fscrypt/issues/77" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0028.json b/data/osv/GO-2020-0028.json new file mode 100644 index 00000000..87c64806 --- /dev/null +++ b/data/osv/GO-2020-0028.json @@ -0,0 +1,56 @@ +{ + "id": "GO-2020-0028", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-17419", + "GHSA-9jcx-pr2f-qvq5" + ], + "details": "Due to a nil pointer dereference, parsing a malformed zone file\ncontaining TA records may cause a panic. If parsing user supplied\ninput, this may be used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/miekg/dns", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.10" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0028" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/miekg/dns", + "symbols": [ + "ParseZone", + "ReadRR", + "setTA" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/miekg/dns/commit/501e858f679edecd4a38a86317ce50271014a80d" + }, + { + "type": "WEB", + "url": "https://github.com/miekg/dns/issues/742" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0032.json b/data/osv/GO-2020-0032.json new file mode 100644 index 00000000..75b13402 --- /dev/null +++ b/data/osv/GO-2020-0032.json @@ -0,0 +1,117 @@ +{ + "id": "GO-2020-0032", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-25073" + ], + "details": "Due to improper santization of user input, Controller.FileHandler allows\nfor directory traversal, allowing an attacker to read files outside of\nthe target directory that the server has permission to read.\n", + "affected": [ + { + "package": { + "name": "github.com/goadesign/goa", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0032" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/goadesign/goa", + "symbols": [ + "Controller.FileHandler" + ] + } + ] + } + }, + { + "package": { + "name": "goa.design/goa", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0032" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "goa.design/goa", + "symbols": [ + "Controller.FileHandler" + ] + } + ] + } + }, + { + "package": { + "name": "goa.design/goa/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.9" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0032" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "goa.design/goa/v3", + "symbols": [ + "Controller.FileHandler" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/goadesign/goa/pull/2388" + }, + { + "type": "FIX", + "url": "https://github.com/goadesign/goa/commit/70b5a199d0f813d74423993832c424e1fc73fb39" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0033.json b/data/osv/GO-2020-0033.json new file mode 100644 index 00000000..82d8c9fb --- /dev/null +++ b/data/osv/GO-2020-0033.json @@ -0,0 +1,60 @@ +{ + "id": "GO-2020-0033", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36559" + ], + "details": "Due to improper santization of user input, HTTPEngine.Handle allows\nfor directory traversal, allowing an attacker to read files outside of\nthe target directory that the server has permission to read.\n", + "affected": [ + { + "package": { + "name": "aahframe.work", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0033" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "aahframe.work", + "symbols": [ + "Application.Run", + "Application.ServeHTTP", + "Application.Start", + "HTTPEngine.Handle" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-aah/aah/pull/267" + }, + { + "type": "FIX", + "url": "https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec" + }, + { + "type": "WEB", + "url": "https://github.com/go-aah/aah/issues/266" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0034.json b/data/osv/GO-2020-0034.json new file mode 100644 index 00000000..ee0126e4 --- /dev/null +++ b/data/osv/GO-2020-0034.json @@ -0,0 +1,57 @@ +{ + "id": "GO-2020-0034", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36560" + ], + "details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n", + "affected": [ + { + "package": { + "name": "github.com/artdarek/go-unzip", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0034" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/artdarek/go-unzip", + "symbols": [ + "Unzip.Extract" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/artdarek/go-unzip/pull/2" + }, + { + "type": "FIX", + "url": "https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0" + }, + { + "type": "WEB", + "url": "https://snyk.io/research/zip-slip-vulnerability" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0035.json b/data/osv/GO-2020-0035.json new file mode 100644 index 00000000..27373afb --- /dev/null +++ b/data/osv/GO-2020-0035.json @@ -0,0 +1,57 @@ +{ + "id": "GO-2020-0035", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36561" + ], + "details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n", + "affected": [ + { + "package": { + "name": "github.com/yi-ge/unzip", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.3-0.20200308084313-2adbaa4891b9" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0035" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/yi-ge/unzip", + "symbols": [ + "Unzip.Extract" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/yi-ge/unzip/pull/1" + }, + { + "type": "FIX", + "url": "https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73" + }, + { + "type": "WEB", + "url": "https://snyk.io/research/zip-slip-vulnerability" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0036.json b/data/osv/GO-2020-0036.json new file mode 100644 index 00000000..a07e750d --- /dev/null +++ b/data/osv/GO-2020-0036.json @@ -0,0 +1,93 @@ +{ + "id": "GO-2020-0036", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-11254", + "GHSA-wxc4-f4m6-wwqv" + ], + "details": "Due to unbounded aliasing, a crafted YAML file can cause consumption\nof significant system resources. If parsing user supplied input, this\nmay be used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0036" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "yaml_parser_fetch_more_tokens" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/go-yaml/yaml", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0036" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/go-yaml/yaml", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "yaml_parser_fetch_more_tokens" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/pull/555" + }, + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48" + }, + { + "type": "WEB", + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0037.json b/data/osv/GO-2020-0037.json new file mode 100644 index 00000000..36584560 --- /dev/null +++ b/data/osv/GO-2020-0037.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2020-0037", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-25072" + ], + "details": "Due to support of Gzip compression in request bodies, as well\nas a lack of limiting response body sizes, a malicious server\ncan cause a client to consume a significant amount of system\nresources, which may be used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/tendermint/tendermint", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.31.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0037" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tendermint/tendermint/rpc/client", + "symbols": [ + "makeHTTPClient" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tendermint/tendermint/pull/3430" + }, + { + "type": "FIX", + "url": "https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0038.json b/data/osv/GO-2020-0038.json new file mode 100644 index 00000000..0a70dcbe --- /dev/null +++ b/data/osv/GO-2020-0038.json @@ -0,0 +1,63 @@ +{ + "id": "GO-2020-0038", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-20786", + "GHSA-7gfg-6934-mqq2" + ], + "details": "Due to improper verification of packets, unencrypted packets containing\napplication data are accepted after the initial handshake. This allows\nan attacker to inject arbitrary data which the client/server believes\nwas encrypted, despite not knowing the session key.\n", + "affected": [ + { + "package": { + "name": "github.com/pion/dtls", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0038" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/pion/dtls", + "symbols": [ + "Client", + "Conn.handleIncomingPacket", + "Dial", + "Listener.Accept", + "Resume", + "Server" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/pion/dtls/pull/128" + }, + { + "type": "FIX", + "url": "https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0" + }, + { + "type": "WEB", + "url": "https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0039.json b/data/osv/GO-2020-0039.json new file mode 100644 index 00000000..50a9130f --- /dev/null +++ b/data/osv/GO-2020-0039.json @@ -0,0 +1,63 @@ +{ + "id": "GO-2020-0039", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-12666", + "GHSA-733f-44f3-3frw" + ], + "details": "Due to improper request santization, a specifically crafted URL\ncan cause the static file handler to redirect to an attacker chosen\nURL, allowing for open redirect attacks.\n", + "affected": [ + { + "package": { + "name": "gopkg.in/macaron.v1", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0039" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/macaron.v1", + "symbols": [ + "Context.Next", + "LoggerInvoker.Invoke", + "Macaron.Run", + "Macaron.ServeHTTP", + "Router.ServeHTTP", + "staticHandler" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-macaron/macaron/pull/199" + }, + { + "type": "FIX", + "url": "https://github.com/go-macaron/macaron/commit/addc7461c3a90a040e79aa75bfd245107a210245" + }, + { + "type": "WEB", + "url": "https://github.com/go-macaron/macaron/issues/198" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0040.json b/data/osv/GO-2020-0040.json new file mode 100644 index 00000000..cc6cc2e9 --- /dev/null +++ b/data/osv/GO-2020-0040.json @@ -0,0 +1,43 @@ +{ + "id": "GO-2020-0040", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36562" + ], + "details": "Due to unchecked type assertions, maliciously crafted messages can\ncause panics, which may be used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/shiyanhui/dht", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0040" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/shiyanhui/dht" + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/shiyanhui/dht/issues/57" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0041.json b/data/osv/GO-2020-0041.json new file mode 100644 index 00000000..178607b3 --- /dev/null +++ b/data/osv/GO-2020-0041.json @@ -0,0 +1,78 @@ +{ + "id": "GO-2020-0041", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-7668", + "GHSA-88jf-7rch-32qc" + ], + "details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n", + "affected": [ + { + "package": { + "name": "github.com/unknwon/cae", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0041" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/unknwon/cae/tz", + "symbols": [ + "Create", + "ExtractTo", + "Open", + "OpenFile", + "TzArchive.Close", + "TzArchive.ExtractTo", + "TzArchive.ExtractToFunc", + "TzArchive.Flush", + "TzArchive.Open", + "TzArchive.syncFiles" + ] + }, + { + "path": "github.com/unknwon/cae/zip", + "symbols": [ + "Create", + "ExtractTo", + "ExtractToFunc", + "Open", + "OpenFile", + "ZipArchive.Close", + "ZipArchive.ExtractTo", + "ZipArchive.ExtractToFunc", + "ZipArchive.Flush", + "ZipArchive.Open" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11" + }, + { + "type": "WEB", + "url": "https://snyk.io/research/zip-slip-vulnerability" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0042.json b/data/osv/GO-2020-0042.json new file mode 100644 index 00000000..02f2db14 --- /dev/null +++ b/data/osv/GO-2020-0042.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2020-0042", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-7667", + "GHSA-9423-6c93-gpp8" + ], + "details": "Due to improper path santization, RPMs containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n", + "affected": [ + { + "package": { + "name": "github.com/sassoftware/go-rpmutils", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.1.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0042" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/sassoftware/go-rpmutils/cpio", + "symbols": [ + "Extract" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0" + }, + { + "type": "WEB", + "url": "https://snyk.io/research/zip-slip-vulnerability" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0043.json b/data/osv/GO-2020-0043.json new file mode 100644 index 00000000..f5e379a6 --- /dev/null +++ b/data/osv/GO-2020-0043.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2020-0043", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-21246" + ], + "details": "Due to improper TLS verification when serving traffic for multiple\nSNIs, an attacker may bypass TLS client authentication by indicating\nan SNI during the TLS handshake that is different from the name in\nthe HTTP Host header.\n", + "affected": [ + { + "package": { + "name": "github.com/mholt/caddy", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.10.13" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0043" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/mholt/caddy/caddyhttp/httpserver", + "symbols": [ + "Server.serveHTTP", + "assertConfigsCompatible", + "httpContext.MakeServers" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/caddyserver/caddy/pull/2099" + }, + { + "type": "FIX", + "url": "https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3" + }, + { + "type": "WEB", + "url": "https://bugs.gentoo.org/715214" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0045.json b/data/osv/GO-2020-0045.json new file mode 100644 index 00000000..f6df53da --- /dev/null +++ b/data/osv/GO-2020-0045.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2020-0045", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2016-15005" + ], + "details": "CSRF tokens are generated using math/rand, which is not a cryptographically secure\nrander number generation, making predicting their values relatively trivial and\nallowing an attacker to bypass CSRF protections which relatively few requests.\n", + "affected": [ + { + "package": { + "name": "github.com/dinever/golf", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0045" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/dinever/golf", + "symbols": [ + "Context.Render", + "Context.RenderFromString", + "randomBytes" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/dinever/golf/pull/24" + }, + { + "type": "FIX", + "url": "https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe" + }, + { + "type": "WEB", + "url": "https://github.com/dinever/golf/issues/20" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0046.json b/data/osv/GO-2020-0046.json new file mode 100644 index 00000000..ec634597 --- /dev/null +++ b/data/osv/GO-2020-0046.json @@ -0,0 +1,87 @@ +{ + "id": "GO-2020-0046", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-7711" + ], + "details": "Due to a nil pointer dereference, a malformed XML Digital Signature\ncan cause a panic during validation. If user supplied signatures are\nbeing validated, this may be used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/russellhaering/goxmldsig", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0046" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/russellhaering/goxmldsig", + "symbols": [ + "ValidationContext.validateSignature" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/russellhaering/gosaml2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.6.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0046" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/russellhaering/gosaml2", + "symbols": [ + "SAMLServiceProvider.RetrieveAssertionInfo", + "SAMLServiceProvider.ValidateEncodedResponse", + "SAMLServiceProvider.validateAssertionSignatures" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/russellhaering/goxmldsig/issues/48" + }, + { + "type": "WEB", + "url": "https://github.com/russellhaering/gosaml2/issues/59" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0047.json b/data/osv/GO-2020-0047.json new file mode 100644 index 00000000..8fc01edb --- /dev/null +++ b/data/osv/GO-2020-0047.json @@ -0,0 +1,48 @@ +{ + "id": "GO-2020-0047", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36563" + ], + "details": "XML Digital Signatures generated and validated using this package use\nSHA-1, which may allow an attacker to craft inputs which cause hash\ncollisions depending on their control over the input.\n", + "affected": [ + { + "package": { + "name": "github.com/RobotsAndPencils/go-saml", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0047" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/RobotsAndPencils/go-saml", + "symbols": [ + "AuthnRequest.Validate", + "NewAuthnRequest", + "NewSignedResponse" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/RobotsAndPencils/go-saml/pull/38" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0048.json b/data/osv/GO-2020-0048.json new file mode 100644 index 00000000..a9639a34 --- /dev/null +++ b/data/osv/GO-2020-0048.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2020-0048", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-25614" + ], + "details": "LoadURL does not check the Content-Type of loaded resources,\nwhich can cause a panic due to nil pointer deference if the loaded\nresource is not XML. If user supplied URLs are loaded, this may be\nused as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/antchfx/xmlquery", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0048" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/antchfx/xmlquery", + "symbols": [ + "LoadURL" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/antchfx/xmlquery/commit/5648b2f39e8d5d3fc903c45a4f1274829df71821" + }, + { + "type": "WEB", + "url": "https://github.com/antchfx/xmlquery/issues/39" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0049.json b/data/osv/GO-2020-0049.json new file mode 100644 index 00000000..8103e0b3 --- /dev/null +++ b/data/osv/GO-2020-0049.json @@ -0,0 +1,55 @@ +{ + "id": "GO-2020-0049", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36564" + ], + "details": "Due to improper validation of caller input, validation is silently disabled\nif the provided expected token is malformed, causing any user supplied token\nto be considered valid.\n", + "affected": [ + { + "package": { + "name": "github.com/justinas/nosurf", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0049" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/justinas/nosurf", + "symbols": [ + "CSRFHandler.ServeHTTP", + "VerifyToken", + "verifyToken" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/justinas/nosurf/pull/60" + }, + { + "type": "FIX", + "url": "https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2020-0050.json b/data/osv/GO-2020-0050.json new file mode 100644 index 00000000..ad9f0ab7 --- /dev/null +++ b/data/osv/GO-2020-0050.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2020-0050", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-15216", + "CVE-2020-26290", + "CVE-2020-27847", + "GHSA-2x32-jm95-2cpx", + "GHSA-m9hp-7r99-94h5", + "GHSA-q547-gmf8-8jr7" + ], + "details": "Due to the behavior of encoding/xml, a crafted XML document may cause\nXML Digital Signature validation to be entirely bypassed, causing an\nunsigned document to appear signed.\n", + "affected": [ + { + "package": { + "name": "github.com/russellhaering/goxmldsig", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0050" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/russellhaering/goxmldsig", + "symbols": [ + "ValidationContext.Validate", + "ValidationContext.findSignature" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64" + }, + { + "type": "WEB", + "url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0051.json b/data/osv/GO-2021-0051.json new file mode 100644 index 00000000..ceaccfe6 --- /dev/null +++ b/data/osv/GO-2021-0051.json @@ -0,0 +1,56 @@ +{ + "id": "GO-2021-0051", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36565" + ], + "details": "Due to improper sanitization of user input on Windows, the static file handler\nallows for directory traversal, allowing an attacker to read files outside of\nthe target directory that the server has permission to read.\n", + "affected": [ + { + "package": { + "name": "github.com/labstack/echo/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.1.18-0.20201215153152-4422e3b66b9f" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0051" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/labstack/echo/v4", + "goos": [ + "windows" + ], + "symbols": [ + "common.static" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/labstack/echo/pull/1718" + }, + { + "type": "FIX", + "url": "https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0052.json b/data/osv/GO-2021-0052.json new file mode 100644 index 00000000..5931beda --- /dev/null +++ b/data/osv/GO-2021-0052.json @@ -0,0 +1,95 @@ +{ + "id": "GO-2021-0052", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-28483", + "GHSA-h395-qcrw-5vmq" + ], + "details": "Due to improper HTTP header santization, a malicious user can spoof their\nsource IP address by setting the X-Forwarded-For header. This may allow\na user to bypass IP based restrictions, or obfuscate their true source.\n", + "affected": [ + { + "package": { + "name": "github.com/gin-gonic/gin", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.7.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0052" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gin-gonic/gin", + "symbols": [ + "Context.ClientIP", + "Context.Next", + "Context.RemoteIP", + "Engine.HandleContext", + "Engine.Run", + "Engine.RunFd", + "Engine.RunListener", + "Engine.RunTLS", + "Engine.RunUnix", + "Engine.ServeHTTP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://github.com/gin-gonic/gin/issues/2862" + }, + { + "type": "REPORT", + "url": "https://github.com/gin-gonic/gin/issues/2473" + }, + { + "type": "REPORT", + "url": "https://github.com/gin-gonic/gin/issues/2232" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/pull/2844" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/commit/5929d521715610c9dd14898ebbe1d188d5de8937" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/pull/2632" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/pull/2675" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/commit/03e5e05ae089bc989f1ca41841f05504d29e3fd9" + }, + { + "type": "WEB", + "url": "https://github.com/gin-gonic/gin/pull/2474" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0053.json b/data/osv/GO-2021-0053.json new file mode 100644 index 00000000..02c71677 --- /dev/null +++ b/data/osv/GO-2021-0053.json @@ -0,0 +1,47 @@ +{ + "id": "GO-2021-0053", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3121", + "GHSA-c3h9-896r-86jm" + ], + "details": "Due to improper bounds checking, maliciously crafted input to generated\nUnmarshal methods can cause an out-of-bounds panic. If parsing messages\nfrom untrusted parties, this may be used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/gogo/protobuf", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0053" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gogo/protobuf" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0054.json b/data/osv/GO-2021-0054.json new file mode 100644 index 00000000..77091630 --- /dev/null +++ b/data/osv/GO-2021-0054.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2021-0054", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36067" + ], + "details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.6" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0054" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Result.ForEach", + "unwrap" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/196" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0057.json b/data/osv/GO-2021-0057.json new file mode 100644 index 00000000..7f35707c --- /dev/null +++ b/data/osv/GO-2021-0057.json @@ -0,0 +1,78 @@ +{ + "id": "GO-2021-0057", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-35381", + "GHSA-8vrw-m3j9-j27c" + ], + "details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/buger/jsonparser", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0057" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/buger/jsonparser", + "symbols": [ + "ArrayEach", + "Delete", + "EachKey", + "FuzzDelete", + "FuzzEachKey", + "FuzzGetBoolean", + "FuzzGetFloat", + "FuzzGetInt", + "FuzzGetString", + "FuzzGetUnsafeString", + "FuzzObjectEach", + "FuzzSet", + "Get", + "GetBoolean", + "GetFloat", + "GetInt", + "GetString", + "GetUnsafeString", + "ObjectEach", + "Set", + "searchKeys" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/buger/jsonparser/pull/221" + }, + { + "type": "FIX", + "url": "https://github.com/buger/jsonparser/commit/df3ea76ece10095374fd1c9a22a4fb85a44efc42" + }, + { + "type": "WEB", + "url": "https://github.com/buger/jsonparser/issues/219" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0058.json b/data/osv/GO-2021-0058.json new file mode 100644 index 00000000..08f45aef --- /dev/null +++ b/data/osv/GO-2021-0058.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2021-0058", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-27846", + "GHSA-4hq8-gmxx-h6w9" + ], + "details": "Due to the behavior of encoding/xml, a crafted XML document may cause\nXML Digital Signature validation to be entirely bypassed, causing an\nunsigned document to appear signed.\n", + "affected": [ + { + "package": { + "name": "github.com/crewjam/saml", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0058" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/crewjam/saml", + "symbols": [ + "IdentityProvider.ServeSSO", + "IdpAuthnRequest.Validate", + "ServiceProvider.ParseResponse", + "ServiceProvider.ParseXMLResponse", + "ServiceProvider.ValidateLogoutResponseForm", + "ServiceProvider.ValidateLogoutResponseRedirect", + "ServiceProvider.ValidateLogoutResponseRequest" + ] + }, + { + "path": "github.com/crewjam/saml/samlidp" + }, + { + "path": "github.com/crewjam/saml/samlsp" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0059.json b/data/osv/GO-2021-0059.json new file mode 100644 index 00000000..f582d989 --- /dev/null +++ b/data/osv/GO-2021-0059.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2021-0059", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-35380", + "GHSA-w942-gw6m-p62c" + ], + "details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0059" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "sqaush" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/192" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0060.json b/data/osv/GO-2021-0060.json new file mode 100644 index 00000000..ae8ed20b --- /dev/null +++ b/data/osv/GO-2021-0060.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2021-0060", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-29509", + "GHSA-xhqq-x44f-9fgg" + ], + "details": "Due to the behavior of encoding/xml, a crafted XML document may cause\nXML Digital Signature validation to be entirely bypassed, causing an\nunsigned document to appear signed.\n", + "affected": [ + { + "package": { + "name": "github.com/russellhaering/gosaml2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.6.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0060" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/russellhaering/gosaml2", + "symbols": [ + "SAMLServiceProvider.RetrieveAssertionInfo", + "SAMLServiceProvider.ValidateEncodedLogoutRequestPOST", + "SAMLServiceProvider.ValidateEncodedLogoutResponsePOST", + "SAMLServiceProvider.ValidateEncodedResponse", + "parseResponse" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9" + }, + { + "type": "WEB", + "url": "https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0061.json b/data/osv/GO-2021-0061.json new file mode 100644 index 00000000..4dc947d9 --- /dev/null +++ b/data/osv/GO-2021-0061.json @@ -0,0 +1,88 @@ +{ + "id": "GO-2021-0061", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-4235" + ], + "details": "Due to unbounded alias chasing, a maliciously crafted YAML file\ncan cause the system to consume significant system resources. If\nparsing user input, this may be used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0061" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/go-yaml/yaml", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0061" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/go-yaml/yaml", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/pull/375" + }, + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0063.json b/data/osv/GO-2021-0063.json new file mode 100644 index 00000000..983e9987 --- /dev/null +++ b/data/osv/GO-2021-0063.json @@ -0,0 +1,55 @@ +{ + "id": "GO-2021-0063", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-26264", + "GHSA-r33q-22hv-j29q" + ], + "details": "Due to a nil pointer dereference, a malicously crafted RPC message\ncan cause a panic. If handling RPC messages from untrusted clients,\nthis may be used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/ethereum/go-ethereum", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.25" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0063" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ethereum/go-ethereum/les", + "symbols": [ + "PrivateLightServerAPI.Benchmark", + "serverHandler.handleMsg" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/ethereum/go-ethereum/pull/21896" + }, + { + "type": "FIX", + "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0064.json b/data/osv/GO-2021-0064.json new file mode 100644 index 00000000..11c04c40 --- /dev/null +++ b/data/osv/GO-2021-0064.json @@ -0,0 +1,89 @@ +{ + "id": "GO-2021-0064", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-8565" + ], + "details": "Authorization tokens may be inappropriately logged if the verbosity\nlevel is set to a debug level.\n", + "affected": [ + { + "package": { + "name": "k8s.io/client-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.20.0-alpha.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0064" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "k8s.io/client-go/transport", + "symbols": [ + "requestInfo.toCurl" + ] + } + ] + } + }, + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.0-alpha.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0064" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "k8s.io/kubernetes/staging/src/k8s.io/client-go/transport", + "symbols": [ + "requestInfo.toCurl" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/kubernetes/kubernetes/pull/95316" + }, + { + "type": "FIX", + "url": "https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/95623" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0065.json b/data/osv/GO-2021-0065.json new file mode 100644 index 00000000..93e0d6a7 --- /dev/null +++ b/data/osv/GO-2021-0065.json @@ -0,0 +1,89 @@ +{ + "id": "GO-2021-0065", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-11250" + ], + "details": "Authorization tokens may be inappropriately logged if the verbosity\nlevel is set to a debug level.\n", + "affected": [ + { + "package": { + "name": "k8s.io/client-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.17.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0065" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "k8s.io/client-go/transport", + "symbols": [ + "debuggingRoundTripper.RoundTrip" + ] + } + ] + } + }, + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.0-beta.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0065" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "k8s.io/kubernetes/staging/src/k8s.io/client-go/transport", + "symbols": [ + "debuggingRoundTripper.RoundTrip" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/kubernetes/kubernetes/pull/81330" + }, + { + "type": "FIX", + "url": "https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/81114" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0066.json b/data/osv/GO-2021-0066.json new file mode 100644 index 00000000..dd970b00 --- /dev/null +++ b/data/osv/GO-2021-0066.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2021-0066", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-8564" + ], + "details": "Attempting to read a malformed .dockercfg may cause secrets to be\ninappropriately logged.\n", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.0-alpha.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0066" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "k8s.io/kubernetes/pkg/credentialprovider", + "symbols": [ + "readDockerConfigFileFromBytes", + "readDockerConfigJSONFileFromBytes" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/kubernetes/kubernetes/pull/94712" + }, + { + "type": "FIX", + "url": "https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/95622" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0067.json b/data/osv/GO-2021-0067.json new file mode 100644 index 00000000..e227cbf8 --- /dev/null +++ b/data/osv/GO-2021-0067.json @@ -0,0 +1,61 @@ +{ + "id": "GO-2021-0067", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-27919" + ], + "details": "Using Reader.Open on an archive containing a file with a path\nprefixed by \"../\" will cause a panic due to a stack overflow.\nIf parsing user supplied archives, this may be used as a\ndenial of service vector.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0067" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "archive/zip", + "symbols": [ + "toValidName" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/300489" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/44916" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw/m/zzhWj5jPAQAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0068.json b/data/osv/GO-2021-0068.json new file mode 100644 index 00000000..0dc7f827 --- /dev/null +++ b/data/osv/GO-2021-0068.json @@ -0,0 +1,75 @@ +{ + "id": "GO-2021-0068", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3115" + ], + "details": "The go command may execute arbitrary code at build time when using cgo on Windows.\nThis can be triggered by running go get on a malicious module, or any other time\nthe code is built.\n", + "affected": [ + { + "package": { + "name": "toolchain", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.14.14" + }, + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0068" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "cmd/go", + "goos": [ + "windows" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/284783" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/43783" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/284780" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0069.json b/data/osv/GO-2021-0069.json new file mode 100644 index 00000000..6dfac230 --- /dev/null +++ b/data/osv/GO-2021-0069.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0069", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-28362" + ], + "details": "A number of math/big.Int methods can panic when provided large inputs due\nto a flawed division method.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.14.0" + }, + { + "fixed": "1.14.12" + }, + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0069" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "math/big", + "symbols": [ + "nat.divRecursiveStep" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/269657" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/1e1fa5903b760c6714ba17e50bf850b01f49135c" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/42552" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0070.json b/data/osv/GO-2021-0070.json new file mode 100644 index 00000000..90b57f4e --- /dev/null +++ b/data/osv/GO-2021-0070.json @@ -0,0 +1,71 @@ +{ + "id": "GO-2021-0070", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2016-3697", + "GHSA-q3j5-32m5-58c2" + ], + "details": "GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will\nimproperly interpret numeric UIDs as usernames. If the method is used without\nverifying that usernames are formatted as expected, it may allow a user to\ngain unexpected privileges.\n", + "affected": [ + { + "package": { + "name": "github.com/opencontainers/runc", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.1.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0070" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/opencontainers/runc/libcontainer/user", + "symbols": [ + "GetExecUser", + "GetExecUserPath" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/opencontainers/runc/pull/708" + }, + { + "type": "FIX", + "url": "https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091" + }, + { + "type": "WEB", + "url": "https://github.com/docker/docker/issues/21436" + }, + { + "type": "WEB", + "url": "http://rhn.redhat.com/errata/RHSA-2016-1034.html" + }, + { + "type": "WEB", + "url": "http://rhn.redhat.com/errata/RHSA-2016-2634.html" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/201612-28" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0071.json b/data/osv/GO-2021-0071.json new file mode 100644 index 00000000..a1b2f784 --- /dev/null +++ b/data/osv/GO-2021-0071.json @@ -0,0 +1,57 @@ +{ + "id": "GO-2021-0071", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2015-1340" + ], + "details": "A race between chown and chmod operations during a container\nfilesystem shift may allow a user who can modify the filesystem to\nchmod an arbitrary path of their choice, rather than the expected\npath.\n", + "affected": [ + { + "package": { + "name": "github.com/lxc/lxd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20151004155856-19c6961cc101" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0071" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/lxc/lxd/shared", + "symbols": [ + "IdmapSet.doUidshiftIntoContainer" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/lxc/lxd/pull/1189" + }, + { + "type": "FIX", + "url": "https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4" + }, + { + "type": "WEB", + "url": "https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0072.json b/data/osv/GO-2021-0072.json new file mode 100644 index 00000000..b3a89faa --- /dev/null +++ b/data/osv/GO-2021-0072.json @@ -0,0 +1,81 @@ +{ + "id": "GO-2021-0072", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-11468" + ], + "details": "Various storage methods do not impose limits on how much content is accepted\nfrom user requests, allowing a malicious user to force the caller to allocate\nan arbitrary amount of memory.\n", + "affected": [ + { + "package": { + "name": "github.com/docker/distribution", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.7.0-rc.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0072" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/docker/distribution/registry/handlers", + "symbols": [ + "blobUploadHandler.PatchBlobData", + "blobUploadHandler.PutBlobUploadComplete", + "copyFullPayload", + "imageManifestHandler.GetImageManifest", + "imageManifestHandler.PutImageManifest" + ] + }, + { + "path": "github.com/docker/distribution/registry/storage", + "symbols": [ + "PurgeUploads", + "Walk", + "blobStore.Enumerate", + "blobStore.Get", + "blobStore.Get", + "linkedBlobStore.Enumerate", + "linkedBlobStore.Get", + "manifestStore.Enumerate", + "manifestStore.Get", + "registry.Enumerate", + "registry.Repositories" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/distribution/distribution/pull/2340" + }, + { + "type": "FIX", + "url": "https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2017:2603" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0073.json b/data/osv/GO-2021-0073.json new file mode 100644 index 00000000..f51dc345 --- /dev/null +++ b/data/osv/GO-2021-0073.json @@ -0,0 +1,65 @@ +{ + "id": "GO-2021-0073", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-17831" + ], + "details": "Arbitrary command execution can be triggered by improperly\nsanitized SSH URLs in LFS configuration files. This can be\ntriggered by cloning a malicious repository.\n", + "affected": [ + { + "package": { + "name": "github.com/git-lfs/git-lfs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.1-0.20170519163204-f913f5f9c7c6" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0073" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/git-lfs/git-lfs/lfsapi", + "symbols": [ + "sshGetLFSExeAndArgs" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/git-lfs/git-lfs/pull/2241" + }, + { + "type": "FIX", + "url": "https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19" + }, + { + "type": "WEB", + "url": "http://blog.recurity-labs.com/2017-08-10/scm-vulns" + }, + { + "type": "WEB", + "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/102926" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0075.json b/data/osv/GO-2021-0075.json new file mode 100644 index 00000000..92f53232 --- /dev/null +++ b/data/osv/GO-2021-0075.json @@ -0,0 +1,57 @@ +{ + "id": "GO-2021-0075", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-12018" + ], + "details": "Due to improper argument validation in RPC messages, a maliciously crafted\nmessage can cause a panic, leading to denial of service.\n", + "affected": [ + { + "package": { + "name": "github.com/ethereum/go-ethereum", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.11" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0075" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ethereum/go-ethereum/les", + "symbols": [ + "protocolManager.handleMsg" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/ethereum/go-ethereum/pull/16891" + }, + { + "type": "FIX", + "url": "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4" + }, + { + "type": "WEB", + "url": "https://peckshield.com/2018/06/27/EPoD/" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0076.json b/data/osv/GO-2021-0076.json new file mode 100644 index 00000000..b6f8c098 --- /dev/null +++ b/data/osv/GO-2021-0076.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2021-0076", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-14632" + ], + "details": "A malicious JSON patch can cause a panic due to an out-of-bounds\nwrite attempt. This can be used as a denial of service vector if\nexposed to arbitrary user input.\n", + "affected": [ + { + "package": { + "name": "github.com/evanphx/json-patch", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.5.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0076" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/evanphx/json-patch", + "symbols": [ + "partialArray.add" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/evanphx/json-patch/pull/57" + }, + { + "type": "FIX", + "url": "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0077.json b/data/osv/GO-2021-0077.json new file mode 100644 index 00000000..64dd2406 --- /dev/null +++ b/data/osv/GO-2021-0077.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2021-0077", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-16886", + "GHSA-h6xx-pmxh-3wgp" + ], + "details": "A user can use a valid client certificate that contains a CommonName that matches a\nvalid RBAC username to authenticate themselves as that user, despite lacking the\nrequired credentials. This may allow authentication bypass, but requires a certificate\nthat is issued by a CA trusted by the server.\n", + "affected": [ + { + "package": { + "name": "go.etcd.io/etcd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.5.0-alpha.5.0.20190108173120-83c051b701d3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0077" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "go.etcd.io/etcd/auth", + "symbols": [ + "authStore.AuthInfoFromTLS" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/etcd-io/etcd/pull/10366" + }, + { + "type": "FIX", + "url": "https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0078.json b/data/osv/GO-2021-0078.json new file mode 100644 index 00000000..a600c08c --- /dev/null +++ b/data/osv/GO-2021-0078.json @@ -0,0 +1,66 @@ +{ + "id": "GO-2021-0078", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-17075" + ], + "details": "The HTML parser does not properly handle \"in frameset\" insertion mode, and can be made\nto panic when operating on malformed HTML that contains \u003ctemplate\u003e tags. If operating\non user input, this may be a vector for a denial of service attack.\n", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20180816102801-aaf60122140d" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0078" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "inBodyIM", + "inFramesetIM" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/123776" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/27016" + }, + { + "type": "WEB", + "url": "https://bugs.chromium.org/p/chromium/issues/detail?id=829668" + }, + { + "type": "WEB", + "url": "https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0079.json b/data/osv/GO-2021-0079.json new file mode 100644 index 00000000..7ff85318 --- /dev/null +++ b/data/osv/GO-2021-0079.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2021-0079", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-18206", + "GHSA-vc3x-gx6c-g99f" + ], + "details": "A malformed query can cause an out-of-bounds panic due to improper\nvalidation of arguments. If processing queries from untrusted\nparties, this may be used as a vector for denial of service\nattacks.\n", + "affected": [ + { + "package": { + "name": "github.com/bytom/bytom", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.4-0.20180831054840-1ac3c8ac4f2b" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0079" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/bytom/bytom/p2p/discover", + "symbols": [ + "Network.checkTopicRegister" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/Bytom/bytom/pull/1307" + }, + { + "type": "FIX", + "url": "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0081.json b/data/osv/GO-2021-0081.json new file mode 100644 index 00000000..828d86ca --- /dev/null +++ b/data/osv/GO-2021-0081.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2021-0081", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-10214", + "GHSA-85p9-j7c9-v4gr" + ], + "details": "The HTTP client used to connect to the container registry authorization\nservice explicitly disables TLS verification, allowing an attacker that\nis able to MITM the connection to steal credentials.\n", + "affected": [ + { + "package": { + "name": "github.com/containers/image", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.2-0.20190802080134-634605d06e73" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0081" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/containers/image/docker", + "symbols": [ + "dockerClient.getBearerToken" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/containers/image/pull/669" + }, + { + "type": "FIX", + "url": "https://github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf" + }, + { + "type": "WEB", + "url": "https://github.com/containers/image/issues/654" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0082.json b/data/osv/GO-2021-0082.json new file mode 100644 index 00000000..83a8b2ed --- /dev/null +++ b/data/osv/GO-2021-0082.json @@ -0,0 +1,50 @@ +{ + "id": "GO-2021-0082", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-11939" + ], + "details": "Thirft Servers preallocate memory for the declared size of messages before\nchecking the actual size of the message. This allows a malicious user to\nsend messages that declare that they are significantly larger than they\nactually are, allowing them to force the server to allocate significant\namounts of memory. This can be used as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/facebook/fbthrift", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.31.1-0.20200311080807-483ed864d69f" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0082" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/facebook/fbthrift/thrift/lib/go/thrift" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757" + }, + { + "type": "WEB", + "url": "https://www.facebook.com/security/advisories/cve-2019-11939" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0083.json b/data/osv/GO-2021-0083.json new file mode 100644 index 00000000..be609d2d --- /dev/null +++ b/data/osv/GO-2021-0083.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2021-0083", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-12496" + ], + "details": "TLS certificate verification is skipped when connecting to a MQTT server.\nThis allows an attacker who can MITM the connection to read, or forge,\nmessages passed between the client and server.\n", + "affected": [ + { + "package": { + "name": "github.com/hybridgroup/gobot", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.1-0.20190521122906-c1aa4f867846" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0083" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/hybridgroup/gobot/platforms/mqtt", + "symbols": [ + "Adaptor.newTLSConfig" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f" + }, + { + "type": "WEB", + "url": "https://github.com/hybridgroup/gobot/releases/tag/v1.13.0" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0084.json b/data/osv/GO-2021-0084.json new file mode 100644 index 00000000..a1d52012 --- /dev/null +++ b/data/osv/GO-2021-0084.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2021-0084", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-16354", + "GHSA-f6px-w8rh-7r89" + ], + "details": "Session data is stored using permissive permissions, allowing local users\nwith filesystem access to read arbitrary data.\n", + "affected": [ + { + "package": { + "name": "github.com/astaxie/beego", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.2-0.20200613154013-bac2b31afecc" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0084" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/astaxie/beego/session", + "symbols": [ + "FileProvider.SessionRead", + "FileProvider.SessionRegenerate" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/beego/beego/pull/3975" + }, + { + "type": "FIX", + "url": "https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1" + }, + { + "type": "WEB", + "url": "https://github.com/beego/beego/issues/3763" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0085.json b/data/osv/GO-2021-0085.json new file mode 100644 index 00000000..4eb40fbe --- /dev/null +++ b/data/osv/GO-2021-0085.json @@ -0,0 +1,84 @@ +{ + "id": "GO-2021-0085", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-16884", + "GHSA-fgv8-vj5c-2ppq" + ], + "details": "AppArmor restrictions may be bypassed due to improper validation of mount\ntargets, allowing a malicious image to mount volumes over e.g. /proc.\n", + "affected": [ + { + "package": { + "name": "github.com/opencontainers/runc", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0-rc8.0.20190930145003-cad42f6e0932" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0085" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/opencontainers/runc/libcontainer" + } + ] + } + }, + { + "package": { + "name": "github.com/opencontainers/selinux", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.1-0.20190929122143-5215b1806f52" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0085" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/opencontainers/selinux/go-selinux" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/opencontainers/runc/pull/2130" + }, + { + "type": "FIX", + "url": "https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4" + }, + { + "type": "WEB", + "url": "https://github.com/opencontainers/runc/issues/2128" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0086.json b/data/osv/GO-2021-0086.json new file mode 100644 index 00000000..a651832f --- /dev/null +++ b/data/osv/GO-2021-0086.json @@ -0,0 +1,50 @@ +{ + "id": "GO-2021-0086", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-19619", + "GHSA-wmwp-pggc-h4mj" + ], + "details": "HTML content in markdown is not santized during rendering, possibly allowing\nXSS if used to render untrusted user input.\n", + "affected": [ + { + "package": { + "name": "github.com/documize/community", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.76.3-0.20191119114751-a4384210d4d0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0086" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/documize/community/domain/section/markdown", + "symbols": [ + "Provider.Render" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/documize/community/commit/a4384210d4d0d6b18e6fdb7e155de96d4a1cf9f3" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0087.json b/data/osv/GO-2021-0087.json new file mode 100644 index 00000000..5bdd4c4a --- /dev/null +++ b/data/osv/GO-2021-0087.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2021-0087", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-19921", + "GHSA-fh74-hm69-rqjw" + ], + "details": "A race while mounting volumes allows a possible symlink-exchange\nattack, allowing a user whom can start multiple containers with\ncustom volume mount configurations to escape the container.\n", + "affected": [ + { + "package": { + "name": "github.com/opencontainers/runc", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0-rc9.0.20200122160610-2fc03cc11c77" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0087" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/opencontainers/runc/libcontainer", + "symbols": [ + "mountToRootfs" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/opencontainers/runc/pull/2207" + }, + { + "type": "FIX", + "url": "https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0" + }, + { + "type": "WEB", + "url": "https://github.com/opencontainers/runc/issues/2197" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0088.json b/data/osv/GO-2021-0088.json new file mode 100644 index 00000000..fc494da7 --- /dev/null +++ b/data/osv/GO-2021-0088.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2021-0088", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-3564", + "GHSA-x4rg-4545-4w7w" + ], + "details": "Skip ignores unknown fields, rather than failing. A malicious user can craft small\nmessages with unknown fields which can take significant resources to parse. If a\nserver accepts messages from an untrusted user, it may be used as a denial of service\nvector.\n", + "affected": [ + { + "package": { + "name": "github.com/facebook/fbthrift", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.31.1-0.20190225164308-c461c1bd1a3e" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0088" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/facebook/fbthrift/thrift/lib/go/thrift", + "symbols": [ + "Skip" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/facebook/fbthrift/commit/c461c1bd1a3e130b181aa9c854da3030cd4b5156" + }, + { + "type": "WEB", + "url": "https://www.facebook.com/security/advisories/cve-2019-3564" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0089.json b/data/osv/GO-2021-0089.json new file mode 100644 index 00000000..f4bdebcf --- /dev/null +++ b/data/osv/GO-2021-0089.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2021-0089", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-10675", + "GHSA-rmh2-65xw-9m6q" + ], + "details": "Parsing malformed JSON which contain opening brackets, but not closing brackets,\nleads to an infinite loop. If operating on untrusted user input this can be\nused as a denial of service vector.\n", + "affected": [ + { + "package": { + "name": "github.com/buger/jsonparser", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20200321185410-91ac96899e49" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0089" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/buger/jsonparser", + "symbols": [ + "findKeyStart" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/buger/jsonparser/pull/192" + }, + { + "type": "FIX", + "url": "https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717" + }, + { + "type": "WEB", + "url": "https://github.com/buger/jsonparser/issues/188" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0090.json b/data/osv/GO-2021-0090.json new file mode 100644 index 00000000..546715c0 --- /dev/null +++ b/data/osv/GO-2021-0090.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2021-0090", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-15091", + "GHSA-6jqj-f58p-mrw3" + ], + "details": "Proposed commits may contain signatures for blocks not contained\nwithin the commit. Instead of skipping these signatures, they\ncause failure during verification. A malicious proposer can use\nthis to force consensus failures.\n", + "affected": [ + { + "package": { + "name": "github.com/tendermint/tendermint", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.33.0" + }, + { + "fixed": "0.34.0-dev1.0.20200702134149-480b995a3172" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0090" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tendermint/tendermint/types", + "symbols": [ + "MakeCommit", + "VoteSet.MakeCommit" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tendermint/tendermint/pull/5426" + }, + { + "type": "FIX", + "url": "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340" + }, + { + "type": "WEB", + "url": "https://github.com/tendermint/tendermint/issues/4926" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0094.json b/data/osv/GO-2021-0094.json new file mode 100644 index 00000000..afc9e3bb --- /dev/null +++ b/data/osv/GO-2021-0094.json @@ -0,0 +1,57 @@ +{ + "id": "GO-2021-0094", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-29529" + ], + "details": "Protections against directory traversal during archive extraction can be\nbypassed by chaining multiple symbolic links within the archive. This allows\na malicious attacker to cause files to be created outside of the target\ndirectory. Additionally if the attacker is able to read extracted files\nthey may create symbolic links to arbitrary files on the system which the\nunpacker has permissions to read.\n", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/go-slug", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.5.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0094" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/hashicorp/go-slug", + "symbols": [ + "Unpack" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/hashicorp/go-slug/pull/12" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f" + }, + { + "type": "WEB", + "url": "https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0095.json b/data/osv/GO-2021-0095.json new file mode 100644 index 00000000..2bb0ed03 --- /dev/null +++ b/data/osv/GO-2021-0095.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2021-0095", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-8918", + "GHSA-5x29-3hr9-6wpw" + ], + "details": "Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport\nis able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,\nallowing them to use the created key.\n", + "affected": [ + { + "package": { + "name": "github.com/google/go-tpm", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0095" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/google/go-tpm/tpm", + "symbols": [ + "CreateWrapKey" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/google/go-tpm/pull/195" + }, + { + "type": "FIX", + "url": "https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141" + }, + { + "type": "WEB", + "url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0096.json b/data/osv/GO-2021-0096.json new file mode 100644 index 00000000..8f6422c4 --- /dev/null +++ b/data/osv/GO-2021-0096.json @@ -0,0 +1,51 @@ +{ + "id": "GO-2021-0096", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-8945", + "GHSA-m6wg-2mwg-4rfq" + ], + "details": "Due to improper setting of finalizers, memory passed to C may be freed before it is used,\nleading to crashes due to memory corruption or possible code execution.\n", + "affected": [ + { + "package": { + "name": "github.com/proglottis/gpgme", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.1.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0096" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/proglottis/gpgme" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/proglottis/gpgme/pull/23" + }, + { + "type": "FIX", + "url": "https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0097.json b/data/osv/GO-2021-0097.json new file mode 100644 index 00000000..7fda93d3 --- /dev/null +++ b/data/osv/GO-2021-0097.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0097", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-29242", + "CVE-2020-29243", + "CVE-2020-29244", + "CVE-2020-29245" + ], + "details": "Due to improper bounds checking, a number of methods can trigger a panic due to attempted\nout-of-bounds reads. If the package is used to parse user supplied input, this may be\nused as a vector for a denial of service attack.\n", + "affected": [ + { + "package": { + "name": "github.com/dhowden/tag", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20201120070457-d52dcb253c63" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0097" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/dhowden/tag", + "symbols": [ + "readAPICFrame", + "readAtomData", + "readPICFrame", + "readTextWithDescrFrame" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/dhowden/tag/commit/d52dcb253c63a153632bfee5f269dd411dcd8e96" + }, + { + "type": "WEB", + "url": "https://github.com/dhowden/tag/commit/a92213460e4838490ce3066ef11dc823cdc1740e" + }, + { + "type": "WEB", + "url": "https://github.com/dhowden/tag/commit/4b595ed4fac79f467594aa92f8953f90f817116e" + }, + { + "type": "WEB", + "url": "https://github.com/dhowden/tag/commit/6b18201aa5c5535511802ddfb4e4117686b4866d" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0098.json b/data/osv/GO-2021-0098.json new file mode 100644 index 00000000..d71c8ea9 --- /dev/null +++ b/data/osv/GO-2021-0098.json @@ -0,0 +1,85 @@ +{ + "id": "GO-2021-0098", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-21237", + "GHSA-cx3w-xqmc-84g5" + ], + "details": "Due to the standard library behavior of exec.LookPath on Windows a number of methods may\nresult in arbitrary code execution when cloning or operating on untrusted Git repositories.\n", + "affected": [ + { + "package": { + "name": "github.com/git-lfs/git-lfs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.1-0.20210113180018-fc664697ed2c" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0098" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/git-lfs/git-lfs/commands", + "goos": [ + "windows" + ], + "symbols": [ + "PipeCommand" + ] + }, + { + "path": "github.com/git-lfs/git-lfs/creds", + "goos": [ + "windows" + ], + "symbols": [ + "AskPassCredentialHelper.getFromProgram", + "commandCredentialHelper.Approve" + ] + }, + { + "path": "github.com/git-lfs/git-lfs/lfs", + "goos": [ + "windows" + ], + "symbols": [ + "pipeExtensions" + ] + }, + { + "path": "github.com/git-lfs/git-lfs/lfshttp", + "goos": [ + "windows" + ], + "symbols": [ + "sshAuthClient.Resolve" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a" + }, + { + "type": "WEB", + "url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0099.json b/data/osv/GO-2021-0099.json new file mode 100644 index 00000000..7ae6b84b --- /dev/null +++ b/data/osv/GO-2021-0099.json @@ -0,0 +1,55 @@ +{ + "id": "GO-2021-0099", + "published": "2021-04-14T20:04:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-21272", + "GHSA-g5v4-5x39-vwhx" + ], + "details": "Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore\ncontent store may result in directory traversal during archive extraction, allowing a\nmalicious archive to write paths to arbitrary paths that the process can write to.\n", + "affected": [ + { + "package": { + "name": "github.com/deislabs/oras", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.9.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0099" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/deislabs/oras/pkg/content", + "symbols": [ + "extractTarDirectory", + "fileWriter.Commit" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e" + }, + { + "type": "WEB", + "url": "https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0100.json b/data/osv/GO-2021-0100.json new file mode 100644 index 00000000..0689377d --- /dev/null +++ b/data/osv/GO-2021-0100.json @@ -0,0 +1,71 @@ +{ + "id": "GO-2021-0100", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-20291", + "GHSA-7qw8-847f-pggm" + ], + "details": "Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream\non a xz archive returns a reader which will hang indefinitely when Close is called. An attacker\ncan use this to cause denial of service if they are able to cause the caller to attempt to\ndecompress an archive they control.\n", + "affected": [ + { + "package": { + "name": "github.com/containers/storage", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.28.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0100" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/containers/storage/pkg/archive", + "symbols": [ + "ApplyLayer", + "ApplyUncompressedLayer", + "Archiver.CopyFileWithTar", + "Archiver.CopyWithTar", + "Archiver.TarUntar", + "Archiver.UntarPath", + "CopyResource", + "CopyTo", + "DecompressStream", + "IsArchivePath", + "Untar", + "UntarPath", + "UntarUncompressed", + "cmdStream" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/containers/storage/pull/860" + }, + { + "type": "FIX", + "url": "https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939485" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0101.json b/data/osv/GO-2021-0101.json new file mode 100644 index 00000000..6e5233cd --- /dev/null +++ b/data/osv/GO-2021-0101.json @@ -0,0 +1,96 @@ +{ + "id": "GO-2021-0101", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-0210", + "GHSA-jq7p-26h5-w78r" + ], + "details": "Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If\nthis package is used to parse untrusted input, this may be used as a vector for a denial of\nservice attack.\n", + "affected": [ + { + "package": { + "name": "github.com/apache/thrift", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20151001171628-53dd39833a08" + }, + { + "fixed": "0.13.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0101" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/apache/thrift/lib/go/thrift", + "symbols": [ + "Skip", + "SkipDefaultDepth", + "TJSONProtocol.ParseElemListBegin", + "TJSONProtocol.ReadBool", + "TJSONProtocol.ReadByte", + "TJSONProtocol.ReadDouble", + "TJSONProtocol.ReadFieldBegin", + "TJSONProtocol.ReadFieldEnd", + "TJSONProtocol.ReadI16", + "TJSONProtocol.ReadI32", + "TJSONProtocol.ReadI64", + "TJSONProtocol.ReadListBegin", + "TJSONProtocol.ReadListEnd", + "TJSONProtocol.ReadMapBegin", + "TJSONProtocol.ReadMapEnd", + "TJSONProtocol.ReadMessageBegin", + "TJSONProtocol.ReadMessageEnd", + "TJSONProtocol.ReadSetBegin", + "TJSONProtocol.ReadSetEnd", + "TJSONProtocol.ReadStructBegin", + "TJSONProtocol.ReadStructEnd", + "TSimpleJSONProtocol.ParseElemListBegin", + "TSimpleJSONProtocol.ParseF64", + "TSimpleJSONProtocol.ParseI64", + "TSimpleJSONProtocol.ParseListBegin", + "TSimpleJSONProtocol.ParseListEnd", + "TSimpleJSONProtocol.ParseObjectEnd", + "TSimpleJSONProtocol.ParseObjectStart", + "TSimpleJSONProtocol.ReadByte", + "TSimpleJSONProtocol.ReadDouble", + "TSimpleJSONProtocol.ReadI16", + "TSimpleJSONProtocol.ReadI32", + "TSimpleJSONProtocol.ReadI64", + "TSimpleJSONProtocol.ReadListBegin", + "TSimpleJSONProtocol.ReadListEnd", + "TSimpleJSONProtocol.ReadMapBegin", + "TSimpleJSONProtocol.ReadMapEnd", + "TSimpleJSONProtocol.ReadMessageBegin", + "TSimpleJSONProtocol.ReadMessageEnd", + "TSimpleJSONProtocol.ReadSetBegin", + "TSimpleJSONProtocol.ReadSetEnd", + "TSimpleJSONProtocol.ReadStructBegin", + "TSimpleJSONProtocol.ReadStructEnd", + "TSimpleJSONProtocol.safePeekContains", + "TStandardClient.Call", + "TStandardClient.Recv", + "tApplicationException.Read" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0102.json b/data/osv/GO-2021-0102.json new file mode 100644 index 00000000..da414415 --- /dev/null +++ b/data/osv/GO-2021-0102.json @@ -0,0 +1,86 @@ +{ + "id": "GO-2021-0102", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-11289", + "GHSA-5796-p3m6-9qj4" + ], + "details": "Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect\nnonce size. If this package is used to decrypt user supplied messages without checking the size of\nsupplied nonces, this may be used as a vector for a denial of service attack.\n", + "affected": [ + { + "package": { + "name": "code.cloudfoundry.org/gorouter", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20191101214924-b1b5c44e050f" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0102" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "code.cloudfoundry.org/gorouter/common/secure", + "symbols": [ + "AesGCM.Decrypt" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/cloudfoundry/gorouter", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20191101214924-b1b5c44e050f" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0102" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/cloudfoundry/gorouter/common/secure", + "symbols": [ + "AesGCM.Decrypt" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/cloudfoundry/gorouter/commit/b1b5c44e050f73b399b379ca63a42a2c5780a83f" + }, + { + "type": "WEB", + "url": "https://www.cloudfoundry.org/blog/cve-2019-11289/" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0103.json b/data/osv/GO-2021-0103.json new file mode 100644 index 00000000..c85dfe59 --- /dev/null +++ b/data/osv/GO-2021-0103.json @@ -0,0 +1,64 @@ +{ + "id": "GO-2021-0103", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-26242", + "GHSA-jm5c-rv3w-w83m" + ], + "details": "Due to improper bounds checking, certain mathmatical operations can cause a panic via an\nout of bounds read. If this package is used to process untrusted user inputs, this may be used\nas a vector for a denial of service attack.\n", + "affected": [ + { + "package": { + "name": "github.com/holiman/uint256", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1.0" + }, + { + "fixed": "1.1.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0103" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/holiman/uint256", + "symbols": [ + "Int.AddMod", + "Int.Div", + "Int.Mod", + "Int.MulMod", + "Int.SDiv", + "Int.SMod", + "udivrem" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/holiman/uint256/pull/80" + }, + { + "type": "FIX", + "url": "https://github.com/holiman/uint256/commit/6785da6e3eea403260a5760029e722aa4ff1716d" + }, + { + "type": "WEB", + "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0104.json b/data/osv/GO-2021-0104.json new file mode 100644 index 00000000..a75f384f --- /dev/null +++ b/data/osv/GO-2021-0104.json @@ -0,0 +1,66 @@ +{ + "id": "GO-2021-0104", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-28681", + "GHSA-74xm-qj29-cq8p" + ], + "details": "Due to improper error handling, DTLS connections were not killed when certificate verification\nfailed, causing users who did not check the connection state to continue to use the connection.\nThis could allow allow an attacker which holds the ICE password, but not a valid certificate,\nto bypass this restriction.\n", + "affected": [ + { + "package": { + "name": "github.com/pion/webrtc/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.15" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0104" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/pion/webrtc/v3", + "symbols": [ + "DTLSTransport.Start", + "PeerConnection.AddTrack", + "PeerConnection.AddTransceiverFromTrack", + "PeerConnection.CreateDataChannel", + "PeerConnection.RemoveTrack", + "PeerConnection.SetLocalDescription", + "PeerConnection.SetRemoteDescription", + "operations.Done", + "operations.Enqueue" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/pion/webrtc/pull/1709" + }, + { + "type": "FIX", + "url": "https://github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e" + }, + { + "type": "WEB", + "url": "https://github.com/pion/webrtc/issues/1708" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0105.json b/data/osv/GO-2021-0105.json new file mode 100644 index 00000000..628dd02c --- /dev/null +++ b/data/osv/GO-2021-0105.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2021-0105", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-26265", + "GHSA-xw37-57qp-9mm4" + ], + "details": "Due to an incorrect state calculation, a specific set of\ntransactions could cause a consensus disagreement,\ncausing users of this package to reject a canonical chain.\n", + "affected": [ + { + "package": { + "name": "github.com/ethereum/go-ethereum", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.9.4" + }, + { + "fixed": "1.9.20" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0105" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ethereum/go-ethereum/core", + "symbols": [ + "StateDB.createObject" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/ethereum/go-ethereum/pull/21080" + }, + { + "type": "FIX", + "url": "https://github.com/ethereum/go-ethereum/commit/87c0ba92136a75db0ab2aba1046d4a9860375d6a" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0106.json b/data/osv/GO-2021-0106.json new file mode 100644 index 00000000..623da31d --- /dev/null +++ b/data/osv/GO-2021-0106.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2021-0106", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36566" + ], + "details": "Due to improper path santization, archives containing relative file\npaths can cause files to be written (or overwritten) outside of the\ntarget directory.\n", + "affected": [ + { + "package": { + "name": "github.com/whyrusleeping/tar-utils", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20201201191210-20a61371de5b" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0106" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/whyrusleeping/tar-utils", + "symbols": [ + "Extractor.outputPath" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227" + }, + { + "type": "WEB", + "url": "https://snyk.io/research/zip-slip-vulnerability" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0107.json b/data/osv/GO-2021-0107.json new file mode 100644 index 00000000..c600f941 --- /dev/null +++ b/data/osv/GO-2021-0107.json @@ -0,0 +1,51 @@ +{ + "id": "GO-2021-0107", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-4236", + "GHSA-5gjg-jgh4-gppm" + ], + "details": "Web Sockets do not execute any AuthenticateMethod methods which may be set,\nleading to a nil pointer dereference if the returned UserData pointer is\nassumed to be non-nil, or authentication bypass.\n\nThis issue only affects WebSockets with an AuthenticateMethod hook.\nRequest handlers that do not explicitly use WebSockets are not\nvulnerable.\n", + "affected": [ + { + "package": { + "name": "github.com/ecnepsnai/web", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.4.0" + }, + { + "fixed": "1.5.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0107" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ecnepsnai/web", + "symbols": [ + "Server.Socket", + "Server.socketHandler" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0108.json b/data/osv/GO-2021-0108.json new file mode 100644 index 00000000..ffbf5ad7 --- /dev/null +++ b/data/osv/GO-2021-0108.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2021-0108", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-15111", + "GHSA-9cx9-x2gp-9qvh" + ], + "details": "Due to improper input sanitization, a maliciously constructed filename\ncould cause a file download to use an attacker controlled filename, as well\nas injecting additional headers into an HTTP response.\n", + "affected": [ + { + "package": { + "name": "github.com/gofiber/fiber", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.6" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0108" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gofiber/fiber", + "symbols": [ + "Ctx.Attachment" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/gofiber/fiber/pull/579" + }, + { + "type": "FIX", + "url": "https://github.com/gofiber/fiber/commit/f698b5d5066cfe594102ae252cd58a1fe57cf56f" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0109.json b/data/osv/GO-2021-0109.json new file mode 100644 index 00000000..c057e5b0 --- /dev/null +++ b/data/osv/GO-2021-0109.json @@ -0,0 +1,50 @@ +{ + "id": "GO-2021-0109", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-15223", + "GHSA-7mqr-2v3q-v2wm" + ], + "details": "Due to improper error handling, an error with the underlying token storage may cause a user\nto believe a token has been successfully revoked when it is in fact still valid. An attackers\nability to exploit this relies on an ability to trigger errors in the underlying storage.\n", + "affected": [ + { + "package": { + "name": "github.com/ory/fosite", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.34.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0109" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ory/fosite", + "symbols": [ + "TokenRevocationHandler.RevokeToken" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/ory/fosite/commit/03dd55813f5521985f7dd64277b7ba0cf1441319" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0110.json b/data/osv/GO-2021-0110.json new file mode 100644 index 00000000..237eb5a0 --- /dev/null +++ b/data/osv/GO-2021-0110.json @@ -0,0 +1,56 @@ +{ + "id": "GO-2021-0110", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-15222", + "GHSA-v3q9-2p3m-7g43" + ], + "details": "Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be\nreplayed.\n", + "affected": [ + { + "package": { + "name": "github.com/ory/fosite", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.31.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0110" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ory/fosite", + "symbols": [ + "Fosite.AuthenticateClient", + "Fosite.NewAccessRequest", + "Fosite.NewRevocationRequest" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9" + }, + { + "type": "WEB", + "url": "https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0112.json b/data/osv/GO-2021-0112.json new file mode 100644 index 00000000..05978e6a --- /dev/null +++ b/data/osv/GO-2021-0112.json @@ -0,0 +1,175 @@ +{ + "id": "GO-2021-0112", + "published": "2021-07-28T18:08:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-20329", + "GHSA-f6mq-5m25-4r72" + ], + "details": "Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed\nGo structure could allow an attacker to inject additional fields into a MongoDB document. Users are\naffected if they use this package to handle untrusted user input.\n", + "affected": [ + { + "package": { + "name": "go.mongodb.org/mongo-driver", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0112" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "go.mongodb.org/mongo-driver/x/bsonx/bsoncore", + "symbols": [ + "AppendArrayElement", + "AppendArrayElementStart", + "AppendBinaryElement", + "AppendBooleanElement", + "AppendCodeWithScopeElement", + "AppendDBPointerElement", + "AppendDateTimeElement", + "AppendDecimal128Element", + "AppendDocumentElement", + "AppendDocumentElementStart", + "AppendDoubleElement", + "AppendHeader", + "AppendInt32Element", + "AppendInt64Element", + "AppendJavaScriptElement", + "AppendMaxKeyElement", + "AppendMinKeyElement", + "AppendNullElement", + "AppendObjectIDElement", + "AppendRegex", + "AppendRegexElement", + "AppendStringElement", + "AppendSymbolElement", + "AppendTimeElement", + "AppendTimestampElement", + "AppendUndefinedElement", + "AppendValueElement", + "ArrayBuilder.AppendArray", + "ArrayBuilder.AppendBinary", + "ArrayBuilder.AppendBoolean", + "ArrayBuilder.AppendCodeWithScope", + "ArrayBuilder.AppendDBPointer", + "ArrayBuilder.AppendDateTime", + "ArrayBuilder.AppendDecimal128", + "ArrayBuilder.AppendDocument", + "ArrayBuilder.AppendDouble", + "ArrayBuilder.AppendInt32", + "ArrayBuilder.AppendInt64", + "ArrayBuilder.AppendJavaScript", + "ArrayBuilder.AppendMaxKey", + "ArrayBuilder.AppendMinKey", + "ArrayBuilder.AppendNull", + "ArrayBuilder.AppendObjectID", + "ArrayBuilder.AppendRegex", + "ArrayBuilder.AppendString", + "ArrayBuilder.AppendSymbol", + "ArrayBuilder.AppendTimestamp", + "ArrayBuilder.AppendUndefined", + "ArrayBuilder.AppendValue", + "ArrayBuilder.StartArray", + "BuildArray", + "BuildArrayElement", + "BuildDocumentElement", + "DocumentBuilder.AppendArray", + "DocumentBuilder.AppendBinary", + "DocumentBuilder.AppendBoolean", + "DocumentBuilder.AppendCodeWithScope", + "DocumentBuilder.AppendDBPointer", + "DocumentBuilder.AppendDateTime", + "DocumentBuilder.AppendDecimal128", + "DocumentBuilder.AppendDocument", + "DocumentBuilder.AppendDouble", + "DocumentBuilder.AppendInt32", + "DocumentBuilder.AppendInt64", + "DocumentBuilder.AppendJavaScript", + "DocumentBuilder.AppendMaxKey", + "DocumentBuilder.AppendMinKey", + "DocumentBuilder.AppendNull", + "DocumentBuilder.AppendObjectID", + "DocumentBuilder.AppendRegex", + "DocumentBuilder.AppendString", + "DocumentBuilder.AppendSymbol", + "DocumentBuilder.AppendTimestamp", + "DocumentBuilder.AppendUndefined", + "DocumentBuilder.AppendValue", + "DocumentBuilder.StartDocument" + ] + }, + { + "path": "go.mongodb.org/mongo-driver/bson/bsonrw", + "symbols": [ + "Copier.AppendArrayBytes", + "Copier.AppendDocumentBytes", + "Copier.AppendValueBytes", + "Copier.CopyArrayFromBytes", + "Copier.CopyBytesToArrayWriter", + "Copier.CopyBytesToDocumentWriter", + "Copier.CopyDocument", + "Copier.CopyDocumentFromBytes", + "Copier.CopyDocumentToBytes", + "Copier.CopyValue", + "Copier.CopyValueFromBytes", + "Copier.CopyValueToBytes", + "CopyDocument", + "valueWriter.WriteArray", + "valueWriter.WriteBinary", + "valueWriter.WriteBinaryWithSubtype", + "valueWriter.WriteBoolean", + "valueWriter.WriteCodeWithScope", + "valueWriter.WriteDBPointer", + "valueWriter.WriteDateTime", + "valueWriter.WriteDecimal128", + "valueWriter.WriteDocument", + "valueWriter.WriteDouble", + "valueWriter.WriteInt32", + "valueWriter.WriteInt64", + "valueWriter.WriteJavascript", + "valueWriter.WriteMaxKey", + "valueWriter.WriteMinKey", + "valueWriter.WriteNull", + "valueWriter.WriteObjectID", + "valueWriter.WriteRegex", + "valueWriter.WriteString", + "valueWriter.WriteSymbol", + "valueWriter.WriteTimestamp", + "valueWriter.WriteUndefined", + "valueWriter.WriteValueBytes", + "valueWriter.writeElementHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/mongodb/mongo-go-driver/pull/622" + }, + { + "type": "FIX", + "url": "https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca" + }, + { + "type": "WEB", + "url": "https://jira.mongodb.org/browse/GODRIVER-1923" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0113.json b/data/osv/GO-2021-0113.json new file mode 100644 index 00000000..a00fcd3f --- /dev/null +++ b/data/osv/GO-2021-0113.json @@ -0,0 +1,56 @@ +{ + "id": "GO-2021-0113", + "published": "2021-10-06T17:51:21Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-38561" + ], + "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0113" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/language", + "symbols": [ + "MatchStrings", + "MustParse", + "Parse", + "ParseAcceptLanguage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/340830" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0142.json b/data/osv/GO-2021-0142.json new file mode 100644 index 00000000..1e3bd737 --- /dev/null +++ b/data/osv/GO-2021-0142.json @@ -0,0 +1,69 @@ +{ + "id": "GO-2021-0142", + "published": "2022-07-01T20:11:09Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-16845", + "GHSA-q6gq-997w-f55g" + ], + "details": "ReadUvarint and ReadVarint can read an unlimited number of bytes from\ninvalid inputs.\n\nCertain invalid inputs to ReadUvarint or ReadVarint can cause these\nfunctions to read an unlimited number of bytes from the ByteReader\nparameter before returning an error. This can lead to processing more\ninput than expected when the caller is reading directly from a\nnetwork and depends on ReadUvarint or ReadVarint only consuming a\nsmall, bounded number of bytes, even from invalid inputs.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.15" + }, + { + "introduced": "1.14.0" + }, + { + "fixed": "1.14.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0142" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/binary", + "symbols": [ + "ReadUvarint", + "ReadVarint" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/247120" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/40618" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/NyPIaucMgXo" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0154.json b/data/osv/GO-2021-0154.json new file mode 100644 index 00000000..697b07b6 --- /dev/null +++ b/data/osv/GO-2021-0154.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2021-0154", + "published": "2022-05-25T21:11:41Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2014-7189" + ], + "details": "When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle\nattackers to spoof clients via unspecified vectors.\n\nIf the server enables TLS client authentication using certificates (this is\nrare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,\nthen a malicious client can falsely assert ownership of any client\ncertificate it wishes.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.1.0" + }, + { + "fixed": "1.3.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0154" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "checkForResumption", + "decryptTicket" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/148080043" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/commit/64df53ed7f" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53085" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0159.json b/data/osv/GO-2021-0159.json new file mode 100644 index 00000000..bab10e83 --- /dev/null +++ b/data/osv/GO-2021-0159.json @@ -0,0 +1,99 @@ +{ + "id": "GO-2021-0159", + "published": "2022-01-05T21:39:14Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2015-5739", + "CVE-2015-5740", + "CVE-2015-5741" + ], + "details": "HTTP headers were not properly parsed, which allows remote attackers to\nconduct HTTP request smuggling attacks via a request that contains\nContent-Length and Transfer-Encoding header fields.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0159" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "CanonicalMIMEHeaderKey", + "body.readLocked", + "canonicalMIMEHeaderKey", + "chunkWriter.writeHeader", + "fixLength", + "fixTransferEncoding", + "readTransfer", + "transferWriter.shouldSendContentLength", + "validHeaderFieldByte" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/13148" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/26049f6f9171d1190f3bbe05ec304845cfe6399f" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/11772" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/11810" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/12865" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/300d9a21583e7cf0149a778a0611e76ff7c6680f" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/c2db5f4ccc61ba7df96a747e268a277b802cbb87" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/12027" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/11930" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0160.json b/data/osv/GO-2021-0160.json new file mode 100644 index 00000000..360e24bf --- /dev/null +++ b/data/osv/GO-2021-0160.json @@ -0,0 +1,70 @@ +{ + "id": "GO-2021-0160", + "published": "2022-01-05T15:31:16Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2015-8618" + ], + "details": "Int.Exp Montgomery mishandled carry propagation and produced an incorrect\noutput, which makes it easier for attackers to obtain private RSA keys via\nunspecified vectors.\n\nThis issue can affect RSA computations in crypto/rsa, which is used by\ncrypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA\nprivate key due to this issue. Other protocol implementations that create\nmany RSA signatures could also be impacted in the same way.\n\nSpecifically, incorrect results in one part of the RSA Chinese Remainder\ncomputation can cause the result to be incorrect in such a way that it leaks\none of the primes. While RSA blinding should prevent an attacker from crafting\nspecific inputs that trigger the bug, on 32-bit systems the bug can be expected\nto occur at random around one in 2^26 times. Thus collecting around 64 million\nsignatures (of known data) from an affected server should be enough to extract\nthe private key used.\n\nNote that on 64-bit systems, the frequency of the bug is so low\n(less than one in 2^50) that it would be very difficult to exploit.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.5.0" + }, + { + "fixed": "1.5.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0160" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "math/big", + "symbols": [ + "nat.expNNMontgomery", + "nat.montgomery" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/18491" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/1e066cad1ba23f4064545355b8737e4762dd6838" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/4306352182bf94f86f0cfc6a8b0ed461cbf1d82c" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/17672" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/13515" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/MEATuOi_ei4" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0163.json b/data/osv/GO-2021-0163.json new file mode 100644 index 00000000..ecdbe690 --- /dev/null +++ b/data/osv/GO-2021-0163.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0163", + "published": "2022-01-05T22:41:50Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2016-3958" + ], + "details": "Untrusted search path vulnerability on Windows related to LoadLibrary allows\nlocal users to gain privileges via a malicious DLL in the current working\ndirectory.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.4" + }, + { + "introduced": "1.6.0" + }, + { + "fixed": "1.6.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0163" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "syscall", + "symbols": [ + "LoadLibrary" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/21428" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/6a0bb87bd0bf0fdf8ddbd35f77a75ebd412f61b0" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/14959" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/9eqIHqaWvck" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0172.json b/data/osv/GO-2021-0172.json new file mode 100644 index 00000000..840e86dd --- /dev/null +++ b/data/osv/GO-2021-0172.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0172", + "published": "2022-02-15T23:56:14Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-1000098" + ], + "details": "When parsing large multipart/form-data, an attacker can\ncause a HTTP server to open a large number of file\ndescriptors. This may be used as a denial-of-service\nvector.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.4" + }, + { + "introduced": "1.7.0" + }, + { + "fixed": "1.7.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0172" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "mime/multipart", + "symbols": [ + "Reader.readForm" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/30410" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/16296" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0178.json b/data/osv/GO-2021-0178.json new file mode 100644 index 00000000..2c79f40d --- /dev/null +++ b/data/osv/GO-2021-0178.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0178", + "published": "2022-01-07T20:35:00Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-15042" + ], + "details": "SMTP clients using net/smtp can use the PLAIN authentication scheme on\nnetwork connections not secured with TLS, exposing passwords to\nman-in-the-middle SMTP servers.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.1.0" + }, + { + "fixed": "1.8.4" + }, + { + "introduced": "1.9.0" + }, + { + "fixed": "1.9.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0178" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/smtp", + "symbols": [ + "plainAuth.Start" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/68170" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/ec3b6131de8f9c9c25283260c95c616c74f6d790" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/22134" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0223.json b/data/osv/GO-2021-0223.json new file mode 100644 index 00000000..71489107 --- /dev/null +++ b/data/osv/GO-2021-0223.json @@ -0,0 +1,70 @@ +{ + "id": "GO-2021-0223", + "published": "2022-02-17T17:46:03Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-14039" + ], + "details": "On Windows, if VerifyOptions.Roots is nil, Certificate.Verify\ndoes not check the EKU requirements specified in VerifyOptions.KeyUsages.\nThis may allow a certificate to be used for an unintended purpose.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.13" + }, + { + "introduced": "1.14.0" + }, + { + "fixed": "1.14.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0223" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "goos": [ + "windows" + ], + "symbols": [ + "Certificate.systemVerify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/242597" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/82175e699a2e2cd83d3aa34949e9b922d66d52f5" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/39360" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0224.json b/data/osv/GO-2021-0224.json new file mode 100644 index 00000000..96c8b7da --- /dev/null +++ b/data/osv/GO-2021-0224.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0224", + "published": "2022-02-17T17:36:04Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-15586" + ], + "details": "HTTP servers where the Handler concurrently reads the request\nbody and writes a response can encounter a data race and crash.\nThe httputil.ReverseProxy Handler is affected.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.13" + }, + { + "introduced": "1.14.0" + }, + { + "fixed": "1.14.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0224" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "expectContinueReader.Read" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/242598" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/fa98f46741f818913a8c11b877520a548715131f" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/34902" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0226.json b/data/osv/GO-2021-0226.json new file mode 100644 index 00000000..18da5c6f --- /dev/null +++ b/data/osv/GO-2021-0226.json @@ -0,0 +1,77 @@ +{ + "id": "GO-2021-0226", + "published": "2022-01-13T03:44:58Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-24553" + ], + "details": "When a Handler does not explicitly set the Content-Type header, the the\npackage would default to “text/html”, which could cause a Cross-Site Scripting\nvulnerability if an attacker can control any part of the contents of a\nresponse.\n\nThe Content-Type header is now set based on the contents of the first Write\nusing http.DetectContentType, which is consistent with the behavior of the\nnet/http package.\n\nAlthough this protects some applications that validate the contents of\nuploaded files, not setting the Content-Type header explicitly on any\nattacker-controlled file is unsafe and should be avoided.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.14.8" + }, + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0226" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http/cgi", + "symbols": [ + "response.Write", + "response.WriteHeader", + "response.writeCGIHeader" + ] + }, + { + "path": "net/http/fcgi", + "symbols": [ + "response.Write", + "response.WriteHeader", + "response.writeCGIHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/252179" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/4f5cd0c0331943c7ec72df3b827d972584f77833" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/40928" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0227.json b/data/osv/GO-2021-0227.json new file mode 100644 index 00000000..9d3a693f --- /dev/null +++ b/data/osv/GO-2021-0227.json @@ -0,0 +1,57 @@ +{ + "id": "GO-2021-0227", + "published": "2022-02-17T17:35:32Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-29652" + ], + "details": "Clients can cause a panic in SSH servers. An attacker can craft\nan authentication request message for the “gssapi-with-mic” method\nwhich will cause NewServerConn to panic via a nil pointer dereference\nif ServerConfig.GSSAPIWithMICConfig is nil.\n", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20201216223049-8b5274cf687f" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0227" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "connection.serverAuthenticate" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/278852" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0228.json b/data/osv/GO-2021-0228.json new file mode 100644 index 00000000..fadb44f5 --- /dev/null +++ b/data/osv/GO-2021-0228.json @@ -0,0 +1,69 @@ +{ + "id": "GO-2021-0228", + "published": "2022-01-14T17:30:28Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-7664", + "GHSA-vpx7-vm66-qx8r" + ], + "details": "The ExtractTo function doesn't securely escape file paths in zip archives\nwhich include leading or non-leading \"..\". This allows an attacker to add or\nreplace files system-wide.\n", + "affected": [ + { + "package": { + "name": "github.com/unknwon/cae", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0228" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/unknwon/cae/zip", + "symbols": [ + "Create", + "ExtractTo", + "ExtractToFunc", + "Open", + "OpenFile", + "TzArchive.ExtractToFunc", + "TzArchive.ExtractToFunc", + "TzArchive.syncFiles", + "TzArchive.syncFiles", + "ZipArchive.Close", + "ZipArchive.ExtractTo", + "ZipArchive.ExtractToFunc", + "ZipArchive.ExtractToFunc", + "ZipArchive.Flush", + "ZipArchive.Open", + "ZipArchive.Open" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11" + }, + { + "type": "WEB", + "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUNKNWONCAEZIP-570383" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0234.json b/data/osv/GO-2021-0234.json new file mode 100644 index 00000000..5ad5b004 --- /dev/null +++ b/data/osv/GO-2021-0234.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0234", + "published": "2022-02-17T17:34:24Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-27918" + ], + "details": "The Decode, DecodeElement, and Skip methods of an xml.Decoder\nprovided by xml.NewTokenDecoder may enter an infinite loop when\noperating on a custom xml.TokenReader which returns an EOF in the\nmiddle of an open XML element.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.9" + }, + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0234" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/xml", + "symbols": [ + "Decoder.Token" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/300391" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/d0b79e3513a29628f3599dc8860666b6eed75372" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/44913" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0235.json b/data/osv/GO-2021-0235.json new file mode 100644 index 00000000..242314ee --- /dev/null +++ b/data/osv/GO-2021-0235.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0235", + "published": "2022-02-17T17:34:14Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3114" + ], + "details": "The P224() Curve implementation can in rare circumstances generate\nincorrect outputs, including returning invalid points from\nScalarMult.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.14.14" + }, + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0235" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/elliptic", + "symbols": [ + "p224Contract" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/284779" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/d95ca9138026cbe40e0857d76a81a16d03230871" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/43786" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0237.json b/data/osv/GO-2021-0237.json new file mode 100644 index 00000000..a162a81d --- /dev/null +++ b/data/osv/GO-2021-0237.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2021-0237", + "published": "2022-01-11T17:18:11Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-32721", + "GHSA-mj9r-wwm8-7q52" + ], + "details": "Attackers may be able to craft phishing links and other open\nredirects by exploiting PowerMux's trailing slash redirection\nfeature. This may lead to users being redirected to untrusted\nsites after following an attacker crafted link.\n", + "affected": [ + { + "package": { + "name": "github.com/AndrewBurian/powermux", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0237" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/AndrewBurian/powermux", + "symbols": [ + "Route.execute" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/AndrewBurian/powermux/pull/42" + }, + { + "type": "FIX", + "url": "https://github.com/AndrewBurian/powermux/commit/5e60a8a0372b35a898796c2697c40e8daabed8e9" + }, + { + "type": "WEB", + "url": "https://github.com/AndrewBurian/powermux/security/advisories/GHSA-mj9r-wwm8-7q52" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0238.json b/data/osv/GO-2021-0238.json new file mode 100644 index 00000000..e7232467 --- /dev/null +++ b/data/osv/GO-2021-0238.json @@ -0,0 +1,61 @@ +{ + "id": "GO-2021-0238", + "published": "2022-02-17T17:33:43Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-33194" + ], + "details": "An attacker can craft an input to ParseFragment that causes it\nto enter an infinite loop and never return.\n", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20210520170846-37e1c6afe023" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0238" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "inHeadIM" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/311090" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/37e1c6afe02340126705deced573a85ab75209d7" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/46288" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/wPunbCPkWUg" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0239.json b/data/osv/GO-2021-0239.json new file mode 100644 index 00000000..34a5358a --- /dev/null +++ b/data/osv/GO-2021-0239.json @@ -0,0 +1,71 @@ +{ + "id": "GO-2021-0239", + "published": "2022-02-17T17:33:35Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-33195" + ], + "details": "The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr\nfunctions and their respective methods on the Resolver type may\nreturn arbitrary values retrieved from DNS which do not follow\nthe established RFC 1035 rules for domain names. If these names\nare used without further sanitization, for instance unsafely\nincluded in HTML, they may allow for injection of unexpected\ncontent. Note that LookupTXT may still return arbitrary values\nthat could require sanitization before further use.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.13" + }, + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0239" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net", + "symbols": [ + "Resolver.LookupAddr", + "Resolver.LookupCNAME", + "Resolver.LookupMX", + "Resolver.LookupNS", + "Resolver.LookupSRV" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/320949" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/c89f1224a544cde464fcb86e78ebb0cc97eedba2" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/46241" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0240.json b/data/osv/GO-2021-0240.json new file mode 100644 index 00000000..93f8729d --- /dev/null +++ b/data/osv/GO-2021-0240.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0240", + "published": "2022-02-17T17:33:25Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-33196" + ], + "details": "NewReader and OpenReader can cause a panic or an unrecoverable\nfatal error when reading an archive that claims to contain a large\nnumber of files, regardless of its actual size.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.13" + }, + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0240" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "archive/zip", + "symbols": [ + "Reader.init" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/318909" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/74242baa4136c7a9132a8ccd9881354442788c8c" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/46242" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0241.json b/data/osv/GO-2021-0241.json new file mode 100644 index 00000000..9f5b7266 --- /dev/null +++ b/data/osv/GO-2021-0241.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0241", + "published": "2022-02-17T17:33:16Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-33197" + ], + "details": "ReverseProxy can be made to forward certain hop-by-hop headers,\nincluding Connection. If the target of the ReverseProxy is\nitself a reverse proxy, this lets an attacker drop arbitrary\nheaders, including those set by the ReverseProxy.Director.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.13" + }, + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0241" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http/httputil", + "symbols": [ + "ReverseProxy.ServeHTTP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/321929" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/950fa11c4cb01a145bb07eeb167d90a1846061b3" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/46313" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0242.json b/data/osv/GO-2021-0242.json new file mode 100644 index 00000000..6ad40bc0 --- /dev/null +++ b/data/osv/GO-2021-0242.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0242", + "published": "2022-02-17T17:33:07Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-33198" + ], + "details": "Rat.SetString and Rat.UnmarshalText may cause a panic or an\nunrecoverable fatal error if passed inputs with very large\nexponents.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.13" + }, + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0242" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "math/big", + "symbols": [ + "Rat.SetString" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/316149" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/6c591f79b0b5327549bd4e94970f7a279efb4ab0" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/45910" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0243.json b/data/osv/GO-2021-0243.json new file mode 100644 index 00000000..538209ee --- /dev/null +++ b/data/osv/GO-2021-0243.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0243", + "published": "2022-02-17T17:32:57Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-34558" + ], + "details": "crypto/tls clients can panic when provided a certificate of the\nwrong type for the negotiated parameters. net/http clients\nperforming HTTPS requests are also affected.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.14" + }, + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.6" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0243" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "rsaKeyAgreement.generateClientKeyExchange" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/334031" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/a98589711da5e9d935e8d690cfca92892e86d557" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/47143" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0245.json b/data/osv/GO-2021-0245.json new file mode 100644 index 00000000..881151f9 --- /dev/null +++ b/data/osv/GO-2021-0245.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0245", + "published": "2022-02-17T17:32:24Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-36221" + ], + "details": "ReverseProxy can panic after encountering a problem copying\na proxied response body.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.15" + }, + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0245" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http/httputil", + "symbols": [ + "ReverseProxy.ServeHTTP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/333191" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b7a85e0003cedb1b48a1fd3ae5b746ec6330102e" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/uHACNfXAZqk" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/46866" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0258.json b/data/osv/GO-2021-0258.json new file mode 100644 index 00000000..c0bd20a9 --- /dev/null +++ b/data/osv/GO-2021-0258.json @@ -0,0 +1,60 @@ +{ + "id": "GO-2021-0258", + "published": "2022-01-14T17:30:31Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-41230", + "GHSA-j6wp-3859-vxfg" + ], + "details": "Pomerium is an open source identity-aware access proxy. Changes to the OIDC\nclaims of a user after initial login are not reflected in policy evaluation\nwhen using allowed_idp_claims as part of policy. If using allowed_idp_claims\nand a user's claims are changed, Pomerium can make incorrect authorization\ndecisions.\n\nFor users unable to upgrade clear data on databroker service by clearing\nredis or restarting the in-memory databroker to force claims to be updated.\n", + "affected": [ + { + "package": { + "name": "github.com/pomerium/pomerium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.15.6" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0258" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/pomerium/pomerium/internal/identity/manager", + "symbols": [ + "Manager.Run", + "Manager.RunLeased", + "Manager.onUpdateRecords" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/pomerium/pomerium/pull/2724" + }, + { + "type": "FIX", + "url": "https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511" + }, + { + "type": "WEB", + "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0263.json b/data/osv/GO-2021-0263.json new file mode 100644 index 00000000..35f612e1 --- /dev/null +++ b/data/osv/GO-2021-0263.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0263", + "published": "2022-01-13T03:45:03Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-41771" + ], + "details": "Calling File.ImportedSymbols on a loaded file which contains an invalid\ndynamic symbol table command can cause a panic, in particular if the encoded\nnumber of undefined symbols is larger than the number of symbols in the symbol\ntable.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.10" + }, + { + "introduced": "1.17.0" + }, + { + "fixed": "1.17.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0263" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "debug/macho", + "symbols": [ + "NewFile" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/367075" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/61536ec03063b4951163bd09609c86d82631fa27" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/48990" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0264.json b/data/osv/GO-2021-0264.json new file mode 100644 index 00000000..f861b68a --- /dev/null +++ b/data/osv/GO-2021-0264.json @@ -0,0 +1,68 @@ +{ + "id": "GO-2021-0264", + "published": "2022-01-13T20:54:43Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-41772" + ], + "details": "Previously, opening a zip with (*Reader).Open could result in a panic if the\nzip contained a file whose name was exclusively made up of slash characters or\n\"..\" path elements.\n\nOpen could also panic if passed the empty string directly as an argument.\n\nNow, any files in the zip whose name could not be made valid for fs.FS.Open\nwill be skipped, and no longer added to the fs.FS file list, although they\nare still accessible through (*Reader).File.\n\nNote that it was already the case that a file could be accessible from\n(*Reader).Open with a name different from the one in (*Reader).File, as the\nformer is the cleaned name, while the latter is the original one.\n\nFinally, the actual panic site was made robust as a defense-in-depth measure.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.10" + }, + { + "introduced": "1.17.0" + }, + { + "fixed": "1.17.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0264" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "archive/zip", + "symbols": [ + "Reader.Open", + "split" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/349770" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/48085" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0265.json b/data/osv/GO-2021-0265.json new file mode 100644 index 00000000..002ea5ea --- /dev/null +++ b/data/osv/GO-2021-0265.json @@ -0,0 +1,70 @@ +{ + "id": "GO-2021-0265", + "published": "2022-08-15T18:06:07Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-42248", + "CVE-2021-42836", + "GHSA-c9gm-7rfj-8w5h", + "GHSA-ppj4-34rq-v8j9" + ], + "details": "A maliciously crafted path can cause Get and other query functions\nto consume excessive amounts of CPU and time.\n", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0265" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Get", + "GetBytes", + "GetMany", + "GetManyBytes", + "Result.Get", + "parseObject", + "queryMatches" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/237" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/236" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0317.json b/data/osv/GO-2021-0317.json new file mode 100644 index 00000000..f54043fe --- /dev/null +++ b/data/osv/GO-2021-0317.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0317", + "published": "2022-05-23T22:15:42Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-23772" + ], + "details": "Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.14" + }, + { + "introduced": "1.17.0" + }, + { + "fixed": "1.17.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0317" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "math/big", + "symbols": [ + "Rat.SetString" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/379537" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/ad345c265916bbf6c646865e4642eafce6d39e78" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/50699" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0319.json b/data/osv/GO-2021-0319.json new file mode 100644 index 00000000..fd02db96 --- /dev/null +++ b/data/osv/GO-2021-0319.json @@ -0,0 +1,69 @@ +{ + "id": "GO-2021-0319", + "published": "2022-05-23T22:15:21Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-23806" + ], + "details": "Some big.Int values that are not valid field elements (negative or overflowing)\nmight cause Curve.IsOnCurve to incorrectly return true. Operating on those values\nmay cause a panic or an invalid curve operation. Note that Unmarshal will never\nreturn such values.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.14" + }, + { + "introduced": "1.17.0" + }, + { + "fixed": "1.17.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0319" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/elliptic", + "symbols": [ + "CurveParams.IsOnCurve", + "p384PointFromAffine", + "p521PointFromAffine" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/382455" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/7f9494c277a471f6f47f4af3036285c0b1419816" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/50974" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0347.json b/data/osv/GO-2021-0347.json new file mode 100644 index 00000000..751308db --- /dev/null +++ b/data/osv/GO-2021-0347.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2021-0347", + "published": "2022-05-23T22:15:47Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-24921" + ], + "details": "On 64-bit platforms, an extremely deeply nested expression can\ncause regexp.Compile to cause goroutine stack exhaustion, forcing\nthe program to exit. Note this applies to very large expressions,\non the order of 2MB.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.15" + }, + { + "introduced": "1.17.0" + }, + { + "fixed": "1.17.8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0347" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "regexp", + "symbols": [ + "regexp.Compile" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/384616" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/452f24ae94f38afa3704d4361d91d51218405c0a" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/51112" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0356.json b/data/osv/GO-2021-0356.json new file mode 100644 index 00000000..b9be385d --- /dev/null +++ b/data/osv/GO-2021-0356.json @@ -0,0 +1,63 @@ +{ + "id": "GO-2021-0356", + "published": "2022-04-25T20:38:40Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-27191", + "GHSA-8c26-wmh5-6g9v" + ], + "details": "Attackers can cause a crash in SSH servers when the server has been\nconfigured by passing a Signer to ServerConfig.AddHostKey such that\n 1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and\n 2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its\n PublicKey method.\n\nServers that only use Signer implementations provided by the ssh package are\nunaffected.\n", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20220314234659-1baeb1ce4c0b" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0356" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "ServerConfig.AddHostKey", + "ServerConfig.AddHostKey" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/392355" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/-cp44ypCT5s" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2021-0412.json b/data/osv/GO-2021-0412.json new file mode 100644 index 00000000..edf59017 --- /dev/null +++ b/data/osv/GO-2021-0412.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2021-0412", + "published": "2022-04-28T23:35:11Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-24778", + "GHSA-8v99-48m9-c8pm" + ], + "details": "The imgcrypt library provides API exensions for containerd to\nsupport encrypted container images and implements the ctd-decoder\ncommand line tool for use by containerd to decrypt encrypted\ncontainer images. The imgcrypt function `CheckAuthorization`\nis supposed to check whether the current used is authorized to\naccess an encrypted image and prevent the user from running an\nimage that another user previously decrypted on the same system.\nIn versions prior to 1.1.4, a failure occurs when an image with\na ManifestList is used and the architecture of the local host\nis not the first one in the ManifestList. Only the first\narchitecture in the list was tested, which may not have its\nlayers available locally since it could not be run on the host\narchitecture. Therefore, the verdict on unavailable layers was\nthat the image could be run anticipating that image run failure\nwould occur later due to the layers not being available. However,\nthis verdict to allow the image to run enabled other architectures\nin the ManifestList to run an image without providing keys if\nthat image had previously been decrypted. A patch has been\napplied to imgcrypt 1.1.4. Workarounds may include usage of\ndifferent namespaces for each remote user.\n", + "affected": [ + { + "package": { + "name": "github.com/containerd/imgcrypt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0412" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/containerd/imgcrypt/images/encryption", + "symbols": [ + "cryptManifestList" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/imgcrypt/issues/69" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0166.json b/data/osv/GO-2022-0166.json new file mode 100644 index 00000000..37954308 --- /dev/null +++ b/data/osv/GO-2022-0166.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0166", + "published": "2022-05-24T22:06:33Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2016-3959" + ], + "details": "The Verify function in crypto/dsa passed certain parameters unchecked to\nthe underlying big integer library, possibly leading to extremely\nlong-running computations, which in turn makes Go programs vulnerable to\nremote denial of service attacks. Programs using HTTPS client certificates\nor the Go SSH server libraries are both exposed to this vulnerability.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.4" + }, + { + "introduced": "1.6.0" + }, + { + "fixed": "1.6.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0166" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/dsa", + "symbols": [ + "Verify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/21533" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/eb876dd83cb8413335d64e50aae5d38337d1ebb4" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/15184" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/9eqIHqaWvck" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0171.json b/data/osv/GO-2022-0171.json new file mode 100644 index 00000000..bbc7dc49 --- /dev/null +++ b/data/osv/GO-2022-0171.json @@ -0,0 +1,71 @@ +{ + "id": "GO-2022-0171", + "published": "2022-05-24T20:17:59Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-1000097" + ], + "details": "On Darwin, user's trust preferences for root certificates were not honored.\nIf the user had a root certificate loaded in their Keychain that was\nexplicitly not trusted, a Go program would still verify a connection using\nthat root certificate.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.4" + }, + { + "introduced": "1.7.0" + }, + { + "fixed": "1.7.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0171" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "goos": [ + "darwin" + ], + "symbols": [ + "FetchPEMRoots", + "execSecurityRoots" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/33721" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/18141" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0177.json b/data/osv/GO-2022-0177.json new file mode 100644 index 00000000..258e3e95 --- /dev/null +++ b/data/osv/GO-2022-0177.json @@ -0,0 +1,64 @@ +{ + "id": "GO-2022-0177", + "published": "2022-08-09T17:31:35Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-15041" + ], + "details": "The \"go get\" command allows remote command execution.\n\nUsing custom domains, it is possible to arrange things so that\nexample.com/pkg1 points to a Subversion repository but\nexample.com/pkg1/pkg2 points to a Git repository. If the Subversion\nrepository includes a Git checkout in its pkg2 directory and\nsome other work is done to ensure the proper ordering of operations, \"go\nget\" can be tricked into reusing this Git checkout for the fetch of code\nfrom pkg2. If the Subversion repository's Git checkout has malicious\ncommands in .git/hooks/, they will execute on the system running \"go get\".\n", + "affected": [ + { + "package": { + "name": "toolchain", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.4" + }, + { + "introduced": "1.9.0" + }, + { + "fixed": "1.9.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0177" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "cmd/go" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/68110" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/ec71ee078fd3243b78c0d404c8634bd97e38d7eb" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/22125" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0187.json b/data/osv/GO-2022-0187.json new file mode 100644 index 00000000..fb1d9d9d --- /dev/null +++ b/data/osv/GO-2022-0187.json @@ -0,0 +1,70 @@ +{ + "id": "GO-2022-0187", + "published": "2022-07-01T20:11:15Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-8932" + ], + "details": "The ScalarMult implementation of curve P-256 for amd64 architectures\ngenerates incorrect results for certain specific input points.\nAn adaptive attack can progressively extract the scalar input to\nScalarMult by submitting crafted points and observing failures to\nderive correct output. This leads to a full key recovery attack\nagainst static ECDH, as used in popular JWT libraries.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.6.0" + }, + { + "fixed": "1.7.6" + }, + { + "introduced": "1.8.0" + }, + { + "fixed": "1.8.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0187" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/elliptic", + "goarch": [ + "amd64" + ], + "symbols": [ + "p256SubInternal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/41070" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/9294fa2749ffee7edbbb817a0ef9fe633136fa9c" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/20040" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/B5ww0iFt1_Q/m/TgUFJV14BgAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0189.json b/data/osv/GO-2022-0189.json new file mode 100644 index 00000000..f208188a --- /dev/null +++ b/data/osv/GO-2022-0189.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0189", + "published": "2022-08-04T21:30:35Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-16873" + ], + "details": "The \"go get\" command is vulnerable to remote code execution when executed\nwith the -u flag and the import path of a malicious Go package, or a\npackage that imports it directly or indirectly.\n\nSpecifically, it is only vulnerable in GOPATH mode, but not in module mode\n(the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get).\n\nUsing custom domains, it's possible to arrange things so that a Git\nrepository is cloned to a folder named \".git\" by using a vanity import path\nthat ends with \"/.git\". If the Git repository root contains a \"HEAD\" file,\na \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work\nto ensure the proper ordering of operations, \"go get -u\" can be tricked\ninto considering the parent directory as a repository root, and running Git\ncommands on it. That will use the \"config\" file in the original Git\nrepository root for its configuration, and if that config file contains\nmalicious commands, they will execute on the system running \"go get -u\".\n\nNote that forbidding import paths with a .git element might not be\nsufficient to mitigate this issue, as on certain systems there can be other\naliases for VCS state folders.\n", + "affected": [ + { + "package": { + "name": "toolchain", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.6" + }, + { + "introduced": "1.11.0" + }, + { + "fixed": "1.11.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0189" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "cmd/go/internal/get", + "symbols": [ + "downloadPackage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/154101" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/29230" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0190.json b/data/osv/GO-2022-0190.json new file mode 100644 index 00000000..811d5d7d --- /dev/null +++ b/data/osv/GO-2022-0190.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0190", + "published": "2022-08-02T15:44:23Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-16874" + ], + "details": "The \"go get\" command is vulnerable to directory traversal when executed\nwith the import path of a malicious Go package which contains curly brace\n(both '{' and '}' characters).\n\nSpecifically, it is only vulnerable in GOPATH mode, but not in module mode\n(the distinction is documented at\nhttps://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause\nan arbitrary filesystem write, which can lead to code execution.\n", + "affected": [ + { + "package": { + "name": "toolchain", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.6" + }, + { + "introduced": "1.11.0" + }, + { + "fixed": "1.11.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0190" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "cmd/go/internal/get", + "symbols": [ + "downloadPackage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/154101" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/29230" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0191.json b/data/osv/GO-2022-0191.json new file mode 100644 index 00000000..b2a42e1c --- /dev/null +++ b/data/osv/GO-2022-0191.json @@ -0,0 +1,68 @@ +{ + "id": "GO-2022-0191", + "published": "2022-07-15T23:03:26Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-16875" + ], + "details": "The crypto/x509 package does not limit the amount of work\nperformed for each chain verification, which might allow attackers\nto craft pathological inputs leading to a CPU denial of service.\nGo TLS servers accepting client certificates and TLS clients\nverifying certificates are affected.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.6" + }, + { + "introduced": "1.11.0" + }, + { + "fixed": "1.11.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0191" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "CertPool.findVerifiedParents", + "Certificate.buildChains" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/154105" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/770130659b6fb2acf271476579a3644e093dda7f" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/29233" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0192.json b/data/osv/GO-2022-0192.json new file mode 100644 index 00000000..4a1940a0 --- /dev/null +++ b/data/osv/GO-2022-0192.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2022-0192", + "published": "2022-07-01T20:11:34Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-17142" + ], + "details": "The Parse function can panic on some invalid inputs.\n\nFor example, the Parse function panics on the input\n\"\u003cmath\u003e\u003ctemplate\u003e\u003cmo\u003e\u003ctemplate\u003e\".\n", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20180925071336-cf3bd585ca2a" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0192" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "parser.resetInsertionMode" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/136875" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/cf3bd585ca2a5a21b057abd8be7eea2204af89d0" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/27702" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0193.json b/data/osv/GO-2022-0193.json new file mode 100644 index 00000000..46105176 --- /dev/null +++ b/data/osv/GO-2022-0193.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2022-0193", + "published": "2022-07-06T18:14:54Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-17143" + ], + "details": "The Parse function can panic on some invalid inputs.\n\nFor example, the Parse function panics on the input\n\"\u003ctemplate\u003e\u003ctBody\u003e\u003cisindex/action=0\u003e\".\n", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20180921000356-2f5d2388922f" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0193" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "inBodyIM" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go-review.googlesource.com/c/net/+/136575" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/2f5d2388922f370f4355f327fcf4cfe9f5583908" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/27704" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0197.json b/data/osv/GO-2022-0197.json new file mode 100644 index 00000000..9650ded8 --- /dev/null +++ b/data/osv/GO-2022-0197.json @@ -0,0 +1,60 @@ +{ + "id": "GO-2022-0197", + "published": "2022-07-01T20:15:19Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-17847", + "CVE-2018-17848" + ], + "details": "The Parse function can panic on some invalid inputs.\n\nFor example, the Parse function panics on the input\n\"\u003csvg\u003e\u003ctemplate\u003e\u003cdesc\u003e\u003ct\u003e\u003csvg\u003e\u003c/template\u003e\".\n", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20190125002852-4b62a64f59f7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0197" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "nodeStack.contains" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/159397" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/4b62a64f59f73840b9ab79204c94fee61cd1ba2c" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/27846" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0201.json b/data/osv/GO-2022-0201.json new file mode 100644 index 00000000..75b6be1d --- /dev/null +++ b/data/osv/GO-2022-0201.json @@ -0,0 +1,60 @@ +{ + "id": "GO-2022-0201", + "published": "2022-08-09T18:15:41Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-6574" + ], + "details": "The \"go get\" command with cgo is vulnerable to remote command execution\nby leveraging the gcc or clang plugin feature.\n\nWhen cgo is enabled, the build step during \"go get\" invokes the host C\ncompiler, gcc or clang, adding compiler flags specified in the Go source\nfiles. Both gcc and clang support a plugin mechanism in which a\nshared-library plugin is loaded into the compiler, as directed by\ncompiler flags. This means that a Go package repository can contain an\nattack.so file along with a Go source file that says (for example)\n\"// #cgo CFLAGS: -fplugin=attack.so\" causing the attack plugin to be\nloaded into the host C compiler during the build. Gcc and clang plugins are\ncompletely unrestricted in their access to the host system.\n", + "affected": [ + { + "package": { + "name": "toolchain", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.7" + }, + { + "introduced": "1.9.0" + }, + { + "fixed": "1.9.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0201" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "cmd/go" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/1dcb5836ad2c60776561da2923c70576ba2eefc6" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/23672" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-nuts/c/Gbhh1NxAjMU" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0203.json b/data/osv/GO-2022-0203.json new file mode 100644 index 00000000..2444b38b --- /dev/null +++ b/data/osv/GO-2022-0203.json @@ -0,0 +1,64 @@ +{ + "id": "GO-2022-0203", + "published": "2022-08-09T23:19:00Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-7187" + ], + "details": "The \"go get\" command is vulnerable to remote code execution.\n\nWhen the -insecure command-line option is used, \"go get\" does not validate\nthe import path (get/vcs.go only checks for \"://\" anywhere in the string),\nwhich allows remote attackers to execute arbitrary OS commands via a\ncrafted web site.\n", + "affected": [ + { + "package": { + "name": "toolchain", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.5" + }, + { + "introduced": "1.10.0" + }, + { + "fixed": "1.10.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0203" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "cmd/go" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/94603" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/23867" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0209.json b/data/osv/GO-2022-0209.json new file mode 100644 index 00000000..5ad6accc --- /dev/null +++ b/data/osv/GO-2022-0209.json @@ -0,0 +1,64 @@ +{ + "id": "GO-2022-0209", + "published": "2022-07-01T20:15:25Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-11840" + ], + "details": "XORKeyStream generates incorrect and insecure output for very\nlarge inputs.\n\nIf more than 256 GiB of keystream is generated, or if the counter\notherwise grows greater than 32 bits, the amd64 implementation will\nfirst generate incorrect output, and then cycle back to previously\ngenerated keystream. Repeated keystream bytes can lead to loss of\nconfidentiality in encryption applications, or to predictability\nin CSPRNG applications.\n\nThe issue might affect uses of golang.org/x/crypto/nacl with extremely\nlarge messages.\n\nArchitectures other than amd64 and uses that generate less than 256 GiB\nof keystream for a single salsa20.XORKeyStream invocation are unaffected.\n", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20190320223903-b7391e95e576" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0209" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/salsa20/salsa", + "goarch": [ + "amd64" + ], + "symbols": [ + "XORKeyStream" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/168406" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/30965" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/tjyNcJxb2vQ/m/n0NRBziSCAAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0211.json b/data/osv/GO-2022-0211.json new file mode 100644 index 00000000..1dc18993 --- /dev/null +++ b/data/osv/GO-2022-0211.json @@ -0,0 +1,69 @@ +{ + "id": "GO-2022-0211", + "published": "2022-07-01T20:15:30Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-14809" + ], + "details": "The url.Parse function accepts URLs with malformed hosts, such that the Host\nfield can have arbitrary suffixes that appear in neither Hostname() nor Port(),\nallowing authorization bypasses in certain applications.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.13" + }, + { + "introduced": "1.12.0" + }, + { + "fixed": "1.12.8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0211" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/url", + "symbols": [ + "URL.Hostname", + "URL.Port", + "parseHost" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/189258" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/29098" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0212.json b/data/osv/GO-2022-0212.json new file mode 100644 index 00000000..fdcbdd26 --- /dev/null +++ b/data/osv/GO-2022-0212.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0212", + "published": "2022-05-23T22:46:20Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-16276" + ], + "details": "net/http (through net/textproto) used to accept and normalize invalid\nHTTP/1.1 headers with a space before the colon, in violation of RFC 7230.\n\nIf a Go server is used behind an uncommon reverse proxy that accepts and\nforwards but doesn't normalize such invalid headers, the reverse proxy and\nthe server can interpret the headers differently. This can lead to filter\nbypasses or request smuggling, the latter if requests from separate clients\nare multiplexed onto the same upstream connection by the proxy. Such\ninvalid headers are now rejected by Go servers, and passed without\nnormalization to Go client applications.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.10" + }, + { + "introduced": "1.13.0" + }, + { + "fixed": "1.13.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0212" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/textproto", + "symbols": [ + "Reader.ReadMimeHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/197503" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/41b1f88efab9d263408448bf139659119002ea50" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/34540" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/cszieYyuL9Q/m/g4Z7pKaqAgAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0213.json b/data/osv/GO-2022-0213.json new file mode 100644 index 00000000..c054a8b2 --- /dev/null +++ b/data/osv/GO-2022-0213.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0213", + "published": "2022-05-24T20:14:11Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-17596" + ], + "details": "Invalid DSA public keys can cause a panic in dsa.Verify. In particular,\nusing crypto/x509.Verify on a crafted X.509 certificate chain can lead to a\npanic, even if the certificates don't chain to a trusted root. The chain\ncan be delivered via a crypto/tls connection to a client, or to a server\nthat accepts and verifies client certificates. net/http clients can be made\nto crash by an HTTPS server, while net/http servers that accept client\ncertificates will recover the panic and are unaffected.\n\nMoreover, an application might crash invoking\ncrypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate\nrequest, parsing a golang.org/x/crypto/openpgp Entity, or during a\ngolang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh\nclient can panic due to a malformed host key, while a server could panic if\neither PublicKeyCallback accepts a malformed public key, or if\nIsUserAuthority accepts a certificate with a malformed public key.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.11" + }, + { + "introduced": "1.13.0" + }, + { + "fixed": "1.13.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0213" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/dsa", + "symbols": [ + "Verify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/205441" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/552987fdbf4c2bc9641016fd323c3ae5d3a0d9a3" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/34960" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/lVEm7llp0w0/m/VbafyRkgCgAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0217.json b/data/osv/GO-2022-0217.json new file mode 100644 index 00000000..1ccff2a8 --- /dev/null +++ b/data/osv/GO-2022-0217.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0217", + "published": "2022-05-24T15:21:01Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-6486" + ], + "details": "A DoS vulnerability in the crypto/elliptic implementations of the P-521 and\nP-384 elliptic curves may let an attacker craft inputs that consume\nexcessive amounts of CPU.\n\nThese inputs might be delivered via TLS handshakes, X.509 certificates, JWT\ntokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private\nkey is reused more than once, the attack can also lead to key recovery.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.8" + }, + { + "introduced": "1.11.0" + }, + { + "fixed": "1.11.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0217" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/elliptic", + "symbols": [ + "curve.doubleJacobian" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/159218" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/193c16a3648b8670a762e925b6ac6e074f468a20" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/29903" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/mVeX35iXuSw" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0220.json b/data/osv/GO-2022-0220.json new file mode 100644 index 00000000..8bf1e38a --- /dev/null +++ b/data/osv/GO-2022-0220.json @@ -0,0 +1,81 @@ +{ + "id": "GO-2022-0220", + "published": "2022-05-25T18:01:46Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-9634" + ], + "details": "Go on Windows misused certain LoadLibrary functionality, leading to DLL\ninjection.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.10" + }, + { + "introduced": "1.12.0" + }, + { + "fixed": "1.12.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0220" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "runtime", + "goos": [ + "windows" + ], + "symbols": [ + "loadOptionalSyscalls", + "osinit", + "syscall_loadsystemlibrary" + ] + }, + { + "path": "syscall", + "goos": [ + "windows" + ], + "symbols": [ + "LoadDLL" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/165798" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/9b6e9f0c8c66355c0f0575d808b32f52c8c6d21c" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/28978" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/z9eTD34GEIs/m/Z_XmhTrVAwAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0229.json b/data/osv/GO-2022-0229.json new file mode 100644 index 00000000..187f55e7 --- /dev/null +++ b/data/osv/GO-2022-0229.json @@ -0,0 +1,98 @@ +{ + "id": "GO-2022-0229", + "published": "2022-07-06T18:23:48Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-7919", + "GHSA-cjjc-xp8v-855w" + ], + "details": "On 32-bit architectures, a malformed input to crypto/x509 or\nthe ASN.1 parsing functions of golang.org/x/crypto/cryptobyte\ncan lead to a panic.\n\nThe malformed certificate can be delivered via a crypto/tls\nconnection to a client, or to a server that accepts client\ncertificates. net/http clients can be made to crash by an HTTPS\nserver, while net/http servers that accept client certificates\nwill recover the panic and are unaffected.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.16" + }, + { + "introduced": "1.13.0" + }, + { + "fixed": "1.13.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0229" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509" + } + ] + } + }, + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20200124225646-8b5121be2f68" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0229" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/cryptobyte" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/216680" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/216677" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/36837" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Hsw4mHYc470" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0230.json b/data/osv/GO-2022-0230.json new file mode 100644 index 00000000..89d375c2 --- /dev/null +++ b/data/osv/GO-2022-0230.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2022-0230", + "published": "2022-07-01T20:17:57Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-20206", + "GHSA-xjqr-g762-pxwp" + ], + "details": "The FindInPath function is vulnerable to directory traversal attacks,\npotentially permitting attackers to execute arbitrary binaries.\n\nThis function does not sanitize its plugin parameter, so parameter\nnames containing \"../\" or other such elements may reference\narbitrary locations on the filesystem.\n", + "affected": [ + { + "package": { + "name": "github.com/containernetworking/cni", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.8.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0230" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/containernetworking/cni/pkg/invoke", + "symbols": [ + "DelegateAdd", + "DelegateCheck", + "DelegateDel", + "FindInPath", + "RawExec.FindInPath" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/containernetworking/cni/pull/808" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1919391" + }, + { + "type": "WEB", + "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0233.json b/data/osv/GO-2022-0233.json new file mode 100644 index 00000000..5e9e622e --- /dev/null +++ b/data/osv/GO-2022-0233.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2022-0233", + "published": "2022-07-01T20:18:04Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-23409", + "GHSA-xcf7-q56x-78gh" + ], + "details": "The PROXY protocol server does not impose a timeout on reading the header\nfrom new connections, allowing a malicious client to cause resource\nexhaustion and a denial of service by opening many connections and\nsending no data on them.\n\nv0.6.0 of the proxyproto package adds support for a user-defined\nheader timeout. v0.6.1 adds a default timeout of 200ms and v0.6.2\nincreases the default timeout to 10s.\n", + "affected": [ + { + "package": { + "name": "github.com/pires/go-proxyproto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.6.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0233" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/pires/go-proxyproto", + "symbols": [ + "Listener.Accept" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/pires/go-proxyproto/pull/74" + }, + { + "type": "FIX", + "url": "https://github.com/pires/go-proxyproto/pull/74/commits/cdc63867da24fc609b727231f682670d0d1cd346" + }, + { + "type": "WEB", + "url": "https://github.com/pires/go-proxyproto/issues/65" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0236.json b/data/osv/GO-2022-0236.json new file mode 100644 index 00000000..743bab36 --- /dev/null +++ b/data/osv/GO-2022-0236.json @@ -0,0 +1,103 @@ +{ + "id": "GO-2022-0236", + "published": "2022-07-15T23:04:18Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-31525" + ], + "details": "A malicious HTTP server or client can cause the net/http client\nor server to panic.\n\nReadRequest and ReadResponse can hit an unrecoverable panic\nwhen reading a very large header (over 7MB on 64-bit architectures,\nor over 4MB on 32-bit ones). Transport and Client are vulnerable\nand the program can be made to crash by a malicious server.\nServer is not vulnerable by default, but can be if the default\nmax header of 1MB is overridden by setting Server.MaxHeaderBytes\nto a higher value, in which case the program can be made to\ncrash by a malicious client.\n\nThis also affects golang.org/x/net/http2/h2c and\nHeaderValuesContainsToken in golang.org/x/net/http/httpguts.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.12" + }, + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0236" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "http2clientStream.writeRequest", + "http2isConnectionCloseRequest", + "isProtocolSwitchHeader", + "shouldClose" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20210428140749-89ef3d95e781" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0236" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http/httpguts", + "symbols": [ + "HeaderValuesContainsToken", + "headerValueContainsToken" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/313069" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/89ef3d95e781148a0951956029c92a211477f7f9" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/45710" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0244.json b/data/osv/GO-2022-0244.json new file mode 100644 index 00000000..3e318bab --- /dev/null +++ b/data/osv/GO-2022-0244.json @@ -0,0 +1,64 @@ +{ + "id": "GO-2022-0244", + "published": "2022-07-15T23:06:26Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3538" + ], + "details": "Random data used to create UUIDs can contain zeros, resulting in\npredictable UUIDs and possible collisions.\n", + "affected": [ + { + "package": { + "name": "github.com/satori/go.uuid", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.2.1-0.20180103161547-0ef6afb2f6cd" + }, + { + "fixed": "1.2.1-0.20180404165556-75cca531ea76" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0244" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/satori/go.uuid", + "symbols": [ + "NewV1", + "NewV2", + "NewV4", + "rfc4122Generator.NewV1", + "rfc4122Generator.NewV2", + "rfc4122Generator.NewV4", + "rfc4122Generator.getClockSequence", + "rfc4122Generator.getHardwareAddr" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/satori/go.uuid/pull/75" + }, + { + "type": "FIX", + "url": "https://github.com/satori/go.uuid/commit/75cca531ea763666bc46e531da3b4c3b95f64557" + }, + { + "type": "REPORT", + "url": "https://github.com/satori/go.uuid/issues/73" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0246.json b/data/osv/GO-2022-0246.json new file mode 100644 index 00000000..1a6ebbf5 --- /dev/null +++ b/data/osv/GO-2022-0246.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2022-0246", + "published": "2022-07-15T23:06:38Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3761", + "GHSA-c8xp-8mf3-62h9" + ], + "details": "The ROAEntry.Validate function fails to perform bounds checks on\nthe MaxLength field, allowing invalid values to pass validation.\n", + "affected": [ + { + "package": { + "name": "github.com/cloudflare/cfrpki", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0246" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/cloudflare/cfrpki/validator/lib", + "symbols": [ + "ROAEntry.Validate", + "RPKIROA.ValidateEntries" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/cloudflare/cfrpki/pull/90" + }, + { + "type": "FIX", + "url": "https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422" + }, + { + "type": "WEB", + "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0247.json b/data/osv/GO-2022-0247.json new file mode 100644 index 00000000..f2c54aed --- /dev/null +++ b/data/osv/GO-2022-0247.json @@ -0,0 +1,85 @@ +{ + "id": "GO-2022-0247", + "published": "2022-05-24T20:14:28Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-38297" + ], + "details": "When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,\npassing very large arguments can cause portions of the module to be\noverwritten with data from the arguments due to a buffer overflow error.\n\nIf using wasm_exec.js to execute WASM modules, users will need to replace\ntheir copy (as described in\nhttps://golang.org/wiki/WebAssembly#getting-started) after rebuilding any\nmodules.\n", + "affected": [ + { + "package": { + "name": "toolchain", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.9" + }, + { + "introduced": "1.17.0" + }, + { + "fixed": "1.17.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0247" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "cmd/link", + "goos": [ + "js" + ], + "goarch": [ + "wasm" + ], + "symbols": [ + "Link.address" + ] + }, + { + "path": "misc/wasm", + "goos": [ + "js" + ], + "goarch": [ + "wasm" + ], + "symbols": [ + "run" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/354571" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/48797" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0248.json b/data/osv/GO-2022-0248.json new file mode 100644 index 00000000..9ccea86e --- /dev/null +++ b/data/osv/GO-2022-0248.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2022-0248", + "published": "2022-07-15T23:07:18Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3907", + "GHSA-cqh2-vc2f-q4fh" + ], + "details": "Manifest path extraction is vulnerable to directory traversal attacks.\n\nThe ExtractPathManifest function permits file paths containing relative\ndirectory components (\"..\"), permitting files to reference arbitrary\nlocations on the filesystem.\n", + "affected": [ + { + "package": { + "name": "github.com/cloudflare/cfrpki", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0248" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/cloudflare/cfrpki/validator/pki", + "symbols": [ + "ExtractPathManifest", + "SimpleManager.Explore", + "SimpleManager.ExploreAdd", + "Validator.AddManifest", + "Validator.AddResource" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0251.json b/data/osv/GO-2022-0251.json new file mode 100644 index 00000000..06db1336 --- /dev/null +++ b/data/osv/GO-2022-0251.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2022-0251", + "published": "2022-07-15T23:07:28Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3910", + "GHSA-5mxh-2qfv-4g7j" + ], + "details": "Invalid input data can cause a panic.\n", + "affected": [ + { + "package": { + "name": "github.com/cloudflare/cfrpki", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0251" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/cloudflare/cfrpki/validator/lib", + "symbols": [ + "BER2DER", + "DecodeManifest", + "DecoderConfig.DecodeManifest", + "readObject" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/cloudflare/cfrpki/commit/76f0f7a98da001fa04e5bc0407c6702f91096bfa" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0252.json b/data/osv/GO-2022-0252.json new file mode 100644 index 00000000..eb92bc4d --- /dev/null +++ b/data/osv/GO-2022-0252.json @@ -0,0 +1,57 @@ +{ + "id": "GO-2022-0252", + "published": "2022-07-15T23:07:41Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3911", + "GHSA-w6ww-fmfx-2x22" + ], + "details": "Invalid input data can cause a panic.\n", + "affected": [ + { + "package": { + "name": "github.com/cloudflare/cfrpki", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0252" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/cloudflare/cfrpki/validator/lib", + "symbols": [ + "DecodeROA", + "DecoderConfig.DecodeROA", + "GetRangeIP", + "IPNet.GetRange", + "RPKICertificate.ValidateIPCertificate", + "RPKIROA.ValidateIPRoaCertificate", + "ValidateIPCertificateList", + "ValidateIPRoaCertificateList" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/cloudflare/cfrpki/commit/2882307febd66801de97b2a2ce4d93fe58132005" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0253.json b/data/osv/GO-2022-0253.json new file mode 100644 index 00000000..7959c0fa --- /dev/null +++ b/data/osv/GO-2022-0253.json @@ -0,0 +1,50 @@ +{ + "id": "GO-2022-0253", + "published": "2022-07-15T23:07:48Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3912", + "GHSA-g9wh-3vrx-r7hg" + ], + "details": "The HTTPFetcher.GetXML function reads a response of unlimited size into\nmemory, permitting resource exhausion.\n", + "affected": [ + { + "package": { + "name": "github.com/cloudflare/cfrpki", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0253" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/cloudflare/cfrpki/sync/lib", + "symbols": [ + "HTTPFetcher.GetXML" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/cloudflare/cfrpki/commit/648658b1b176a747b52645989cfddc73a81eacad" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0254.json b/data/osv/GO-2022-0254.json new file mode 100644 index 00000000..4e92a0fe --- /dev/null +++ b/data/osv/GO-2022-0254.json @@ -0,0 +1,60 @@ +{ + "id": "GO-2022-0254", + "published": "2022-07-15T23:07:56Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-39137", + "GHSA-9856-9gg9-qcmq" + ], + "details": "A vulnerability in the Geth EVM can cause a node to reject the\ncanonical chain.\n\nA memory-corruption bug within the EVM can cause a consensus\nerror, where vulnerable nodes obtain a different stateRoot when\nprocessing a maliciously crafted transaction. This, in turn,\nwould lead to the chain being split in two forks.\n", + "affected": [ + { + "package": { + "name": "github.com/ethereum/go-ethereum", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0254" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ethereum/go-ethereum/core/vm", + "symbols": [ + "EVM.Call", + "EVM.CallCode", + "EVM.Create", + "EVM.Create2", + "EVM.DelegateCall", + "EVM.StaticCall", + "EVMInterpreter.Run", + "opCall", + "opCallCode", + "opDelegateCall", + "opStaticCall" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/ethereum/go-ethereum/pull/23381/commits/4d4879cafd1b3c906fc184a8c4a357137465128f" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0256.json b/data/osv/GO-2022-0256.json new file mode 100644 index 00000000..3af29872 --- /dev/null +++ b/data/osv/GO-2022-0256.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2022-0256", + "published": "2022-07-15T23:08:03Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-41173", + "GHSA-59hh-656j-3p7v" + ], + "details": "A maliciously crafted snap/1 protocol message can cause a panic.\n", + "affected": [ + { + "package": { + "name": "github.com/ethereum/go-ethereum", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.9" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0256" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ethereum/go-ethereum/eth/protocols/snap", + "symbols": [ + "handleMessage" + ] + }, + { + "path": "github.com/ethereum/go-ethereum/trie", + "symbols": [ + "SecureTrie.TryGetNode", + "Trie.TryGetNode", + "Trie.tryGetNode" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/ethereum/go-ethereum/pull/23657/commits/f1fd963a5a965e643e52fcf805a2a02a323c32b8" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0272.json b/data/osv/GO-2022-0272.json new file mode 100644 index 00000000..f9d2f4d5 --- /dev/null +++ b/data/osv/GO-2022-0272.json @@ -0,0 +1,87 @@ +{ + "id": "GO-2022-0272", + "published": "2022-07-15T23:08:12Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-23772", + "GHSA-jcxc-rh6w-wf49" + ], + "details": "The Context.UploadFormFiles function is vulnerable to directory\ntraversal attacks, and can be made to write to arbitrary locations\noutside the destination directory.\n\nThis vulnerability only occurs when built with Go versions prior to 1.17.\nGo 1.17 and later strip directory paths from filenames returned by\n\"mime/multipart\".Part.FileName, which avoids this issue.\n", + "affected": [ + { + "package": { + "name": "github.com/kataras/iris/v12", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "12.2.0-alpha8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0272" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/kataras/iris/v12/context", + "symbols": [ + "Context.UploadFormFiles" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/kataras/iris", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0272" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/kataras/iris/context", + "symbols": [ + "Context.UploadFormFiles" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08" + }, + { + "type": "WEB", + "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169" + }, + { + "type": "WEB", + "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0273.json b/data/osv/GO-2022-0273.json new file mode 100644 index 00000000..1ec54c09 --- /dev/null +++ b/data/osv/GO-2022-0273.json @@ -0,0 +1,68 @@ +{ + "id": "GO-2022-0273", + "published": "2022-05-18T18:23:31Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-39293" + ], + "details": "The NewReader and OpenReader functions in archive/zip can cause a panic or\nan unrecoverable fatal error when reading an archive that claims to contain\na large number of files, regardless of its actual size. This is\ncaused by an incomplete fix for CVE-2021-33196.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.8" + }, + { + "introduced": "1.17.0" + }, + { + "fixed": "1.17.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0273" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "archive/zip", + "symbols": [ + "NewReader", + "OpenReader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/343434" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/bacbc33439b124ffd7392c91a5f5d96eca8c0c0b" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/47801" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/dx9d7IOseHw" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0274.json b/data/osv/GO-2022-0274.json new file mode 100644 index 00000000..d8d6f750 --- /dev/null +++ b/data/osv/GO-2022-0274.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2022-0274", + "published": "2022-07-15T23:08:20Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-43784", + "GHSA-v95c-p5hm-xq8f" + ], + "details": "An attacker with partial control over the bind mount sources of a new\ncontainer can bypass namespace restrictions.\n", + "affected": [ + { + "package": { + "name": "github.com/opencontainers/runc", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.0.1-0.20211012131345-9c444070ec7b" + }, + { + "fixed": "1.1.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0274" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/opencontainers/runc/libcontainer", + "symbols": [ + "Bytemsg.Serialize", + "LinuxFactory.StartInitialization", + "linuxContainer.Run", + "linuxContainer.Start", + "linuxStandardInit.Init" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed" + }, + { + "type": "WEB", + "url": "https://github.com/opencontainers/runc/commit/dde509df4e28cec33b3c99c6cda3d4fd5beafc77" + }, + { + "type": "WEB", + "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2241" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0288.json b/data/osv/GO-2022-0288.json new file mode 100644 index 00000000..73295644 --- /dev/null +++ b/data/osv/GO-2022-0288.json @@ -0,0 +1,96 @@ +{ + "id": "GO-2022-0288", + "published": "2022-07-15T23:08:33Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-44716" + ], + "details": "An attacker can cause unbounded memory growth in servers accepting\nHTTP/2 requests.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.12" + }, + { + "introduced": "1.17.0" + }, + { + "fixed": "1.17.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0288" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "http2serverConn.canonicalHeader" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20211209124913-491a49abca63" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0288" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.canonicalHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/369794" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/50058" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0289.json b/data/osv/GO-2022-0289.json new file mode 100644 index 00000000..974bc1a4 --- /dev/null +++ b/data/osv/GO-2022-0289.json @@ -0,0 +1,75 @@ +{ + "id": "GO-2022-0289", + "published": "2022-05-18T18:23:23Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-44717" + ], + "details": "When a Go program running on a Unix system is out of file descriptors and\ncalls syscall.ForkExec (including indirectly by using the os/exec package),\nsyscall.ForkExec can close file descriptor 0 as it fails. If this happens\n(or can be provoked) repeatedly, it can result in misdirected I/O such as\nwriting network traffic intended for one connection to a different\nconnection, or content intended for one file to a different one.\n\nFor users who cannot immediately update to the new release, the bug can be\nmitigated by raising the per-process file descriptor limit.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.12" + }, + { + "introduced": "1.17.0" + }, + { + "fixed": "1.17.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0289" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "syscall", + "symbols": [ + "ForkExec" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/370576" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/a76511f3a40ea69ee4f5cd86e735e1c8a84f0aa2" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/50057" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/370577" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/370795" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0294.json b/data/osv/GO-2022-0294.json new file mode 100644 index 00000000..0f213dd7 --- /dev/null +++ b/data/osv/GO-2022-0294.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2022-0294", + "published": "2022-07-15T23:27:21Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-0317", + "GHSA-99cg-575x-774p" + ], + "details": "A local attacker can defeat remotely-attested measured boot.\n\nImproper input validation in AKPublic.Verify can cause it to succeed when\nprovided with a maliciously-formed Quote over no/some PCRs. Subsequent use\nof the same set of PCR values in Eventlog.Verify lacks the authentication\nperformed by quote verification, meaning a local attacker can couple this\nvulnerability with a maliciously-formed TCG log in Eventlog.Verify to spoof\nevents in the TCG log, defeating remotely-attested measured-boot.\n", + "affected": [ + { + "package": { + "name": "github.com/google/go-attestation", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0294" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/google/go-attestation/attest", + "symbols": [ + "AKPublic.Verify", + "AKPublic.validate12Quote", + "AKPublic.validate20Quote", + "TPM.AttestPlatform" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/google/go-attestation/commit/82f2c9c2c76e1d3691d17ee78116d1d93a123788" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0300.json b/data/osv/GO-2022-0300.json new file mode 100644 index 00000000..d5913258 --- /dev/null +++ b/data/osv/GO-2022-0300.json @@ -0,0 +1,56 @@ +{ + "id": "GO-2022-0300", + "published": "2022-07-15T23:10:20Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-21708", + "GHSA-mh3m-8c74-74xh" + ], + "details": "Malicious inputs can cause a panic.\n\nA maliciously crafted input can cause a stack overflow and panic.\nAny user with access to the GraphQL can send such a query.\n\nThis issue only occurs when using the graphql.MaxDepth schema option\n(which is highly recommended in most cases).\n", + "affected": [ + { + "package": { + "name": "github.com/graph-gophers/graphql-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0300" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/graph-gophers/graphql-go", + "symbols": [ + "Schema.Exec", + "Schema.Subscribe", + "Schema.ToJSON", + "Schema.Validate", + "Schema.ValidateWithVariables", + "Schema.exec", + "Schema.subscribe" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/graph-gophers/graphql-go/commit/eae31ca73eb3473c544710955d1dbebc22605bfe" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0316.json b/data/osv/GO-2022-0316.json new file mode 100644 index 00000000..4ea3a946 --- /dev/null +++ b/data/osv/GO-2022-0316.json @@ -0,0 +1,61 @@ +{ + "id": "GO-2022-0316", + "published": "2022-07-27T20:27:33Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-23628", + "GHSA-hcw3-j74m-qc58" + ], + "details": "Pretty-printing an AST that contains synthetic nodes can change the logic\nof some statements by reordering array literals.\n", + "affected": [ + { + "package": { + "name": "github.com/open-policy-agent/opa", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.33.1" + }, + { + "fixed": "0.37.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0316" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/open-policy-agent/opa/format", + "symbols": [ + "Ast", + "MustAst", + "Source", + "groupIterable" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-hcw3-j74m-qc58" + }, + { + "type": "FIX", + "url": "https://github.com/open-policy-agent/opa/commit/932e4ffc37a590ace79e9b75ca4340288c220239" + }, + { + "type": "WEB", + "url": "https://github.com/open-policy-agent/opa/commit/2bd8edab9e10e2dc9cf76ae8335ced0c224f3055" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0318.json b/data/osv/GO-2022-0318.json new file mode 100644 index 00000000..af8dc1b0 --- /dev/null +++ b/data/osv/GO-2022-0318.json @@ -0,0 +1,68 @@ +{ + "id": "GO-2022-0318", + "published": "2022-08-01T22:20:42Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-23773" + ], + "details": "Incorrect access control is possible in the go command.\n\nThe go command can misinterpret branch names that falsely appear to be\nversion tags. This can lead to incorrect access control if an actor is\nauthorized to create branches but not tags.\n", + "affected": [ + { + "package": { + "name": "toolchain", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.14" + }, + { + "introduced": "1.17.0" + }, + { + "fixed": "1.17.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0318" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "cmd/go/internal/modfetch", + "symbols": [ + "codeRepo.convert", + "codeRepo.validatePseudoVersion" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/378400" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/35671" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0322.json b/data/osv/GO-2022-0322.json new file mode 100644 index 00000000..a0376a79 --- /dev/null +++ b/data/osv/GO-2022-0322.json @@ -0,0 +1,48 @@ +{ + "id": "GO-2022-0322", + "published": "2022-07-15T23:29:02Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-21698", + "GHSA-cg3q-j54f-5p7p" + ], + "details": "The Prometheus client_golang HTTP server is vulnerable to a denial of\nservice attack when handling requests with non-standard HTTP methods.\n\nIn order to be affected, an instrumented software must use any of\nthe promhttp.InstrumentHandler* middleware except `RequestsInFlight`;\nnot filter any specific methods (e.g GET) before middleware;\npass a metric with a \"method\" label name to a middleware; and not\nhave any firewall/LB/proxy that filters away requests with unknown\n\"method\".\n", + "affected": [ + { + "package": { + "name": "github.com/prometheus/client_golang", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0322" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/prometheus/client_golang/prometheus/promhttp", + "symbols": [ + "flusherDelegator.Flush", + "readerFromDelegator.ReadFrom", + "responseWriterDelegator.Write", + "responseWriterDelegator.WriteHeader", + "sanitizeMethod" + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0345.json b/data/osv/GO-2022-0345.json new file mode 100644 index 00000000..f5be77c9 --- /dev/null +++ b/data/osv/GO-2022-0345.json @@ -0,0 +1,50 @@ +{ + "id": "GO-2022-0345", + "published": "2022-07-15T23:30:21Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3602", + "GHSA-7638-r9r3-rmjj" + ], + "details": "The RunUsingChroot function unintentionally propagates environment\nvariables from the current process to the child process.\n", + "affected": [ + { + "package": { + "name": "github.com/containers/buildah", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.22.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0345" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/containers/buildah/chroot", + "symbols": [ + "RunUsingChroot" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0346.json b/data/osv/GO-2022-0346.json new file mode 100644 index 00000000..964c9d91 --- /dev/null +++ b/data/osv/GO-2022-0346.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2022-0346", + "published": "2022-07-15T23:30:27Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3762", + "GHSA-mq47-6wwv-v79w" + ], + "details": "A maliciously crafted RPM file can cause the Scanner.Scan function to\nwrite files with arbitrary contents to arbitrary locations on the local\nfilestem.\n", + "affected": [ + { + "package": { + "name": "github.com/quay/claircore", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0346" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/quay/claircore/rpm", + "symbols": [ + "Scanner.Scan" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/quay/claircore/pull/478" + }, + { + "type": "FIX", + "url": "https://github.com/quay/claircore/commit/691f2023a1720a0579e688b69a2f4bfe1f4b7821" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0355.json b/data/osv/GO-2022-0355.json new file mode 100644 index 00000000..9a2bbcc2 --- /dev/null +++ b/data/osv/GO-2022-0355.json @@ -0,0 +1,275 @@ +{ + "id": "GO-2022-0355", + "published": "2022-07-27T20:26:59Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-21221", + "GHSA-fx95-883v-4q4h" + ], + "details": "The fasthttp.FS request handler is vulnerable to directory traversal\nattacks on Windows systems, and can serve files from outside the\nprovided root directory.\n\nURL path normalization does not handle Windows path separators\n(backslashes), permitting an attacker to construct requests\nwith relative paths.\n", + "affected": [ + { + "package": { + "name": "github.com/valyala/fasthttp", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.34.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0355" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/valyala/fasthttp", + "symbols": [ + "AppendBrotliBytes", + "AppendBrotliBytesLevel", + "AppendDeflateBytes", + "AppendDeflateBytesLevel", + "AppendGunzipBytes", + "AppendGzipBytes", + "AppendGzipBytesLevel", + "AppendHTTPDate", + "AppendInflateBytes", + "AppendUnbrotliBytes", + "Args.WriteTo", + "Client.CloseIdleConnections", + "Client.Do", + "Client.DoDeadline", + "Client.DoRedirects", + "Client.DoTimeout", + "Client.Get", + "Client.GetDeadline", + "Client.GetTimeout", + "Client.Post", + "Cookie.AppendBytes", + "Cookie.Cookie", + "Cookie.Parse", + "Cookie.ParseBytes", + "Cookie.String", + "Cookie.WriteTo", + "Dial", + "DialDualStack", + "DialDualStackTimeout", + "DialTimeout", + "Do", + "DoDeadline", + "DoRedirects", + "DoTimeout", + "FS.NewRequestHandler", + "FSHandler", + "FileLastModified", + "GenerateTestCertificate", + "Get", + "GetDeadline", + "GetTimeout", + "HostClient.CloseIdleConnections", + "HostClient.Do", + "HostClient.DoDeadline", + "HostClient.DoRedirects", + "HostClient.DoTimeout", + "HostClient.Get", + "HostClient.GetDeadline", + "HostClient.GetTimeout", + "HostClient.Post", + "LBClient.Do", + "LBClient.DoDeadline", + "LBClient.DoTimeout", + "ListenAndServe", + "ListenAndServeTLS", + "ListenAndServeTLSEmbed", + "ListenAndServeUNIX", + "NewStreamReader", + "ParseByteRange", + "ParseHTTPDate", + "ParseIPv4", + "PipelineClient.Do", + "PipelineClient.DoDeadline", + "PipelineClient.DoTimeout", + "PipelineClient.PendingRequests", + "Post", + "Request.Body", + "Request.BodyGunzip", + "Request.BodyInflate", + "Request.BodyUnbrotli", + "Request.BodyWriteTo", + "Request.ContinueReadBody", + "Request.ContinueReadBodyStream", + "Request.Host", + "Request.MultipartForm", + "Request.PostArgs", + "Request.Read", + "Request.ReadBody", + "Request.ReadLimitBody", + "Request.SetBodyStreamWriter", + "Request.SetHost", + "Request.SetHostBytes", + "Request.String", + "Request.SwapBody", + "Request.URI", + "Request.Write", + "Request.WriteTo", + "RequestCtx.FormFile", + "RequestCtx.FormValue", + "RequestCtx.Host", + "RequestCtx.IfModifiedSince", + "RequestCtx.MultipartForm", + "RequestCtx.Path", + "RequestCtx.PostArgs", + "RequestCtx.PostBody", + "RequestCtx.QueryArgs", + "RequestCtx.Redirect", + "RequestCtx.RedirectBytes", + "RequestCtx.SendFile", + "RequestCtx.SendFileBytes", + "RequestCtx.SetBodyStreamWriter", + "RequestCtx.String", + "RequestCtx.URI", + "RequestHeader.Add", + "RequestHeader.AddBytesK", + "RequestHeader.AddBytesKV", + "RequestHeader.AddBytesV", + "RequestHeader.Read", + "RequestHeader.ReadTrailer", + "RequestHeader.Set", + "RequestHeader.SetByteRange", + "RequestHeader.SetBytesK", + "RequestHeader.SetBytesKV", + "RequestHeader.SetBytesV", + "RequestHeader.SetCanonical", + "RequestHeader.SetReferer", + "RequestHeader.SetRefererBytes", + "RequestHeader.Write", + "Response.Body", + "Response.BodyGunzip", + "Response.BodyInflate", + "Response.BodyUnbrotli", + "Response.BodyWriteTo", + "Response.Read", + "Response.ReadBody", + "Response.ReadLimitBody", + "Response.SendFile", + "Response.SetBodyStreamWriter", + "Response.String", + "Response.SwapBody", + "Response.Write", + "Response.WriteDeflate", + "Response.WriteDeflateLevel", + "Response.WriteGzip", + "Response.WriteGzipLevel", + "Response.WriteTo", + "ResponseHeader.Add", + "ResponseHeader.AddBytesK", + "ResponseHeader.AddBytesKV", + "ResponseHeader.AddBytesV", + "ResponseHeader.AppendBytes", + "ResponseHeader.Cookie", + "ResponseHeader.DelClientCookie", + "ResponseHeader.DelClientCookieBytes", + "ResponseHeader.Header", + "ResponseHeader.Read", + "ResponseHeader.ReadTrailer", + "ResponseHeader.Set", + "ResponseHeader.SetBytesK", + "ResponseHeader.SetBytesKV", + "ResponseHeader.SetBytesV", + "ResponseHeader.SetCanonical", + "ResponseHeader.SetContentRange", + "ResponseHeader.SetCookie", + "ResponseHeader.SetLastModified", + "ResponseHeader.String", + "ResponseHeader.Write", + "ResponseHeader.WriteTo", + "SaveMultipartFile", + "Serve", + "ServeConn", + "ServeFile", + "ServeFileBytes", + "ServeFileBytesUncompressed", + "ServeFileUncompressed", + "ServeTLS", + "ServeTLSEmbed", + "Server.AppendCert", + "Server.AppendCertEmbed", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.ListenAndServeTLSEmbed", + "Server.ListenAndServeUNIX", + "Server.Serve", + "Server.ServeConn", + "Server.ServeTLS", + "Server.ServeTLSEmbed", + "Server.Shutdown", + "TCPDialer.Dial", + "TCPDialer.DialDualStack", + "TCPDialer.DialDualStackTimeout", + "TCPDialer.DialTimeout", + "URI.Parse", + "URI.Update", + "URI.UpdateBytes", + "URI.WriteTo", + "WriteBrotli", + "WriteBrotliLevel", + "WriteDeflate", + "WriteDeflateLevel", + "WriteGunzip", + "WriteGzip", + "WriteGzipLevel", + "WriteInflate", + "WriteMultipartForm", + "WriteUnbrotli", + "bigFileReader.Read", + "bigFileReader.WriteTo", + "ctxLogger.Printf", + "firstByteReader.Read", + "flushWriter.Write", + "fsFile.NewReader", + "fsSmallFileReader.WriteTo", + "hijackConn.Close", + "hijackConn.Read", + "perIPConn.Close", + "perIPConnCounter.Unregister", + "pipelineConnClient.Do", + "pipelineConnClient.DoDeadline", + "pipelineConnClient.PendingRequests", + "requestStream.Read", + "statsWriter.Write", + "tcpKeepaliveListener.Accept", + "workerPool.Serve" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1" + }, + { + "type": "WEB", + "url": "https://github.com/valyala/fasthttp/issues/1226" + }, + { + "type": "WEB", + "url": "https://github.com/valyala/fasthttp/releases/tag/v1.34.0" + }, + { + "type": "WEB", + "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0370.json b/data/osv/GO-2022-0370.json new file mode 100644 index 00000000..e7784f8b --- /dev/null +++ b/data/osv/GO-2022-0370.json @@ -0,0 +1,69 @@ +{ + "id": "GO-2022-0370", + "published": "2022-07-29T20:00:14Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-24968", + "GHSA-h289-x5wc-xcv8", + "GHSA-m658-p24x-p74r" + ], + "details": "Websocket client connections are vulnerable to man-in-the-middle\nattacks via DNS spoofing.\n\nWhen looking up a WSS endpoint using a DNS TXT record, the server\nTLS certificate is incorrectly validated using the name of the\nserver returned by the TXT record request, not the name of the\nthe server being connected to. This permits any attacker that\ncan spoof a DNS record to redirect the user to a server of their\nchoosing.\n\nProviding a *tls.Config with a ServerName field set to the\ncorrect destination hostname will avoid this issue.\n", + "affected": [ + { + "package": { + "name": "mellium.im/xmpp", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.18.0" + }, + { + "fixed": "0.21.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0370" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "mellium.im/xmpp/websocket", + "symbols": [ + "Dial", + "DialDirect", + "DialSession", + "Dialer.Dial", + "Dialer.DialDirect", + "Dialer.config", + "NewClient" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://mellium.im/cve/cve-2022-24968/" + }, + { + "type": "FIX", + "url": "https://github.com/mellium/xmpp/pull/260" + }, + { + "type": "FIX", + "url": "https://github.com/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac" + }, + { + "type": "REPORT", + "url": "https://mellium.im/issue/259" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0379.json b/data/osv/GO-2022-0379.json new file mode 100644 index 00000000..08c9d49b --- /dev/null +++ b/data/osv/GO-2022-0379.json @@ -0,0 +1,49 @@ +{ + "id": "GO-2022-0379", + "published": "2022-07-29T20:00:03Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-qq97-vm5h-rrhg" + ], + "details": "Systems that rely on digest equivalence for image attestations may be\nvulnerable to type confusion.\n\nA maliciously crafted OCI Container Image can cause registry clients to\nparse the same image in two different ways without modifying the image's\ndigest, invalidating the common pattern of relying on container image\ndigests for equivalence.\n\nThis problem has been addressed in newer versions by improving validation\nin manifest unmarshaling.\n", + "affected": [ + { + "package": { + "name": "github.com/docker/distribution", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.8.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0379" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/docker/distribution", + "symbols": [ + "UnmarshalManifest" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0380.json b/data/osv/GO-2022-0380.json new file mode 100644 index 00000000..674ae500 --- /dev/null +++ b/data/osv/GO-2022-0380.json @@ -0,0 +1,56 @@ +{ + "id": "GO-2022-0380", + "published": "2022-07-15T23:29:36Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-26892", + "GHSA-2c64-vj8g-vwrq", + "GHSA-4w5x-x539-ppf5" + ], + "details": "The AccountClaims.IsRevoked and Export.IsRevoked functions improperly\nvalidate expired credentials using the current system time rather than\nthe issue time of the JWT to be tested.\n\nThese functions cannot be used properly. Newer versions of the jwt package\nprovide an IsClaimRevoked method which performs correct validation.\nIn these versions, the IsRevoked method always return true.\n\n(This advisory is canonically https://advisories.nats.io/CVE/CVE-2020-26892.txt)\n", + "affected": [ + { + "package": { + "name": "github.com/nats-io/jwt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0380" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/nats-io/jwt", + "symbols": [ + "AccountClaims.IsRevoked", + "Export.IsRevoked" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/nats-io/jwt/commit/e11ce317263cef69619fc1ca743b195d02aa1d8a" + }, + { + "type": "WEB", + "url": "https://advisories.nats.io/CVE/CVE-2020-26892.txt" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0384.json b/data/osv/GO-2022-0384.json new file mode 100644 index 00000000..7dbd7ffe --- /dev/null +++ b/data/osv/GO-2022-0384.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2022-0384", + "published": "2022-07-15T23:29:45Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-32690", + "GHSA-56hp-xqp3-w2jf", + "GHSA-7jr6-prv4-5wf5" + ], + "details": "The username and password credentials associated with a Helm repository\ncan be passed to another domain referenced by that Helm repository.\n\nIf the index.yaml for a Helm repository is hosted on one domain and\nreferences a chart archive on a different domain, Helm will provide\nthe credentials for the index.yaml's domain when fetching those\narchives.\n\nFor further details, see\nhttps://github.com/advisories/GHSA-56hp-xqp3-w2jf.\n", + "affected": [ + { + "package": { + "name": "helm.sh/helm/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.6.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0384" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "helm.sh/helm/v3/pkg/downloader", + "symbols": [ + "ChartDownloader.DownloadTo", + "ChartDownloader.ResolveChartVersion", + "Manager.Build", + "Manager.Update" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/helm/helm/commit/61d8e8c4a6f95540c15c6a65f36a6dd0a45e7a2f" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0386.json b/data/osv/GO-2022-0386.json new file mode 100644 index 00000000..770d6fef --- /dev/null +++ b/data/osv/GO-2022-0386.json @@ -0,0 +1,95 @@ +{ + "id": "GO-2022-0386", + "published": "2022-07-01T20:11:22Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3127", + "GHSA-j756-f273-xhp4", + "GHSA-62mh-w5cv-p88c", + "GHSA-9r5x-fjv3-q6h4" + ], + "details": "Import tokens valid for one account may be used for any other account.\n\nValidation of Import token bindings incorrectly warns on mismatches,\nrather than rejecting the Goken. This permits a token for one account\nto be used for any other account.\n\nFor further details and mitigation procedures, see\nhttps://advisories.nats.io/CVE/CVE-2021-3127.txt\n", + "affected": [ + { + "package": { + "name": "github.com/nats-io/jwt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.3-0.20210314221642-a826c77dc9d2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0386" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/nats-io/jwt", + "symbols": [ + "Account.Validate", + "AccountClaims.Validate", + "ActivationClaims.Validate", + "Import.Validate", + "Imports.Validate" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/nats-io/jwt/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0386" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/nats-io/jwt/v2", + "symbols": [ + "Account.Validate", + "AccountClaims.Validate", + "Import.Validate", + "Imports.Validate" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/nats-io/jwt/pull/149" + }, + { + "type": "WEB", + "url": "https://advisories.nats.io/CVE/CVE-2021-3127.txt" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0391.json b/data/osv/GO-2022-0391.json new file mode 100644 index 00000000..1a755ee1 --- /dev/null +++ b/data/osv/GO-2022-0391.json @@ -0,0 +1,61 @@ +{ + "id": "GO-2022-0391", + "published": "2022-07-01T20:10:56Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-2582", + "GHSA-76wf-9vgp-pj7w" + ], + "details": "The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside\nthe ciphertext as a metadata field. This hash can be used to brute force\nthe plaintext, if the hash is readable to the attacker.\n\nAWS now blocks this metadata field, but older SDK versions still send it.\n", + "affected": [ + { + "package": { + "name": "github.com/aws/aws-sdk-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.34.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0391" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/aws/aws-sdk-go/service/s3/s3crypto", + "symbols": [ + "DecryptionClient.GetObject", + "DecryptionClient.GetObjectWithContext", + "EncryptionClient.PutObject", + "EncryptionClient.PutObjectWithContext", + "S3LoadStrategy.Load", + "S3SaveStrategy.Save", + "defaultV2LoadStrategy.Load", + "encodeMeta", + "kmsKeyHandler.DecryptKey", + "kmsKeyHandler.DecryptKeyWithContext", + "kmsKeyHandler.GenerateCipherData", + "kmsKeyHandler.GenerateCipherDataWithContext" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0400.json b/data/osv/GO-2022-0400.json new file mode 100644 index 00000000..b4dcc01c --- /dev/null +++ b/data/osv/GO-2022-0400.json @@ -0,0 +1,51 @@ +{ + "id": "GO-2022-0400", + "published": "2022-07-01T20:10:50Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-2583", + "GHSA-h2x7-2ff6-v32p" + ], + "details": "A race condition can cause incorrect HTTP request routing.", + "affected": [ + { + "package": { + "name": "github.com/ntbosscher/gobase", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0400" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ntbosscher/gobase/auth/httpauth", + "symbols": [ + "Setup", + "middleware" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/ntbosscher/gobase/commit/a8d40bce9c429d324122d18c446924dab809e812" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0402.json b/data/osv/GO-2022-0402.json new file mode 100644 index 00000000..9be58a4b --- /dev/null +++ b/data/osv/GO-2022-0402.json @@ -0,0 +1,60 @@ +{ + "id": "GO-2022-0402", + "published": "2022-07-01T20:10:43Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-26521", + "GHSA-hmm9-r2m2-qg9w", + "GHSA-h2fg-54x9-5qhq" + ], + "details": "A malicious account can create and sign a User JWT which causes a panic\nwhen decoded by the NATS JWT library.\n", + "affected": [ + { + "package": { + "name": "github.com/nats-io/jwt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0402" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/nats-io/jwt", + "symbols": [ + "Account.Validate", + "AccountClaims.Validate", + "Export.Validate", + "Exports.Validate", + "Import.Validate", + "Imports.Validate" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/nats-io/jwt/pull/107" + }, + { + "type": "WEB", + "url": "https://advisories.nats.io/CVE/CVE-2020-26521.txt" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0411.json b/data/osv/GO-2022-0411.json new file mode 100644 index 00000000..98f166c1 --- /dev/null +++ b/data/osv/GO-2022-0411.json @@ -0,0 +1,51 @@ +{ + "id": "GO-2022-0411", + "published": "2022-07-01T20:08:24Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-4238", + "GHSA-xg2h-wx96-xgxr" + ], + "details": "Randomly-generated alphanumeric strings contain significantly less entropy\nthan expected.\n\nThe RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return\nstrings containing at least one digit from 0 to 9. This significantly\nreduces the amount of entropy in short strings generated by these functions.\n", + "affected": [ + { + "package": { + "name": "github.com/Masterminds/goutils", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0411" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/Masterminds/goutils", + "symbols": [ + "CryptoRandomAlphaNumeric", + "RandomAlphaNumeric" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0414.json b/data/osv/GO-2022-0414.json new file mode 100644 index 00000000..c5c52544 --- /dev/null +++ b/data/osv/GO-2022-0414.json @@ -0,0 +1,65 @@ +{ + "id": "GO-2022-0414", + "published": "2022-07-01T20:08:17Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-21235", + "GHSA-6635-c626-vj4r" + ], + "details": "Passing untrusted inputs to VCS functions can permit an attacker\nto execute arbitrary commands.\n\nThe vcs package executes version control commands with\nuser-provided arguments. These arguments can be interpreted\nas command-line flags, which can be used to perform command\ninjection.\n", + "affected": [ + { + "package": { + "name": "github.com/Masterminds/vcs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0414" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/Masterminds/vcs", + "symbols": [ + "BzrRepo.ExportDir", + "BzrRepo.Get", + "BzrRepo.Init", + "BzrRepo.Ping", + "GitRepo.Get", + "GitRepo.Init", + "GitRepo.Update", + "HgRepo.ExportDir", + "HgRepo.Get", + "HgRepo.Init", + "HgRepo.Ping", + "NewRepo", + "NewSvnRepo", + "SvnRepo.ExportDir", + "SvnRepo.Get", + "SvnRepo.Ping" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/Masterminds/vcs/pull/105" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0417.json b/data/osv/GO-2022-0417.json new file mode 100644 index 00000000..d3aed8f6 --- /dev/null +++ b/data/osv/GO-2022-0417.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2022-0417", + "published": "2022-07-01T20:08:10Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-27651", + "GHSA-c3g4-w6cv-6v7h" + ], + "details": "Containers are created with non-empty inheritable Linux process\ncapabilities, permitting programs with inheritable file capabilities\nto elevate those capabilities to the permitted set during execve(2).\n\nThis bug does not affect the container security sandbox, as the\ninheritable set never contains more capabilities than are included\nin the container's bounding set.\n", + "affected": [ + { + "package": { + "name": "github.com/containers/buildah", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0417" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/containers/buildah", + "symbols": [ + "Builder.Run", + "setupCapAdd", + "setupCapDrop" + ] + }, + { + "path": "github.com/containers/buildah/chroot", + "symbols": [ + "setCapabilities" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066840" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0422.json b/data/osv/GO-2022-0422.json new file mode 100644 index 00000000..efc6ef62 --- /dev/null +++ b/data/osv/GO-2022-0422.json @@ -0,0 +1,53 @@ +{ + "id": "GO-2022-0422", + "published": "2022-07-01T20:08:04Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-2584", + "GHSA-g3vv-g2j5-45f2" + ], + "details": "The dag-pb codec can panic when decoding invalid blocks.", + "affected": [ + { + "package": { + "name": "github.com/ipld/go-codec-dagpb", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0422" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ipld/go-codec-dagpb", + "symbols": [ + "Decode", + "DecodeBytes", + "Decoder", + "Unmarshal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0425.json b/data/osv/GO-2022-0425.json new file mode 100644 index 00000000..45ec6a7f --- /dev/null +++ b/data/osv/GO-2022-0425.json @@ -0,0 +1,55 @@ +{ + "id": "GO-2022-0425", + "published": "2022-02-15T01:57:18Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-4239", + "GHSA-g9mp-8g3h-3c5c" + ], + "details": "The Noise protocol implementation suffers from weakened\ncryptographic security after encrypting 2^64 messages, and a\npotential denial of service attack.\n\nAfter 2^64 (~18.4 quintillion) messages are encrypted with the\nEncrypt function, the nonce counter will wrap around, causing\nmultiple messages to be encrypted with the same key and nonce.\n\nIn a separate issue, the Decrypt function increments the nonce\nstate even when it fails to decrypt a message. If an attacker\ncan provide an invalid input to the Decrypt function, this will\ncause the nonce state to desynchronize between the peers,\nresulting in a failure to encrypt all subsequent messages.\n", + "affected": [ + { + "package": { + "name": "github.com/flynn/noise", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0425" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/flynn/noise", + "symbols": [ + "CipherState.Decrypt", + "CipherState.Encrypt", + "HandshakeState.ReadMessage", + "HandshakeState.WriteMessage", + "symmetricState.DecryptAndHash", + "symmetricState.EncryptAndHash" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/flynn/noise/pull/44" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0433.json b/data/osv/GO-2022-0433.json new file mode 100644 index 00000000..e7b3632f --- /dev/null +++ b/data/osv/GO-2022-0433.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0433", + "published": "2022-05-20T21:17:25Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-24675" + ], + "details": "encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has\na Decode stack overflow via a large amount of PEM data.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.9" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0433" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/pem", + "symbols": [ + "Decode" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/399820" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/45c3387d777caf28f4b992ad9a6216e3085bb8fe" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/51853" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0434.json b/data/osv/GO-2022-0434.json new file mode 100644 index 00000000..b73eff8d --- /dev/null +++ b/data/osv/GO-2022-0434.json @@ -0,0 +1,64 @@ +{ + "id": "GO-2022-0434", + "published": "2022-05-23T21:59:00Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-27536" + ], + "details": "Verifying certificate chains containing certificates which are not compliant\nwith RFC 5280 causes Certificate.Verify to panic on macOS.\n\nThese chains can be delivered through TLS and can cause a crypto/tls or\nnet/http client to crash.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0434" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "goos": [ + "darwin" + ], + "symbols": [ + "Certificate.Verify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/393655" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/0fca8a8f25cf4636fd980e72ba0bded4230922de" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/51759" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0435.json b/data/osv/GO-2022-0435.json new file mode 100644 index 00000000..e09079bc --- /dev/null +++ b/data/osv/GO-2022-0435.json @@ -0,0 +1,68 @@ +{ + "id": "GO-2022-0435", + "published": "2022-05-20T21:17:46Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-28327" + ], + "details": "A crafted scalar input longer than 32 bytes can cause P256().ScalarMult\nor P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and\ncrypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.9" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0435" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/elliptic", + "symbols": [ + "P256.ScalarBaseMult", + "P256.ScalarMult" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/397135" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/37065847d87df92b5eb246c88ba2085efcf0b331" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52075" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0438.json b/data/osv/GO-2022-0438.json new file mode 100644 index 00000000..f714bd8a --- /dev/null +++ b/data/osv/GO-2022-0438.json @@ -0,0 +1,65 @@ +{ + "id": "GO-2022-0438", + "published": "2022-07-01T20:07:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29810", + "GHSA-27rq-4943-qcwp" + ], + "details": "The getter package can write SSH credentials to its logfile,\nexposing credentials to local users able to read the logfile.\n", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/go-getter", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.11" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0438" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/hashicorp/go-getter", + "symbols": [ + "Client.ChecksumFromFile", + "Client.Get", + "FolderStorage.Get", + "Get", + "GetAny", + "GetFile", + "HttpGetter.Get", + "RedactURL" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/hashicorp/go-getter/pull/348" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/go-getter/releases/tag/v1.5.11" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0444.json b/data/osv/GO-2022-0444.json new file mode 100644 index 00000000..51d27327 --- /dev/null +++ b/data/osv/GO-2022-0444.json @@ -0,0 +1,65 @@ +{ + "id": "GO-2022-0444", + "published": "2022-07-01T20:07:44Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29173", + "GHSA-66x3-6cw3-v5gj" + ], + "details": "The TUF client is vulnerable to rollback attacks, in which an\nattacker causes a client to install software older than the software\nthe client previously knew to be available.\n", + "affected": [ + { + "package": { + "name": "github.com/theupdateframework/go-tuf", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0444" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/theupdateframework/go-tuf/client", + "symbols": [ + "Client.Download", + "Client.Init", + "Client.Target", + "Client.Update", + "Client.UpdateRoots", + "Client.decodeRoot", + "Client.decodeTargets", + "Client.decodeTimestamp", + "Client.downloadMetaFromSnapshot", + "Client.downloadMetaFromTimestamp" + ] + }, + { + "path": "github.com/theupdateframework/go-tuf/util", + "symbols": [ + "TimestampFileMetaEqual" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/theupdateframework/go-tuf/commit/ed6788e710fc3093a7ecc2d078bf734c0f200d8d" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0460.json b/data/osv/GO-2022-0460.json new file mode 100644 index 00000000..71ee46fc --- /dev/null +++ b/data/osv/GO-2022-0460.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2022-0460", + "published": "2022-07-01T20:07:34Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29190", + "GHSA-cm8f-h6j3-p25c" + ], + "details": "An attacker can send packets that send the DTLS server or client\ninto an infinite loop.\n", + "affected": [ + { + "package": { + "name": "github.com/pion/dtls/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0460" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/pion/dtls/v2", + "symbols": [ + "Client", + "ClientWithContext", + "Dial", + "DialWithContext", + "Resume", + "Server", + "ServerWithContext", + "fragmentBuffer.pop", + "handshakeFSM.Run", + "listener.Accept" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/pion/dtls/commit/e0b2ce3592e8e7d73713ac67b363a2e192a4cecf" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0461.json b/data/osv/GO-2022-0461.json new file mode 100644 index 00000000..e88dd979 --- /dev/null +++ b/data/osv/GO-2022-0461.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2022-0461", + "published": "2022-07-01T20:07:25Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29189", + "GHSA-cx94-mrg9-rq4j" + ], + "details": "Attacker can cause unbounded memory consumption.\n\nThe Pion DTLS client and server buffer handshake data with no\nupper limit, permitting an attacker to cause unbounded memory\nconsumption by sending an unterminated handshake.\n", + "affected": [ + { + "package": { + "name": "github.com/pion/dtls/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0461" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/pion/dtls/v2", + "symbols": [ + "Client", + "ClientWithContext", + "Dial", + "DialWithContext", + "Resume", + "Server", + "ServerWithContext", + "fragmentBuffer.push", + "handshakeFSM.Run", + "listener.Accept" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/pion/dtls/commit/a6397ff7282bc56dc37a68ea9211702edb4de1de" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0462.json b/data/osv/GO-2022-0462.json new file mode 100644 index 00000000..22196797 --- /dev/null +++ b/data/osv/GO-2022-0462.json @@ -0,0 +1,63 @@ +{ + "id": "GO-2022-0462", + "published": "2022-07-01T20:07:12Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29222", + "GHSA-w45j-f832-hxvh" + ], + "details": "Client-provided certificates are not correctly validated,\nand must not be trusted.\n\nDTLS client certificates must be accompanied by proof that the client\npossesses the private key for the certificate. The Pion DTLS server\naccepted client certificates unaccompanied by this proof, permitting\nan attacker to present any certificate and have it accepted as valid.\n", + "affected": [ + { + "package": { + "name": "github.com/pion/dtls/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0462" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/pion/dtls/v2", + "symbols": [ + "Client", + "ClientWithContext", + "Dial", + "DialWithContext", + "Resume", + "Server", + "ServerWithContext", + "flight4Parse", + "handshakeFSM.Run", + "listener.Accept" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412" + }, + { + "type": "WEB", + "url": "https://github.com/pion/dtls/security/advisories/GHSA-w45j-f832-hxvh" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0463.json b/data/osv/GO-2022-0463.json new file mode 100644 index 00000000..d906aa89 --- /dev/null +++ b/data/osv/GO-2022-0463.json @@ -0,0 +1,329 @@ +{ + "id": "GO-2022-0463", + "published": "2022-07-01T20:06:59Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31259", + "GHSA-qx32-f6g6-fcfr" + ], + "details": "Routes in the beego HTTP router can match unintended patterns.\nThis overly-broad matching may permit an attacker to bypass access\ncontrols.\n\nFor example, the pattern \"/a/b/:name\" can match the URL \"/a.xml/b/\".\nThis may bypass access control applied to the prefix \"/a/\".\n", + "affected": [ + { + "package": { + "name": "github.com/beego/beego", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.9" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0463" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/beego/beego", + "symbols": [ + "App.Run", + "ControllerRegister.FindPolicy", + "ControllerRegister.FindRouter", + "ControllerRegister.ServeHTTP", + "FilterRouter.ValidRouter", + "InitBeegoBeforeTest", + "Run", + "RunWithMiddleWares", + "TestBeegoInit", + "Tree.Match", + "Tree.match", + "adminApp.Run" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/beego/beego/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0463" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/beego/beego/v2/server/web", + "symbols": [ + "AddNamespace", + "AddViewPath", + "Any", + "AutoPrefix", + "AutoRouter", + "BuildTemplate", + "Compare", + "CompareNot", + "Controller.Abort", + "Controller.Bind", + "Controller.BindForm", + "Controller.BindJSON", + "Controller.BindProtobuf", + "Controller.BindXML", + "Controller.BindYAML", + "Controller.CheckXSRFCookie", + "Controller.CustomAbort", + "Controller.Delete", + "Controller.DestroySession", + "Controller.Get", + "Controller.GetBool", + "Controller.GetFile", + "Controller.GetFloat", + "Controller.GetInt", + "Controller.GetInt16", + "Controller.GetInt32", + "Controller.GetInt64", + "Controller.GetInt8", + "Controller.GetSecureCookie", + "Controller.GetString", + "Controller.GetStrings", + "Controller.GetUint16", + "Controller.GetUint32", + "Controller.GetUint64", + "Controller.GetUint8", + "Controller.Head", + "Controller.Input", + "Controller.IsAjax", + "Controller.JSONResp", + "Controller.Options", + "Controller.ParseForm", + "Controller.Patch", + "Controller.Post", + "Controller.Put", + "Controller.Redirect", + "Controller.Render", + "Controller.RenderBytes", + "Controller.RenderString", + "Controller.Resp", + "Controller.SaveToFile", + "Controller.SaveToFileWithBuffer", + "Controller.ServeFormatted", + "Controller.ServeJSON", + "Controller.ServeJSONP", + "Controller.ServeXML", + "Controller.ServeYAML", + "Controller.SessionRegenerateID", + "Controller.SetData", + "Controller.SetSecureCookie", + "Controller.Trace", + "Controller.URLFor", + "Controller.XMLResp", + "Controller.XSRFFormHTML", + "Controller.XSRFToken", + "Controller.YamlResp", + "ControllerRegister.Add", + "ControllerRegister.AddAuto", + "ControllerRegister.AddAutoPrefix", + "ControllerRegister.AddMethod", + "ControllerRegister.AddRouterMethod", + "ControllerRegister.Any", + "ControllerRegister.CtrlAny", + "ControllerRegister.CtrlDelete", + "ControllerRegister.CtrlGet", + "ControllerRegister.CtrlHead", + "ControllerRegister.CtrlOptions", + "ControllerRegister.CtrlPatch", + "ControllerRegister.CtrlPost", + "ControllerRegister.CtrlPut", + "ControllerRegister.Delete", + "ControllerRegister.FindPolicy", + "ControllerRegister.FindRouter", + "ControllerRegister.Get", + "ControllerRegister.GetContext", + "ControllerRegister.Handler", + "ControllerRegister.Head", + "ControllerRegister.Include", + "ControllerRegister.Init", + "ControllerRegister.InsertFilter", + "ControllerRegister.Options", + "ControllerRegister.Patch", + "ControllerRegister.Post", + "ControllerRegister.Put", + "ControllerRegister.ServeHTTP", + "ControllerRegister.URLFor", + "CtrlAny", + "CtrlDelete", + "CtrlGet", + "CtrlHead", + "CtrlOptions", + "CtrlPatch", + "CtrlPost", + "CtrlPut", + "Date", + "DateFormat", + "DateParse", + "Delete", + "Exception", + "ExecuteTemplate", + "ExecuteViewPathTemplate", + "FileSystem.Open", + "FilterRouter.ValidRouter", + "FlashData.Error", + "FlashData.Notice", + "FlashData.Set", + "FlashData.Store", + "FlashData.Success", + "FlashData.Warning", + "Get", + "GetConfig", + "HTML2str", + "Handler", + "Head", + "Htmlquote", + "Htmlunquote", + "HttpServer.Any", + "HttpServer.AutoPrefix", + "HttpServer.AutoRouter", + "HttpServer.CtrlAny", + "HttpServer.CtrlDelete", + "HttpServer.CtrlGet", + "HttpServer.CtrlHead", + "HttpServer.CtrlOptions", + "HttpServer.CtrlPatch", + "HttpServer.CtrlPost", + "HttpServer.CtrlPut", + "HttpServer.Delete", + "HttpServer.Get", + "HttpServer.Handler", + "HttpServer.Head", + "HttpServer.Include", + "HttpServer.InsertFilter", + "HttpServer.LogAccess", + "HttpServer.Options", + "HttpServer.Patch", + "HttpServer.Post", + "HttpServer.PrintTree", + "HttpServer.Put", + "HttpServer.RESTRouter", + "HttpServer.Router", + "HttpServer.RouterWithOpts", + "HttpServer.Run", + "Include", + "InitBeegoBeforeTest", + "InsertFilter", + "LoadAppConfig", + "LogAccess", + "MapGet", + "Namespace.Any", + "Namespace.AutoPrefix", + "Namespace.AutoRouter", + "Namespace.Cond", + "Namespace.CtrlAny", + "Namespace.CtrlDelete", + "Namespace.CtrlGet", + "Namespace.CtrlHead", + "Namespace.CtrlOptions", + "Namespace.CtrlPatch", + "Namespace.CtrlPost", + "Namespace.CtrlPut", + "Namespace.Delete", + "Namespace.Filter", + "Namespace.Get", + "Namespace.Handler", + "Namespace.Head", + "Namespace.Include", + "Namespace.Namespace", + "Namespace.Options", + "Namespace.Patch", + "Namespace.Post", + "Namespace.Put", + "Namespace.Router", + "NewControllerRegister", + "NewControllerRegisterWithCfg", + "NewHttpServerWithCfg", + "NewHttpSever", + "NewNamespace", + "NotNil", + "Options", + "ParseForm", + "Patch", + "Policy", + "Post", + "PrintTree", + "Put", + "RESTRouter", + "ReadFromRequest", + "RenderForm", + "Router", + "RouterWithOpts", + "Run", + "RunWithMiddleWares", + "TestBeegoInit", + "Tree.AddRouter", + "Tree.AddTree", + "Tree.Match", + "Tree.match", + "URLFor", + "URLMap.GetMap", + "URLMap.GetMapData", + "Walk", + "adminApp.Run", + "adminController.AdminIndex", + "adminController.Healthcheck", + "adminController.ListConf", + "adminController.ProfIndex", + "adminController.PrometheusMetrics", + "adminController.QpsIndex", + "adminController.TaskStatus", + "beegoAppConfig.Bool", + "beegoAppConfig.DefaultBool" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/beego/beego/pull/4958" + }, + { + "type": "FIX", + "url": "https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd" + }, + { + "type": "WEB", + "url": "https://beego.vip" + }, + { + "type": "WEB", + "url": "https://github.com/beego/beego/issues/4946" + }, + { + "type": "WEB", + "url": "https://github.com/beego/beego/pull/4954" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0470.json b/data/osv/GO-2022-0470.json new file mode 100644 index 00000000..e564484f --- /dev/null +++ b/data/osv/GO-2022-0470.json @@ -0,0 +1,100 @@ +{ + "id": "GO-2022-0470", + "published": "2022-07-15T23:29:55Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31022", + "GHSA-9w9f-6mg8-jp7w" + ], + "details": "HTTP handlers provide unauthenticated access to the local filesystem.\n\nThe Bleve http package is intended for demonstration purposes and\ncontains no authentication, authorization, or validation of user\ninputs. Exposing handlers from this package can permit attackers to\ncreate files and delete directories.\n", + "affected": [ + { + "package": { + "name": "github.com/blevesearch/bleve", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0470" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/blevesearch/bleve/http", + "symbols": [ + "AliasHandler.ServeHTTP", + "CreateIndexHandler.ServeHTTP", + "DebugDocumentHandler.ServeHTTP", + "DeleteIndexHandler.ServeHTTP", + "DocCountHandler.ServeHTTP", + "DocDeleteHandler.ServeHTTP", + "DocGetHandler.ServeHTTP", + "DocIndexHandler.ServeHTTP", + "GetIndexHandler.ServeHTTP", + "ListFieldsHandler.ServeHTTP", + "SearchHandler.ServeHTTP" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/blevesearch/bleve/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0470" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/blevesearch/bleve/v2/http", + "symbols": [ + "AliasHandler.ServeHTTP", + "CreateIndexHandler.ServeHTTP", + "DebugDocumentHandler.ServeHTTP", + "DeleteIndexHandler.ServeHTTP", + "DocCountHandler.ServeHTTP", + "DocDeleteHandler.ServeHTTP", + "DocGetHandler.ServeHTTP", + "DocIndexHandler.ServeHTTP", + "GetIndexHandler.ServeHTTP", + "ListFieldsHandler.ServeHTTP", + "SearchHandler.ServeHTTP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff" + }, + { + "type": "WEB", + "url": "https://github.com/blevesearch/bleve/security/advisories/GHSA-9w9f-6mg8-jp7w" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0475.json b/data/osv/GO-2022-0475.json new file mode 100644 index 00000000..3bda9a6e --- /dev/null +++ b/data/osv/GO-2022-0475.json @@ -0,0 +1,73 @@ +{ + "id": "GO-2022-0475", + "published": "2022-07-28T17:24:30Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-28366" + ], + "details": "The go command may execute arbitrary code at build time when cgo is in use.\nThis may occur when running go get on a malicious package, or any other\ncommand that builds untrusted code.\n\nThis can be caused by malicious unquoted symbol name in a linked object\nfile.\n", + "affected": [ + { + "package": { + "name": "toolchain", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.14.12" + }, + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0475" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "cmd/go", + "symbols": [ + "Builder.cgo" + ] + }, + { + "path": "cmd/cgo", + "symbols": [ + "dynimport" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/269658" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/42559" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0476.json b/data/osv/GO-2022-0476.json new file mode 100644 index 00000000..a0e55527 --- /dev/null +++ b/data/osv/GO-2022-0476.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0476", + "published": "2022-07-28T17:24:43Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-28367" + ], + "details": "The go command may execute arbitrary code at build time when cgo is in use.\nThis may occur when running go get on a malicious package, or any other\ncommand that builds untrusted code.\n\nThis can be caused by malicious gcc flags specified via a cgo directive.\n", + "affected": [ + { + "package": { + "name": "toolchain", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.14.12" + }, + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0476" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "cmd/go", + "symbols": [ + "validCompilerFlags" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/267277" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/42556" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0477.json b/data/osv/GO-2022-0477.json new file mode 100644 index 00000000..9f83f80e --- /dev/null +++ b/data/osv/GO-2022-0477.json @@ -0,0 +1,70 @@ +{ + "id": "GO-2022-0477", + "published": "2022-06-09T01:43:37Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-30634" + ], + "details": "On Windows, rand.Read will hang indefinitely if passed a buffer larger than\n1 \u003c\u003c 32 - 1 bytes.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.11" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0477" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/rand", + "goos": [ + "windows" + ], + "symbols": [ + "Read" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/402257" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52561" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0492.json b/data/osv/GO-2022-0492.json new file mode 100644 index 00000000..7c2a4c85 --- /dev/null +++ b/data/osv/GO-2022-0492.json @@ -0,0 +1,55 @@ +{ + "id": "GO-2022-0492", + "published": "2022-07-15T23:30:03Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-25856", + "GHSA-qpgx-64h2-gc3c" + ], + "details": "GitArtifactReader is vulnerable to directory traversal attacks.\n\nThe GitArtifactReader.Read function reads and returns the\ncontents of a Git repository file. A maliciously crafted repository\ncan exploit this to cause Read to read from arbitrary files on\nthe filesystem.\n", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-events", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.7.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0492" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/argoproj/argo-events/sensors/artifacts", + "symbols": [ + "GetArtifactReader", + "NewGitReader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-events/pull/1965" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-events/issues/1947" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0493.json b/data/osv/GO-2022-0493.json new file mode 100644 index 00000000..6532bad1 --- /dev/null +++ b/data/osv/GO-2022-0493.json @@ -0,0 +1,100 @@ +{ + "id": "GO-2022-0493", + "published": "2022-07-15T23:30:12Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29526" + ], + "details": "When called with a non-zero flags parameter, the Faccessat function\ncan incorrectly report that a file is accessible.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.10" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0493" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "syscall", + "symbols": [ + "Faccessat" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/sys", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20220412211240-33da011f77ad" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0493" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/sys/unix", + "symbols": [ + "Access", + "Faccessat" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/399539" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52313" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/400074" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0503.json b/data/osv/GO-2022-0503.json new file mode 100644 index 00000000..b867bc6b --- /dev/null +++ b/data/osv/GO-2022-0503.json @@ -0,0 +1,84 @@ +{ + "id": "GO-2022-0503", + "published": "2022-07-30T03:50:50Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-9x4h-8wgm-8xfg" + ], + "details": "Decoding malformed CAR data can cause panics or excessive memory usage.\n", + "affected": [ + { + "package": { + "name": "github.com/ipld/go-car", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0503" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ipld/go-car" + }, + { + "path": "github.com/ipld/go-car/util" + } + ] + } + }, + { + "package": { + "name": "github.com/ipld/go-car/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.4.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0503" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/ipld/go-car/v2" + }, + { + "path": "github.com/ipld/go-car/v2/blockstore" + }, + { + "path": "github.com/ipld/go-car/v2/index" + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9x4h-8wgm-8xfg" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0515.json b/data/osv/GO-2022-0515.json new file mode 100644 index 00000000..35ca3aa7 --- /dev/null +++ b/data/osv/GO-2022-0515.json @@ -0,0 +1,76 @@ +{ + "id": "GO-2022-0515", + "published": "2022-07-20T17:01:45Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-1962" + ], + "details": "Calling any of the Parse functions on Go source code which contains deeply\nnested types or declarations can cause a panic due to stack exhaustion.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0515" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "go/parser", + "symbols": [ + "ParseExprFrom", + "ParseFile", + "parser.parseBinaryExpr", + "parser.parseIfStmt", + "parser.parsePrimaryExpr", + "parser.parseStmt", + "parser.parseUnaryExpr", + "parser.tryIdentOrType", + "resolver.closeScope", + "resolver.openScope" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417063" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53616" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0519.json b/data/osv/GO-2022-0519.json new file mode 100644 index 00000000..14e3c93e --- /dev/null +++ b/data/osv/GO-2022-0519.json @@ -0,0 +1,50 @@ +{ + "id": "GO-2022-0519", + "published": "2022-07-30T03:51:07Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31145", + "GHSA-qwrj-9hmp-gpxh" + ], + "details": "Improper validation of access tokens can permit use of expired tokens.\n", + "affected": [ + { + "package": { + "name": "github.com/flyteorg/flyteadmin", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.31" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0519" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/flyteorg/flyteadmin/auth/authzserver", + "symbols": [ + "ResourceServer.ValidateAccessToken" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0520.json b/data/osv/GO-2022-0520.json new file mode 100644 index 00000000..581ecd21 --- /dev/null +++ b/data/osv/GO-2022-0520.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0520", + "published": "2022-07-28T17:23:05Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-32148" + ], + "details": "Client IP adresses may be unintentionally exposed via X-Forwarded-For\nheaders.\n\nWhen httputil.ReverseProxy.ServeHTTP is called with a Request.Header map\ncontaining a nil value for the X-Forwarded-For header, ReverseProxy sets\nthe client IP as the value of the X-Forwarded-For header, contrary to\nits documentation.\n\nIn the more usual case where a Director function sets the\nX-Forwarded-For header value to nil, ReverseProxy leaves the header\nunmodified as expected.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0520" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Header.Clone" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/412857" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53423" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0521.json b/data/osv/GO-2022-0521.json new file mode 100644 index 00000000..3dfaf36d --- /dev/null +++ b/data/osv/GO-2022-0521.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0521", + "published": "2022-07-20T17:02:04Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-28131" + ], + "details": "Calling Decoder.Skip when parsing a deeply nested XML document can cause a\npanic due to stack exhaustion.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0521" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/xml", + "symbols": [ + "Decoder.Skip" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417062" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53614" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0522.json b/data/osv/GO-2022-0522.json new file mode 100644 index 00000000..48bb6776 --- /dev/null +++ b/data/osv/GO-2022-0522.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0522", + "published": "2022-07-20T17:02:29Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-30632" + ], + "details": "Calling Glob on a path which contains a large number of path separators can\ncause a panic due to stack exhaustion.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0522" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "path/filepath", + "symbols": [ + "Glob" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417066" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/ac68c6c683409f98250d34ad282b9e1b0c9095ef" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53416" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0523.json b/data/osv/GO-2022-0523.json new file mode 100644 index 00000000..52c224ae --- /dev/null +++ b/data/osv/GO-2022-0523.json @@ -0,0 +1,69 @@ +{ + "id": "GO-2022-0523", + "published": "2022-07-20T20:52:06Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-30633" + ], + "details": "Unmarshaling an XML document into a Go struct which has a nested\nfield that uses the 'any' field tag can panic due to stack\nexhaustion.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0523" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/xml", + "symbols": [ + "Decoder.DecodeElement", + "Decoder.unmarshal", + "Decoder.unmarshalPath" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417061" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53611" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0524.json b/data/osv/GO-2022-0524.json new file mode 100644 index 00000000..818bb378 --- /dev/null +++ b/data/osv/GO-2022-0524.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0524", + "published": "2022-07-20T20:52:11Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-30631" + ], + "details": "Calling Reader.Read on an archive containing a large number of concatenated\n0-length compressed files can cause a panic due to stack exhaustion.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0524" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "compress/gzip", + "symbols": [ + "Reader.Read" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417067" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b2b8872c876201eac2d0707276c6999ff3eb185e" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53168" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0525.json b/data/osv/GO-2022-0525.json new file mode 100644 index 00000000..a78b1c0f --- /dev/null +++ b/data/osv/GO-2022-0525.json @@ -0,0 +1,71 @@ +{ + "id": "GO-2022-0525", + "published": "2022-07-25T17:34:18Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-1705" + ], + "details": "The HTTP/1 client accepted some invalid Transfer-Encoding headers as\nindicating a \"chunked\" encoding. This could potentially allow for request\nsmuggling, but only if combined with an intermediate server that also\nimproperly failed to reject the header as invalid.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0525" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "transferReader.parseTransferEncoding" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/409874" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53188" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/410714" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0526.json b/data/osv/GO-2022-0526.json new file mode 100644 index 00000000..e41f93a4 --- /dev/null +++ b/data/osv/GO-2022-0526.json @@ -0,0 +1,69 @@ +{ + "id": "GO-2022-0526", + "published": "2022-07-20T20:52:17Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-30635" + ], + "details": "Calling Decoder.Decode on a message which contains deeply nested structures\ncan cause a panic due to stack exhaustion.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0526" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/gob", + "symbols": [ + "Decoder.compileDec", + "Decoder.compileIgnoreSingle", + "Decoder.decIgnoreOpFor" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417064" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/6fa37e98ea4382bf881428ee0c150ce591500eb7" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53615" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0527.json b/data/osv/GO-2022-0527.json new file mode 100644 index 00000000..d46de74a --- /dev/null +++ b/data/osv/GO-2022-0527.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0527", + "published": "2022-07-20T20:52:22Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-30630" + ], + "details": "Calling Glob on a path which contains a large number of path separators can\ncause a panic due to stack exhaustion.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0527" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "io/fs", + "symbols": [ + "Glob" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417065" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53415" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0528.json b/data/osv/GO-2022-0528.json new file mode 100644 index 00000000..db850a9c --- /dev/null +++ b/data/osv/GO-2022-0528.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2022-0528", + "published": "2022-07-30T03:51:17Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-25891", + "GHSA-477v-w82m-634j" + ], + "details": "Sending a message exactly 2000, 4000, or 6000 characters in length\nto Discord causes a panic.\n", + "affected": [ + { + "package": { + "name": "github.com/containrrr/shoutrrr", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.6.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0528" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/containrrr/shoutrrr/pkg/util", + "symbols": [ + "PartitionMessage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/containrrr/shoutrrr/pull/242" + }, + { + "type": "FIX", + "url": "https://github.com/containrrr/shoutrrr/commit/6a27056f9d7522a8b493216195cb7634bf4b5c42" + }, + { + "type": "WEB", + "url": "https://github.com/containrrr/shoutrrr/issues/240" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0531.json b/data/osv/GO-2022-0531.json new file mode 100644 index 00000000..1c6a4bfd --- /dev/null +++ b/data/osv/GO-2022-0531.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0531", + "published": "2022-07-28T17:24:57Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-30629" + ], + "details": "An attacker can correlate a resumed TLS session with a previous connection.\n\nSession tickets generated by crypto/tls do not contain a randomly\ngenerated ticket_age_add, which allows an attacker that can observe TLS\nhandshakes to correlate successive connections by comparing ticket ages\nduring session resumption.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.11" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0531" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "serverHandshakeStateTLS13.sendSessionTickets" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/405994" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52814" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0532.json b/data/osv/GO-2022-0532.json new file mode 100644 index 00000000..8ff2c9c7 --- /dev/null +++ b/data/osv/GO-2022-0532.json @@ -0,0 +1,70 @@ +{ + "id": "GO-2022-0532", + "published": "2022-07-26T21:41:20Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-30580" + ], + "details": "On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput\nwhen Cmd.Path is unset will unintentionally trigger execution of any\nbinaries in the working directory named either \"..com\" or \"..exe\".\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.11" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0532" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "os/exec", + "goos": [ + "windows" + ], + "symbols": [ + "Cmd.Start" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/403759" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52574" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0533.json b/data/osv/GO-2022-0533.json new file mode 100644 index 00000000..ce059468 --- /dev/null +++ b/data/osv/GO-2022-0533.json @@ -0,0 +1,70 @@ +{ + "id": "GO-2022-0533", + "published": "2022-07-28T17:25:07Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29804" + ], + "details": "On Windows, the filepath.Clean function can convert certain invalid paths\nto valid, absolute paths, potentially allowing a directory traversal\nattack.\n\nFor example, Clean(`.\\c:`) returns `c:`.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.11" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0533" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "path/filepath", + "goos": [ + "windows" + ], + "symbols": [ + "Clean" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/401595" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52476" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0534.json b/data/osv/GO-2022-0534.json new file mode 100644 index 00000000..54cb03b4 --- /dev/null +++ b/data/osv/GO-2022-0534.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2022-0534", + "published": "2022-08-11T20:54:51Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-24912", + "GHSA-jxqv-jcvh-7gr4" + ], + "details": "Validation of Gitlab requests can leak secrets.\n\nThe package github.com/runatlantis/atlantis/server/controllers/events uses a\nnon-constant time comparison for secrets while validating a Gitlab request.\nThis allows for a timing attack where an attacker can recover a secret and\nthen forge the request.\n", + "affected": [ + { + "package": { + "name": "github.com/runatlantis/atlantis", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0534" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/runatlantis/atlantis/server/controllers/events", + "symbols": [ + "DefaultGitlabRequestParserValidator.ParseAndValidate" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/runatlantis/atlantis/pull/2392" + }, + { + "type": "FIX", + "url": "https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820" + }, + { + "type": "WEB", + "url": "https://github.com/runatlantis/atlantis/issues/2391" + }, + { + "type": "WEB", + "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0535.json b/data/osv/GO-2022-0535.json new file mode 100644 index 00000000..8f3afd74 --- /dev/null +++ b/data/osv/GO-2022-0535.json @@ -0,0 +1,70 @@ +{ + "id": "GO-2022-0535", + "published": "2022-08-01T22:21:17Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-0601" + ], + "details": "A Windows vulnerability allows attackers to spoof valid certificate chains\nwhen the system root store is in use.\n\nA workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected\nusers should additionally install the Windows security update to protect\ntheir system.\n\nSee\nhttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601\nfor details on the Windows vulnerability.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.16" + }, + { + "introduced": "1.13.0" + }, + { + "fixed": "1.13.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0535" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "goos": [ + "windows" + ], + "symbols": [ + "Certificate.systemVerify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/215905" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c2" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/36834" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Hsw4mHYc470/m/WJeW5wguEgAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0536.json b/data/osv/GO-2022-0536.json new file mode 100644 index 00000000..aac92960 --- /dev/null +++ b/data/osv/GO-2022-0536.json @@ -0,0 +1,104 @@ +{ + "id": "GO-2022-0536", + "published": "2022-08-01T22:20:53Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-9512", + "CVE-2019-9514" + ], + "details": "Some HTTP/2 implementations are vulnerable to a reset flood, potentially\nleading to a denial of service.\n\nServers that accept direct connections from untrusted clients could be\nremotely made to allocate an unlimited amount of memory, until the program\ncrashes. The attacker opens a number of streams and sends an invalid request\nover each stream that should solicit a stream of RST_STREAM frames from the\npeer. Depending on how the peer queues the RST_STREAM frames, this can\nconsume excess memory, CPU, or both.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.13" + }, + { + "introduced": "1.12.0" + }, + { + "fixed": "1.12.8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0536" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "http2serverConn.scheduleFrameWrite", + "http2serverConn.serve", + "http2serverConn.writeFrame" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20190813141303-74dc4d7220e7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0536" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http", + "symbols": [ + "serverConn.scheduleFrameWrite", + "serverConn.serve", + "serverConn.writeFrame" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/190137" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/145e193131eb486077b66009beb051aba07c52a5" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/33606" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg/m/DrFiG6vvCwAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0537.json b/data/osv/GO-2022-0537.json new file mode 100644 index 00000000..6f397bbc --- /dev/null +++ b/data/osv/GO-2022-0537.json @@ -0,0 +1,68 @@ +{ + "id": "GO-2022-0537", + "published": "2022-08-01T22:21:06Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-32189" + ], + "details": "Decoding big.Float and big.Rat types can panic if the encoded message is\ntoo short, potentially allowing a denial of service.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.13" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0537" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "math/big", + "symbols": [ + "Float.GobDecode", + "Rat.GobDecode" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417774" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/055113ef364337607e3e72ed7d48df67fde6fc66" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53871" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/YqYYG87xB10" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0558.json b/data/osv/GO-2022-0558.json new file mode 100644 index 00000000..221f7660 --- /dev/null +++ b/data/osv/GO-2022-0558.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0558", + "published": "2022-08-22T18:07:59Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-1227", + "GHSA-66vw-v2x9-hw75" + ], + "details": "The psgo package executes the 'nsenter' binary, potentially allowing\nprivilege escalation when used in environments where nsenter is provided\nby an untrusted source.\n", + "affected": [ + { + "package": { + "name": "github.com/containers/psgo", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.7.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0558" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/containers/psgo", + "symbols": [ + "JoinNamespaceAndProcessInfo", + "JoinNamespaceAndProcessInfoByPids", + "JoinNamespaceAndProcessInfoByPidsWithOptions", + "JoinNamespaceAndProcessInfoWithOptions", + "ProcessInfo", + "ProcessInfoByPids", + "contextFromOptions" + ] + }, + { + "path": "github.com/containers/psgo/internal/proc", + "symbols": [ + "ParseStatus", + "readStatusUserNS" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/containers/psgo/pull/92" + }, + { + "type": "WEB", + "url": "https://github.com/containers/podman/issues/10941" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0563.json b/data/osv/GO-2022-0563.json new file mode 100644 index 00000000..fe7ed58a --- /dev/null +++ b/data/osv/GO-2022-0563.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2022-0563", + "published": "2022-02-05T00:00:31Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-46398", + "GHSA-72wf-hwcq-65h9" + ], + "details": "A Cross-Site Request Forgery vulnerability exists in Filebrowser\nthat allows attackers to create a backdoor user with admin privilege\nand get access to the filesystem via a malicious HTML webpage that is sent\nto the victim.\n", + "affected": [ + { + "package": { + "name": "github.com/filebrowser/filebrowser/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.18.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0563" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/filebrowser/filebrowser/v2/http", + "symbols": [ + "NewHandler" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/filebrowser/filebrowser/commit/74b7cd8e81840537a8206317344f118093153e8d" + }, + { + "type": "WEB", + "url": "https://github.com/filebrowser/filebrowser/issues/1621" + }, + { + "type": "WEB", + "url": "https://systemweakness.com/critical-csrf-to-rce-in-filebrowser-865a3c34b8e7" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0564.json b/data/osv/GO-2022-0564.json new file mode 100644 index 00000000..53cd4ea9 --- /dev/null +++ b/data/osv/GO-2022-0564.json @@ -0,0 +1,47 @@ +{ + "id": "GO-2022-0564", + "published": "2022-08-15T18:02:15Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31053", + "GHSA-75rw-34q6-72cr" + ], + "details": "An attacker can forge Biscuit v1 tokens with any access level.\n\nThere is no known workaround for Biscuit v1. The Biscuit v2 specification\navoids this vulnerability.\n", + "affected": [ + { + "package": { + "name": "github.com/biscuit-auth/biscuit-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.1-0.20220327202226-f061134c2a1e" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0564" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/biscuit-auth/biscuit-go" + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-75rw-34q6-72cr" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0569.json b/data/osv/GO-2022-0569.json new file mode 100644 index 00000000..c90b75c5 --- /dev/null +++ b/data/osv/GO-2022-0569.json @@ -0,0 +1,305 @@ +{ + "id": "GO-2022-0569", + "published": "2022-08-23T13:24:17Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31836", + "GHSA-95f9-94vc-665h" + ], + "details": "The leafInfo.match() function uses path.join()\nto deal with wildcard values which can lead to cross directory risk.\n", + "affected": [ + { + "package": { + "name": "github.com/beego/beego", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.11" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0569" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/beego/beego", + "symbols": [ + "Tree.Match" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/beego/beego/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0569" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/beego/beego/v2/server/web", + "symbols": [ + "AddNamespace", + "AddViewPath", + "Any", + "AutoPrefix", + "AutoRouter", + "BuildTemplate", + "Compare", + "CompareNot", + "Controller.Abort", + "Controller.Bind", + "Controller.BindForm", + "Controller.BindJSON", + "Controller.BindProtobuf", + "Controller.BindXML", + "Controller.BindYAML", + "Controller.CheckXSRFCookie", + "Controller.CustomAbort", + "Controller.Delete", + "Controller.DestroySession", + "Controller.Get", + "Controller.GetBool", + "Controller.GetFile", + "Controller.GetFloat", + "Controller.GetInt", + "Controller.GetInt16", + "Controller.GetInt32", + "Controller.GetInt64", + "Controller.GetInt8", + "Controller.GetSecureCookie", + "Controller.GetString", + "Controller.GetStrings", + "Controller.GetUint16", + "Controller.GetUint32", + "Controller.GetUint64", + "Controller.GetUint8", + "Controller.Head", + "Controller.Input", + "Controller.IsAjax", + "Controller.JSONResp", + "Controller.Options", + "Controller.ParseForm", + "Controller.Patch", + "Controller.Post", + "Controller.Put", + "Controller.Redirect", + "Controller.Render", + "Controller.RenderBytes", + "Controller.RenderString", + "Controller.Resp", + "Controller.SaveToFile", + "Controller.SaveToFileWithBuffer", + "Controller.ServeFormatted", + "Controller.ServeJSON", + "Controller.ServeJSONP", + "Controller.ServeXML", + "Controller.ServeYAML", + "Controller.SessionRegenerateID", + "Controller.SetData", + "Controller.SetSecureCookie", + "Controller.Trace", + "Controller.URLFor", + "Controller.XMLResp", + "Controller.XSRFFormHTML", + "Controller.XSRFToken", + "Controller.YamlResp", + "ControllerRegister.Add", + "ControllerRegister.AddAuto", + "ControllerRegister.AddAutoPrefix", + "ControllerRegister.AddMethod", + "ControllerRegister.AddRouterMethod", + "ControllerRegister.Any", + "ControllerRegister.CtrlAny", + "ControllerRegister.CtrlDelete", + "ControllerRegister.CtrlGet", + "ControllerRegister.CtrlHead", + "ControllerRegister.CtrlOptions", + "ControllerRegister.CtrlPatch", + "ControllerRegister.CtrlPost", + "ControllerRegister.CtrlPut", + "ControllerRegister.Delete", + "ControllerRegister.FindPolicy", + "ControllerRegister.FindRouter", + "ControllerRegister.Get", + "ControllerRegister.GetContext", + "ControllerRegister.Handler", + "ControllerRegister.Head", + "ControllerRegister.Include", + "ControllerRegister.Init", + "ControllerRegister.InsertFilter", + "ControllerRegister.Options", + "ControllerRegister.Patch", + "ControllerRegister.Post", + "ControllerRegister.Put", + "ControllerRegister.ServeHTTP", + "ControllerRegister.URLFor", + "CtrlAny", + "CtrlDelete", + "CtrlGet", + "CtrlHead", + "CtrlOptions", + "CtrlPatch", + "CtrlPost", + "CtrlPut", + "Date", + "DateFormat", + "DateParse", + "Delete", + "Exception", + "ExecuteTemplate", + "ExecuteViewPathTemplate", + "FileSystem.Open", + "FilterRouter.ValidRouter", + "FlashData.Error", + "FlashData.Notice", + "FlashData.Set", + "FlashData.Store", + "FlashData.Success", + "FlashData.Warning", + "Get", + "GetConfig", + "HTML2str", + "Handler", + "Head", + "Htmlquote", + "Htmlunquote", + "HttpServer.Any", + "HttpServer.AutoPrefix", + "HttpServer.AutoRouter", + "HttpServer.CtrlAny", + "HttpServer.CtrlDelete", + "HttpServer.CtrlGet", + "HttpServer.CtrlHead", + "HttpServer.CtrlOptions", + "HttpServer.CtrlPatch", + "HttpServer.CtrlPost", + "HttpServer.CtrlPut", + "HttpServer.Delete", + "HttpServer.Get", + "HttpServer.Handler", + "HttpServer.Head", + "HttpServer.Include", + "HttpServer.InsertFilter", + "HttpServer.LogAccess", + "HttpServer.Options", + "HttpServer.Patch", + "HttpServer.Post", + "HttpServer.PrintTree", + "HttpServer.Put", + "HttpServer.RESTRouter", + "HttpServer.Router", + "HttpServer.RouterWithOpts", + "HttpServer.Run", + "Include", + "InitBeegoBeforeTest", + "InsertFilter", + "LoadAppConfig", + "LogAccess", + "MapGet", + "Namespace.Any", + "Namespace.AutoPrefix", + "Namespace.AutoRouter", + "Namespace.Cond", + "Namespace.CtrlAny", + "Namespace.CtrlDelete", + "Namespace.CtrlGet", + "Namespace.CtrlHead", + "Namespace.CtrlOptions", + "Namespace.CtrlPatch", + "Namespace.CtrlPost", + "Namespace.CtrlPut", + "Namespace.Delete", + "Namespace.Filter", + "Namespace.Get", + "Namespace.Handler", + "Namespace.Head", + "Namespace.Include", + "Namespace.Namespace", + "Namespace.Options", + "Namespace.Patch", + "Namespace.Post", + "Namespace.Put", + "Namespace.Router", + "NewControllerRegister", + "NewControllerRegisterWithCfg", + "NewHttpServerWithCfg", + "NewHttpSever", + "NewNamespace", + "NotNil", + "Options", + "ParseForm", + "Patch", + "Policy", + "Post", + "PrintTree", + "Put", + "RESTRouter", + "ReadFromRequest", + "RenderForm", + "Router", + "RouterWithOpts", + "Run", + "RunWithMiddleWares", + "TestBeegoInit", + "Tree.AddRouter", + "Tree.AddTree", + "Tree.Match", + "URLFor", + "URLMap.GetMap", + "URLMap.GetMapData", + "Walk", + "adminApp.Run", + "adminController.AdminIndex", + "adminController.Healthcheck", + "adminController.ListConf", + "adminController.ProfIndex", + "adminController.PrometheusMetrics", + "adminController.QpsIndex", + "adminController.TaskStatus", + "beegoAppConfig.Bool", + "beegoAppConfig.DefaultBool" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/beego/beego/pull/5025" + }, + { + "type": "FIX", + "url": "https://github.com/beego/beego/pull/5025/commits/ea5ae58d40589d249cf577a053e490509de2bf57" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0572.json b/data/osv/GO-2022-0572.json new file mode 100644 index 00000000..b37c90f8 --- /dev/null +++ b/data/osv/GO-2022-0572.json @@ -0,0 +1,258 @@ +{ + "id": "GO-2022-0572", + "published": "2022-08-22T17:56:17Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-30080", + "GHSA-28r6-jm5h-mrgg" + ], + "details": "An issue was discovered in the route lookup process in\nbeego which attackers to bypass access control.\n", + "affected": [ + { + "package": { + "name": "github.com/beego/beego", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0572" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/beego/beego", + "symbols": [ + "Tree.Match" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/beego/beego/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0572" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/beego/beego/v2/server/web", + "symbols": [ + "AddNamespace", + "AddViewPath", + "Any", + "AutoPrefix", + "AutoRouter", + "BuildTemplate", + "Compare", + "CompareNot", + "Controller.Abort", + "Controller.CheckXSRFCookie", + "Controller.CustomAbort", + "Controller.Delete", + "Controller.DestroySession", + "Controller.Get", + "Controller.GetBool", + "Controller.GetFile", + "Controller.GetFloat", + "Controller.GetInt", + "Controller.GetInt16", + "Controller.GetInt32", + "Controller.GetInt64", + "Controller.GetInt8", + "Controller.GetSecureCookie", + "Controller.GetString", + "Controller.GetStrings", + "Controller.GetUint16", + "Controller.GetUint32", + "Controller.GetUint64", + "Controller.GetUint8", + "Controller.Head", + "Controller.Input", + "Controller.IsAjax", + "Controller.Options", + "Controller.ParseForm", + "Controller.Patch", + "Controller.Post", + "Controller.Put", + "Controller.Redirect", + "Controller.Render", + "Controller.RenderBytes", + "Controller.RenderString", + "Controller.SaveToFile", + "Controller.ServeFormatted", + "Controller.ServeJSON", + "Controller.ServeJSONP", + "Controller.ServeXML", + "Controller.ServeYAML", + "Controller.SessionRegenerateID", + "Controller.SetData", + "Controller.SetSecureCookie", + "Controller.Trace", + "Controller.URLFor", + "Controller.XSRFFormHTML", + "Controller.XSRFToken", + "ControllerRegister.Add", + "ControllerRegister.AddAuto", + "ControllerRegister.AddAutoPrefix", + "ControllerRegister.AddMethod", + "ControllerRegister.Any", + "ControllerRegister.Delete", + "ControllerRegister.FindPolicy", + "ControllerRegister.FindRouter", + "ControllerRegister.Get", + "ControllerRegister.GetContext", + "ControllerRegister.Handler", + "ControllerRegister.Head", + "ControllerRegister.Include", + "ControllerRegister.InsertFilter", + "ControllerRegister.InsertFilterChain", + "ControllerRegister.Options", + "ControllerRegister.Patch", + "ControllerRegister.Post", + "ControllerRegister.Put", + "ControllerRegister.ServeHTTP", + "ControllerRegister.URLFor", + "Date", + "DateFormat", + "DateParse", + "Delete", + "Exception", + "ExecuteTemplate", + "ExecuteViewPathTemplate", + "FileSystem.Open", + "FilterRouter.ValidRouter", + "FlashData.Error", + "FlashData.Notice", + "FlashData.Set", + "FlashData.Store", + "FlashData.Success", + "FlashData.Warning", + "Get", + "GetConfig", + "HTML2str", + "Handler", + "Head", + "Htmlquote", + "Htmlunquote", + "HttpServer.Any", + "HttpServer.AutoPrefix", + "HttpServer.AutoRouter", + "HttpServer.Delete", + "HttpServer.Get", + "HttpServer.Handler", + "HttpServer.Head", + "HttpServer.Include", + "HttpServer.InsertFilter", + "HttpServer.InsertFilterChain", + "HttpServer.LogAccess", + "HttpServer.Options", + "HttpServer.Patch", + "HttpServer.Post", + "HttpServer.PrintTree", + "HttpServer.Put", + "HttpServer.RESTRouter", + "HttpServer.Router", + "HttpServer.Run", + "Include", + "InitBeegoBeforeTest", + "InsertFilter", + "InsertFilterChain", + "LoadAppConfig", + "LogAccess", + "MapGet", + "Namespace.Any", + "Namespace.AutoPrefix", + "Namespace.AutoRouter", + "Namespace.Cond", + "Namespace.Delete", + "Namespace.Filter", + "Namespace.Get", + "Namespace.Handler", + "Namespace.Head", + "Namespace.Include", + "Namespace.Namespace", + "Namespace.Options", + "Namespace.Patch", + "Namespace.Post", + "Namespace.Put", + "Namespace.Router", + "NewControllerRegister", + "NewControllerRegisterWithCfg", + "NewHttpServerWithCfg", + "NewHttpSever", + "NewNamespace", + "NotNil", + "Options", + "ParseForm", + "Patch", + "Policy", + "Post", + "PrintTree", + "Put", + "RESTRouter", + "ReadFromRequest", + "RenderForm", + "Router", + "Run", + "RunWithMiddleWares", + "TestBeegoInit", + "Tree.AddRouter", + "Tree.AddTree", + "Tree.Match", + "URLFor", + "URLMap.GetMap", + "URLMap.GetMapData", + "Walk", + "adminApp.Run", + "adminController.AdminIndex", + "adminController.Healthcheck", + "adminController.ListConf", + "adminController.ProfIndex", + "adminController.PrometheusMetrics", + "adminController.QpsIndex", + "adminController.TaskStatus", + "beegoAppConfig.Bool", + "beegoAppConfig.DefaultBool" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/beego/beego/pull/4459" + }, + { + "type": "FIX", + "url": "https://github.com/beego/beego/commit/d5df5e470d0a8ed291930ae802fd7e6b95226519" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0574.json b/data/osv/GO-2022-0574.json new file mode 100644 index 00000000..62d79e70 --- /dev/null +++ b/data/osv/GO-2022-0574.json @@ -0,0 +1,205 @@ +{ + "id": "GO-2022-0574", + "published": "2022-07-01T00:01:03Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-33082", + "GHSA-2m4x-4q9j-w97g" + ], + "details": "An issue in the AST parser of Open Policy Agent makes it possible for\nattackers to cause a Denial of Service attack from a crafted input.\n", + "affected": [ + { + "package": { + "name": "github.com/open-policy-agent/opa", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.42.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0574" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/open-policy-agent/opa/ast", + "symbols": [ + "Args.Copy", + "Args.Vars", + "Array.Copy", + "Array.Foreach", + "Array.Iter", + "Array.Until", + "ArrayComprehension.Copy", + "BeforeAfterVisitor.Walk", + "Body.Copy", + "Body.Vars", + "Call.Copy", + "CompileModules", + "CompileModulesWithOpt", + "Compiler.Compile", + "Compiler.GetRulesDynamic", + "Compiler.GetRulesDynamicWithOpts", + "Compiler.PassesTypeCheck", + "ContainsClosures", + "ContainsComprehensions", + "ContainsRefs", + "Copy", + "Every.Copy", + "Every.KeyValueVars", + "Expr.Copy", + "Expr.CopyWithoutTerms", + "Expr.Vars", + "GenericTransformer.Transform", + "GenericVisitor.Walk", + "Head.Copy", + "Head.Vars", + "Import.Copy", + "IsConstant", + "JSON", + "JSONWithOpt", + "Module.Copy", + "Module.UnmarshalJSON", + "MustCompileModules", + "MustCompileModulesWithOpts", + "MustJSON", + "MustParseBody", + "MustParseBodyWithOpts", + "MustParseExpr", + "MustParseImports", + "MustParseModule", + "MustParseModuleWithOpts", + "MustParsePackage", + "MustParseRef", + "MustParseRule", + "MustParseStatement", + "MustParseStatements", + "MustParseTerm", + "NewGraph", + "ObjectComprehension.Copy", + "OutputVarsFromBody", + "OutputVarsFromExpr", + "Package.Copy", + "ParseBody", + "ParseBodyWithOpts", + "ParseExpr", + "ParseImports", + "ParseModule", + "ParseModuleWithOpts", + "ParsePackage", + "ParseRef", + "ParseRule", + "ParseStatement", + "ParseStatements", + "ParseStatementsWithOpts", + "ParseTerm", + "Parser.Parse", + "Pretty", + "QueryContext.Copy", + "Ref.ConstantPrefix", + "Ref.Copy", + "Ref.Dynamic", + "Ref.Extend", + "Ref.OutputVars", + "Rule.Copy", + "SetComprehension.Copy", + "SomeDecl.Copy", + "Term.Copy", + "Term.Vars", + "Transform", + "TransformComprehensions", + "TransformRefs", + "TransformVars", + "TreeNode.DepthFirst", + "TypeEnv.Get", + "Unify", + "ValueMap.Copy", + "ValueMap.Equal", + "ValueMap.Hash", + "ValueMap.Iter", + "ValueMap.MarshalJSON", + "ValueMap.String", + "ValueToInterface", + "VarVisitor.Walk", + "Walk", + "WalkBeforeAndAfter", + "WalkBodies", + "WalkClosures", + "WalkExprs", + "WalkNodes", + "WalkRefs", + "WalkRules", + "WalkTerms", + "WalkVars", + "WalkWiths", + "With.Copy", + "baseDocEqIndex.AllRules", + "baseDocEqIndex.Build", + "baseDocEqIndex.Lookup", + "bodySafetyTransformer.Visit", + "comprehensionIndexNestedCandidateVisitor.Walk", + "comprehensionIndexRegressionCheckVisitor.Walk", + "metadataParser.Parse", + "object.Copy", + "object.Diff", + "object.Filter", + "object.Foreach", + "object.Intersect", + "object.Iter", + "object.Map", + "object.Merge", + "object.MergeWith", + "object.Until", + "queryCompiler.Compile", + "refChecker.Visit", + "refindices.Sorted", + "refindices.Update", + "rewriteDeclaredVarsInTerm", + "rewriteNestedHeadVarLocalTransform.Visit", + "ruleArgLocalRewriter.Visit", + "ruleWalker.Do", + "set.Copy", + "set.Diff", + "set.Foreach", + "set.Intersect", + "set.Iter", + "set.Map", + "set.Reduce", + "set.Union", + "set.Until", + "trieNode.Do", + "trieNode.Traverse", + "trieTraversalResult.Add", + "typeChecker.CheckBody", + "typeChecker.CheckTypes" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/open-policy-agent/opa/pull/4701" + }, + { + "type": "FIX", + "url": "https://github.com/open-policy-agent/opa/commit/064f6168a8dfebdeb2ea147f7882bb9f5d2b7f67" + }, + { + "type": "WEB", + "url": "https://github.com/open-policy-agent/opa/issues/4762" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0586.json b/data/osv/GO-2022-0586.json new file mode 100644 index 00000000..a4652fc6 --- /dev/null +++ b/data/osv/GO-2022-0586.json @@ -0,0 +1,98 @@ +{ + "id": "GO-2022-0586", + "published": "2022-05-26T00:01:27Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-26945", + "CVE-2022-30321", + "CVE-2022-30322", + "CVE-2022-30323", + "GHSA-28r2-q6m8-9hpx", + "GHSA-cjr4-fv6c-f3mv", + "GHSA-fcgg-rvwg-jv58", + "GHSA-x24g-9w7v-vprh" + ], + "details": "Malicious HTTP responses can cause a number of misbehaviors,\nincluding overwriting local files, resource exhaustion, and panics.\n\n* Protocol switching, endless redirect, and configuration bypass are\n possible through abuse of custom HTTP response header processing.\n\n* Arbitrary host access is possible through go-getter path traversal,\n symlink processing, and command injection flaws.\n\n* Asymmetric resource exhaustion can occur when go-getter processes\n malicious HTTP responses.\n\n* A panic can be triggered when go-getter processed password-protected ZIP\n files.\n", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/go-getter", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.5.11" + }, + { + "fixed": "1.6.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0586" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/hashicorp/go-getter" + } + ] + } + }, + { + "package": { + "name": "github.com/hashicorp/go-getter/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.0.2" + }, + { + "fixed": "2.1.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0586" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/hashicorp/go-getter/v2" + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/go-getter/pull/361" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/go-getter/pull/359" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0587.json b/data/osv/GO-2022-0587.json new file mode 100644 index 00000000..c9662b92 --- /dev/null +++ b/data/osv/GO-2022-0587.json @@ -0,0 +1,86 @@ +{ + "id": "GO-2022-0587", + "published": "2022-05-20T00:00:26Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-28946", + "GHSA-x7f3-62pm-9p38" + ], + "details": "An issue in ast.Parser in Open Policy Agent causes the application to\nincorrectly interpret expressions, allowing a Denial of Service (DoS)\nvia triggering out-of-range memory access.\n", + "affected": [ + { + "package": { + "name": "github.com/open-policy-agent/opa", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.40.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0587" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/open-policy-agent/opa/ast", + "symbols": [ + "CompileModules", + "CompileModulesWithOpt", + "MustCompileModules", + "MustCompileModulesWithOpts", + "MustParseBody", + "MustParseBodyWithOpts", + "MustParseExpr", + "MustParseImports", + "MustParseModule", + "MustParseModuleWithOpts", + "MustParsePackage", + "MustParseRef", + "MustParseRule", + "MustParseStatement", + "MustParseStatements", + "MustParseTerm", + "ParseBody", + "ParseBodyWithOpts", + "ParseExpr", + "ParseImports", + "ParseModule", + "ParseModuleWithOpts", + "ParsePackage", + "ParseRef", + "ParseRule", + "ParseStatement", + "ParseStatements", + "ParseStatementsWithOpts", + "ParseTerm", + "Parser.Parse", + "Parser.parseEvery", + "Parser.parseSome", + "metadataParser.Parse" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/open-policy-agent/opa/pull/4548" + }, + { + "type": "FIX", + "url": "https://github.com/open-policy-agent/opa/commit/e9d3828db670cbe11129885f37f08cbf04935264" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0588.json b/data/osv/GO-2022-0588.json new file mode 100644 index 00000000..11dc192d --- /dev/null +++ b/data/osv/GO-2022-0588.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2022-0588", + "published": "2022-08-15T18:02:24Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-42576", + "GHSA-x95h-979x-cf3j" + ], + "details": "The bluemonday HTML sanitizer can leak the contents of a \"style\" element\ninto HTML output, potentially causing XSS vulnerabilities.\n\nThe default bluemonday sanitization policies are not vulnerable.\nOnly user-defined policies allowing \"select\", \"style\", and\n\"option\" elements are affected.\n\nPermitting the \"style\" element in policies is hazardous, because bluemonday\ndoes not contain a CSS sanitizer. Newer versions of bluemonday suppress\n\"style\" and \"script\" elements even when allowed by a policy unless the\npolicy explicitly requests unsafe processing.\n", + "affected": [ + { + "package": { + "name": "github.com/microcosm-cc/bluemonday", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.16" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0588" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/microcosm-cc/bluemonday", + "symbols": [ + "Policy.AllowElements", + "Policy.AllowElementsMatching", + "Policy.AllowLists", + "Policy.AllowTables", + "UGCPolicy" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/microcosm-cc/bluemonday/commit/c788a2a4d42e081ad54a31368478820bb4a42fb4" + }, + { + "type": "WEB", + "url": "https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0603.json b/data/osv/GO-2022-0603.json new file mode 100644 index 00000000..a2cf87dd --- /dev/null +++ b/data/osv/GO-2022-0603.json @@ -0,0 +1,54 @@ +{ + "id": "GO-2022-0603", + "published": "2022-08-22T18:00:47Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-28948", + "GHSA-hp87-p4gw-j4gq" + ], + "details": "An issue in the Unmarshal function can cause a program to\npanic when attempting to deserialize invalid input.\n", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.0.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0603" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v3", + "symbols": [ + "Unmarshal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/8f96da9f5d5eff988554c1aae1784627c4bf6754" + }, + { + "type": "WEB", + "url": "https://github.com/go-yaml/yaml/issues/666" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0619.json b/data/osv/GO-2022-0619.json new file mode 100644 index 00000000..9e3ac232 --- /dev/null +++ b/data/osv/GO-2022-0619.json @@ -0,0 +1,118 @@ +{ + "id": "GO-2022-0619", + "published": "2022-08-15T18:05:29Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-1996", + "GHSA-r48q-9g5r-8q2h" + ], + "details": "CORS filters that use an AllowedDomains configuration parameter\ncan match domains outside the specified set, permitting an attacker\nto avoid the CORS policy.\n\nThe AllowedDomains configuration parameter is documented as a list of\nallowed origin domains, but values in this list are applied as regular\nexpression matches. For example, an allowed domain of \"example.com\" will\nmatch the Origin header \"example.com.malicious.domain\".\n", + "affected": [ + { + "package": { + "name": "github.com/emicklei/go-restful", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.16.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0619" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/emicklei/go-restful", + "symbols": [ + "CrossOriginResourceSharing.Filter", + "CrossOriginResourceSharing.isOriginAllowed" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/emicklei/go-restful/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.7.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0619" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/emicklei/go-restful/v2", + "symbols": [ + "CrossOriginResourceSharing.Filter", + "CrossOriginResourceSharing.isOriginAllowed" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/emicklei/go-restful/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.8.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0619" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/emicklei/go-restful/v3", + "symbols": [ + "CrossOriginResourceSharing.Filter", + "CrossOriginResourceSharing.isOriginAllowed" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/emicklei/go-restful/commit/f292efff46ae17e9d104f865a60a39a2ae9402f1" + }, + { + "type": "WEB", + "url": "https://github.com/emicklei/go-restful/issues/489" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0621.json b/data/osv/GO-2022-0621.json new file mode 100644 index 00000000..3f564941 --- /dev/null +++ b/data/osv/GO-2022-0621.json @@ -0,0 +1,55 @@ +{ + "id": "GO-2022-0621", + "published": "2021-05-18T15:38:54Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-10223", + "CVE-2019-17110", + "GHSA-2v6x-frw8-7r7f" + ], + "details": "Exposing annotations as metrics can leak secrets.\n\nAn experimental feature of kube-state-metrics enables annotations\nto be exposed as metrics. By default, metrics only expose metadata\nabout secrets. However, a combination of the default kubectl behavior\nand this new feature can cause the entire secret content to end up\nin metric labels.\n", + "affected": [ + { + "package": { + "name": "k8s.io/kube-state-metrics", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.7.0" + }, + { + "fixed": "1.7.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0621" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "k8s.io/kube-state-metrics/internal/store", + "symbols": [ + "kubeAnnotationsToPrometheusLabels" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/kubernetes/kube-state-metrics/commit/03122fe3e2df49a9a7298b8af921d3c37c430f7f" + }, + { + "type": "WEB", + "url": "https://github.com/advisories/GHSA-2v6x-frw8-7r7f" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0629.json b/data/osv/GO-2022-0629.json new file mode 100644 index 00000000..4f104114 --- /dev/null +++ b/data/osv/GO-2022-0629.json @@ -0,0 +1,72 @@ +{ + "id": "GO-2022-0629", + "published": "2022-02-15T01:57:18Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-8568", + "GHSA-5cgx-vhfp-6cf9" + ], + "details": "Modifying pod status allows host directory traversal.\n\nKubernetes Secrets Store CSI Driver allows an attacker who can\nmodify a SecretProviderClassPodStatus/Status resource the ability\nto write content to the host filesystem and sync file contents\nto Kubernetes Secrets. This includes paths under var/lib/kubelet/pods\nthat contain other Kubernetes Secrets.\n", + "affected": [ + { + "package": { + "name": "sigs.k8s.io/secrets-store-csi-driver", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.15" + }, + { + "fixed": "0.0.17" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0629" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "sigs.k8s.io/secrets-store-csi-driver/controllers", + "symbols": [ + "SecretProviderClassPodStatusReconciler.Reconcile" + ] + }, + { + "path": "sigs.k8s.io/secrets-store-csi-driver/pkg/rotation", + "symbols": [ + "Reconciler.Run", + "Reconciler.reconcile" + ] + }, + { + "path": "sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store", + "symbols": [ + "SecretsStore.Run", + "nodeServer.NodeUnpublishVolume" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/pull/371" + }, + { + "type": "FIX", + "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/commit/c2cbb19e2eef16638fa0523383788a4bc22231fd" + }, + { + "type": "WEB", + "url": "https://github.com/advisories/GHSA-5cgx-vhfp-6cf9" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0643.json b/data/osv/GO-2022-0643.json new file mode 100644 index 00000000..348d3f9e --- /dev/null +++ b/data/osv/GO-2022-0643.json @@ -0,0 +1,59 @@ +{ + "id": "GO-2022-0643", + "published": "2022-02-15T01:57:18Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-11480", + "GHSA-9q3g-m353-cp4p" + ], + "details": "A local attacker can cause a panic if they are able to send arbitrary traffic\nto a monitored port, due to an out of bounds read.\n", + "affected": [ + { + "package": { + "name": "github.com/elastic/beats", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.1.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0643" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/elastic/beats/packetbeat/protos/pgsql", + "symbols": [ + "pgsqlFieldsParser", + "pgsqlPlugin.Parse" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/elastic/beats/pull/5457" + }, + { + "type": "FIX", + "url": "https://github.com/elastic/beats/commit/aeca65779d573976981587ca1d1461399e1b59dd" + }, + { + "type": "WEB", + "url": "https://github.com/advisories/GHSA-9q3g-m353-cp4p" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0646.json b/data/osv/GO-2022-0646.json new file mode 100644 index 00000000..5a5912c8 --- /dev/null +++ b/data/osv/GO-2022-0646.json @@ -0,0 +1,66 @@ +{ + "id": "GO-2022-0646", + "published": "2022-02-11T23:26:26Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-8911", + "CVE-2020-8912", + "GHSA-7f33-f4f5-xwgw", + "GHSA-f5pg-7wfw-84q9" + ], + "details": "The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker\nwith write access to a bucket to decrypt files in that bucket.\n\nFiles encrypted by the V1 EncryptionClient using either the AES-CBC\ncontent cipher or the KMS key wrap algorithm are vulnerable. Users should\nmigrate to the V1 EncryptionClientV2 API, which will not create vulnerable\nfiles. Old files will remain vulnerable until reencrypted with the new\nclient.", + "affected": [ + { + "package": { + "name": "github.com/aws/aws-sdk-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0646" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/aws/aws-sdk-go/service/s3/s3crypto", + "symbols": [ + "NewDecryptionClient", + "NewEncryptionClient" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-7f33-f4f5-xwgw" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-f5pg-7wfw-84q9" + }, + { + "type": "FIX", + "url": "https://github.com/aws/aws-sdk-go/pull/3403" + }, + { + "type": "FIX", + "url": "https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0701.json b/data/osv/GO-2022-0701.json new file mode 100644 index 00000000..ebe6b526 --- /dev/null +++ b/data/osv/GO-2022-0701.json @@ -0,0 +1,89 @@ +{ + "id": "GO-2022-0701", + "published": "2022-02-15T01:57:18Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2015-5305", + "GHSA-jp32-vmm6-3vf5" + ], + "details": "Crafted object type names can cause directory traversal in Kubernetes.\n\nObject names are not validated before being passed to etcd. This allows\nattackers to write arbitrary files via a crafted object name, hence causing\ndirectory traversal vulnerability in Kubernetes, as used in Red Hat\nOpenShift Enterprise 3.0.\n", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0701" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "k8s.io/kubernetes/pkg/api/rest", + "symbols": [ + "BeforeCreate" + ] + }, + { + "path": "k8s.io/kubernetes/pkg/registry/generic/etcd", + "symbols": [ + "NamespaceKeyFunc" + ] + }, + { + "path": "k8s.io/kubernetes/pkg/storage", + "symbols": [ + "NamespaceKeyFunc", + "NoNamespaceKeyFunc" + ] + }, + { + "path": "k8s.io/kubernetes/pkg/registry/namespace/etcd", + "symbols": [ + "NewREST" + ] + }, + { + "path": "k8s.io/kubernetes/pkg/registry/node/etcd", + "symbols": [ + "NewREST" + ] + }, + { + "path": "k8s.io/kubernetes/pkg/registry/persistentvolume/etcd", + "symbols": [ + "NewREST" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/kubernetes/kubernetes/pull/16381" + }, + { + "type": "FIX", + "url": "https://github.com/kubernetes/kubernetes/commit/37f730f68c7f06e060f90714439bfb0dbb2df5e7" + }, + { + "type": "WEB", + "url": "https://github.com/advisories/GHSA-jp32-vmm6-3vf5" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0706.json b/data/osv/GO-2022-0706.json new file mode 100644 index 00000000..91877291 --- /dev/null +++ b/data/osv/GO-2022-0706.json @@ -0,0 +1,60 @@ +{ + "id": "GO-2022-0706", + "published": "2021-05-18T18:34:18Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-22133", + "GHSA-qqc5-rgcc-cjqh" + ], + "details": "Sensitive HTTP headers may not be properly sanitized before being sent to the\nAPM server if the program panics.\n", + "affected": [ + { + "package": { + "name": "go.elastic.co/apm", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0706" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "go.elastic.co/apm", + "symbols": [ + "NewTracer", + "NewTracerOptions", + "modelWriter.buildModelTransaction" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/elastic/apm-agent-go/pull/888" + }, + { + "type": "FIX", + "url": "https://github.com/elastic/apm-agent-go/commit/dd3e8c593580e7b80a98b57e1cc6e017e56747b4" + }, + { + "type": "WEB", + "url": "https://github.com/advisories/GHSA-qqc5-rgcc-cjqh" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0755.json b/data/osv/GO-2022-0755.json new file mode 100644 index 00000000..eaf9d6c7 --- /dev/null +++ b/data/osv/GO-2022-0755.json @@ -0,0 +1,64 @@ +{ + "id": "GO-2022-0755", + "published": "2021-05-18T15:42:40Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-13209", + "GHSA-xhg2-rvm8-w2jh" + ], + "details": "Rancher 2 is vulnerable to a Cross-Site Websocket Hijacking\nattack that allows an exploiter to gain access to clusters managed by\nRancher.\n", + "affected": [ + { + "package": { + "name": "github.com/rancher/rancher", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.5-rc6.0.20190621200032-0ddffe484adc" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0755" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/rancher/rancher/server", + "symbols": [ + "Start" + ] + }, + { + "path": "github.com/rancher/rancher/pkg/clusterrouter", + "symbols": [ + "Router.ServeHTTP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-xhg2-rvm8-w2jh" + }, + { + "type": "FIX", + "url": "https://github.com/rancher/rancher/commit/0ddffe484adccb9e37d9432e8e625d8ebbfb0088" + }, + { + "type": "WEB", + "url": "https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0761.json b/data/osv/GO-2022-0761.json new file mode 100644 index 00000000..112317e7 --- /dev/null +++ b/data/osv/GO-2022-0761.json @@ -0,0 +1,67 @@ +{ + "id": "GO-2022-0761", + "published": "2022-08-09T17:05:15Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2016-5386" + ], + "details": "An input validation flaw in the CGI components allows the HTTP_PROXY\nenvironment variable to be set by the incoming Proxy header, which changes\nwhere Go by default proxies all outbound HTTP requests.\n\nThis environment variable is also used to set the outgoing proxy, enabling\nan attacker to insert a proxy into outgoing requests of a CGI program.\n\nRead more about \"httpoxy\" here: https://httpoxy.org.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0761" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Handler.ServeHTTP" + ] + }, + { + "path": "net/http/cgi", + "symbols": [ + "ProxyFromEnvironment" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/25010" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b97df54c31d6c4cc2a28a3c83725366d52329223" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/16405" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/7jZDOQ8f8tM/m/eWRWHnc8CgAJ" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0762.json b/data/osv/GO-2022-0762.json new file mode 100644 index 00000000..3a41fd91 --- /dev/null +++ b/data/osv/GO-2022-0762.json @@ -0,0 +1,61 @@ +{ + "id": "GO-2022-0762", + "published": "2021-05-18T21:07:37Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-29272", + "GHSA-3x58-xr87-2fcj" + ], + "details": "An XSS injection was possible because the sanitization of the Cyrillic\ncharacter i bypass a protection mechanism against user-inputted HTML elements\nsuch as the \u003cscript\u003e tag.\n", + "affected": [ + { + "package": { + "name": "github.com/microcosm-cc/bluemonday", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0762" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/microcosm-cc/bluemonday", + "symbols": [ + "Policy.Sanitize", + "Policy.SanitizeBytes", + "Policy.SanitizeReader", + "Policy.sanitize" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/microcosm-cc/bluemonday/commit/524f142fe46e945b7dcd291d7805c4b7dcf75bee" + }, + { + "type": "WEB", + "url": "https://github.com/microcosm-cc/bluemonday/issues/111" + }, + { + "type": "WEB", + "url": "https://github.com/microcosm-cc/bluemonday/releases/tag/v1.0.5" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0942.json b/data/osv/GO-2022-0942.json new file mode 100644 index 00000000..21957ad5 --- /dev/null +++ b/data/osv/GO-2022-0942.json @@ -0,0 +1,51 @@ +{ + "id": "GO-2022-0942", + "published": "2022-08-23T13:19:13Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-37315", + "GHSA-h3qm-jrrf-cgj3" + ], + "details": "graphql-go (aka GraphQL for Go) has infinite recursion\nin the type definition parser.\n", + "affected": [ + { + "package": { + "name": "github.com/graphql-go/graphql", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0942" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/graphql-go/graphql/language/parser", + "symbols": [ + "Parse" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/graphql-go/graphql/pull/642" + }, + { + "type": "FIX", + "url": "https://github.com/graphql-go/graphql/pull/642/commits/4188bd5b3877f7badb951b421cf66e0af2eacb22" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0945.json b/data/osv/GO-2022-0945.json new file mode 100644 index 00000000..c7c4715f --- /dev/null +++ b/data/osv/GO-2022-0945.json @@ -0,0 +1,82 @@ +{ + "id": "GO-2022-0945", + "published": "2022-08-22T17:59:45Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2016-9122", + "GHSA-77gc-fj98-665h" + ], + "details": "The go-jose library suffers from multiple signatures exploitation. When\nvalidating a signed message, the API did not indicate which signature was\nvalid, which creates the potential for confusion.\n", + "affected": [ + { + "package": { + "name": "gopkg.in/square/go-jose.v1", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0945" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/square/go-jose.v1", + "symbols": [ + "JsonWebEncryption.Decrypt", + "JsonWebKey.UnmarshalJSON", + "JsonWebSignature.Verify", + "ecDecrypterSigner.decryptKey", + "rawJsonWebKey.ecPublicKey" + ] + }, + { + "path": "gopkg.in/square/go-jose.v1/cipher", + "symbols": [ + "DeriveECDHES", + "NewConcatKDF", + "cbcAEAD.Open", + "cbcAEAD.Seal", + "cbcAEAD.computeAuthTag", + "padBuffer", + "resize" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://www.openwall.com/lists/oss-security/2016/11/03/1" + }, + { + "type": "FIX", + "url": "https://github.com/square/go-jose/pull/111" + }, + { + "type": "FIX", + "url": "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6" + }, + { + "type": "WEB", + "url": "https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96" + }, + { + "type": "WEB", + "url": "https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0952.json b/data/osv/GO-2022-0952.json new file mode 100644 index 00000000..1d5406bc --- /dev/null +++ b/data/osv/GO-2022-0952.json @@ -0,0 +1,65 @@ +{ + "id": "GO-2022-0952", + "published": "2022-08-22T18:08:50Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36009", + "GHSA-grvv-h2f9-7v9c" + ], + "details": "Power level parsing does not parse the \"events_default\" key of the\nm.room.power_levels event, setting the event default power level to\nzero in all cases. This can cause events to be improperly accepted or\nrejected in rooms where the event_default power level has been changed.\n", + "affected": [ + { + "package": { + "name": "github.com/matrix-org/gomatrixserverlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20220815091947-723fd495dde8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0952" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/matrix-org/gomatrixserverlib", + "symbols": [ + "Allowed", + "Event.PowerLevels", + "EventsLoader.LoadAndVerify", + "HeaderedReverseTopologicalOrdering", + "NewPowerLevelContentFromAuthEvents", + "NewPowerLevelContentFromEvent", + "RequestBackfill", + "ResolveConflicts", + "ResolveStateConflicts", + "ResolveStateConflictsV2", + "RespSendJoin.Check", + "RespState.Check", + "RespState.Events", + "ReverseTopologicalOrdering", + "VerifyAuthRulesAtState", + "VerifyEventAuthChain" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/matrix-org/gomatrixserverlib/commit/723fd495dde835d078b9f2074b6b62c06dea4575" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0956.json b/data/osv/GO-2022-0956.json new file mode 100644 index 00000000..9e78631b --- /dev/null +++ b/data/osv/GO-2022-0956.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2022-0956", + "published": "2022-08-29T22:15:46Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-3064" + ], + "details": "Parsing malicious or large YAML documents can consume excessive amounts of\nCPU or memory.\n", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0956" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal", + "yaml_parser_increase_flow_level", + "yaml_parser_roll_indent" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" + }, + { + "type": "WEB", + "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0957.json b/data/osv/GO-2022-0957.json new file mode 100644 index 00000000..021eb218 --- /dev/null +++ b/data/osv/GO-2022-0957.json @@ -0,0 +1,64 @@ +{ + "id": "GO-2022-0957", + "published": "2022-08-25T06:28:20Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-36066", + "GHSA-wjm3-fq3r-5x46" + ], + "details": "A maliciously crafted JSON input can cause a denial of service attack.", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0957" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Get", + "GetBytes", + "GetMany", + "GetManyBytes", + "Result.Get", + "parseObject", + "queryMatches" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/195" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0962.json b/data/osv/GO-2022-0962.json new file mode 100644 index 00000000..56955bb9 --- /dev/null +++ b/data/osv/GO-2022-0962.json @@ -0,0 +1,65 @@ +{ + "id": "GO-2022-0962", + "published": "2022-09-02T15:19:52Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36055", + "GHSA-7hfp-qfw3-5jxh" + ], + "details": "Applications that use the strvals package in the Helm SDK to parse user\nsupplied input can suffer a Denial of Service when that input causes a\npanic that cannot be recovered from.\n\nThe strvals package contains a parser that turns strings into Go\nstructures. For example, the Helm client has command line flags like --set,\n--set-string, and others that enable the user to pass in strings that are\nmerged into the values. The strvals package converts these strings into\nstructures Go can work with. Some string inputs can cause array data\nstructures to be created causing an out of memory panic.\n\nThe Helm Client will panic with input to --set, --set-string, and other\nvalue setting flags that causes an out of memory panic. Helm is not a long\nrunning service so the panic will not affect future uses of the Helm client.", + "affected": [ + { + "package": { + "name": "helm.sh/helm/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.9.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0962" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "helm.sh/helm/v3/pkg/strvals", + "symbols": [ + "Parse", + "ParseFile", + "ParseInto", + "ParseIntoFile", + "ParseIntoString", + "ParseString", + "ToYAML", + "setIndex" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh" + }, + { + "type": "FIX", + "url": "https://github.com/helm/helm/commit/10466e3e179cc8cad4b0bb451108d3c442c69fbc" + }, + { + "type": "WEB", + "url": "https://github.com/helm/helm/releases/tag/v3.9.4" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0963.json b/data/osv/GO-2022-0963.json new file mode 100644 index 00000000..3983703c --- /dev/null +++ b/data/osv/GO-2022-0963.json @@ -0,0 +1,91 @@ +{ + "id": "GO-2022-0963", + "published": "2022-09-02T18:37:03Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36078", + "GHSA-4p6f-m4f9-ch88" + ], + "details": "A memory allocation vulnerability can be exploited to allocate arbitrarily\nlarge slices, which can exhaust available memory or crash the program.\n\nWhen parsing data from untrusted sources of input (e.g. the blockchain),\nthe length of the slice to allocate is read directly from the data itself\nwithout any checks, which could lead to an allocation of excessive memory.\n", + "affected": [ + { + "package": { + "name": "github.com/gagliardetto/binary", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0963" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gagliardetto/binary", + "symbols": [ + "BaseVariant.UnmarshalBinaryVariant", + "BinByteCount", + "BorshByteCount", + "CompactU16ByteCount", + "Decoder.Decode", + "Decoder.Discard", + "Decoder.ReadInt64", + "Decoder.ReadNBytes", + "Decoder.ReadRustString", + "Decoder.ReadTypeID", + "Decoder.ReadUint64", + "Decoder.decodeBin", + "Decoder.decodeBorsh", + "Decoder.decodeCompactU16", + "Encoder.Encode", + "Encoder.WriteFloat32", + "Encoder.WriteFloat64", + "Encoder.encodeBin", + "Encoder.encodeBorsh", + "Encoder.encodeCompactU16", + "Int64.UnmarshalWithDecoder", + "JSONFloat64.MarshalWithEncoder", + "MarshalBin", + "MarshalBorsh", + "MarshalCompactU16", + "MustBinByteCount", + "MustBorshByteCount", + "MustCompactU16ByteCount", + "Uint64.UnmarshalWithDecoder", + "UnmarshalBin", + "UnmarshalBorsh", + "UnmarshalCompactU16", + "discardNBytes", + "readNBytes" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/gagliardetto/binary/security/advisories/GHSA-4p6f-m4f9-ch88" + }, + { + "type": "FIX", + "url": "https://github.com/gagliardetto/binary/pull/7" + }, + { + "type": "WEB", + "url": "https://github.com/gagliardetto/binary/releases/tag/v0.7.1" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0965.json b/data/osv/GO-2022-0965.json new file mode 100644 index 00000000..95c8365a --- /dev/null +++ b/data/osv/GO-2022-0965.json @@ -0,0 +1,62 @@ +{ + "id": "GO-2022-0965", + "published": "2022-09-02T21:12:51Z", + "modified": "0001-01-01T00:00:00Z", + "details": "Unbounded recursion in JSON parsing allows malicious JSON input to\ncause excessive memory consumption or panics.", + "affected": [ + { + "package": { + "name": "k8s.io/apimachinery", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20190927203648-9ce6eca90e73" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0965" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "k8s.io/apimachinery/pkg/runtime/serializer/json", + "symbols": [ + "Serializer.Decode", + "Serializer.Encode", + "customNumberDecoder.Decode" + ] + }, + { + "path": "k8s.io/apimachinery/pkg/util/json", + "symbols": [ + "Unmarshal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/kubernetes/kubernetes/pull/83261" + }, + { + "type": "WEB", + "url": "https://github.com/advisories/GHSA-pmqp-h87c-mr78" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11253" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0968.json b/data/osv/GO-2022-0968.json new file mode 100644 index 00000000..3c9424a5 --- /dev/null +++ b/data/osv/GO-2022-0968.json @@ -0,0 +1,61 @@ +{ + "id": "GO-2022-0968", + "published": "2022-09-13T03:32:38Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-43565" + ], + "details": "Unauthenticated clients can cause a panic in SSH servers.\n\nWhen using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which\ncontains an empty plaintext causes a panic.\n", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20211202192323-5770296d904e" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0968" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "Dial", + "NewClientConn", + "NewServerConn", + "chacha20Poly1305Cipher.readCipherPacket", + "gcmCipher.readCipherPacket" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs" + }, + { + "type": "REPORT", + "url": "https://go.dev/issues/49932" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/368814/" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0969.json b/data/osv/GO-2022-0969.json new file mode 100644 index 00000000..98a2014c --- /dev/null +++ b/data/osv/GO-2022-0969.json @@ -0,0 +1,105 @@ +{ + "id": "GO-2022-0969", + "published": "2022-09-12T20:23:06Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-27664" + ], + "details": "HTTP/2 server connections can hang forever waiting for a clean shutdown\nthat was preempted by a fatal error. This condition can be exploited\nby a malicious client to cause a denial of service.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.6" + }, + { + "introduced": "1.19.0" + }, + { + "fixed": "1.19.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0969" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "ListenAndServe", + "ListenAndServeTLS", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "http2Server.ServeConn", + "http2serverConn.goAway" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20220906165146-f3363e06e74c" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0969" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.goAway" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/54658" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/428735" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0978.json b/data/osv/GO-2022-0978.json new file mode 100644 index 00000000..7cf6c512 --- /dev/null +++ b/data/osv/GO-2022-0978.json @@ -0,0 +1,223 @@ +{ + "id": "GO-2022-0978", + "published": "2022-09-13T17:40:16Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36085" + ], + "details": "Open Policy Agent (OPA) is an open source, general-purpose policy engine.\nThe Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function,\nwhich allows users to provide a set of built-in functions that should be\ndeemed unsafe and rejected by the compiler if encountered in the policy\ncompilation stage.\n\nA bypass of this protection is possible when using the `with`\nkeyword to mock a built-in function that isn’t taken into account by\n`WithUnsafeBuiltins`.\n", + "affected": [ + { + "package": { + "name": "github.com/open-policy-agent/opa", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.40.0" + }, + { + "fixed": "0.44.0" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0978" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/open-policy-agent/opa/ast", + "symbols": [ + "Args.Copy", + "Args.Vars", + "Array.Copy", + "Array.Foreach", + "Array.Iter", + "Array.Until", + "ArrayComprehension.Copy", + "BeforeAfterVisitor.Walk", + "Body.Copy", + "Body.Vars", + "Call.Copy", + "CompileModules", + "CompileModulesWithOpt", + "Compiler.Compile", + "Compiler.GetRulesDynamic", + "Compiler.GetRulesDynamicWithOpts", + "Compiler.PassesTypeCheck", + "Compiler.rewriteWithModifiers", + "ContainsClosures", + "ContainsComprehensions", + "ContainsRefs", + "Copy", + "Every.Copy", + "Every.KeyValueVars", + "Expr.Copy", + "Expr.CopyWithoutTerms", + "Expr.Vars", + "GenericTransformer.Transform", + "GenericVisitor.Walk", + "Head.Copy", + "Head.Vars", + "Import.Copy", + "IsConstant", + "JSON", + "JSONWithOpt", + "Module.Copy", + "Module.UnmarshalJSON", + "MustCompileModules", + "MustCompileModulesWithOpts", + "MustJSON", + "MustParseBody", + "MustParseBodyWithOpts", + "MustParseExpr", + "MustParseImports", + "MustParseModule", + "MustParseModuleWithOpts", + "MustParsePackage", + "MustParseRef", + "MustParseRule", + "MustParseStatement", + "MustParseStatements", + "MustParseTerm", + "NewGraph", + "ObjectComprehension.Copy", + "OutputVarsFromBody", + "OutputVarsFromExpr", + "Package.Copy", + "ParseBody", + "ParseBodyWithOpts", + "ParseExpr", + "ParseImports", + "ParseModule", + "ParseModuleWithOpts", + "ParsePackage", + "ParseRef", + "ParseRule", + "ParseStatement", + "ParseStatements", + "ParseStatementsWithOpts", + "ParseTerm", + "Parser.Parse", + "Pretty", + "QueryContext.Copy", + "Ref.ConstantPrefix", + "Ref.Copy", + "Ref.Dynamic", + "Ref.Extend", + "Ref.OutputVars", + "Rule.Copy", + "SetComprehension.Copy", + "SomeDecl.Copy", + "Term.Copy", + "Term.Vars", + "Transform", + "TransformComprehensions", + "TransformRefs", + "TransformVars", + "TreeNode.DepthFirst", + "TypeEnv.Get", + "Unify", + "ValueMap.Copy", + "ValueMap.Equal", + "ValueMap.Hash", + "ValueMap.Iter", + "ValueMap.MarshalJSON", + "ValueMap.String", + "ValueToInterface", + "VarVisitor.Walk", + "Walk", + "WalkBeforeAndAfter", + "WalkBodies", + "WalkClosures", + "WalkExprs", + "WalkNodes", + "WalkRefs", + "WalkRules", + "WalkTerms", + "WalkVars", + "WalkWiths", + "With.Copy", + "baseDocEqIndex.AllRules", + "baseDocEqIndex.Build", + "baseDocEqIndex.Lookup", + "bodySafetyTransformer.Visit", + "comprehensionIndexNestedCandidateVisitor.Walk", + "comprehensionIndexRegressionCheckVisitor.Walk", + "isBuiltinRefOrVar", + "metadataParser.Parse", + "object.Copy", + "object.Diff", + "object.Filter", + "object.Foreach", + "object.Intersect", + "object.Iter", + "object.Map", + "object.Merge", + "object.MergeWith", + "object.Until", + "queryCompiler.Compile", + "queryCompiler.checkDeprecatedBuiltins", + "queryCompiler.checkUnsafeBuiltins", + "refChecker.Visit", + "refindices.Sorted", + "refindices.Update", + "rewriteNestedHeadVarLocalTransform.Visit", + "rewriteWithModifier", + "rewriteWithModifiersInBody", + "ruleArgLocalRewriter.Visit", + "ruleWalker.Do", + "set.Copy", + "set.Diff", + "set.Foreach", + "set.Intersect", + "set.Iter", + "set.Map", + "set.Reduce", + "set.Union", + "set.Until", + "trieNode.Do", + "trieNode.Traverse", + "trieTraversalResult.Add", + "typeChecker.CheckBody", + "typeChecker.CheckTypes", + "validateWith", + "validateWithFunctionValue" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr" + }, + { + "type": "FIX", + "url": "https://github.com/open-policy-agent/opa/pull/4540" + }, + { + "type": "FIX", + "url": "https://github.com/open-policy-agent/opa/pull/4616" + }, + { + "type": "FIX", + "url": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823" + }, + { + "type": "FIX", + "url": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8" + }, + { + "type": "WEB", + "url": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1" + } + ] +} \ No newline at end of file diff --git a/data/osv/GO-2022-0988.json b/data/osv/GO-2022-0988.json new file mode 100644 index 00000000..6b8be2b9 --- /dev/null +++ b/data/osv/GO-2022-0988.json @@ -0,0 +1,58 @@ +{ + "id": "GO-2022-0988", + "published": "2022-09-12T20:23:15Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-32190" + ], + "details": "JoinPath and URL.JoinPath do not remove ../ path elements appended\nto a relative path. For example, JoinPath(\"https://go.dev\", \"../go\")\nreturns the URL \"https://go.dev/../go\", despite the JoinPath documentation\nstating that ../ path elements are removed from the result.\n", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.19.0" + }, + { + "fixed": "1.19.1" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0988" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/url", + "symbols": [ + "JoinPath", + "URL.JoinPath" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/54385" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/423514" + } + ] +} \ No newline at end of file diff --git a/data/reports/GO-2022-0558.yaml b/data/reports/GO-2022-0558.yaml index 633f346f..2f0c9386 100644 --- a/data/reports/GO-2022-0558.yaml +++ b/data/reports/GO-2022-0558.yaml @@ -23,6 +23,7 @@ description: | The psgo package executes the 'nsenter' binary, potentially allowing privilege escalation when used in environments where nsenter is provided by an untrusted source. +published: 2022-08-22T18:07:59Z cves: - CVE-2022-1227 ghsas: diff --git a/data/reports/GO-2022-0569.yaml b/data/reports/GO-2022-0569.yaml index c4b7ae9f..f8ef10b9 100644 --- a/data/reports/GO-2022-0569.yaml +++ b/data/reports/GO-2022-0569.yaml @@ -238,6 +238,7 @@ modules: description: | The leafInfo.match() function uses path.join() to deal with wildcard values which can lead to cross directory risk. +published: 2022-08-23T13:24:17Z cves: - CVE-2022-31836 ghsas: diff --git a/data/reports/GO-2022-0572.yaml b/data/reports/GO-2022-0572.yaml index a0879ff2..5d61fdf9 100644 --- a/data/reports/GO-2022-0572.yaml +++ b/data/reports/GO-2022-0572.yaml @@ -192,6 +192,7 @@ modules: description: | An issue was discovered in the route lookup process in beego which attackers to bypass access control. +published: 2022-08-22T17:56:17Z cves: - CVE-2021-30080 ghsas: diff --git a/data/reports/GO-2022-0603.yaml b/data/reports/GO-2022-0603.yaml index 1f598e88..3d289d4e 100644 --- a/data/reports/GO-2022-0603.yaml +++ b/data/reports/GO-2022-0603.yaml @@ -11,6 +11,7 @@ modules: description: | An issue in the Unmarshal function can cause a program to panic when attempting to deserialize invalid input. +published: 2022-08-22T18:00:47Z cves: - CVE-2022-28948 ghsas: diff --git a/data/reports/GO-2022-0942.yaml b/data/reports/GO-2022-0942.yaml index 8f072429..5405cf17 100644 --- a/data/reports/GO-2022-0942.yaml +++ b/data/reports/GO-2022-0942.yaml @@ -8,6 +8,7 @@ modules: description: | graphql-go (aka GraphQL for Go) has infinite recursion in the type definition parser. +published: 2022-08-23T13:19:13Z cves: - CVE-2022-37315 ghsas: diff --git a/data/reports/GO-2022-0945.yaml b/data/reports/GO-2022-0945.yaml index b7eea73e..bcd9804b 100644 --- a/data/reports/GO-2022-0945.yaml +++ b/data/reports/GO-2022-0945.yaml @@ -26,6 +26,7 @@ description: | The go-jose library suffers from multiple signatures exploitation. When validating a signed message, the API did not indicate which signature was valid, which creates the potential for confusion. +published: 2022-08-22T17:59:45Z cves: - CVE-2016-9122 ghsas: diff --git a/data/reports/GO-2022-0952.yaml b/data/reports/GO-2022-0952.yaml index ba3e0af5..98b6a5c0 100644 --- a/data/reports/GO-2022-0952.yaml +++ b/data/reports/GO-2022-0952.yaml @@ -28,6 +28,7 @@ description: | m.room.power_levels event, setting the event default power level to zero in all cases. This can cause events to be improperly accepted or rejected in rooms where the event_default power level has been changed. +published: 2022-08-22T18:08:50Z cves: - CVE-2022-36009 ghsas: diff --git a/data/reports/GO-2022-0956.yaml b/data/reports/GO-2022-0956.yaml index 4a666a26..83f1705e 100644 --- a/data/reports/GO-2022-0956.yaml +++ b/data/reports/GO-2022-0956.yaml @@ -16,6 +16,7 @@ modules: description: | Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory. +published: 2022-08-29T22:15:46Z references: - fix: https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5 - web: https://github.com/go-yaml/yaml/releases/tag/v2.2.4 diff --git a/data/reports/GO-2022-0957.yaml b/data/reports/GO-2022-0957.yaml index 42d9da93..1e1456b9 100644 --- a/data/reports/GO-2022-0957.yaml +++ b/data/reports/GO-2022-0957.yaml @@ -15,6 +15,7 @@ modules: - GetManyBytes - Result.Get description: A maliciously crafted JSON input can cause a denial of service attack. +published: 2022-08-25T06:28:20Z cves: - CVE-2020-36066 ghsas: diff --git a/data/reports/GO-2022-0962.yaml b/data/reports/GO-2022-0962.yaml index 69c812e2..f5e1ea2c 100644 --- a/data/reports/GO-2022-0962.yaml +++ b/data/reports/GO-2022-0962.yaml @@ -30,6 +30,7 @@ description: |- The Helm Client will panic with input to --set, --set-string, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. +published: 2022-09-02T15:19:52Z cves: - CVE-2022-36055 ghsas: diff --git a/data/reports/GO-2022-0963.yaml b/data/reports/GO-2022-0963.yaml index 9b708acd..5347dee1 100644 --- a/data/reports/GO-2022-0963.yaml +++ b/data/reports/GO-2022-0963.yaml @@ -48,6 +48,7 @@ description: | When parsing data from untrusted sources of input (e.g. the blockchain), the length of the slice to allocate is read directly from the data itself without any checks, which could lead to an allocation of excessive memory. +published: 2022-09-02T18:37:03Z cves: - CVE-2022-36078 ghsas: diff --git a/data/reports/GO-2022-0965.yaml b/data/reports/GO-2022-0965.yaml index 0f226ff5..58436ce0 100644 --- a/data/reports/GO-2022-0965.yaml +++ b/data/reports/GO-2022-0965.yaml @@ -16,6 +16,7 @@ modules: description: |- Unbounded recursion in JSON parsing allows malicious JSON input to cause excessive memory consumption or panics. +published: 2022-09-02T21:12:51Z references: - fix: https://github.com/kubernetes/kubernetes/pull/83261 - web: https://github.com/advisories/GHSA-pmqp-h87c-mr78 diff --git a/data/reports/GO-2022-0968.yaml b/data/reports/GO-2022-0968.yaml index fbd13909..8a8e1e4a 100644 --- a/data/reports/GO-2022-0968.yaml +++ b/data/reports/GO-2022-0968.yaml @@ -17,6 +17,7 @@ description: | When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic. +published: 2022-09-13T03:32:38Z cves: - CVE-2021-43565 credit: Rod Hynes, Psiphon Inc. diff --git a/data/reports/GO-2022-0969.yaml b/data/reports/GO-2022-0969.yaml index cbf47dbe..5e5ce360 100644 --- a/data/reports/GO-2022-0969.yaml +++ b/data/reports/GO-2022-0969.yaml @@ -33,6 +33,7 @@ description: | HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service. +published: 2022-09-12T20:23:06Z cves: - CVE-2022-27664 credit: Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan diff --git a/data/reports/GO-2022-0978.yaml b/data/reports/GO-2022-0978.yaml index ba2c3140..76a53960 100644 --- a/data/reports/GO-2022-0978.yaml +++ b/data/reports/GO-2022-0978.yaml @@ -173,6 +173,7 @@ description: | A bypass of this protection is possible when using the `with` keyword to mock a built-in function that isn’t taken into account by `WithUnsafeBuiltins`. +published: 2022-09-13T17:40:16Z cves: - CVE-2022-36085 credit: anderseknert@ diff --git a/data/reports/GO-2022-0988.yaml b/data/reports/GO-2022-0988.yaml index 634ec9a9..dba696e7 100644 --- a/data/reports/GO-2022-0988.yaml +++ b/data/reports/GO-2022-0988.yaml @@ -15,6 +15,7 @@ description: | to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. +published: 2022-09-12T20:23:15Z credit: '@q0jt' references: - web: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s @@ -22,5 +23,5 @@ references: - fix: https://go.dev/cl/423514 cve_metadata: id: CVE-2022-32190 - cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted - Directory (''Path Traversal'')' + cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' diff --git a/data/version.md b/data/version.md index db6cbc4b..b7d77819 100644 --- a/data/version.md +++ b/data/version.md @@ -11,5 +11,12 @@ this file. ## Changelog + * Started storing the OSV for all reports in `data/osv`. + Database generation will use this data rather than the YAML, + ensuring that we always detect modifications to the generated + OSV when setting the `modified` timestamp. Recording this change + here in the same commit that adds `data/osv` ensures modification + times remain the same when we switch generation methods. + * Changed `affected.package` to contain the module path rather than the package path.