mirror of https://github.com/golang/vulndb.git
31 lines
1.1 KiB
YAML
modules:
  - module: github.com/codenotary/immudb
    versions:
      - fixed: 1.4.1
    vulnerable_at: 1.4.0
    packages:
      - package: github.com/codenotary/immudb/pkg/client
        symbols:
          - NewImmuClient
          - DefaultOptions
          - immuClient.OpenSession
        derived_symbols:
          - NewClient
description: |
    A malicious server can trick a client into treating it as a different
    server by changing the reported UUID.

    immudb client SDKs use the server's UUID to distinguish between different
    server instances so that the client can connect to different immudb
    instances and keep the state for multiple servers. The SDK does not
    validate this UUID and accepts any value reported by the server. A
    malicious server can therefore change the reported UUID and trick the
    client into treating it as a different server.
cves:
  - CVE-2022-39199
ghsas:
  - GHSA-6cqj-6969-p57x
references:
  - advisory: https://github.com/codenotary/immudb/security/advisories/GHSA-6cqj-6969-p57x
  - fix: https://github.com/codenotary/immudb/commit/cade04756ff3f0a3b9e8d24149062744574adf5d