vulndb/data/reports/GO-2022-0587.yaml

id: GO-2022-0587
modules:
  - module: github.com/open-policy-agent/opa
    versions:
      - fixed: 0.40.0
    vulnerable_at: 0.39.0
    packages:
      - package: github.com/open-policy-agent/opa/ast
        symbols:
          - Parser.parseSome
          - Parser.parseEvery
        derived_symbols:
          - CompileModules
          - CompileModulesWithOpt
          - MustCompileModules
          - MustCompileModulesWithOpts
          - MustParseBody
          - MustParseBodyWithOpts
          - MustParseExpr
          - MustParseImports
          - MustParseModule
          - MustParseModuleWithOpts
          - MustParsePackage
          - MustParseRef
          - MustParseRule
          - MustParseStatement
          - MustParseStatements
          - MustParseTerm
          - ParseBody
          - ParseBodyWithOpts
          - ParseExpr
          - ParseImports
          - ParseModule
          - ParseModuleWithOpts
          - ParsePackage
          - ParseRef
          - ParseRule
          - ParseStatement
          - ParseStatements
          - ParseStatementsWithOpts
          - ParseTerm
          - Parser.Parse
          - metadataParser.Parse
summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
description: |
    An issue in ast.Parser in Open Policy Agent causes the application to
    incorrectly interpret expressions, allowing a Denial of Service (DoS)
    via triggering out-of-range memory access.    
published: 2022-05-20T00:00:26Z
cves:
  - CVE-2022-28946
ghsas:
  - GHSA-x7f3-62pm-9p38
credits:
  - Norbert Szetei of Doyensec
references:
  - fix: https://github.com/open-policy-agent/opa/pull/4548
  - fix: https://github.com/open-policy-agent/opa/commit/e9d3828db670cbe11129885f37f08cbf04935264