Maceo Thompson submitted this change.
data: add the saved CVE 5.0 JSON records and associated testing
Tests now enforce that a CVE JSON 5.0 record is stored in data/cve/v5 for each YAML report that sets cve_metadata.
The now-required files for all existing reports are added.
Fixes golang/go#56302
Change-Id: I0731792cd80e672d5be7e753370d6f97e450562d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/444576
Reviewed-by: Maceo Thompson <maceot...@google.com>
TryBot-Result: Gopher Robot <go...@golang.org>
Run-TryBot: Maceo Thompson <maceot...@google.com>
Reviewed-by: Tatiana Bradley <tat...@golang.org>
---
M all_test.go
A data/cve/v5/GO-2020-0001.json
A data/cve/v5/GO-2020-0003.json
A data/cve/v5/GO-2020-0004.json
A data/cve/v5/GO-2020-0020.json
A data/cve/v5/GO-2020-0022.json
A data/cve/v5/GO-2020-0023.json
A data/cve/v5/GO-2020-0024.json
A data/cve/v5/GO-2020-0025.json
A data/cve/v5/GO-2020-0032.json
A data/cve/v5/GO-2020-0033.json
A data/cve/v5/GO-2020-0034.json
A data/cve/v5/GO-2020-0035.json
A data/cve/v5/GO-2020-0037.json
A data/cve/v5/GO-2020-0040.json
A data/cve/v5/GO-2020-0045.json
A data/cve/v5/GO-2020-0047.json
A data/cve/v5/GO-2020-0049.json
A data/cve/v5/GO-2021-0051.json
A data/cve/v5/GO-2021-0061.json
A data/cve/v5/GO-2021-0106.json
A data/cve/v5/GO-2021-0107.json
A data/cve/v5/GO-2022-0391.json
A data/cve/v5/GO-2022-0400.json
A data/cve/v5/GO-2022-0411.json
A data/cve/v5/GO-2022-0422.json
A data/cve/v5/GO-2022-0425.json
A data/cve/v5/GO-2022-0475.json
A data/cve/v5/GO-2022-0476.json
A data/cve/v5/GO-2022-0477.json
A data/cve/v5/GO-2022-0515.json
A data/cve/v5/GO-2022-0520.json
A data/cve/v5/GO-2022-0521.json
A data/cve/v5/GO-2022-0522.json
A data/cve/v5/GO-2022-0523.json
A data/cve/v5/GO-2022-0524.json
A data/cve/v5/GO-2022-0525.json
A data/cve/v5/GO-2022-0526.json
A data/cve/v5/GO-2022-0527.json
A data/cve/v5/GO-2022-0531.json
A data/cve/v5/GO-2022-0532.json
A data/cve/v5/GO-2022-0533.json
A data/cve/v5/GO-2022-0537.json
A data/cve/v5/GO-2022-0956.json
A data/cve/v5/GO-2022-0979.json
A data/cve/v5/GO-2022-0988.json
A data/cve/v5/GO-2022-1026.json
A data/cve/v5/GO-2022-1037.json
A data/cve/v5/GO-2022-1038.json
A data/cve/v5/GO-2022-1039.json
A data/cve/v5/GO-2022-1059.json
51 files changed, 3,632 insertions(+), 0 deletions(-)
diff --git a/all_test.go b/all_test.go
index a8ad8ef..061ca58 100644
--- a/all_test.go
+++ b/all_test.go
@@ -23,6 +23,7 @@
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
vulnc "golang.org/x/vuln/client"
+ "golang.org/x/vulndb/internal/cveschema5"
"golang.org/x/vulndb/internal/database"
"golang.org/x/vulndb/internal/report"
)
@@ -97,6 +98,21 @@
t.Errorf("data/osv/%v.json does not match report:\n%v", generated.ID, diff)
}
}
+ if r.CVEMetadata != nil {
+ generated, err := report.ToCVE5(filename)
+ if err != nil {
+ t.Fatal(err)
+ }
+ cvePath := fmt.Sprintf("data/cve/v5/%v.json", report.GetGoIDFromFilename(filename))
+ current, err := cveschema5.Read(cvePath)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if diff := cmp.Diff(generated, current, cmpopts.EquateEmpty()); diff != "" {
+ t.Errorf("%s does not match report:\n%v", cvePath, diff)
+ }
+
+ }
})
}
}
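Review bot: Nothing in the new block detects a stale record in data/cve/v5: the check guarded by `if r.CVEMetadata != nil` only runs for reports that set cve_metadata, so a JSON file whose report was removed, or whose cve_metadata was dropped, is never compared and silently stays in the repository while the test still passes. A companion check that walks data/cve/v5 and fails on any file without a matching report would close that gap; I am assuming no such check exists elsewhere in all_test.go, since only this hunk of the file is visible. On a smaller point, the `t.Fatal(err)` after `cveschema5.Read` surfaces only the OS error, so a contributor who adds cve_metadata without the record gets no hint that the file is expected to be generated from the report; `t.Fatalf("reading %s (required for every report with cve_metadata): %v", cvePath, err)` would say so. The blank line before the closing brace of the new block is also unneeded. The enclosing test function and its t.Run closure both start outside the hunk.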
diff --git a/data/cve/v5/GO-2020-0001.json b/data/cve/v5/GO-2020-0001.json
new file mode 100644
index 0000000..3bec10a
--- /dev/null
+++ b/data/cve/v5/GO-2020-0001.json
@@ -0,0 +1,76 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36567"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/gin-gonic/gin",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.6.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "LoggerWithConfig"
+ },
+ {
+ "name": "Default"
+ },
+ {
+ "name": "Logger"
+ },
+ {
+ "name": "LoggerWithFormatter"
+ },
+ {
+ "name": "LoggerWithWriter"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-117 Improper Output Neutralization for Logs"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/gin-gonic/gin/pull/2237"
+ },
+ {
+ "url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@thinkerou \u003cth...@gmail.com\u003e"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0003.json b/data/cve/v5/GO-2020-0003.json
new file mode 100644
index 0000000..42a9935
--- /dev/null
+++ b/data/cve/v5/GO-2020-0003.json
@@ -0,0 +1,62 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36568"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/revel/revel",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.0.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/revel/revel/pull/1427"
+ },
+ {
+ "url": "https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605"
+ },
+ {
+ "url": "https://github.com/revel/revel/issues/1424"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@SYM01"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0004.json b/data/cve/v5/GO-2020-0004.json
new file mode 100644
index 0000000..1a20d9a
--- /dev/null
+++ b/data/cve/v5/GO-2020-0004.json
@@ -0,0 +1,76 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36569"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/nanobox-io/golang-nanoauth",
+ "versions": [
+ {
+ "version": "0.0.0-20160722212129-ac0cc4484ad4",
+ "lessThan": "0.0.0-20200131131040-063a3fb69896",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Auth.ServerHTTP"
+ },
+ {
+ "name": "Auth.ListenAndServeTLS"
+ },
+ {
+ "name": "Auth.ListenAndServe"
+ },
+ {
+ "name": "ListenAndServe"
+ },
+ {
+ "name": "ListenAndServeTLS"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-305: Authentication Bypass by Primary Weakness"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/nanobox-io/golang-nanoauth/pull/5"
+ },
+ {
+ "url": "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@bouk"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0020.json b/data/cve/v5/GO-2020-0020.json
new file mode 100644
index 0000000..462c229
--- /dev/null
+++ b/data/cve/v5/GO-2020-0020.json
@@ -0,0 +1,64 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2017-20146"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/gorilla/handlers",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.3.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "cors.ServeHTTP"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 284: Improper Access Control"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/gorilla/handlers/pull/116"
+ },
+ {
+ "url": "https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Evan J Johnson"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0022.json b/data/cve/v5/GO-2020-0022.json
new file mode 100644
index 0000000..fd78a16
--- /dev/null
+++ b/data/cve/v5/GO-2020-0022.json
@@ -0,0 +1,64 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2014-125026"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/cloudflare/golz4",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.0.0-20140711154735-199f5f787806",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Uncompress"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 94: Improper Control of Generation of Code ('Code Injection')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898"
+ },
+ {
+ "url": "https://github.com/cloudflare/golz4/issues/5"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Yann Collet"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0023.json b/data/cve/v5/GO-2020-0023.json
new file mode 100644
index 0000000..b638e3d
--- /dev/null
+++ b/data/cve/v5/GO-2020-0023.json
@@ -0,0 +1,58 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2015-10004"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/robbert229/jwt",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.0.0-20170426191122-ca1404ee6e83",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Algorithm.validateSignature"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 208: Information Exposure Through Timing Discrepancy"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654"
+ },
+ {
+ "url": "https://github.com/robbert229/jwt/issues/12"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0024.json b/data/cve/v5/GO-2020-0024.json
new file mode 100644
index 0000000..8050d2b
--- /dev/null
+++ b/data/cve/v5/GO-2020-0024.json
@@ -0,0 +1,79 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2013-10005"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The RemoteAddr and LocalAddr methods on the returned net.Conn may call themselves, leading to an infinite loop which will crash the program due to a stack overflow."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/btcsuite/go-socks/socks",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.0.0-20130808000456-233bccbb1abe",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "proxiedConn.LocalAddr"
+ },
+ {
+ "name": "proxiedConn.RemoteAddr"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ },
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/btcsuitereleases/go-socks/socks",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.0.0-20130808000456-233bccbb1abe",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "proxiedConn.LocalAddr"
+ },
+ {
+ "name": "proxiedConn.RemoteAddr"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/btcsuite/go-socks/commit/233bccbb1abe02f05750f7ace66f5bffdb13defc"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0025.json b/data/cve/v5/GO-2020-0025.json
new file mode 100644
index 0000000..c68ebef
--- /dev/null
+++ b/data/cve/v5/GO-2020-0025.json
@@ -0,0 +1,82 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2018-25046"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/cloudfoundry/archiver",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.0.0-20180523222229-09b5706aa936",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "tgzExtractor.Extract"
+ },
+ {
+ "name": "zipExtractor.Extract"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ },
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "code.cloudfoundry.org/archiver",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.0.0-20180523222229-09b5706aa936",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "tgzExtractor.Extract"
+ },
+ {
+ "name": "zipExtractor.Extract"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 29: Path Traversal: \"\\..\\filename\""
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840"
+ },
+ {
+ "url": "https://snyk.io/research/zip-slip-vulnerability"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0032.json b/data/cve/v5/GO-2020-0032.json
new file mode 100644
index 0000000..0ac35a7
--- /dev/null
+++ b/data/cve/v5/GO-2020-0032.json
@@ -0,0 +1,100 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2019-25073"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Improper path santiziation in github.com/goadesign/goa before v3.0.9, v2.0.10, or v1.4.3 allow remote attackers to read files outside of the intended directory."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/goadesign/goa",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.4.3",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Controller.FileHandler"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ },
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "goa.design/goa",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.4.3",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Controller.FileHandler"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ },
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "goa.design/goa/v3",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "3.0.9",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Controller.FileHandler"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory('Path Traversal')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/goadesign/goa/pull/2388"
+ },
+ {
+ "url": "https://github.com/goadesign/goa/commit/70b5a199d0f813d74423993832c424e1fc73fb39"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@christi3k"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0033.json b/data/cve/v5/GO-2020-0033.json
new file mode 100644
index 0000000..d4558be
--- /dev/null
+++ b/data/cve/v5/GO-2020-0033.json
@@ -0,0 +1,76 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36559"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Due to improper santization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "aahframe.work",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.12.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "HTTPEngine.Handle"
+ },
+ {
+ "name": "Application.Run"
+ },
+ {
+ "name": "Application.ServeHTTP"
+ },
+ {
+ "name": "Application.Start"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 23: Relative Path Traversal"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/go-aah/aah/pull/267"
+ },
+ {
+ "url": "https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec"
+ },
+ {
+ "url": "https://github.com/go-aah/aah/issues/266"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@snyff"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0034.json b/data/cve/v5/GO-2020-0034.json
new file mode 100644
index 0000000..99c4f7d
--- /dev/null
+++ b/data/cve/v5/GO-2020-0034.json
@@ -0,0 +1,61 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36560"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/artdarek/go-unzip",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.0.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Unzip.Extract"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 29: Path Traversal: \"\\..\\filename\""
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/artdarek/go-unzip/pull/2"
+ },
+ {
+ "url": "https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0"
+ },
+ {
+ "url": "https://snyk.io/research/zip-slip-vulnerability"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0035.json b/data/cve/v5/GO-2020-0035.json
new file mode 100644
index 0000000..1e50f01
--- /dev/null
+++ b/data/cve/v5/GO-2020-0035.json
@@ -0,0 +1,61 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36561"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/yi-ge/unzip",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.0.3-0.20200308084313-2adbaa4891b9",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Unzip.Extract"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 29: Path Traversal: \"\\..\\filename\""
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/yi-ge/unzip/pull/1"
+ },
+ {
+ "url": "https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73"
+ },
+ {
+ "url": "https://snyk.io/research/zip-slip-vulnerability"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0037.json b/data/cve/v5/GO-2020-0037.json
new file mode 100644
index 0000000..320454a
--- /dev/null
+++ b/data/cve/v5/GO-2020-0037.json
@@ -0,0 +1,64 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2019-25072"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/tendermint/tendermint/rpc/client",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.31.1",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "makeHTTPClient"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/tendermint/tendermint/pull/3430"
+ },
+ {
+ "url": "https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@guagualvcha"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0040.json b/data/cve/v5/GO-2020-0040.json
new file mode 100644
index 0000000..2a234da
--- /dev/null
+++ b/data/cve/v5/GO-2020-0040.json
@@ -0,0 +1,48 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36562"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Due to unchecked type assertions, maliciously crafted messages can cause panics, which may be used as a denial of service vector."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/shiyanhui/dht",
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/shiyanhui/dht/issues/57"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@hMihaiDavid"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0045.json b/data/cve/v5/GO-2020-0045.json
new file mode 100644
index 0000000..940df97
--- /dev/null
+++ b/data/cve/v5/GO-2020-0045.json
@@ -0,0 +1,73 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2016-15005"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CSRF tokens are generated using math/rand, which is not a cryptographically secure rander number generation, making predicting their values relatively trivial and allowing an attacker to bypass CSRF protections which relatively few requests."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/dinever/golf",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.3.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "randomBytes"
+ },
+ {
+ "name": "Context.Render"
+ },
+ {
+ "name": "Context.RenderFromString"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/dinever/golf/pull/24"
+ },
+ {
+ "url": "https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe"
+ },
+ {
+ "url": "https://github.com/dinever/golf/issues/20"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@elithrar"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0047.json b/data/cve/v5/GO-2020-0047.json
new file mode 100644
index 0000000..8cd929a
--- /dev/null
+++ b/data/cve/v5/GO-2020-0047.json
@@ -0,0 +1,53 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36563"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "XML Digital Signatures generated and validated using this package use SHA-1, which may allow an attacker to craft inputs which cause hash collisions depending on their control over the input."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/RobotsAndPencils/go-saml",
+ "programRoutines": [
+ {
+ "name": "AuthnRequest.Validate"
+ },
+ {
+ "name": "NewAuthnRequest"
+ },
+ {
+ "name": "NewSignedResponse"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 328: Use of Weak Hash"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/RobotsAndPencils/go-saml/pull/38"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2020-0049.json b/data/cve/v5/GO-2020-0049.json
new file mode 100644
index 0000000..348f625
--- /dev/null
+++ b/data/cve/v5/GO-2020-0049.json
@@ -0,0 +1,70 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36564"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/justinas/nosurf",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.1.1",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "VerifyToken"
+ },
+ {
+ "name": "verifyToken"
+ },
+ {
+ "name": "CSRFHandler.ServeHTTP"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 345: Insufficient Verification of Data Authenticity"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/justinas/nosurf/pull/60"
+ },
+ {
+ "url": "https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@aeneasr"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2021-0051.json b/data/cve/v5/GO-2021-0051.json
new file mode 100644
index 0000000..58892fd
--- /dev/null
+++ b/data/cve/v5/GO-2021-0051.json
@@ -0,0 +1,73 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36565"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/labstack/echo/v4",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "4.1.18-0.20201215153152-4422e3b66b9f",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "platforms": [
+ "windows"
+ ],
+ "programRoutines": [
+ {
+ "name": "common.static"
+ },
+ {
+ "name": "Echo.Static"
+ },
+ {
+ "name": "Group.Static"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/labstack/echo/pull/1718"
+ },
+ {
+ "url": "https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@little-cui (Apache ServiceComb)"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2021-0061.json b/data/cve/v5/GO-2021-0061.json
new file mode 100644
index 0000000..7eed6b2
--- /dev/null
+++ b/data/cve/v5/GO-2021-0061.json
@@ -0,0 +1,92 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2021-4235"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "gopkg.in/yaml.v2",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "2.2.3",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "decoder.unmarshal"
+ },
+ {
+ "name": "Decoder.Decode"
+ },
+ {
+ "name": "Unmarshal"
+ },
+ {
+ "name": "UnmarshalStrict"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ },
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/go-yaml/yaml",
+ "programRoutines": [
+ {
+ "name": "decoder.unmarshal"
+ },
+ {
+ "name": "Decoder.Decode"
+ },
+ {
+ "name": "Unmarshal"
+ },
+ {
+ "name": "UnmarshalStrict"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/go-yaml/yaml/pull/375"
+ },
+ {
+ "url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@simonferquel"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2021-0106.json b/data/cve/v5/GO-2021-0106.json
new file mode 100644
index 0000000..a2195a1
--- /dev/null
+++ b/data/cve/v5/GO-2021-0106.json
@@ -0,0 +1,58 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36566"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/whyrusleeping/tar-utils",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.0.0-20201201191210-20a61371de5b",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Extractor.outputPath"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227"
+ },
+ {
+ "url": "https://snyk.io/research/zip-slip-vulnerability"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
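Review bot: The description string contains a typo, `santization`, that will be published verbatim in the CVE record: `"value": "Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory."`. The JSON is generated from the YAML report, so the same typo is presumably in the report's description and should be corrected there too, otherwise the test that ties the two together will see the YAML and JSON drift apart on the next regeneration.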
diff --git a/data/cve/v5/GO-2021-0107.json b/data/cve/v5/GO-2021-0107.json
new file mode 100644
index 0000000..18c5319
--- /dev/null
+++ b/data/cve/v5/GO-2021-0107.json
@@ -0,0 +1,58 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2021-4236"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/ecnepsnai/web",
+ "versions": [
+ {
+ "version": "1.4.0",
+ "lessThan": "1.5.2",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Server.socketHandler"
+ },
+ {
+ "name": "Server.Socket"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
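Review bot: The problemTypes entry `CWE-400: Uncontrolled Resource Consumption` does not match the description, which is about skipped AuthenticateMethod hooks leading to a nil pointer dereference or an authentication bypass. `CWE-306: Missing Authentication for Critical Function` (with CWE-476 for the nil dereference) describes what the text says, and a resource-consumption label under-states an authentication bypass for anyone triaging by weakness type. If the value is copied from the YAML report, fix it there so the regenerated JSON stays consistent.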
diff --git a/data/cve/v5/GO-2022-0391.json b/data/cve/v5/GO-2022-0391.json
new file mode 100644
index 0000000..91217e0
--- /dev/null
+++ b/data/cve/v5/GO-2022-0391.json
@@ -0,0 +1,88 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-2582"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/aws/aws-sdk-go/service/s3/s3crypto",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.34.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "encodeMeta"
+ },
+ {
+ "name": "DecryptionClient.GetObject"
+ },
+ {
+ "name": "DecryptionClient.GetObjectWithContext"
+ },
+ {
+ "name": "EncryptionClient.PutObject"
+ },
+ {
+ "name": "EncryptionClient.PutObjectWithContext"
+ },
+ {
+ "name": "S3LoadStrategy.Load"
+ },
+ {
+ "name": "S3SaveStrategy.Save"
+ },
+ {
+ "name": "defaultV2LoadStrategy.Load"
+ },
+ {
+ "name": "kmsKeyHandler.DecryptKey"
+ },
+ {
+ "name": "kmsKeyHandler.DecryptKeyWithContext"
+ },
+ {
+ "name": "kmsKeyHandler.GenerateCipherData"
+ },
+ {
+ "name": "kmsKeyHandler.GenerateCipherDataWithContext"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 311: Missing Encryption of Sensitive Data"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0400.json b/data/cve/v5/GO-2022-0400.json
new file mode 100644
index 0000000..9aa53d6
--- /dev/null
+++ b/data/cve/v5/GO-2022-0400.json
@@ -0,0 +1,58 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-2583"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A race condition can cause incorrect HTTP request routing."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/ntbosscher/gobase/auth/httpauth",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.7.2",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Setup"
+ },
+ {
+ "name": "middleware"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/ntbosscher/gobase/commit/a8d40bce9c429d324122d18c446924dab809e812"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
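Review bot: The problemTypes description `CWE-362 Concurrent Execution ...` uses yet another spelling than the other records in this change (`CWE 400: ...` in GO-2021-0061, `CWE-400: ...` in GO-2021-0107), and the CWE is carried only as free text. Consumers that filter by weakness cannot rely on parsing that string; as I read the 5.0 schema, a problemType description can also carry structured `"type": "CWE"` and `"cweId": "CWE-362"` fields, which would make the classification machine-readable regardless of how the text is spelled. Normalising the text to `CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')` across all records would help too.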
diff --git a/data/cve/v5/GO-2022-0411.json b/data/cve/v5/GO-2022-0411.json
new file mode 100644
index 0000000..9a8307c
--- /dev/null
+++ b/data/cve/v5/GO-2022-0411.json
@@ -0,0 +1,58 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2021-4238"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by these functions."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/Masterminds/goutils",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.1.1",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "RandomAlphaNumeric"
+ },
+ {
+ "name": "CryptoRandomAlphaNumeric"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 330: Use of Insufficiently Random Values"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0422.json b/data/cve/v5/GO-2022-0422.json
new file mode 100644
index 0000000..957173f
--- /dev/null
+++ b/data/cve/v5/GO-2022-0422.json
@@ -0,0 +1,64 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-2584"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The dag-pb codec can panic when decoding invalid blocks."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/ipld/go-codec-dagpb",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.3.1",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "DecodeBytes"
+ },
+ {
+ "name": "Decode"
+ },
+ {
+ "name": "Decoder"
+ },
+ {
+ "name": "Unmarshal"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
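Review bot: Labelling a decoder panic as `CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer` overstates the impact: the description only says the codec panics on invalid blocks, and a Go runtime panic is a crash (denial of service), not an out-of-bounds memory access. A downstream reader filtering for memory-corruption weaknesses would misclassify this record; `CWE-20: Improper Input Validation` or CWE-400 for the resulting DoS matches the description better, unless the underlying bug is something the description does not mention. The same value presumably lives in the YAML report and should be changed there.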
diff --git a/data/cve/v5/GO-2022-0425.json b/data/cve/v5/GO-2022-0425.json
new file mode 100644
index 0000000..b748770
--- /dev/null
+++ b/data/cve/v5/GO-2022-0425.json
@@ -0,0 +1,70 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2021-4239"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce. In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/flynn/noise",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.0.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "CipherState.Encrypt"
+ },
+ {
+ "name": "CipherState.Decrypt"
+ },
+ {
+ "name": "symmetricState.EncryptAndHash"
+ },
+ {
+ "name": "HandshakeState.ReadMessage"
+ },
+ {
+ "name": "HandshakeState.WriteMessage"
+ },
+ {
+ "name": "symmetricState.DecryptAndHash"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/flynn/noise/pull/44"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
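Review bot: The single problemTypes entry `CWE 400: Uncontrolled Resource Consumption` covers neither of the two issues the description spells out: nonce counter wrap after 2^64 messages, which is key/nonce reuse (`CWE-323: Reusing a Nonce, Key Pair in Encryption`), and nonce desynchronisation after a failed Decrypt, which is a denial of service (CWE-400 at best). The record would be more accurate with two descriptions in `problemTypes`, one per issue, so the cryptographic weakness is not hidden behind a generic resource-consumption label. As with the other records, the source of truth is presumably the YAML report, so the change belongs there so regeneration keeps the JSON in step.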
diff --git a/data/cve/v5/GO-2022-0475.json b/data/cve/v5/GO-2022-0475.json
new file mode 100644
index 0000000..1e702e3
--- /dev/null
+++ b/data/cve/v5/GO-2022-0475.json
@@ -0,0 +1,100 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-28366"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "cmd/go",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.14.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.15.0",
+ "lessThan": "1.15.5",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Builder.cgo"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ },
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "cmd/cgo",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.14.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.15.0",
+ "lessThan": "1.15.5",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "dynimport"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/269658"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292"
+ },
+ {
+ "url": "https://go.dev/issue/42559"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Chris Brown and Tempus Ex"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0476.json b/data/cve/v5/GO-2022-0476.json
new file mode 100644
index 0000000..e6dda29
--- /dev/null
+++ b/data/cve/v5/GO-2022-0476.json
@@ -0,0 +1,76 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-28367"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "cmd/go",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.14.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.15.0",
+ "lessThan": "1.15.5",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "validCompilerFlags"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/267277"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561"
+ },
+ {
+ "url": "https://go.dev/issue/42556"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Imre Rad"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0477.json b/data/cve/v5/GO-2022-0477.json
new file mode 100644
index 0000000..ebf1cf9
--- /dev/null
+++ b/data/cve/v5/GO-2022-0477.json
@@ -0,0 +1,79 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-30634"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 \u003c\u003c 32 - 1 bytes."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "crypto/rand",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.11",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.3",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "platforms": [
+ "windows"
+ ],
+ "programRoutines": [
+ {
+ "name": "Read"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/402257"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863"
+ },
+ {
+ "url": "https://go.dev/issue/52561"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Davis Goodin and Quim Muntal of Microsoft"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0515.json b/data/cve/v5/GO-2022-0515.json
new file mode 100644
index 0000000..918f4e0
--- /dev/null
+++ b/data/cve/v5/GO-2022-0515.json
@@ -0,0 +1,103 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-1962"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "go/parser",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "ParseFile"
+ },
+ {
+ "name": "ParseExprFrom"
+ },
+ {
+ "name": "parser.tryIdentOrType"
+ },
+ {
+ "name": "parser.parsePrimaryExpr"
+ },
+ {
+ "name": "parser.parseUnaryExpr"
+ },
+ {
+ "name": "parser.parseBinaryExpr"
+ },
+ {
+ "name": "parser.parseIfStmt"
+ },
+ {
+ "name": "parser.parseStmt"
+ },
+ {
+ "name": "resolver.openScope"
+ },
+ {
+ "name": "resolver.closeScope"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-674: Uncontrolled Recursion"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/417063"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879"
+ },
+ {
+ "url": "https://go.dev/issue/53616"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Juho Nurminen of Mattermost"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0520.json b/data/cve/v5/GO-2022-0520.json
new file mode 100644
index 0000000..e47f06f
--- /dev/null
+++ b/data/cve/v5/GO-2022-0520.json
@@ -0,0 +1,76 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-32148"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "net/http",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Header.Clone"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-200: Information Exposure"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/412857"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a"
+ },
+ {
+ "url": "https://go.dev/issue/53423"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Christian Mehlmauer"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0521.json b/data/cve/v5/GO-2022-0521.json
new file mode 100644
index 0000000..4f65117
--- /dev/null
+++ b/data/cve/v5/GO-2022-0521.json
@@ -0,0 +1,76 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-28131"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "encoding/xml",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Decoder.Skip"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-674: Uncontrolled Recursion"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/417062"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3"
+ },
+ {
+ "url": "https://go.dev/issue/53614"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Go Security Team and Juho Nurminen of Mattermost"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0522.json b/data/cve/v5/GO-2022-0522.json
new file mode 100644
index 0000000..6d8dd5e
--- /dev/null
+++ b/data/cve/v5/GO-2022-0522.json
@@ -0,0 +1,76 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-30632"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "path/filepath",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Glob"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-674: Uncontrolled Recursion"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/417066"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/ac68c6c683409f98250d34ad282b9e1b0c9095ef"
+ },
+ {
+ "url": "https://go.dev/issue/53416"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Juho Nurminen of Mattermost"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0523.json b/data/cve/v5/GO-2022-0523.json
new file mode 100644
index 0000000..2785082
--- /dev/null
+++ b/data/cve/v5/GO-2022-0523.json
@@ -0,0 +1,76 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-30633"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "encoding/xml",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Decoder.DecodeElement"
+ },
+ {
+ "name": "Decoder.unmarshal"
+ },
+ {
+ "name": "Decoder.unmarshalPath"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-674: Uncontrolled Recursion"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/417061"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08"
+ },
+ {
+ "url": "https://go.dev/issue/53611"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0524.json b/data/cve/v5/GO-2022-0524.json
new file mode 100644
index 0000000..042ec98
--- /dev/null
+++ b/data/cve/v5/GO-2022-0524.json
@@ -0,0 +1,70 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-30631"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "compress/gzip",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Reader.Read"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-674: Uncontrolled Recursion"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/417067"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/b2b8872c876201eac2d0707276c6999ff3eb185e"
+ },
+ {
+ "url": "https://go.dev/issue/53168"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0525.json b/data/cve/v5/GO-2022-0525.json
new file mode 100644
index 0000000..28d01d9
--- /dev/null
+++ b/data/cve/v5/GO-2022-0525.json
@@ -0,0 +1,79 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-1705"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "net/http",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "transferReader.parseTransferEncoding"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/409874"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f"
+ },
+ {
+ "url": "https://go.dev/issue/53188"
+ },
+ {
+ "url": "https://go.dev/cl/410714"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Zeyu Zhang (https://www.zeyu2001.com/)"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0526.json b/data/cve/v5/GO-2022-0526.json
new file mode 100644
index 0000000..4724bbc
--- /dev/null
+++ b/data/cve/v5/GO-2022-0526.json
@@ -0,0 +1,76 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-30635"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "encoding/gob",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Decoder.decIgnoreOpFor"
+ },
+ {
+ "name": "Decoder.compileIgnoreSingle"
+ },
+ {
+ "name": "Decoder.compileDec"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-674: Uncontrolled Recursion"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/417064"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/6fa37e98ea4382bf881428ee0c150ce591500eb7"
+ },
+ {
+ "url": "https://go.dev/issue/53615"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0527.json b/data/cve/v5/GO-2022-0527.json
new file mode 100644
index 0000000..5de7619
--- /dev/null
+++ b/data/cve/v5/GO-2022-0527.json
@@ -0,0 +1,70 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-30630"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "io/fs",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.12",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Glob"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-674: Uncontrolled Recursion"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/417065"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59"
+ },
+ {
+ "url": "https://go.dev/issue/53415"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0531.json b/data/cve/v5/GO-2022-0531.json
new file mode 100644
index 0000000..10634d0
--- /dev/null
+++ b/data/cve/v5/GO-2022-0531.json
@@ -0,0 +1,76 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-30629"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "crypto/tls",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.11",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.3",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "serverHandshakeStateTLS13.sendSessionTickets"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-200: Information Exposure"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/405994"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5"
+ },
+ {
+ "url": "https://go.dev/issue/52814"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Github user @nervuri"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0532.json b/data/cve/v5/GO-2022-0532.json
new file mode 100644
index 0000000..492bba3
--- /dev/null
+++ b/data/cve/v5/GO-2022-0532.json
@@ -0,0 +1,79 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-30580"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either \"..com\" or \"..exe\" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "os/exec",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.11",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.3",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "platforms": [
+ "windows"
+ ],
+ "programRoutines": [
+ {
+ "name": "Cmd.Start"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/403759"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e"
+ },
+ {
+ "url": "https://go.dev/issue/52574"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Chris Darroch (chris...@github.com), brian m. carlson (bk2...@github.com),\nand Mikhail Shcherbakov (https://twitter.com/yu5k3)\n"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
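Review bot: The credits value in this record carries an embedded `\n` and a trailing `\n`, which looks like a YAML block scalar copied through verbatim rather than a deliberate line break; consumers of the CVE record will render those as literal newlines. The value should be a single trimmed line, e.g. `"value": "Chris Darroch (chris...@github.com), brian m. carlson (bk2...@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3)"`. The same trailing `\n` appears in the credits of GO-2022-1038; if these files are produced by a generator, trimming there would fix both.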
diff --git a/data/cve/v5/GO-2022-0533.json b/data/cve/v5/GO-2022-0533.json
new file mode 100644
index 0000000..ee6e242
--- /dev/null
+++ b/data/cve/v5/GO-2022-0533.json
@@ -0,0 +1,79 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-29804"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "path/filepath",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.11",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.3",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "platforms": [
+ "windows"
+ ],
+ "programRoutines": [
+ {
+ "name": "Clean"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/401595"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290"
+ },
+ {
+ "url": "https://go.dev/issue/52476"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Unrud"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0537.json b/data/cve/v5/GO-2022-0537.json
new file mode 100644
index 0000000..79dfb6b
--- /dev/null
+++ b/data/cve/v5/GO-2022-0537.json
@@ -0,0 +1,79 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-32189"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "math/big",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.17.13",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.18.0",
+ "lessThan": "1.18.5",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Float.GobDecode"
+ },
+ {
+ "name": "Rat.GobDecode"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/417774"
+ },
+ {
+ "url": "https://go.googlesource.com/go/+/055113ef364337607e3e72ed7d48df67fde6fc66"
+ },
+ {
+ "url": "https://go.dev/issue/53871"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/YqYYG87xB10"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@catenacyber"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
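Review bot: The problemType description here is written as `CWE 400: Uncontrolled Resource Consumption` while the other records in this change use the hyphenated form (`CWE-674:`, `CWE-200:`, `CWE-94:`, `CWE-22:`, `CWE-444:`); the same unhyphenated spelling recurs in GO-2022-0956, GO-2022-0979 (`CWE 347`), GO-2022-1026 (`CWE 295`), GO-2022-1037, GO-2022-1039 and GO-2022-1059. Since the test added by this change only checks that a file exists per YAML report, nothing enforces a consistent spelling, so a downstream consumer matching on the prefix will miss half the records; normalizing to `"description": "CWE-400: Uncontrolled Resource Consumption"` (or additionally populating the schema's `cweId` field) would make them machine-comparable. Separately, the description in this record says `Rat GobDecode` where the programRoutines entry and the rest of the sentence use `Rat.GobDecode`; the missing dot reads as a typo.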
diff --git a/data/cve/v5/GO-2022-0956.json b/data/cve/v5/GO-2022-0956.json
new file mode 100644
index 0000000..60d3ef2
--- /dev/null
+++ b/data/cve/v5/GO-2022-0956.json
@@ -0,0 +1,73 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-3064"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "gopkg.in/yaml.v2",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "2.2.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "decoder.unmarshal"
+ },
+ {
+ "name": "yaml_parser_increase_flow_level"
+ },
+ {
+ "name": "yaml_parser_roll_indent"
+ },
+ {
+ "name": "Decoder.Decode"
+ },
+ {
+ "name": "Unmarshal"
+ },
+ {
+ "name": "UnmarshalStrict"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5"
+ },
+ {
+ "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-0979.json b/data/cve/v5/GO-2022-0979.json
new file mode 100644
index 0000000..5a2920b
--- /dev/null
+++ b/data/cve/v5/GO-2022-0979.json
@@ -0,0 +1,42 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-3346"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/peterzen/goresolver",
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 347: Improper Verification of Cryptographic Signature"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/peterzen/goresolver/issues/5"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
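Review bot: The single `affected` entry has no `versions` array, so with `"defaultStatus": "unaffected"` the record as written asserts that no version of github.com/peterzen/goresolver is affected, which contradicts its own description of a DNSSEC validation bypass. If the YAML report lists no fixed version (the linked issue suggests none was available when this was filed), the entry should read `"defaultStatus": "affected"`; if it does list a range, that range needs to be carried into `versions`. GO-2022-1026 has the same shape and the same problem.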
diff --git a/data/cve/v5/GO-2022-0988.json b/data/cve/v5/GO-2022-0988.json
new file mode 100644
index 0000000..961f59c
--- /dev/null
+++ b/data/cve/v5/GO-2022-0988.json
@@ -0,0 +1,70 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-32190"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath(\"https://go.dev\", \"../go\") returns the URL \"https://go.dev/../go\", despite the JoinPath documentation stating that ../ path elements are removed from the result."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "net/url",
+ "versions": [
+ {
+ "version": "1.19.0",
+ "lessThan": "1.19.1",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "URL.JoinPath"
+ },
+ {
+ "name": "JoinPath"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
+ },
+ {
+ "url": "https://go.dev/issue/54385"
+ },
+ {
+ "url": "https://go.dev/cl/423514"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@q0jt"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-1026.json b/data/cve/v5/GO-2022-1026.json
new file mode 100644
index 0000000..3fa0715
--- /dev/null
+++ b/data/cve/v5/GO-2022-1026.json
@@ -0,0 +1,42 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-3347"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/peterzen/goresolver",
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 295: Improper Certificate Validation"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-1037.json b/data/cve/v5/GO-2022-1037.json
new file mode 100644
index 0000000..b12c6d2
--- /dev/null
+++ b/data/cve/v5/GO-2022-1037.json
@@ -0,0 +1,85 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-2879"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "archive/tar",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.18.7",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.19.0",
+ "lessThan": "1.19.2",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Reader.next"
+ },
+ {
+ "name": "parsePAX"
+ },
+ {
+ "name": "Writer.writePAXHeader"
+ },
+ {
+ "name": "Reader.Next"
+ },
+ {
+ "name": "Writer.WriteHeader"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/issue/54853"
+ },
+ {
+ "url": "https://go.dev/cl/439355"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Adam Korczynski (ADA Logics) and OSS-Fuzz"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-1038.json b/data/cve/v5/GO-2022-1038.json
new file mode 100644
index 0000000..b4756ee
--- /dev/null
+++ b/data/cve/v5/GO-2022-1038.json
@@ -0,0 +1,73 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-2880"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "net/http/httputil",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.18.7",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.19.0",
+ "lessThan": "1.19.2",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "ReverseProxy.ServeHTTP"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-444: Inconsistent Interpretation of HTTP Requests"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/issue/54663"
+ },
+ {
+ "url": "https://go.dev/cl/432976"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye)\n"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
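Review bot: The description contains `after the ReverseProxy. Director function returns`, where the space after the period splits the identifier `ReverseProxy.Director` into two sentences and changes the meaning of the text; it should read `... is set after the ReverseProxy.Director function returns, ...`. This is likely a line-wrap artifact from the YAML source rather than an intentional edit, so it is worth checking the report text as well as this generated record.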
diff --git a/data/cve/v5/GO-2022-1039.json b/data/cve/v5/GO-2022-1039.json
new file mode 100644
index 0000000..5d61b51
--- /dev/null
+++ b/data/cve/v5/GO-2022-1039.json
@@ -0,0 +1,85 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-41715"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "regexp/syntax",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.18.7",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.19.0",
+ "lessThan": "1.19.2",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "parser.push"
+ },
+ {
+ "name": "parser.repeat"
+ },
+ {
+ "name": "parser.factor"
+ },
+ {
+ "name": "parse"
+ },
+ {
+ "name": "Parse"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/issue/55949"
+ },
+ {
+ "url": "https://go.dev/cl/439356"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Adam Korczynski (ADA Logics) and OSS-Fuzz"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/cve/v5/GO-2022-1059.json b/data/cve/v5/GO-2022-1059.json
new file mode 100644
index 0000000..e451d73
--- /dev/null
+++ b/data/cve/v5/GO-2022-1059.json
@@ -0,0 +1,70 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-32149"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse."
+ }
+ ],
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "golang.org/x/text/language",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.3.8",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "ParseAcceptLanguage"
+ },
+ {
+ "name": "MatchStrings"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/issue/56152"
+ },
+ {
+ "url": "https://go.dev/cl/442235"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Adam Korczynski (ADA Logics) and OSS-Fuzz"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file