The Go Vulnerability Database


The Go Vulnerability Database golang.org/x/vulndb

This repository is a prototype of the Go Vulnerability Database. Read the Draft Design.

Neither the code, nor the data, nor the existence of this repository is to be considered stable until there is an approved proposal.

Important: vulnerability entries in this repository are represented in an internal, unstable format that can and will change without notice.

Consuming database entries

Database clients must not rely on the contents of this repository. Instead, they can access the tree of JSON entries rooted at

https://storage.googleapis.com/go-vulndb/

An index.json file maps package names to last-modified timestamps. For each package name, a NAME.json file contains a list of vulnerability entries.

Note that this path and format are provisional and likely to change until there is an approved proposal.
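The layout just described (index.json keyed by package path, then one NAME.json per package) is enough to write a small consumer. The following Go program is an added example, not code from the golang.org/x/vulndb repository or its client package. It decodes a constructed index.json and a constructed entry file whose shape copies the provisional JSON entry shown in the "Include module names" issue further down this page (the ID GO-2021-0079, alias and Fixed version are taken from that issue; the package github.com/example/other and the cache timestamps are made up), uses the index timestamps to decide which per-package files a cached client must re-fetch, and then checks whether a given module version falls inside an entry's affected ranges. The version comparison is a deliberately minimal semver ordering written for this example (numeric major.minor.patch, pre-release below release, pseudo-versions treated as pre-releases); a real client would use golang.org/x/mod/semver.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Index mirrors index.json: package path -> last-modified timestamp.
type Index map[string]time.Time

// Entry mirrors the provisional entry shape shown in the "Include module names"
// issue on this page; fields not needed here are ignored by the decoder.
type Entry struct {
	ID      string   `json:"ID"`
	Aliases []string `json:"Aliases"`
	Package struct {
		Name string `json:"Name"`
	} `json:"Package"`
	Affects struct {
		Ranges []struct {
			Introduced string `json:"Introduced"`
			Fixed      string `json:"Fixed"`
		} `json:"Ranges"`
	} `json:"Affects"`
}

// Constructed sample data (not fetched from storage.googleapis.com). GO-2021-0079
// and its Fixed version are copied from the issue on this page;
// github.com/example/other is a made-up package path.
const sampleIndex = `{"github.com/bytom/bytom/p2p/discover": "2021-04-14T12:00:00Z",
  "github.com/example/other": "2021-01-01T00:00:00Z"}`

const sampleEntries = `[{
  "ID": "GO-2021-0079", "Modified": "2021-04-14T12:00:00Z", "Withdrawn": null,
  "Aliases": ["CVE-2018-18206"],
  "Package": {"Name": "github.com/bytom/bytom/p2p/discover", "Ecosystem": "go"},
  "Affects": {"Ranges": [{"Type": 2, "Introduced": "", "Fixed": "v1.0.4-0.20180831054840-1ac3c8ac4f2b"}]}
}]`

func ParseIndex(data []byte) (Index, error) {
	var idx Index
	return idx, json.Unmarshal(data, &idx)
}

func ParseEntries(data []byte) ([]Entry, error) {
	var entries []Entry
	return entries, json.Unmarshal(data, &entries)
}

// StalePackages returns the dependencies whose index.json timestamp is newer
// than the cached copy (or that are not cached at all), so a client re-fetches
// only those NAME.json files. Packages absent from the index have no entries.
func StalePackages(idx Index, cached map[string]time.Time, deps []string) []string {
	var stale []string
	for _, pkg := range deps {
		modified, ok := idx[pkg]
		if !ok {
			continue
		}
		if seen, ok := cached[pkg]; !ok || modified.After(seen) {
			stale = append(stale, pkg)
		}
	}
	return stale
}

// parseVersion splits "v1.2.3-pre" into its numeric core and pre-release suffix.
// Pseudo-versions such as v1.0.4-0.20180831054840-1ac3c8ac4f2b are pre-releases
// of v1.0.4 and therefore sort below it.
func parseVersion(v string) ([3]int, string) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var nums [3]int
	for i, part := range strings.SplitN(core, ".", 3) {
		if n, err := strconv.Atoi(part); err == nil {
			nums[i] = n
		}
	}
	return nums, pre
}

// versionLess is a minimal semver ordering written for this example.
func versionLess(a, b string) bool {
	ca, pa := parseVersion(a)
	cb, pb := parseVersion(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	if pa == "" || pb == "" {
		return pa != "" && pb == "" // a pre-release sorts before its release
	}
	return pa < pb
}

// Affected reports whether version lies in any of the entry's ranges. An empty
// Introduced means "from the first version"; an empty Fixed means "not fixed yet".
func Affected(e Entry, version string) bool {
	for _, r := range e.Affects.Ranges {
		introduced := r.Introduced
		if introduced == "" {
			introduced = "v0.0.0"
		}
		if versionLess(version, introduced) {
			continue
		}
		if r.Fixed == "" || versionLess(version, r.Fixed) {
			return true
		}
	}
	return false
}

func main() {
	idx, _ := ParseIndex([]byte(sampleIndex))
	deps := []string{"github.com/bytom/bytom/p2p/discover"}
	fmt.Println("to fetch:", StalePackages(idx, map[string]time.Time{}, deps))
	entries, _ := ParseEntries([]byte(sampleEntries))
	for _, v := range []string{"v1.0.3", "v1.0.4"} {
		fmt.Printf("%s %s affected=%v %v\n", entries[0].Package.Name, v, Affected(entries[0], v), entries[0].Aliases)
	}
}
```

Only packages that are both in the client's dependency set and listed in index.json are fetched, which keeps a cached client from re-downloading every entry file on each run; the range check treats the pseudo-version Fixed value as a pre-release of v1.0.4, so v1.0.3 is reported as affected and v1.0.4 is not.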

Packages

Some of these packages can probably be coalesced, but for now are easier to work on in a more segmented fashion.

  • report provides a package for parsing and linting TOML reports
  • osv provides a package for generating OSV-style JSON vulnerability entries from a report.Report
  • client contains a client for accessing HTTP- or filesystem-based vulnerability databases, as well as a minimal caching implementation
  • cmd/gendb provides a tool for converting TOML reports into a JSON database
  • cmd/genhtml provides a tool for converting TOML reports into an HTML website
  • cmd/linter provides a tool for linting individual reports
  • cmd/report2cve provides a tool for converting TOML reports into JSON CVEs

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at https://storage.googleapis.com/go-vulndb/ are distributed under the terms of the CC-BY 4.0 license.

Issues
  • cmd/gendb: fix flag defaults

    Looks like the usage specification is wrong.

    Before:

    $ gendb -h
    Usage of gendb:
      -out string
             (default "Directory to write JSON database to")
      -reports string
             (default "Directory containing toml reports")
    

    After:

    $ gendb -h
    Usage of /var/folders/j7/pvz71jxn637dqd96gm80nhwm0000gn/T/go-build330871962/b001/exe/main:
      -out string
            Directory to write JSON database to (default "out")
      -reports string
            Directory containing toml reports (default "reports")
    
    cla: yes 
    opened by knqyf263 6
  • x/vulndb: potential Go vuln in std: CVE-2022-30634

    We need to update this record with MITRE and add a report to the database:

    https://github.com/CVEProject/cvelist/blob/acbd94267acd7a8750b7bbbea1d899a7f2bc3da1/2022/30xxx/CVE-2022-30634.json

    stdlib cve-year-2022 
    opened by julieqiu 4
  • x/vulndb: potential Go vuln in std: CVE-2022-23773

    In CVE-2022-23773, the reference URL std (and possibly others) refers to something in Go.

    module: std
    package: std
    description: |
        cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
    cves:
      - CVE-2022-23773
    links:
        context:
          - https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
    
    

    See doc/triage.md for instructions on how to triage this report.

    NeedsReport stdlib cve-year-2022 
    opened by GoVulnBot 4
  • Include module names

    Hi, thank you for the great database!

    Looks like the current JSON API is missing module names. For example, the following YAML file includes the module name as well as the package name.

    module: github.com/bytom/bytom
    package: github.com/bytom/bytom/p2p/discover
    

    https://github.com/golang/vulndb/blob/e0c00fae09e687ec6febda47ae3bc7552fc7b988/reports/GO-2021-0079.yaml#L1

    On the other hand, the API doesn't include it.

    $ curl https://storage.googleapis.com/go-vulndb/github.com/bytom/bytom/p2p/discover.json | jq .
    
    [
      {
        "ID": "GO-2021-0079",
        "Published": "2021-04-14T12:00:00Z",
        "Modified": "2021-04-14T12:00:00Z",
        "Withdrawn": null,
        "Aliases": [
          "CVE-2018-18206"
        ],
        "Package": {
          "Name": "github.com/bytom/bytom/p2p/discover",
          "Ecosystem": "go"
        },
        "Details": "A malformed query can cause an out-of-bounds panic due to improper\nvalidation of arguments. If processing queries from untrusted\nparties, this may be used as a vector for denial of service\nattacks.\n",
        "Affects": {
          "Ranges": [
            {
              "Type": 2,
              "Introduced": "",
              "Fixed": "v1.0.4-0.20180831054840-1ac3c8ac4f2b"
            }
          ]
        },
        "References": [
          {
            "Type": "code review",
            "URL": "https://github.com/Bytom/bytom/pull/1307"
          },
          {
            "Type": "fix",
            "URL": "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
          }
        ],
        "Extra": {
          "Go": {
            "Symbols": [
              "Network.checkTopicRegister"
            ],
            "URL": "https://go.googlesource.com/vulndb/+/refs/heads/main/reports/GO-2021-0079.toml"
          }
        }
      }
    ]
    

    Is it possible to include it?

    opened by knqyf263 4
  • x/vulndb: potential Go vuln in std: CVE-2020-28366

    This was originally marked as a false positive, but we have since decided to include all standard library vulnerabilities, including ones that are not importable.

    https://github.com/CVEProject/cvelist/blob/master/2020/28xxx/CVE-2020-28366.json

    stdlib cve-year-2020 
    opened by julieqiu 3
  • x/vulndb: potential Go vuln in github.com/hashicorp/go-getter: CVE-2022-30323

    CVE-2022-30323 references github.com/hashicorp/go-getter, which may be a Go module.

    Description: HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 3 of 3).

    Links:

    • NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-30323
    • JSON: https://github.com/CVEProject/cvelist/tree/ee44ec79ace298fd07b44c86fc38928d9785cdff/2022/30xxx/CVE-2022-30323.json
    • https://discuss.hashicorp.com
    • https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
    • https://github.com/hashicorp/go-getter/releases

    See doc/triage.md for instructions on how to triage this report.

    module: github.com/hashicorp/go-getter
    package: n/a
    description: |
        HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 3 of 3).
    cves:
      - CVE-2022-30323
    links:
        context:
          - https://discuss.hashicorp.com
          - https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
          - https://github.com/hashicorp/go-getter/releases
    
    
    opened by GoVulnBot 3
  • x/vulndb: potential Go vuln in github.com/hashicorp/go-getter: CVE-2022-30322

    CVE-2022-30322 references github.com/hashicorp/go-getter, which may be a Go module.

    Description: HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 2 of 3).

    Links:

    • NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-30322
    • JSON: https://github.com/CVEProject/cvelist/tree/ee44ec79ace298fd07b44c86fc38928d9785cdff/2022/30xxx/CVE-2022-30322.json
    • https://discuss.hashicorp.com
    • https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
    • https://github.com/hashicorp/go-getter/releases

    See doc/triage.md for instructions on how to triage this report.

    module: github.com/hashicorp/go-getter
    package: n/a
    description: |
        HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 2 of 3).
    cves:
      - CVE-2022-30322
    links:
        context:
          - https://discuss.hashicorp.com
          - https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
          - https://github.com/hashicorp/go-getter/releases
    
    
    opened by GoVulnBot 3
  • x/vulndb: potential Go vuln in github.com/hashicorp/go-getter: CVE-2022-30321

    CVE-2022-30321 references github.com/hashicorp/go-getter, which may be a Go module.

    Description: HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 1 of 3).

    Links:

    • NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-30321
    • JSON: https://github.com/CVEProject/cvelist/tree/ee44ec79ace298fd07b44c86fc38928d9785cdff/2022/30xxx/CVE-2022-30321.json
    • https://discuss.hashicorp.com
    • https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
    • https://github.com/hashicorp/go-getter/releases

    See doc/triage.md for instructions on how to triage this report.

    module: github.com/hashicorp/go-getter
    package: n/a
    description: |
        HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 1 of 3).
    cves:
      - CVE-2022-30321
    links:
        context:
          - https://discuss.hashicorp.com
          - https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
          - https://github.com/hashicorp/go-getter/releases
    
    
    opened by GoVulnBot 3
  • x/vulndb: potential Go vuln in github.com/ipld/go-ipfs: GHSA-mcq2-w56r-5w2w

    In GitHub Security Advisory GHSA-mcq2-w56r-5w2w, there is a vulnerability in the following Go packages or modules:

    | Unit | Fixed | Vulnerable Ranges |
    | - | - | - |
    | github.com/ipld/go-ipfs | 0.11.1 | < 0.11.1 |
    | github.com/ipld/go-ipfs | 0.12.2 | >= 0.12.0, < 0.12.2 |

    See doc/triage.md for instructions on how to triage this report.

    package: github.com/ipld/go-ipfs
    additional_packages:
      - package: github.com/ipld/go-ipfs
        versions:
          - introduced: v0.12.0
            fixed: v0.12.2
    versions:
      - introduced: v0.0.0
        fixed: v0.11.1
    description: "### Impact\ngo-ipfs nodes with versions 0.10.0, 0.11.0, 0.12.0, or 0.12.1
        can crash when trying to traverse certain malformed graphs due to an issue in
        the go-codec-dagpb dependency.  Vulnerable nodes that work with these malformed
        graphs may crash leading to denial-of-service risks.\n\nThis particularly impacts
        nodes that download or export data that is controlled by external user input as
        there is the possibility that a malicious user of those services could (intentionally
        or unintentionally) cause the node to traverse a malformed graph. Some notable
        use cases include public gateways and pinning services which fetch data on behalf
        of users, as well as applications such as IPFS Companion which load data based
        on a user visiting a website with links to IPFS URLs.\n\n### Patches\nVersions
        v0.11.1 and v0.12.2 both resolve this issue. This should make it easy to upgrade,
        even if you have not yet performed the v0.12.0 migration.\n\nFor those running
        on forked versions of go-ipfs or who are on v0.10.0 and are having trouble with
        the v0.11.0 breaking changes, simply updating the version of `go-codec-dagpb`
        you are using to >=v1.3.2 should resolve the issue.\n\nAny users of libraries
        within the go-ipfs ecosystem, even if not the go-ipfs package or binary itself,
        may be affected and should upgrade their dependency on go-codec-dagpb. You can
        check if your Go module has a dependency on `go-codec-dagpb` by running a command
        such as `go mod graph | grep go-codec-dagpb` in your module root.\n\n### Workarounds\nThe
        best way to workaround this issue is to control exposure to any endpoints that
        allow for arbitrary IPLD traversals. This primarily includes the HTTP RPC API
        (https://docs.ipfs.io/reference/http/api ) and the Gateway API.  If you are exposing
        those APIs, then do so within an environment where only trusted users and applications
        you control have access to it.  You should be safe as long as your users and applications
        do not create malformed graphs, which should not happen using standard `go-ipfs`
        tooling.\n\nIf you previously had a more open access environment, then closing
        off access will only be sufficient if both of the following are true:\n* The experimental
        GraphSync feature is disabled (https://github.com/ipfs/go-ipfs/blob/master/docs/experimental-features.md#graphsync)
        \n* The only data being accessed is non-malformed data\n\n### References\nSee
        also the [go-codec-dagpb security advisory](https://github.com/ipld/go-codec-dagpb/security/advisories/GHSA-g3vv-g2j5-45f2).\n\n###
        For more information\nIf you have any questions or comments about this advisory:\n\n*
        Ask in [IPFS Discord #ipfs-chatter](https://discord.gg/ipfs)\n* Open an issue
        in [go-ipfs](https://github.com/ipld/go-ipfs)"
    published: 2022-04-08T22:09:23Z
    last_modified: 2022-04-12T21:40:52Z
    ghsas:
      - GHSA-mcq2-w56r-5w2w
    
    
    excluded: EFFECTIVELY_PRIVATE 
    opened by GoVulnBot 3
  • x/vulndb: potential Go vuln in github.com/russellhaering/goxmldsig: GHSA-rrfw-hg9m-j47h

    In GitHub Security Advisory GHSA-rrfw-hg9m-j47h, there is a vulnerability in the following Go packages or modules:

    | Unit | Fixed | Vulnerable Ranges |
    | - | - | - |
    | github.com/russellhaering/goxmldsig | 0.4.2 | <= 0.4.1 |

    See doc/triage.md for instructions on how to triage this report.

    package: github.com/russellhaering/goxmldsig
    versions:
      - introduced: TODO (earliest fixed "0.4.2", vuln range "<= 0.4.1")
    description: |-
        ### Impact
    
        An authentication bypass exists in the [goxmldsig](https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7) this library uses to determine if SAML assertions are genuine. An attacker could craft a SAML response that would appear to be valid but would not have been genuinely issued by the IDP.
    
        ### Patches
    
        Version 0.4.2 bumps the dependency which should fix the issue.
    
        ### For more information
    
        Please see [the advisory in goxmldsig](https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7)
    
        ## Credits
    
        The original vulnerability was discovered by @jupenur. Thanks to @russellhaering for the heads up.
    published: 2021-05-24T16:59:42Z
    last_modified: 2021-10-08T21:25:29Z
    ghsas:
      - GHSA-rrfw-hg9m-j47h
    
    
    NeedsReport 
    opened by GoVulnBot 3
  • x/vulndb: potential Go vuln in github.com/nats-io/nats-server/v2: GHSA-j756-f273-xhp4

    In GitHub Security Advisory GHSA-j756-f273-xhp4, there is a vulnerability in the following Go packages or modules:

    | Unit | Fixed | Vulnerable Ranges |
    | - | - | - |
    | github.com/nats-io/nats-server/v2 | 2.2.0 | < 2.2.0 |

    See doc/triage.md for instructions on how to triage this report.

    package: github.com/nats-io/nats-server/v2
    versions:
      - introduced: v0.0.0
        fixed: v2.2.0
    description: |-
        (This advisory is canonically <https://advisories.nats.io/CVE/CVE-2021-3127.txt>)
    
        ## Problem Description
    
        The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects.  Some Exports are public, such that anyone can import the
        relevant subjects, and some Exports are private, such that the Import requires a token JWT to prove permission.
    
        The JWT library's validation of the bindings in the Import Token incorrectly warned on mismatches, instead of outright rejecting the token.
    
        As a result, any account can take an Import token used by any other account and re-use it for themselves because the binding to the
        importing account is not rejected, and use it to import *any* Subject from the Exporting account, not just the Subject referenced in the Import Token.
    
        The NATS account-server system treats account JWTs as semi-public information, such that an attacker can easily enumerate all account JWTs and retrieve all Import Tokens from those account JWTs.
    
        The CVE identifier should cover the JWT library repair and the nats-server containing the fixed JWT library, and any other application depending upon the fixed JWT library.
    
    
        ## Affected versions
    
        #### JWT library
    
         * all versions prior to 2.0.1
         * fixed after nats-io/jwt#149 landed (2021-03-14)
    
        #### NATS Server
    
         * Version 2 prior to 2.2.0
           + 2.0.0 through and including 2.1.9 are vulnerable
         * fixed with nats-io/[email protected] (2021-03-14)
    
    
        ## Impact
    
        In deployments with untrusted accounts able to update the Account Server with imports, a malicious account can access any Subject from an account which provides Exported Subjects.
    
        Abuse of this facility requires the malicious actor to upload their tampered Account JWT to the Account Server, providing the service operator with a data-store which can be scanned for signs of abuse.
    
    
        ## Workaround
    
        Deny access to clients to update their account JWT in the account server.
    
    
        ## Solution
    
        Upgrade the JWT dependency in any application using it.
    
        Upgrade the NATS server if using NATS Accounts (with private Exports; Account owners can create those at any time though).
    
        Audit all accounts JWTs to scan for exploit attempts; a Python script to audit the accounts can be found at <https://gist.github.com/philpennock/09d49524ad98043ff11d8a40c2bb0d5a>.
    published: 2021-05-21T16:22:20Z
    last_modified: 2021-05-21T16:22:20Z
    ghsas:
      - GHSA-j756-f273-xhp4
    
    
    duplicate 
    opened by GoVulnBot 3
  • x/vulndb: potential Go vuln in mellium.im/xmpp/websocket: CVE-2022-24968

    Description

    Impact

    If no TLS configuration is provided by the user, the websocket package constructs its own TLS configuration using recommended defaults. When looking up a WSS endpoint using the DNS TXT record method described in XEP-0156: Discovering Alternative XMPP Connection Methods, the ServerName field was incorrectly being set to the name of the server returned by the TXT record request, not the name of the initial server we were attempting to connect to. This means that any attacker that can spoof a DNS record (i.e., in the absence of DNSSEC, DNS-over-TLS, DNS-over-HTTPS, or similar technologies) could redirect the user to a server of their choosing, and as long as it had a valid TLS certificate for itself the connection would succeed, resulting in a MITM situation.

    Patches

    All users should upgrade to v0.21.1 or above.

    Workarounds

    To work around the issue, manually specify a TLS configuration with the correct hostname.

    Affected Modules, Packages, Versions and Symbols

    Module: mellium.im/xmpp
    Package: mellium.im/xmpp/websocket
    Versions:
      - Introduced: 0.18.0
      - Fixed: 0.21.1
    Symbols:
      - Dial
      - DialDirect
      - DialSession
      - NewClient
      - Dialer.Dial
      - Dialer.DialDirect
    
    Module: github.com/example/module
    Package: github.com/example/module/v2/package
    Versions:
      - Fixed: 2.4.5
    Symbols:
      - anotherFunction
    

    Does this vulnerability already have an associated CVE ID?

    Yes

    CVE ID

    CVE-2022-24968

    Credit

    moparisthebest

    CWE ID

    CWE-295

    Pull Request

    https://codeberg.org/mellium/xmpp/pulls/260

    Commit

    https://codeberg.org/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac

    References

    • https://mellium.im/cve/cve-2022-24968/
    • https://nvd.nist.gov/vuln/detail/CVE-2022-24968
    • https://mellium.im/issue/259

    Additional information

    No response

    NeedsReport Direct External Report 
    opened by SamWhited 1
  • x/vulndb: potential Go vuln in go.elastic.co/apm: GHSA-qqc5-rgcc-cjqh

    In GitHub Security Advisory GHSA-qqc5-rgcc-cjqh, there is a vulnerability in the following Go packages or modules:

    | Unit | Fixed | Vulnerable Ranges |
    | - | - | - |
    | go.elastic.co/apm | 1.11.0 | < 1.11.0 |

    See doc/triage.md for instructions on how to triage this report.

    packages:
      - package: go.elastic.co/apm
        versions:
          - fixed: 1.11.0
    description: The Elastic APM agent for Go versions before 1.11.0 can leak sensitive
        HTTP header information when logging the details during an application panic.
        Normally, the APM agent will sanitize sensitive HTTP header details before sending
        the information to the APM server. During an application panic it is possible
        the headers will not be sanitized before being sent.
    published: 2021-05-18T18:34:18Z
    last_modified: 2021-05-18T18:34:18Z
    cves:
      - CVE-2021-22133
    ghsas:
      - GHSA-qqc5-rgcc-cjqh
    links:
        context:
          - https://github.com/advisories/GHSA-qqc5-rgcc-cjqh
    
    
    NeedsReport 
    opened by GoVulnBot 1
  • x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/apiserver: GHSA-pmqp-h87c-mr78

    In GitHub Security Advisory GHSA-pmqp-h87c-mr78, there is a vulnerability in the following Go packages or modules:

    | Unit | Fixed | Vulnerable Ranges |
    | - | - | - |
    | k8s.io/kubernetes/pkg/apiserver | 1.16.2 | >= 1.16.0, < 1.16.2 |
    | k8s.io/kubernetes/pkg/apiserver | 1.15.5 | >= 1.15.0, < 1.15.5 |
    | k8s.io/kubernetes/pkg/apiserver | 1.14.8 | >= 1.14.0, < 1.14.8 |
    | k8s.io/kubernetes/pkg/apiserver | 1.13.12 | >= 1.0.0, < 1.13.12 |

    See doc/triage.md for instructions on how to triage this report.

    packages:
      - package: k8s.io/kubernetes/pkg/apiserver
        versions:
          - introduced: 1.16.0
            fixed: 1.16.2
      - package: k8s.io/kubernetes/pkg/apiserver
        versions:
          - introduced: 1.15.0
            fixed: 1.15.5
      - package: k8s.io/kubernetes/pkg/apiserver
        versions:
          - introduced: 1.14.0
            fixed: 1.14.8
      - package: k8s.io/kubernetes/pkg/apiserver
        versions:
          - introduced: 1.0.0
            fixed: 1.13.12
    description: Improper input validation in the Kubernetes API server in versions v1.0-1.12
        and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized
        users to send malicious YAML or JSON payloads, causing the API server to consume
        excessive CPU or memory, potentially crashing and becoming unavailable. Prior
        to v1.14.0, default RBAC policy authorized anonymous users to submit requests
        that could trigger this vulnerability. Clusters upgraded from a version prior
        to v1.14.0 keep the more permissive policy by default for backwards compatibility.
    published: 2021-05-18T15:38:48Z
    last_modified: 2021-05-18T15:38:48Z
    cves:
      - CVE-2019-11253
    ghsas:
      - GHSA-pmqp-h87c-mr78
    links:
        context:
          - https://github.com/advisories/GHSA-pmqp-h87c-mr78
    
    
    Needs Triage 
    opened by GoVulnBot 0
  • x/vulndb: potential Go vuln in github.com/apache/trafficcontrol: GHSA-pw59-4qgf-jxr8

    In GitHub Security Advisory GHSA-pw59-4qgf-jxr8, there is a vulnerability in the following Go packages or modules:

    | Unit | Fixed | Vulnerable Ranges |
    | - | - | - |
    | github.com/apache/trafficcontrol | 5.0.0 | < 5.0.0 |

    See doc/triage.md for instructions on how to triage this report.

    packages:
      - package: github.com/apache/trafficcontrol
        versions:
          - fixed: 5.0.0
    description: When ORT (now via atstccfg) generates ip_allow.config files in Apache
        Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions
        that allow bad actors to push arbitrary content into and remove arbitrary content
        from CDN cache servers. Additionally, these permissions are potentially extended
        to IP addresses outside the desired range, resulting in them being granted to
        clients possibly outside the CDN architecture.
    published: 2021-12-16T19:20:21Z
    last_modified: 2022-04-12T22:17:55Z
    cves:
      - CVE-2020-17522
    ghsas:
      - GHSA-pw59-4qgf-jxr8
    links:
        context:
          - https://github.com/advisories/GHSA-pw59-4qgf-jxr8
    
    
    Needs Triage 
    opened by GoVulnBot 0
Owner: Go (The Go Programming Language)