data/reports: add symbols to GO-2022-1130.yaml

tatianab · Tatiana Bradley · commit 3c9384c654bd · 2022-12-28T18:06:17.000Z
Aliases: CVE-2022-46146, GHSA-7rg2-cxvp-9p7p Updates #1130 Change-Id: I905dd3fb942d474b63098ae1aac6528e53f533f6 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/459755 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Tatiana Bradley <tatiana@golang.org>
diff --git a/data/osv/GO-2022-1130.json b/data/osv/GO-2022-1130.json
@@ -1,4 +1,5 @@
 {
+  "schema_version": "1.3.1",
   "id": "GO-2022-1130",
   "published": "0001-01-01T00:00:00Z",
   "modified": "0001-01-01T00:00:00Z",
@@ -38,7 +39,14 @@
       "ecosystem_specific": {
         "imports": [
           {
-            "path": "github.com/prometheus/exporter-toolkit/web"
+            "path": "github.com/prometheus/exporter-toolkit/web",
+            "symbols": [
+              "Listen",
+              "ListenAndServe",
+              "Serve",
+              "ServeMultiple",
+              "webHandler.ServeHTTP"
+            ]
           }
         ]
       }
@@ -58,6 +66,5 @@
     {
       "name": "Lei Wan"
     }
-  ],
-  "schema_version": "1.3.1"
+  ]
 }
diff --git a/data/reports/GO-2022-1130.yaml b/data/reports/GO-2022-1130.yaml
@@ -1,20 +1,28 @@
 modules:
-  - module: github.com/prometheus/exporter-toolkit
-    versions:
-      - fixed: 0.7.2
-      - introduced: 0.8.0
-        fixed: 0.8.2
-    packages:
-      - package: github.com/prometheus/exporter-toolkit/web
+    - module: github.com/prometheus/exporter-toolkit
+      versions:
+        - fixed: 0.7.2
+        - introduced: 0.8.0
+          fixed: 0.8.2
+      vulnerable_at: 0.8.1
+      packages:
+        - package: github.com/prometheus/exporter-toolkit/web
+          symbols:
+            - webHandler.ServeHTTP
+          derived_symbols:
+            - Listen
+            - ListenAndServe
+            - Serve
+            - ServeMultiple
 description: |
     If an attacker has access to a Prometheus web.yml file and users' bcrypted
     passwords, it would be possible to bypass security via the built-in
     authentication cache.
 cves:
-  - CVE-2022-46146
+    - CVE-2022-46146
 ghsas:
-  - GHSA-7rg2-cxvp-9p7p
+    - GHSA-7rg2-cxvp-9p7p
 credit: Lei Wan
 references:
-  - advisory: https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
-  - fix: https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
+    - advisory: https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
+    - fix: https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`{`
	`2`	`+ "schema_version": "1.3.1",`
`2`	`3`	`"id": "GO-2022-1130",`
`3`	`4`	`"published": "0001-01-01T00:00:00Z",`
`4`	`5`	`"modified": "0001-01-01T00:00:00Z",`
`@@ -38,7 +39,14 @@`
`38`	`39`	`"ecosystem_specific": {`
`39`	`40`	`"imports": [`
`40`	`41`	`{`
`41`		`- "path": "github.com/prometheus/exporter-toolkit/web"`
	`42`	`+ "path": "github.com/prometheus/exporter-toolkit/web",`
	`43`	`+ "symbols": [`
	`44`	`+ "Listen",`
	`45`	`+ "ListenAndServe",`
	`46`	`+ "Serve",`
	`47`	`+ "ServeMultiple",`
	`48`	`+ "webHandler.ServeHTTP"`
	`49`	`+ ]`
`42`	`50`	`}`
`43`	`51`	`]`
`44`	`52`	`}`
`@@ -58,6 +66,5 @@`
`58`	`66`	`{`
`59`	`67`	`"name": "Lei Wan"`
`60`	`68`	`}`
`61`		`- ],`
`62`		`- "schema_version": "1.3.1"`
	`69`	`+ ]`
`63`	`70`	`}`