data/reports: add 2 reports

tatianab · gopherbot · commit 455ee1e471a2 · 2024-07-02T19:27:52.000Z
- data/reports/GO-2024-2961.yaml - data/reports/GO-2024-2962.yaml Updates #2961 Updates #2962 Change-Id: I99256f208f954f881aaf677c7a38151ad4ee1f0d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/596177 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/data/cve/v5/GO-2024-2961.json b/data/cve/v5/GO-2024-2961.json
@@ -0,0 +1,97 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2022-30636"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "title": "Limited directory traversal vulnerability on Windows in golang.org/x/crypto",
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "golang.org/x/crypto",
+          "product": "golang.org/x/crypto/acme/autocert",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "golang.org/x/crypto/acme/autocert",
+          "versions": [
+            {
+              "version": "0",
+              "lessThan": "0.0.0-20220525230936-793ad666bf5e",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
+          "platforms": [
+            "windows"
+          ],
+          "programRoutines": [
+            {
+              "name": "DirCache.Get"
+            },
+            {
+              "name": "DirCache.Put"
+            },
+            {
+              "name": "DirCache.Delete"
+            },
+            {
+              "name": "HostWhitelist"
+            },
+            {
+              "name": "Manager.GetCertificate"
+            },
+            {
+              "name": "Manager.Listener"
+            },
+            {
+              "name": "NewListener"
+            },
+            {
+              "name": "listener.Accept"
+            },
+            {
+              "name": "listener.Close"
+            }
+          ],
+          "defaultStatus": "unaffected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://go.dev/cl/408694"
+        },
+        {
+          "url": "https://go.dev/issue/53082"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2024-2961"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "Juho Nurminen of Mattermost"
+        }
+      ]
+    }
+  }
+}
diff --git a/data/cve/v5/GO-2024-2962.json b/data/cve/v5/GO-2024-2962.json
@@ -0,0 +1,71 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2023-24531"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "title": "Output of \"go env\" does not sanitize values in cmd/go",
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making \"go env\" print them out."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "Go toolchain",
+          "product": "cmd/go",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "cmd/go",
+          "versions": [
+            {
+              "version": "0",
+              "lessThan": "1.21.0-0",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
+          "defaultStatus": "unaffected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE-138: Improper Neutralization of Special Elements"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://go.dev/cl/488375"
+        },
+        {
+          "url": "https://go.dev/cl/493535"
+        },
+        {
+          "url": "https://go.dev/issue/58508"
+        },
+        {
+          "url": "https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2024-2962"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "Hunter Wittenborn (https://hunterwittenborn.com/)"
+        }
+      ]
+    }
+  }
+}
diff --git a/data/osv/GO-2024-2961.json b/data/osv/GO-2024-2961.json
@@ -0,0 +1,72 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2961",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-30636"
+  ],
+  "summary": "Limited directory traversal vulnerability on Windows in golang.org/x/crypto",
+  "details": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened.\n\nSince the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.",
+  "affected": [
+    {
+      "package": {
+        "name": "golang.org/x/crypto",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20220525230936-793ad666bf5e"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "golang.org/x/crypto/acme/autocert",
+            "goos": [
+              "windows"
+            ],
+            "symbols": [
+              "DirCache.Delete",
+              "DirCache.Get",
+              "DirCache.Put",
+              "HostWhitelist",
+              "Manager.GetCertificate",
+              "Manager.Listener",
+              "NewListener",
+              "listener.Accept",
+              "listener.Close"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/408694"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://go.dev/issue/53082"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Juho Nurminen of Mattermost"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2961",
+    "review_status": "REVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2962.json b/data/osv/GO-2024-2962.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2962",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-24531"
+  ],
+  "summary": "Output of \"go env\" does not sanitize values in cmd/go",
+  "details": "Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables.\n\nThis issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making \"go env\" print them out.",
+  "affected": [
+    {
+      "package": {
+        "name": "toolchain",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.21.0-0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "cmd/go"
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/488375"
+    },
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/493535"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://go.dev/issue/58508"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Hunter Wittenborn (https://hunterwittenborn.com/)"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2962",
+    "review_status": "REVIEWED"
+  }
+}
diff --git a/data/reports/GO-2024-2961.yaml b/data/reports/GO-2024-2961.yaml
@@ -0,0 +1,45 @@
+id: GO-2024-2961
+modules:
+    - module: golang.org/x/crypto
+      versions:
+        - fixed: 0.0.0-20220525230936-793ad666bf5e
+      vulnerable_at: 0.0.0-20220518034528-6f7dac969898
+      packages:
+        - package: golang.org/x/crypto/acme/autocert
+          goos:
+            - windows
+          symbols:
+            - DirCache.Get
+            - DirCache.Put
+            - DirCache.Delete
+          derived_symbols:
+            - HostWhitelist
+            - Manager.GetCertificate
+            - Manager.Listener
+            - NewListener
+            - listener.Accept
+            - listener.Close
+summary: Limited directory traversal vulnerability on Windows in golang.org/x/crypto
+description: |-
+    httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to
+    lookup in the DirCache implementation. On Windows, path.Base acts differently to
+    filepath.Base, since Windows uses a different path separator (\ vs. /), allowing
+    a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd
+    becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined
+    with the cache directory, and opened.
+
+    Since the controlled path is suffixed with +http-01 before opening, the impact
+    of this is significantly limited, since it only allows reading arbitrary files
+    on the system if and only if they have this suffix.
+credits:
+    - Juho Nurminen of Mattermost
+references:
+    - fix: https://go.dev/cl/408694
+    - report: https://go.dev/issue/53082
+cve_metadata:
+    id: CVE-2022-30636
+    cwe: 'CWE 22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')'
+source:
+    id: go-security-team
+    created: 2024-07-02T12:55:35.249465-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-2962.yaml b/data/reports/GO-2024-2962.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-2962
+modules:
+    - module: cmd
+      versions:
+        - fixed: 1.21.0-0
+      vulnerable_at: 1.20.14
+      packages:
+        - package: cmd/go
+summary: Output of "go env" does not sanitize values in cmd/go
+description: |-
+    Command go env is documented as outputting a shell script containing the Go
+    environment. However, go env doesn't sanitize values, so executing its output as
+    a shell script can cause various bad bahaviors, including executing arbitrary
+    commands or inserting new environment variables.
+
+    This issue is relatively minor because, in general, if an attacker can set
+    arbitrary environment variables on a system, they have better attack vectors
+    than making "go env" print them out.
+credits:
+    - Hunter Wittenborn (https://hunterwittenborn.com/)
+references:
+    - fix: https://go.dev/cl/488375
+    - fix: https://go.dev/cl/493535
+    - report: https://go.dev/issue/58508
+    - web: https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ
+cve_metadata:
+    id: CVE-2023-24531
+    cwe: 'CWE-138: Improper Neutralization of Special Elements'
+source:
+    id: go-security-team
+    created: 2024-07-02T12:32:20.378304-04:00
+review_status: REVIEWED
