From 6c9e647012db4163939ceeae67c7ff5fa34ac134 Mon Sep 17 00:00:00 2001 From: Tatiana Bradley Date: Wed, 4 Sep 2024 17:30:10 -0400 Subject: [PATCH] data/reports: update GO-2022-0578 - data/reports/GO-2022-0578.yaml Updates golang/vulndb#578 Fixes golang/vulndb#3115 Change-Id: Iad3d980038a8750ffc6b3c63001b0010f1b7cc9c Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/610798 Auto-Submit: Tatiana Bradley TryBot-Bypass: Tatiana Bradley Reviewed-by: Damien Neil
---
 data/osv/GO-2022-0578.json | 3 +++ data/reports/GO-2022-0578.yaml | 10 +++++++--- 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/data/osv/GO-2022-0578.json b/data/osv/GO-2022-0578.json
index eecac01e..5fd8bf90 100644
--- a/data/osv/GO-2022-0578.json
+++ b/data/osv/GO-2022-0578.json
@@ -21,6 +21,9 @@
 "events": [
 {
 "introduced": "1.8.0"
+ },
+ {
+ "fixed": "1.8.5"
 }
 ]
 }
diff --git a/data/reports/GO-2022-0578.yaml b/data/reports/GO-2022-0578.yaml
index e373e161..19ca0b3c 100644
--- a/data/reports/GO-2022-0578.yaml
+++ b/data/reports/GO-2022-0578.yaml
@@ -3,9 +3,8 @@ modules:
 - module: github.com/hashicorp/vault
 versions:
 - introduced: 1.8.0
- unsupported_versions:
- - last_affected: 1.8.4
- vulnerable_at: 1.17.3
+ - fixed: 1.8.5
+ vulnerable_at: 1.8.4
 summary: Incorrect Privilege Assignment in HashiCorp Vault in github.com/hashicorp/vault
 cves:
 - CVE-2021-42135
@@ -16,6 +15,11 @@ references:
 - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-42135
 - web: https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards
 - web: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#180
+notes:
+ - |
+ manually changed 'last_affected: 1.8.4' to 'fixed: 1.8.5'. The fix appears to be
+ only a documentation clarification; but this is an old enough vulnerability that
+ the new documentation should have had enough time to reach users.
 source:
 id: GHSA-362v-wg5p-64w2
 created: 2024-08-20T14:05:02.493104-04:00
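Review bot: The caveat that 1.8.5 is only a documentation clarification is recorded solely under `notes:`, while the OSV record in this same commit gains nothing but the `fixed: 1.8.5` event, so anyone consuming the published data will read 1.8.5 as a code fix. Tools that key on the fixed version will stop reporting Vault 1.8.5 and later, even where Google Cloud secrets engine policies with globs are still in place. If the note is right that no code changed, consider stating that in the report's `description` (outside this hunk), for example `Upgrading does not alter existing policies; review Google Cloud secrets engine policies that use globs.` Check the exact wording against the HCSEC-2021-28 advisory already listed under `references`.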