Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/fkie-cad/yapscan: GHSA-wxwq-525w-hcqx #1607

Closed
GoVulnBot opened this issue Mar 4, 2023 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/fkie-cad/yapscan: GHSA-wxwq-525w-hcqx #1607

GoVulnBot opened this issue Mar 4, 2023 · 3 comments
Assignees
@zpavlinovic
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-wxwq-525w-hcqx, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/fkie-cad/yapscan 0.19.2 >= 0.18.0, < 0.19.2

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/fkie-cad/yapscan
    versions:
      - introduced: 0.18.0
        fixed: 0.19.2
    packages:
      - package: github.com/fkie-cad/yapscan
description: |
    ### Impact

    If you use the report server, it may be vulnerable to a Denial of Service attack.

    ### Patches

    Has been patched in v0.19.2.

    ### References

    The vulnerability was inherited by the following upstream vulnerabilites

    - [golang.org/x/text < v0.3.7](https://github.com/advisories/GHSA-ppp9-7jff-5vj2)
    - [golang.org/x/net < 0.0.0-20220906165146-f3363e06e74c](https://github.com/advisories/GHSA-69cg-p879-7622)
ghsas:
  - GHSA-wxwq-525w-hcqx
references:
  - advisory: https://github.com/fkie-cad/yapscan/security/advisories/GHSA-wxwq-525w-hcqx
  - fix: https://github.com/fkie-cad/yapscan/pull/46
  - fix: https://github.com/fkie-cad/yapscan/commit/242b4b25b107deacddd4ca276b45d23e16bb3b88
  - fix: https://github.com/fkie-cad/yapscan/commit/65f277662c6475eb3f592e0e4fdfee902ecd9326
  - advisory: https://github.com/advisories/GHSA-69cg-p879-7622
  - advisory: https://github.com/advisories/GHSA-ppp9-7jff-5vj2
  - web: https://github.com/fkie-cad/yapscan/releases/tag/v0.19.2
  - advisory: https://github.com/advisories/GHSA-wxwq-525w-hcqx
@zpavlinovic zpavlinovic self-assigned this Mar 4, 2023
@zpavlinovic zpavlinovic added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Mar 4, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/473376 mentions this issue: data/excluded: batch add GO-2023-1607

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592759 mentions this issue: data/reports: unexclude 75 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606783 mentions this issue: data/reports: unexclude 20 reports (3)

gopherbot pushed a commit that referenced this issue Aug 20, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (3)
f2aa411 
  - data/reports/GO-2023-1590.yaml
  - data/reports/GO-2023-1592.yaml
  - data/reports/GO-2023-1596.yaml
  - data/reports/GO-2023-1607.yaml
  - data/reports/GO-2023-1612.yaml
  - data/reports/GO-2023-1613.yaml
  - data/reports/GO-2023-1614.yaml
  - data/reports/GO-2023-1615.yaml
  - data/reports/GO-2023-1616.yaml
  - data/reports/GO-2023-1617.yaml
  - data/reports/GO-2023-1618.yaml
  - data/reports/GO-2023-1619.yaml
  - data/reports/GO-2023-1620.yaml
  - data/reports/GO-2023-1622.yaml
  - data/reports/GO-2023-1627.yaml
  - data/reports/GO-2023-1628.yaml
  - data/reports/GO-2023-1629.yaml
  - data/reports/GO-2023-1630.yaml
  - data/reports/GO-2023-1633.yaml
  - data/reports/GO-2023-1639.yaml

Updates #1590
Updates #1592
Updates #1596
Updates #1607
Updates #1612
Updates #1613
Updates #1614
Updates #1615
Updates #1616
Updates #1617
Updates #1618
Updates #1619
Updates #1620
Updates #1622
Updates #1627
Updates #1628
Updates #1629
Updates #1630
Updates #1633
Updates #1639

Change-Id: I2441a82107b88955ddb98c7d3c55b7b2fe3e3aa7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606783
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@zpavlinovic zpavlinovic

Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zpavlinovic @gopherbot @GoVulnBot