x/vulndb: potential Go vuln in github.com/swoole/swoole-src: CVE-2020-24275

[GoVulnBot]

CVE-2020-24275 references github.com/swoole/swoole-src, which may be a Go module.

Description:
A HTTP response header injection vulnerability in Swoole v4.5.2 allows attackers to execute arbitrary code via supplying a crafted URL.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-24275
• JSON: https://github.com/CVEProject/cvelist/tree/4c7730c207de308db09f5bac1f5a19bd139cf535/2020/24xxx/CVE-2020-24275.json
• fix: Fixed: fix header inject when use CRLF swoole/swoole-src#3539
• fix: Fixed: check cookie injection swoole/swoole-src#3545
• web: https://blog.cal1.cn/post/HTTP%20Response%20Header%20Injection%20in%20Swoole%3C%3D4.5.2
• report: https://portswigger.net/kb/issues/00200200_http-response-header-injection
• Imported by: https://pkg.go.dev/github.com/swoole/swoole-src?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/swoole/swoole-src
      vulnerable_at: 5.0.3+incompatible
      packages:
        - package: n/a
description: |-
    A HTTP response header injection vulnerability in Swoole v4.5.2 allows attackers
    to execute arbitrary code via supplying a crafted URL.
cves:
    - CVE-2020-24275
references:
    - fix: https://github.com/swoole/swoole-src/pull/3539
    - fix: https://github.com/swoole/swoole-src/pull/3545
    - web: https://blog.cal1.cn/post/HTTP%20Response%20Header%20Injection%20in%20Swoole%3C%3D4.5.2
    - report: https://portswigger.net/kb/issues/00200200_http-response-header-injection

[neild]

Swoole is an event-driven, asynchronous, coroutine-based concurrency library with high performance for PHP.

[gopherbot]

Change https://go.dev/cl/514636 mentions this issue: data/excluded: batch add 31 excluded reports