x/vulndb: potential Go vuln in github.com/ossf/malicious-packages: CVE-2023-49210

[GoVulnBot]

CVE-2023-49210 references github.com/ossf/malicious-packages, which may be a Go module.

Description:
** UNSUPPORTED WHEN ASSIGNED ** The openssl (aka node-openssl) NPM package through 2.0.0 was characterized as "a nonsense wrapper with no real purpose" by its author, and accepts an opts argument that contains a verb field (used for command execution). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-49210
• JSON: https://github.com/CVEProject/cvelist/tree/763560f04c567e9b77ffbce73af42ed411fed4cb/2023/49xxx/CVE-2023-49210.json
• web: https://gist.github.com/mcoimbra/b05a55a5760172dccaa0a827647ad63e
• web: https://github.com/ossf/malicious-packages/tree/main/malicious/npm
• web: https://www.npmjs.com/package/openssl
• Imported by: https://pkg.go.dev/github.com/ossf/malicious-packages?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/ossf/malicious-packages
      vulnerable_at: 0.0.0-20231122220647-08b04d19b9e2
      packages:
        - package: n/a
cves:
    - CVE-2023-49210
references:
    - web: https://gist.github.com/mcoimbra/b05a55a5760172dccaa0a827647ad63e
    - web: https://github.com/ossf/malicious-packages/tree/main/malicious/npm
    - web: https://www.npmjs.com/package/openssl

[gopherbot]

Change https://go.dev/cl/546035 mentions this issue: data/excluded: batch add 6 excluded reports