x/vulndb: potential Go vuln in github.com/prest/prest: GHSA-wm25-j4gw-6vr3

[GoVulnBot]

Advisory GHSA-wm25-j4gw-6vr3 references a vulnerability in the following Go modules:

Module
github.com/prest/prest

Description:

Summary

Probably jwt bypass + sql injection
or what i'm doing wrong?

PoC (how to reproduce)

1. Create following files:

docker-compose.yml:

services:
  postgres:
    image: postgres
    container_name: postgres_container_mre
    environment:
      POSTGRES_USER: test_user_pg
      POSTGRES_PASSWORD: test_pass_pg
      POSTGRES_DB: test_db
  prest:
    image: prest/prest
    build: .
    volumes:
      - ./queries:/queries
      - ./migrations:/migrations
    ports:
      - "3000:3000"

Dockerfile:

from prest/prest:latest

COPY ./prest.toml prest.toml

prest.toml:

...

References:
- ADVISORY: https://github.com/advisories/GHSA-wm25-j4gw-6vr3
- ADVISORY: https://github.com/prest/prest/security/advisories/GHSA-wm25-j4gw-6vr3
- FIX: https://github.com/prest/prest/commit/96ff96cfdc7ad6dd86e2289fcd5a37ee70c8926e

No existing reports found with this module or alias.
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
- module: github.com/prest/prest
versions:
- fixed: 1.5.4
vulnerable_at: 1.5.3
summary: pREST vulnerable to jwt bypass + sql injection in github.com/prest/prest
ghsas:
- GHSA-wm25-j4gw-6vr3
references:
- advisory: GHSA-wm25-j4gw-6vr3
- advisory: GHSA-wm25-j4gw-6vr3
- fix: prest/prest@96ff96c
source:
id: GHSA-wm25-j4gw-6vr3
created: 2024-07-30T16:01:17.332838989Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports