Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45326 #309

Closed
GoVulnBot opened this issue Feb 8, 2022 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45326 #309

GoVulnBot opened this issue Feb 8, 2022 · 3 comments
Assignees
@neild
Labels
cve-year-2021 excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In CVE-2021-45326, the reference URL github.com/go-gitea/gitea (and possibly others) refers to something in Go.

module: github.com/go-gitea/gitea
package: n/a
description: |
    Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes.This can be dangerous especially with state altering POST requests.
cves:
  - CVE-2021-45326
links:
    pr: https://github.com/go-gitea/gitea/pull/4840
    context:
      - https://blog.gitea.io/2018/10/gitea-1.5.2-is-released/
      - https://github.com/go-gitea/gitea/issues/4838

See doc/triage.md for instructions on how to triage this report.
@neild
Copy link
Contributor

neild commented Mar 14, 2022

This appears to be a vulnerability in a binary, not a user-imported package.

@neild neild closed this as completed Mar 14, 2022
@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 10, 2022
@GoVulnBot GoVulnBot mentioned this issue Aug 7, 2023
Closed
This was referenced Nov 8, 2023
Closed
Closed
Closed
Closed
Closed
This was referenced Apr 24, 2024
Closed
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592766 mentions this issue: data/reports: unexclude 50 reports

@GoVulnBot GoVulnBot mentioned this issue Aug 6, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607215 mentions this issue: data/reports: unexclude 20 reports (13)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (13)
774eacc 
  - data/reports/GO-2022-0231.yaml
  - data/reports/GO-2022-0249.yaml
  - data/reports/GO-2022-0250.yaml
  - data/reports/GO-2022-0260.yaml
  - data/reports/GO-2022-0261.yaml
  - data/reports/GO-2022-0270.yaml
  - data/reports/GO-2022-0278.yaml
  - data/reports/GO-2022-0281.yaml
  - data/reports/GO-2022-0291.yaml
  - data/reports/GO-2022-0295.yaml
  - data/reports/GO-2022-0298.yaml
  - data/reports/GO-2022-0302.yaml
  - data/reports/GO-2022-0303.yaml
  - data/reports/GO-2022-0304.yaml
  - data/reports/GO-2022-0305.yaml
  - data/reports/GO-2022-0306.yaml
  - data/reports/GO-2022-0307.yaml
  - data/reports/GO-2022-0308.yaml
  - data/reports/GO-2022-0309.yaml
  - data/reports/GO-2022-0310.yaml

Updates #231
Updates #249
Updates #250
Updates #260
Updates #261
Updates #270
Updates #278
Updates #281
Updates #291
Updates #295
Updates #298
Updates #302
Updates #303
Updates #304
Updates #305
Updates #306
Updates #307
Updates #308
Updates #309
Updates #310

Change-Id: Idffc4951124598d58d8ebf3b1c44fc141f192639
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607215
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@neild neild

Labels
cve-year-2021 excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@neild @julieqiu @gopherbot @GoVulnBot