
x/vulndb: potential Go vuln in github.com/google/exposure-notifications-server: GHSA-3wxm-m9m4-cprj #381

Closed
GoVulnBot opened this issue Mar 24, 2022 · 3 comments
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-3wxm-m9m4-cprj, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/google/exposure-notifications-server | 0.19.2 | >= 0.19.0, < 0.19.2 |

See doc/triage.md for instructions on how to triage this report.

```yaml
package: github.com/google/exposure-notifications-server
additional_packages:
  - package: github.com/google/exposure-notifications-server
    versions:
      - introduced: v0.0.0
        fixed: v0.18.3
versions:
  - introduced: v0.19.0
    fixed: v0.19.2
description: "### Impact\n\nIf your installation is using the `export-importer` service,
    there is potential impact.\nIf your installation is not importing keys via the
    `export-importer` services, your installation is not impacted.\n\nIn versions
    `0.19.1` and earlier, the `export-importer` service assumed that the server it
    was importing from had properly embargoed keys for at least 2 hours after their
    expiry time. There are now known instances of servers that did not properly embargo
    keys.\n\nThis could allow for imported keys to be re-published before they
    have expired, allowing for potential replay of RPIs.\n\n### Patches\n\nThis is
    patched in `v0.18.3` and all versions `0.19.2` and later.\n\n### Workarounds\n\nEnsure
    that the servers you are importing export zip files from are not publishing keys
    too early. \n\n### References\n\nn/a\n\n### For more information\n\nIf you have
    any questions or comments about this advisory\n* Open an issue in [exposure-notifications-server](https://github.com/google/exposure-notifications-server/)\n*
    Email us at [exposure-notifications-feedback@google.com](mailto:exposure-notifications-feedback@google.com)"
published: 2021-05-21T16:24:44Z
last_modified: 2021-05-21T16:24:44Z
ghsas:
  - GHSA-3wxm-m9m4-cprj
```
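The advisory's root cause is an importer trusting the exporting server to have held keys back for two hours past expiry. As an added illustration (not code from exposure-notifications-server or the advisory), the check below enforces that embargo on the importing side instead; the key layout (10-minute rolling intervals since the Unix epoch, a RollingPeriod of 144 intervals for a day) follows the GAEN key format and is an assumption, and the sample batch is constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Added example, not code from exposure-notifications-server. Key layout (10-minute
// intervals since the Unix epoch, RollingPeriod intervals long) follows GAEN and is assumed.
const intervalLen = 10 * time.Minute
const embargoPeriod = 2 * time.Hour // a key must be expired this long before import

type ImportedKey struct {
	RollingStartIntervalNumber int32
	RollingPeriod              int32 // 144 intervals = 24h
}

// Expiry is the instant the key's validity window ends.
func (k ImportedKey) Expiry() time.Time {
	end := int64(k.RollingStartIntervalNumber) + int64(k.RollingPeriod)
	return time.Unix(end*int64(intervalLen/time.Second), 0).UTC()
}

// CheckEmbargo enforces the embargo on the importing side rather than trusting the
// exporter: accept only keys that expired at least embargoPeriod before now.
func CheckEmbargo(k ImportedKey, now time.Time) error {
	releaseAt := k.Expiry().Add(embargoPeriod)
	if now.Before(releaseAt) {
		return fmt.Errorf("key expired %s but is importable only from %s",
			k.Expiry().Format(time.RFC3339), releaseAt.Format(time.RFC3339))
	}
	return nil
}

// FilterEmbargoed splits a batch into keys safe to re-publish and keys to drop.
func FilterEmbargoed(keys []ImportedKey, now time.Time) (ok, rejected []ImportedKey) {
	for _, k := range keys {
		if CheckEmbargo(k, now) != nil {
			rejected = append(rejected, k)
			continue
		}
		ok = append(ok, k)
	}
	return ok, rejected
}
func main() {
	now := time.Date(2021, 5, 21, 12, 0, 0, 0, time.UTC)
	start := int32(now.Add(-26*time.Hour).Unix() / 600) // constructed: 24h window ended 2h ago
	ok, rejected := FilterEmbargoed([]ImportedKey{{start, 144}, {start + 1, 144}}, now)
	fmt.Println(len(ok), "importable,", len(rejected), "rejected")
}
```

A key whose window ended exactly two hours ago passes; one that ended ten minutes later is held back, because an RPI derived from it could still be replayed.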

@neild
Contributor

neild commented Jul 8, 2022

Vulnerability in tool.

@neild neild closed this as completed Jul 8, 2022
@neild neild self-assigned this Jul 8, 2022
@neild neild added the NotGoVuln label Jul 8, 2022
@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module. and removed NotGoVuln labels Aug 11, 2022
@gopherbot
Contributor

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Contributor

Change https://go.dev/cl/607217 mentions this issue: data/reports: unexclude 20 reports (15)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-0367.yaml
  - data/reports/GO-2022-0368.yaml
  - data/reports/GO-2022-0369.yaml
  - data/reports/GO-2022-0372.yaml
  - data/reports/GO-2022-0374.yaml
  - data/reports/GO-2022-0375.yaml
  - data/reports/GO-2022-0377.yaml
  - data/reports/GO-2022-0378.yaml
  - data/reports/GO-2022-0381.yaml
  - data/reports/GO-2022-0387.yaml
  - data/reports/GO-2022-0388.yaml
  - data/reports/GO-2022-0389.yaml
  - data/reports/GO-2022-0390.yaml
  - data/reports/GO-2022-0392.yaml
  - data/reports/GO-2022-0393.yaml
  - data/reports/GO-2022-0395.yaml
  - data/reports/GO-2022-0396.yaml
  - data/reports/GO-2022-0398.yaml
  - data/reports/GO-2022-0405.yaml
  - data/reports/GO-2022-0406.yaml

Updates #367
Updates #368
Updates #369
Updates #372
Updates #374
Updates #375
Updates #377
Updates #378
Updates #381
Updates #387
Updates #388
Updates #389
Updates #390
Updates #392
Updates #393
Updates #395
Updates #396
Updates #398
Updates #405
Updates #406

Change-Id: I001f245aa4d9225668c2b30e3d5b4ca7a7e9b3b3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607217
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>