data/reports: add GO-2023-2137.yaml

Aliases: CVE-2023-45825, GHSA-q24m-6h38-5xj8 Fixes #2137 Change-Id: Iad3a188d978a32ab56a39b6ac08db0600b1719d3 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/537495 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]>
golang · Oct 24, 2023 · b6d933a · b6d933a
1 parent 06e31f5
commit b6d933a
Show file tree

Hide file tree

Showing 2 changed files with 201 additions and 0 deletions.
diff --git a/data/osv/GO-2023-2137.json b/data/osv/GO-2023-2137.json
@@ -0,0 +1,124 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2023-2137",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-45825",
+    "GHSA-q24m-6h38-5xj8"
+  ],
+  "summary": "Credentials leak in github.com/ydb-platform/ydb-go-sdk/v3",
+  "details": "A custom credentials object that does not implement the fmt.Stringer interface may leak sensitive information (e.g., credentials) via logs.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/ydb-platform/ydb-go-sdk/v3",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "3.48.6"
+            },
+            {
+              "fixed": "3.53.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/ydb-platform/ydb-go-sdk/v3",
+            "symbols": [
+              "Connector",
+              "Driver.Close",
+              "Driver.Coordination",
+              "Driver.Discovery",
+              "Driver.Ratelimiter",
+              "Driver.Scheme",
+              "Driver.Scripting",
+              "Driver.Table",
+              "Driver.Topic",
+              "Driver.With",
+              "IsTimeoutError",
+              "IsTransportError",
+              "MustConnector",
+              "MustOpen",
+              "New",
+              "Open",
+              "Unwrap",
+              "WithAccessTokenCredentials",
+              "WithAnonymousCredentials",
+              "WithCertificatesFromFile",
+              "WithRequestType",
+              "WithTraceID",
+              "connect",
+              "initOnce.Close",
+              "initOnce.Init",
+              "sqlDriver.OpenConnector"
+            ]
+          },
+          {
+            "path": "github.com/ydb-platform/ydb-go-sdk/v3/credentials",
+            "symbols": [
+              "NewAccessTokenCredentials",
+              "NewAnonymousCredentials",
+              "NewStaticCredentials",
+              "WithSourceInfo",
+              "staticCredentialsConfig.Endpoint",
+              "staticCredentialsConfig.GrpcDialOptions"
+            ]
+          },
+          {
+            "path": "github.com/ydb-platform/ydb-go-sdk/v3/internal/balancer",
+            "symbols": [
+              "Balancer.Invoke",
+              "Balancer.NewStream",
+              "Balancer.clusterDiscovery",
+              "Balancer.wrapCall",
+              "New"
+            ]
+          },
+          {
+            "path": "github.com/ydb-platform/ydb-go-sdk/v3/internal/conn",
+            "symbols": [
+              "WithAfterFunc"
+            ]
+          },
+          {
+            "path": "github.com/ydb-platform/ydb-go-sdk/v3/internal/credentials",
+            "symbols": [
+              "AccessToken.String",
+              "Anonymous.String",
+              "NewAccessTokenCredentials",
+              "NewAnonymousCredentials",
+              "NewStaticCredentials",
+              "Static.String",
+              "WithSourceInfo"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/ydb-platform/ydb-go-sdk/pull/859"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/ydb-platform/ydb-go-sdk/commit/a0d92057c4e1bbdc5e85ae8d649edb0232b8fd4c"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2023-2137"
+  }
+}
diff --git a/data/reports/GO-2023-2137.yaml b/data/reports/GO-2023-2137.yaml
@@ -0,0 +1,77 @@
+id: GO-2023-2137
+modules:
+    - module: github.com/ydb-platform/ydb-go-sdk/v3
+      versions:
+        - introduced: 3.48.6
+          fixed: 3.53.3
+      vulnerable_at: 3.53.2
+      packages:
+        - package: github.com/ydb-platform/ydb-go-sdk/v3
+          symbols:
+            - connect
+          derived_symbols:
+            - Connector
+            - Driver.Close
+            - Driver.Coordination
+            - Driver.Discovery
+            - Driver.Ratelimiter
+            - Driver.Scheme
+            - Driver.Scripting
+            - Driver.Table
+            - Driver.Topic
+            - Driver.With
+            - IsTimeoutError
+            - IsTransportError
+            - MustConnector
+            - MustOpen
+            - New
+            - Open
+            - Unwrap
+            - WithAccessTokenCredentials
+            - WithAnonymousCredentials
+            - WithCertificatesFromFile
+            - WithRequestType
+            - WithTraceID
+            - initOnce.Close
+            - initOnce.Init
+            - sqlDriver.OpenConnector
+        - package: github.com/ydb-platform/ydb-go-sdk/v3/credentials
+          symbols:
+            - NewAccessTokenCredentials
+            - NewAnonymousCredentials
+            - staticCredentialsConfig.Endpoint
+            - staticCredentialsConfig.GrpcDialOptions
+            - NewStaticCredentials
+            - WithSourceInfo
+        - package: github.com/ydb-platform/ydb-go-sdk/v3/internal/balancer
+          symbols:
+            - Balancer.clusterDiscovery
+            - Balancer.wrapCall
+          derived_symbols:
+            - Balancer.Invoke
+            - Balancer.NewStream
+            - New
+        - package: github.com/ydb-platform/ydb-go-sdk/v3/internal/conn
+          symbols:
+            - WithAfterFunc
+        - package: github.com/ydb-platform/ydb-go-sdk/v3/internal/credentials
+          symbols:
+            - NewAccessTokenCredentials
+            - AccessToken.String
+            - NewAnonymousCredentials
+            - Anonymous.String
+            - WithSourceInfo
+            - NewStaticCredentials
+            - Static.String
+summary: Credentials leak in github.com/ydb-platform/ydb-go-sdk/v3
+description: |-
+    A custom credentials object that does not implement the fmt.Stringer interface
+    may leak sensitive information (e.g., credentials) via logs.
+cves:
+    - CVE-2023-45825
+ghsas:
+    - GHSA-q24m-6h38-5xj8
+references:
+    - advisory: https://github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8
+    - fix: https://github.com/ydb-platform/ydb-go-sdk/pull/859
+    - fix: https://github.com/ydb-platform/ydb-go-sdk/commit/a0d92057c4e1bbdc5e85ae8d649edb0232b8fd4c