From b6d933a12971e26f0e9f7343c20a123ede0d09c3 Mon Sep 17 00:00:00 2001
From: Tatiana Bradley
Date: Tue, 24 Oct 2023 15:15:51 -0400
Subject: [PATCH] data/reports: add GO-2023-2137.yaml
Aliases: CVE-2023-45825, GHSA-q24m-6h38-5xj8
Fixes golang/vulndb#2137
Change-Id: Iad3a188d978a32ab56a39b6ac08db0600b1719d3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/537495
TryBot-Result: Gopher Robot
Run-TryBot: Tatiana Bradley
Reviewed-by: Damien Neil
---
data/osv/GO-2023-2137.json | 124 +++++++++++++++++++++++++++++++++
data/reports/GO-2023-2137.yaml | 77 ++++++++++++++++++++
2 files changed, 201 insertions(+)
create mode 100644 data/osv/GO-2023-2137.json
create mode 100644 data/reports/GO-2023-2137.yaml
diff --git a/data/osv/GO-2023-2137.json b/data/osv/GO-2023-2137.json
new file mode 100644
index 00000000..c1638238
--- /dev/null
+++ b/data/osv/GO-2023-2137.json
@@ -0,0 +1,124 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2137",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-45825",
+ "GHSA-q24m-6h38-5xj8"
+ ],
+ "summary": "Credentials leak in github.com/ydb-platform/ydb-go-sdk/v3",
+ "details": "A custom credentials object that does not implement the fmt.Stringer interface may leak sensitive information (e.g., credentials) via logs.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ydb-platform/ydb-go-sdk/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "3.48.6"
+ },
+ {
+ "fixed": "3.53.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/ydb-platform/ydb-go-sdk/v3",
+ "symbols": [
+ "Connector",
+ "Driver.Close",
+ "Driver.Coordination",
+ "Driver.Discovery",
+ "Driver.Ratelimiter",
+ "Driver.Scheme",
+ "Driver.Scripting",
+ "Driver.Table",
+ "Driver.Topic",
+ "Driver.With",
+ "IsTimeoutError",
+ "IsTransportError",
+ "MustConnector",
+ "MustOpen",
+ "New",
+ "Open",
+ "Unwrap",
+ "WithAccessTokenCredentials",
+ "WithAnonymousCredentials",
+ "WithCertificatesFromFile",
+ "WithRequestType",
+ "WithTraceID",
+ "connect",
+ "initOnce.Close",
+ "initOnce.Init",
+ "sqlDriver.OpenConnector"
+ ]
+ },
+ {
+ "path": "github.com/ydb-platform/ydb-go-sdk/v3/credentials",
+ "symbols": [
+ "NewAccessTokenCredentials",
+ "NewAnonymousCredentials",
+ "NewStaticCredentials",
+ "WithSourceInfo",
+ "staticCredentialsConfig.Endpoint",
+ "staticCredentialsConfig.GrpcDialOptions"
+ ]
+ },
+ {
+ "path": "github.com/ydb-platform/ydb-go-sdk/v3/internal/balancer",
+ "symbols": [
+ "Balancer.Invoke",
+ "Balancer.NewStream",
+ "Balancer.clusterDiscovery",
+ "Balancer.wrapCall",
+ "New"
+ ]
+ },
+ {
+ "path": "github.com/ydb-platform/ydb-go-sdk/v3/internal/conn",
+ "symbols": [
+ "WithAfterFunc"
+ ]
+ },
+ {
+ "path": "github.com/ydb-platform/ydb-go-sdk/v3/internal/credentials",
+ "symbols": [
+ "AccessToken.String",
+ "Anonymous.String",
+ "NewAccessTokenCredentials",
+ "NewAnonymousCredentials",
+ "NewStaticCredentials",
+ "Static.String",
+ "WithSourceInfo"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ydb-platform/ydb-go-sdk/pull/859"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ydb-platform/ydb-go-sdk/commit/a0d92057c4e1bbdc5e85ae8d649edb0232b8fd4c"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2137"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-2137.yaml b/data/reports/GO-2023-2137.yaml
new file mode 100644
index 00000000..71a3de27
--- /dev/null
+++ b/data/reports/GO-2023-2137.yaml
@@ -0,0 +1,77 @@
+id: GO-2023-2137
+modules:
+ - module: github.com/ydb-platform/ydb-go-sdk/v3
+ versions:
+ - introduced: 3.48.6
+ fixed: 3.53.3
+ vulnerable_at: 3.53.2
+ packages:
+ - package: github.com/ydb-platform/ydb-go-sdk/v3
+ symbols:
+ - connect
+ derived_symbols:
+ - Connector
+ - Driver.Close
+ - Driver.Coordination
+ - Driver.Discovery
+ - Driver.Ratelimiter
+ - Driver.Scheme
+ - Driver.Scripting
+ - Driver.Table
+ - Driver.Topic
+ - Driver.With
+ - IsTimeoutError
+ - IsTransportError
+ - MustConnector
+ - MustOpen
+ - New
+ - Open
+ - Unwrap
+ - WithAccessTokenCredentials
+ - WithAnonymousCredentials
+ - WithCertificatesFromFile
+ - WithRequestType
+ - WithTraceID
+ - initOnce.Close
+ - initOnce.Init
+ - sqlDriver.OpenConnector
+ - package: github.com/ydb-platform/ydb-go-sdk/v3/credentials
+ symbols:
+ - NewAccessTokenCredentials
+ - NewAnonymousCredentials
+ - staticCredentialsConfig.Endpoint
+ - staticCredentialsConfig.GrpcDialOptions
+ - NewStaticCredentials
+ - WithSourceInfo
+ - package: github.com/ydb-platform/ydb-go-sdk/v3/internal/balancer
+ symbols:
+ - Balancer.clusterDiscovery
+ - Balancer.wrapCall
+ derived_symbols:
+ - Balancer.Invoke
+ - Balancer.NewStream
+ - New
+ - package: github.com/ydb-platform/ydb-go-sdk/v3/internal/conn
+ symbols:
+ - WithAfterFunc
+ - package: github.com/ydb-platform/ydb-go-sdk/v3/internal/credentials
+ symbols:
+ - NewAccessTokenCredentials
+ - AccessToken.String
+ - NewAnonymousCredentials
+ - Anonymous.String
+ - WithSourceInfo
+ - NewStaticCredentials
+ - Static.String
+summary: Credentials leak in github.com/ydb-platform/ydb-go-sdk/v3
+description: |-
+ A custom credentials object that does not implement the fmt.Stringer interface
+ may leak sensitive information (e.g., credentials) via logs.
+cves:
+ - CVE-2023-45825
+ghsas:
+ - GHSA-q24m-6h38-5xj8
+references:
+ - advisory: https://github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8
+ - fix: https://github.com/ydb-platform/ydb-go-sdk/pull/859
+ - fix: https://github.com/ydb-platform/ydb-go-sdk/commit/a0d92057c4e1bbdc5e85ae8d649edb0232b8fd4c
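Review bot: The `description:` block names the trigger (a custom credentials implementation with no String method) but gives a consumer nothing to act on: it does not say how the object ends up in log output, whether the SDK's built-in credential types are affected, or what to do short of upgrading. I would extend it with `Applications that supply their own credentials implementation should upgrade, or implement fmt.Stringer on that type so that formatting it does not expose secrets; any secret that may already have been written to logs should be treated as compromised and rotated.` The rotation step is general practice rather than something the advisory states, so keep it worded as a recommendation. The symbol list also includes the built-in `AccessToken.String`, `Anonymous.String` and `Static.String` methods under internal/credentials, which suggests the fix touched how built-in credentials render as well; if so, restricting the description to custom objects understates the scope and should be checked against the referenced fix commit.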