x/vulndb: add newly reserved CVE IDs to reports without a CVE ID

Adds cve_metadata with a CVE ID and CWE ID for each report that did not
have a CVE ID.

Note: we still need to publish CVE records for each of these reports.

Change-Id: I762370deb6c721fa413058b7d153b565371bff1c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/420035
Reviewed-by: Julie Qiu <[email protected]>
Run-TryBot: Tatiana Bradley <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>

Author: tatianab

reports/GO-2020-0001.yaml

@@ -14,8 +14,8 @@ links:
     pr: https://github.com/gin-gonic/gin/pull/2237
     commit: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
 cve_metadata:
-    id: CVE-9999-0001
-    cwe: 'CWE-20: Improper Input Validation'
+    id: CVE-2020-36567
+    cwe: "CWE-117 Improper Output Neutralization for Logs"
     description: |
         Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0
         allows remote attackers to inject arbitrary log lines.

reports/GO-2020-0003.yaml

@@ -14,7 +14,7 @@ links:
     context:
       - https://github.com/revel/revel/issues/1424
 cve_metadata:
-    id: CVE-9999-0002
+    id: CVE-2020-36568
     cwe: 'CWE-400: Uncontrolled Resource Consumption'
     description: |
         Unsanitized input in the query parser in github.com/revel/revel before v1.0.0

reports/GO-2020-0004.yaml

@@ -23,7 +23,7 @@ links:
     pr: https://github.com/nanobox-io/golang-nanoauth/pull/5
     commit: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
 cve_metadata:
-    id: CVE-9999-0003
+    id: CVE-2020-36569
     cwe: 'CWE-305: Authentication Bypass by Primary Weakness'
     description: |
         Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between

reports/GO-2020-0020.yaml

@@ -10,6 +10,9 @@ description: |
     header, which bypasses the expected behavior of the Same Origin Policy.
 published: 2021-04-14T20:04:52Z
 credit: Evan J Johnson
+cve_metadata:
+    id: CVE-2017-20146
+    cwe: "CWE 284: Improper Access Control"
 links:
     pr: https://github.com/gorilla/handlers/pull/116
     commit: https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145

reports/GO-2020-0022.yaml

@@ -10,6 +10,9 @@ description: |
     if called with untrusted user input.
 published: 2021-04-14T20:04:52Z
 credit: Yann Collet
+cve_metadata:
+    id: CVE-2014-125026
+    cwe: "CWE 94: Improper Control of Generation of Code ('Code Injection')"
 links:
     commit: https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898
     context:

reports/GO-2020-0023.yaml

@@ -10,6 +10,9 @@ description: |
     over a low latency connection, an attacker may use this to determine
     the expected HMAC.
 published: 2021-04-14T20:04:52Z
+cve_metadata:
+    id: CVE-2015-10004
+    cwe: "CWE 208: Information Exposure Through Timing Discrepancy"
 links:
     commit: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
     context:

reports/GO-2020-0024.yaml

@@ -18,5 +18,8 @@ description: |
     call themselves, leading to an infinite loop which will crash the
     program due to a stack overflow.
 published: 2021-04-14T20:04:52Z
+cve_metadata:
+    id: CVE-2013-10005
+    cwe: "CWE 400: Uncontrolled Resource Consumption"
 links:
     commit: https://github.com/btcsuite/go-socks/commit/233bccbb1abe02f05750f7ace66f5bffdb13defc

reports/GO-2020-0025.yaml

@@ -16,6 +16,9 @@ description: |
     paths can cause files to be written (or overwritten) outside of the
     target directory.
 published: 2021-04-14T20:04:52Z
+cve_metadata:
+    id: CVE-2018-25046
+    cwe: 'CWE 29: Path Traversal: "\..\filename"'
 links:
     commit: https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840
     context:

reports/GO-2020-0029.yaml

@@ -10,6 +10,8 @@ description: |
     a user to bypass IP based restrictions, or obfuscate their true source.
 published: 2021-04-14T20:04:52Z
 credit: '@nl5887'
+cves:
+  - CVE-2020-28483
 links:
     pr: https://github.com/gin-gonic/gin/pull/182
     commit: https://github.com/gin-gonic/gin/commit/0099840c98ae1473c5ff0f18bc93a8e13ceed829

reports/GO-2020-0032.yaml

@@ -24,9 +24,8 @@ links:
     pr: https://github.com/goadesign/goa/pull/2388
     commit: https://github.com/goadesign/goa/commit/70b5a199d0f813d74423993832c424e1fc73fb39
 cve_metadata:
-    id: CVE-9999-0012
-    cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
-        Traversal'')'
+    id: CVE-2019-25073
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory('Path Traversal')"
     description: |
         Improper path santiziation in github.com/goadesign/goa before v3.0.9, v2.0.10, or
         v1.4.3 allow remote attackers to read files outside of the intended directory.

reports/GO-2020-0033.yaml

@@ -14,6 +14,9 @@ description: |
     the target directory that the server has permission to read.
 published: 2021-04-14T20:04:52Z
 credit: '@snyff'
+cve_metadata:
+    id: CVE-2020-36559
+    cwe: "CWE 23: Relative Path Traversal"
 links:
     pr: https://github.com/go-aah/aah/pull/267
     commit: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec

reports/GO-2020-0034.yaml

@@ -9,6 +9,9 @@ description: |
     paths can cause files to be written (or overwritten) outside of the
     target directory.
 published: 2021-04-14T20:04:52Z
+cve_metadata:
+    id: CVE-2020-36560
+    cwe: 'CWE 29: Path Traversal: "\..\filename"'
 links:
     pr: https://github.com/artdarek/go-unzip/pull/2
     commit: https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0

reports/GO-2020-0035.yaml

@@ -9,6 +9,9 @@ description: |
     paths can cause files to be written (or overwritten) outside of the
     target directory.
 published: 2021-04-14T20:04:52Z
+cve_metadata:
+    id: CVE-2020-36561
+    cwe: 'CWE 29: Path Traversal: "\..\filename"'
 links:
     pr: https://github.com/yi-ge/unzip/pull/1
     commit: https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73

reports/GO-2020-0037.yaml

@@ -12,6 +12,9 @@ description: |
     resources, which may be used as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 credit: '@guagualvcha'
+cve_metadata:
+    id: CVE-2019-25072
+    cwe: "CWE-400: Uncontrolled Resource Consumption"
 links:
     pr: https://github.com/tendermint/tendermint/pull/3430
     commit: https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613

reports/GO-2020-0040.yaml

@@ -5,6 +5,9 @@ description: |
     cause panics, which may be used as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 credit: '@hMihaiDavid'
+cve_metadata:
+    id: CVE-2020-36562
+    cwe: "CWE-400: Uncontrolled Resource Consumption"
 links:
     context:
       - https://github.com/shiyanhui/dht/issues/57

reports/GO-2020-0045.yaml

@@ -13,6 +13,9 @@ description: |
     allowing an attacker to bypass CSRF protections which relatively few requests.
 published: 2021-04-14T20:04:52Z
 credit: '@elithrar'
+cve_metadata:
+    id: CVE-2016-15005
+    cwe: "CWE 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
 links:
     pr: https://github.com/dinever/golf/pull/24
     commit: https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe

reports/GO-2020-0047.yaml

@@ -9,6 +9,9 @@ description: |
     SHA-1, which may allow an attacker to craft inputs which cause hash
     collisions depending on their control over the input.
 published: 2021-04-14T20:04:52Z
+cve_metadata:
+    id: CVE-2020-36563
+    cwe: "CWE 328: Use of Weak Hash"
 links:
     context:
       - https://github.com/RobotsAndPencils/go-saml/pull/38

reports/GO-2020-0049.yaml

@@ -13,6 +13,9 @@ description: |
     to be considered valid.
 published: 2021-04-14T20:04:52Z
 credit: '@aeneasr'
+cve_metadata:
+    id: CVE-2020-36564
+    cwe: "CWE 345: Insufficient Verification of Data Authenticity"
 links:
     pr: https://github.com/justinas/nosurf/pull/60
     commit: https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314

reports/GO-2021-0051.yaml

@@ -10,6 +10,9 @@ description: |
     the target directory that the server has permission to read.
 published: 2021-04-14T20:04:52Z
 credit: '@little-cui (Apache ServiceComb)'
+cve_metadata:
+    id: CVE-2020-36565
+    cwe: "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 os:
   - windows
 links:

reports/GO-2021-0058.yaml

@@ -30,5 +30,3 @@ ghsas:
   - GHSA-4hq8-gmxx-h6w9
 links:
     commit: https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053
-    context:
-      - https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9

reports/GO-2021-0061.yaml

@@ -19,6 +19,9 @@ description: |
     Due to unbounded alias chasing, a maliciously crafted YAML file
     can cause the system to consume significant system resources. If
     parsing user input, this may be used as a denial of service vector.
+cve_metadata:
+    id: CVE-2021-4235
+    cwe: "CWE 400: Uncontrolled Resource Consumption"
 published: 2021-04-14T20:04:52Z
 credit: '@simonferquel'
 links:

reports/GO-2021-0106.yaml

@@ -9,6 +9,9 @@ description: |
     paths can cause files to be written (or overwritten) outside of the
     target directory.
 published: 2021-07-28T18:08:05Z
+cve_metadata:
+    id: CVE-2020-36566
+    cwe: "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 links:
     commit: https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227
     context:

reports/GO-2021-0107.yaml

@@ -7,11 +7,14 @@ packages:
     versions:
       - fixed: 1.5.2
 description: |
-    Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a
+    Web Sockets do not execute any AuthenticateMethod methods which may be set,leading to a
     nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or
     authentication bypass.
 published: 2021-07-28T18:08:05Z
+cve_metadata:
+    id: CVE-2021-4236
+    cwe: 'CWE-400: Uncontrolled Resource Consumption'
+ghsas:
+  - GHSA-5gjg-jgh4-gppm
 links:
     commit: https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
-    context:
-      - https://github.com/advisories/GHSA-5gjg-jgh4-gppm

reports/GO-2022-0384.yaml

@@ -21,6 +21,8 @@ description: |
 
     For further details, see
     https://github.com/advisories/GHSA-56hp-xqp3-w2jf.
+cves:
+  - CVE-2021-32690
 ghsas:
   - GHSA-56hp-xqp3-w2jf
 links:

reports/GO-2022-0385.yaml

@@ -15,6 +15,9 @@ description: |
     This issue only affects WebSockets with an AuthenticateMethod hook.
     Request handlers that do not explicitly use WebSockets are not
     vulnerable.
+cve_metadata:
+    id: CVE-2021-4237
+    cwe: "CWE 287: Improper Authentication"
 ghsas:
   - GHSA-5gjg-jgh4-gppm
 links:

reports/GO-2022-0391.yaml

@@ -24,6 +24,9 @@ description: |
     the plaintext, if the hash is readable to the attacker.
 
     AWS now blocks this metadata field, but older SDK versions still send it.
+cve_metadata:
+    id: CVE-2022-2582
+    cwe: "CWE 311: Missing Encryption of Sensitive Data"
 ghsas:
   - GHSA-76wf-9vgp-pj7w
 links:

reports/GO-2022-0400.yaml

@@ -10,5 +10,8 @@ packages:
 description: A race condition can cause incorrect HTTP request routing.
 ghsas:
   - GHSA-h2x7-2ff6-v32p
+cve_metadata:
+    id: CVE-2022-2583
+    cwe: "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"
 links:
     commit: https://github.com/ntbosscher/gobase/commit/a8d40bce9c429d324122d18c446924dab809e812

reports/GO-2022-0411.yaml

@@ -15,5 +15,8 @@ description: |
     reduces the amount of entropy in short strings generated by these functions.
 ghsas:
   - GHSA-xg2h-wx96-xgxr
+cve_metadata:
+    id: CVE-2021-4238
+    cwe: "CWE 330: Use of Insufficiently Random Values"
 links:
     commit: https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1

reports/GO-2022-0422.yaml

@@ -12,5 +12,8 @@ packages:
 description: The dag-pb codec can panic when decoding invalid blocks.
 ghsas:
   - GHSA-g3vv-g2j5-45f2
+cve_metadata:
+    id: CVE-2022-2584
+    cwe: "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
 links:
     commit: https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57

reports/GO-2022-0425.yaml

@@ -29,5 +29,8 @@ published: 2022-02-15T01:57:18Z
 last_modified: 2022-04-12T22:48:22Z
 ghsas:
   - GHSA-g9mp-8g3h-3c5c
+cve_metadata:
+    id: CVE-2021-4239
+    cwe: "CWE 400: Uncontrolled Resource Consumption"
 links:
     pr: https://github.com/flynn/noise/pull/44