data/reports: update GO-2022-0248 to include later fix

neild · neild · commit 62db6f333c70 · 2023-11-06T21:39:09.000Z
GHSA-cqh2-vc2f-q4fh reported a path traversal vulnerability in github.com/cloudflare/cfrpki/pki, which was subsequently fixed in v1.4.0. GHSA-8459-6rc9-8vf8 is a later GHSA reporting that the fix was insufficient. This report was addressed by a followup fix in v1.4.4. Since the vulnerability has a single root cause, update GO-2022-0248 to reference both GHSAs and list 1.4.4 as the fix version. For #248 Fixes #362 Change-Id: I3861168ab3ac7d18e33e95c37ab8616a34c2f624 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/539338 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2022-0248.json b/data/osv/GO-2022-0248.json
@@ -5,7 +5,8 @@
   "published": "2022-07-15T23:07:18Z",
   "aliases": [
     "CVE-2021-3907",
-    "GHSA-cqh2-vc2f-q4fh"
+    "GHSA-cqh2-vc2f-q4fh",
+    "GHSA-8459-6rc9-8vf8"
   ],
   "summary": "Directory traversal in manifest path extraction in github.com/cloudflare/cfrpki",
   "details": "Manifest path extraction is vulnerable to directory traversal attacks.\n\nThe ExtractPathManifest function permits file paths containing relative directory components (\"..\"), permitting files to reference arbitrary locations on the filesystem.",
@@ -23,7 +24,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "1.4.3"
+              "fixed": "1.4.4"
             }
           ]
         }
@@ -48,6 +49,10 @@
     {
       "type": "FIX",
       "url": "https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cloudflare/cfrpki/commit/a053a808feeb3115c76b6cc263ee55598ce6e8cd"
     }
   ],
   "credits": [
diff --git a/data/reports/GO-2022-0248.yaml b/data/reports/GO-2022-0248.yaml
@@ -2,7 +2,7 @@ id: GO-2022-0248
 modules:
     - module: github.com/cloudflare/cfrpki
       versions:
-        - fixed: 1.4.3
+        - fixed: 1.4.4
       vulnerable_at: 1.4.2
       packages:
         - package: github.com/cloudflare/cfrpki/validator/pki
@@ -25,7 +25,9 @@ cves:
     - CVE-2021-3907
 ghsas:
     - GHSA-cqh2-vc2f-q4fh
+    - GHSA-8459-6rc9-8vf8
 credits:
     - Koen van Hove
 references:
     - fix: https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284
+    - fix: https://github.com/cloudflare/cfrpki/commit/a053a808feeb3115c76b6cc263ee55598ce6e8cd

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,8 @@`
`5`	`5`	`"published": "2022-07-15T23:07:18Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2021-3907",`
`8`		`- "GHSA-cqh2-vc2f-q4fh"`
	`8`	`+ "GHSA-cqh2-vc2f-q4fh",`
	`9`	`+ "GHSA-8459-6rc9-8vf8"`
`9`	`10`	`],`
`10`	`11`	`"summary": "Directory traversal in manifest path extraction in github.com/cloudflare/cfrpki",`
`11`	`12`	`"details": "Manifest path extraction is vulnerable to directory traversal attacks.\n\nThe ExtractPathManifest function permits file paths containing relative directory components (\"..\"), permitting files to reference arbitrary locations on the filesystem.",`
`@@ -23,7 +24,7 @@`
`23`	`24`	`"introduced": "0"`
`24`	`25`	`},`
`25`	`26`	`{`
`26`		`- "fixed": "1.4.3"`
	`27`	`+ "fixed": "1.4.4"`
`27`	`28`	`}`
`28`	`29`	`]`
`29`	`30`	`}`
`@@ -48,6 +49,10 @@`
`48`	`49`	`{`
`49`	`50`	`"type": "FIX",`
`50`	`51`	`"url": "https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284"`
	`52`	`+ },`
	`53`	`+ {`
	`54`	`+ "type": "FIX",`
	`55`	`+ "url": "https://github.com/cloudflare/cfrpki/commit/a053a808feeb3115c76b6cc263ee55598ce6e8cd"`
`51`	`56`	`}`
`52`	`57`	`],`
`53`	`58`	`"credits": [`