x/vulndb: add reports/GO-2022-0322.yaml for CVE-2022-21698

neild · neild · commit 7e8999ed7950 · 2022-07-15T23:29:02.000Z
Fixes #322 Change-Id: I8637bf1ceca5aef9de8e7dddcc584c1cecdf5df4 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/392756 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/reports/GO-2022-0322.yaml b/reports/GO-2022-0322.yaml
@@ -0,0 +1,38 @@
+packages:
+  - module: github.com/prometheus/client_golang
+    package: github.com/prometheus/client_golang/prometheus/promhttp
+    symbols:
+      - sanitizeMethod
+    derived_symbols:
+      - Handler
+      - HandlerFor
+      - InstrumentHandlerCounter
+      - InstrumentHandlerDuration
+      - InstrumentHandlerRequestSize
+      - InstrumentHandlerResponseSize
+      - InstrumentHandlerTimeToWriteHeader
+      - InstrumentMetricHandler
+      - InstrumentRoundTripperCounter
+      - InstrumentRoundTripperDuration
+      - flusherDelegator.Flush
+      - init
+      - readerFromDelegator.ReadFrom
+      - responseWriterDelegator.Write
+      - responseWriterDelegator.WriteHeader
+    versions:
+      - fixed: 1.11.1
+    vulnerable_at: 1.11.0
+description: |
+    The Prometheus client_golang HTTP server is vulnerable to a denial of
+    service attack when handling requests with non-standard HTTP methods.
+
+    In order to be affected, an instrumented software must use any of
+    the promhttp.InstrumentHandler* middleware except `RequestsInFlight`;
+    not filter any specific methods (e.g GET) before middleware;
+    pass a metric with a "method" label name to a middleware; and not
+    have any firewall/LB/proxy that filters away requests with unknown
+    "method".
+cves:
+  - CVE-2022-21698
+ghsas:
+  - GHSA-cg3q-j54f-5p7p
