x/vulndb: add reports/GO-2022-0322.yaml for CVE-2022-21698

Fixes #322 Change-Id: I8637bf1ceca5aef9de8e7dddcc584c1cecdf5df4 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/392756 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
golang · Jul 15, 2022 · 7e8999e · 7e8999e
1 parent 1123a15
commit 7e8999e
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/reports/GO-2022-0322.yaml b/reports/GO-2022-0322.yaml
@@ -0,0 +1,38 @@
+packages:
+  - module: github.com/prometheus/client_golang
+    package: github.com/prometheus/client_golang/prometheus/promhttp
+    symbols:
+      - sanitizeMethod
+    derived_symbols:
+      - Handler
+      - HandlerFor
+      - InstrumentHandlerCounter
+      - InstrumentHandlerDuration
+      - InstrumentHandlerRequestSize
+      - InstrumentHandlerResponseSize
+      - InstrumentHandlerTimeToWriteHeader
+      - InstrumentMetricHandler
+      - InstrumentRoundTripperCounter
+      - InstrumentRoundTripperDuration
+      - flusherDelegator.Flush
+      - init
+      - readerFromDelegator.ReadFrom
+      - responseWriterDelegator.Write
+      - responseWriterDelegator.WriteHeader
+    versions:
+      - fixed: 1.11.1
+    vulnerable_at: 1.11.0
+description: |
+    The Prometheus client_golang HTTP server is vulnerable to a denial of
+    service attack when handling requests with non-standard HTTP methods.
+
+    In order to be affected, an instrumented software must use any of
+    the promhttp.InstrumentHandler* middleware except `RequestsInFlight`;
+    not filter any specific methods (e.g GET) before middleware;
+    pass a metric with a "method" label name to a middleware; and not
+    have any firewall/LB/proxy that filters away requests with unknown
+    "method".
+cves:
+  - CVE-2022-21698
+ghsas:
+  - GHSA-cg3q-j54f-5p7p