data/reports: add GO-2023-1859.yaml

Aliases: GHSA-rm8v-mxj3-5rmq Fixes #1859 Change-Id: I697ba68c4e140066b3ed9e151450c1faef7486d0 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/504859 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
golang · Jun 22, 2023 · 94e0581 · 94e0581
1 parent bad1d26
commit 94e0581
Show file tree

Hide file tree

Showing 2 changed files with 117 additions and 0 deletions.
diff --git a/data/osv/GO-2023-1859.json b/data/osv/GO-2023-1859.json
@@ -0,0 +1,86 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2023-1859",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-rm8v-mxj3-5rmq"
+  ],
+  "summary": "Padding oracle vulnerability in github.com/lestrrat-go/jwx",
+  "details": "AES-CBC decryption is vulnerable to a timing attack which may permit an attacker to recover the plaintext of JWE data.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/lestrrat-go/jwx",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.2.26"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/lestrrat-go/jwx/jwe/internal/aescbc",
+            "symbols": [
+              "Hmac.Open",
+              "unpad"
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/lestrrat-go/jwx/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.11-0.20230614080639-c8b6bec919a1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/lestrrat-go/jwx/v2/jwe/internal/aescbc",
+            "symbols": [
+              "Hmac.Open",
+              "unpad"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://github.com/lestrrat-go/jwx/commit/6c41e3822485fc7e11dd70b4b0524b075d66b103"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/lestrrat-go/jwx/commit/d9ddbc8e5009cfdd8c28413390b67afa7f576dd6"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2023-1859"
+  }
+}
diff --git a/data/reports/GO-2023-1859.yaml b/data/reports/GO-2023-1859.yaml
@@ -0,0 +1,31 @@
+id: GO-2023-1859
+modules:
+    - module: github.com/lestrrat-go/jwx
+      versions:
+        - fixed: 1.2.26
+      vulnerable_at: 1.2.25
+      packages:
+        - package: github.com/lestrrat-go/jwx/jwe/internal/aescbc
+          symbols:
+            - unpad
+          derived_symbols:
+            - Hmac.Open
+    - module: github.com/lestrrat-go/jwx/v2
+      versions:
+        - fixed: 2.0.11-0.20230614080639-c8b6bec919a1
+      vulnerable_at: 2.0.10
+      packages:
+        - package: github.com/lestrrat-go/jwx/v2/jwe/internal/aescbc
+          symbols:
+            - unpad
+          derived_symbols:
+            - Hmac.Open
+summary: Padding oracle vulnerability in github.com/lestrrat-go/jwx
+description: |
+    AES-CBC decryption is vulnerable to a timing attack which may permit
+    an attacker to recover the plaintext of JWE data.
+ghsas:
+    - GHSA-rm8v-mxj3-5rmq
+references:
+    - fix: https://github.com/lestrrat-go/jwx/commit/6c41e3822485fc7e11dd70b4b0524b075d66b103
+    - fix: https://github.com/lestrrat-go/jwx/commit/d9ddbc8e5009cfdd8c28413390b67afa7f576dd6