data/reports: add GO-2023-1713.yaml

Aliases: CVE-2023-1800, GHSA-xq3x-grrj-fj6x Fixes #1713 Change-Id: Ie249047608ebb0cd2b49fa4428a5e8bbcda5c9d5 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/483978 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> Commit-Queue: Tim King <taking@google.com> Run-TryBot: Tim King <taking@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
golang · Apr 12, 2023 · e2687ad · e2687ad
1 parent e19cbc7
commit e2687ad
Show file tree

Hide file tree

Showing 2 changed files with 108 additions and 0 deletions.
diff --git a/data/osv/GO-2023-1713.json b/data/osv/GO-2023-1713.json
@@ -0,0 +1,75 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2023-1713",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-1800",
+    "GHSA-xq3x-grrj-fj6x"
+  ],
+  "details": "An attacker can craft a remote request to upload a file to `/group1/upload` that uses path traversal to instead write the file contents to an attacker controlled path on the server.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/sjqzhang/go-fastdfs",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.4.5-0.20230408141131-61cbff5124c6"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/sjqzhang/go-fastdfs/server",
+            "symbols": [
+              "HttpHandler.ServeHTTP",
+              "Server.ConsumerUpload",
+              "Server.CrossOrigin",
+              "Server.Download",
+              "Server.DownloadNormalFileByURI",
+              "Server.Start",
+              "Server.Upload",
+              "Server.upload",
+              "Start"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/yangyanglo/ForCVE/blob/93a16663cd32a36d37d8a0f0102e1592254d0279/2023-0x05.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.224768"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.224768"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/sjqzhang/go-fastdfs/commit/61cbff5124c61e292994099372b11c06cdb5b80b"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-xq3x-grrj-fj6x"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2023-1713"
+  }
+}
diff --git a/data/reports/GO-2023-1713.yaml b/data/reports/GO-2023-1713.yaml
@@ -0,0 +1,33 @@
+modules:
+  - module: github.com/sjqzhang/go-fastdfs
+    versions:
+      - fixed: 1.4.5-0.20230408141131-61cbff5124c6
+    vulnerable_at: 1.4.4
+    packages:
+      - package: github.com/sjqzhang/go-fastdfs/server
+        symbols:
+          - Server.upload
+          - Server.CrossOrigin
+          - Server.Download
+        derived_symbols:
+          - HttpHandler.ServeHTTP
+          - Server.ConsumerUpload
+          - Server.DownloadNormalFileByURI
+          - Server.Start
+          - Server.Upload
+          - Start
+summary: sjqzhang go-fastdfs vulnerable to path traversal
+description: |
+    An attacker can craft a remote request to upload a file to `/group1/upload`
+    that uses path traversal to instead write the file contents to an attacker
+    controlled path on the server.
+cves:
+  - CVE-2023-1800
+ghsas:
+  - GHSA-xq3x-grrj-fj6x
+references:
+  - web: https://github.com/yangyanglo/ForCVE/blob/93a16663cd32a36d37d8a0f0102e1592254d0279/2023-0x05.md
+  - web: https://vuldb.com/?ctiid.224768
+  - web: https://vuldb.com/?id.224768
+  - fix: https://github.com/sjqzhang/go-fastdfs/commit/61cbff5124c61e292994099372b11c06cdb5b80b
+  - advisory: https://github.com/advisories/GHSA-xq3x-grrj-fj6x