x/vulndb: potential Go vuln in github.com/schollz/croc/v9: GHSA-ppjh-xp5v-46wc #2073

GoVulnBot · 2023-09-21T17:01:30Z

In GitHub Security Advisory GHSA-ppjh-xp5v-46wc, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/schollz/croc/v9		<= 9.6.5

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/schollz/croc/v9
      versions:
        - {}
      vulnerable_at: 9.6.5
      packages:
        - package: github.com/schollz/croc/v9
summary: Croc sender may send dangerous new files to receiver
description: |-
    An issue was discovered in Croc through 9.6.5. A sender may send dangerous new
    files to a receiver, such as executable content or a `.ssh/authorized_keys`
    file.
cves:
    - CVE-2023-43619
ghsas:
    - GHSA-ppjh-xp5v-46wc
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-43619
    - report: https://github.com/schollz/croc/issues/593
    - web: https://www.openwall.com/lists/oss-security/2023/09/08/2
    - advisory: https://github.com/advisories/GHSA-ppjh-xp5v-46wc

The text was updated successfully, but these errors were encountered:

zpavlinovic · 2023-09-21T21:02:15Z

Vulnerability in tool.

gopherbot · 2023-09-21T21:12:20Z

Change https://go.dev/cl/530118 mentions this issue: data/excluded: batch add 7 excluded reports

gopherbot · 2024-06-14T17:47:53Z

Change https://go.dev/cl/592763 mentions this issue: data/reports: unexclude 75 reports

gopherbot · 2024-08-20T16:56:32Z

Change https://go.dev/cl/606791 mentions this issue: data/reports: unexclude 20 reports (11)

- data/reports/GO-2023-2051.yaml - data/reports/GO-2023-2053.yaml - data/reports/GO-2023-2055.yaml - data/reports/GO-2023-2063.yaml - data/reports/GO-2023-2065.yaml - data/reports/GO-2023-2066.yaml - data/reports/GO-2023-2067.yaml - data/reports/GO-2023-2068.yaml - data/reports/GO-2023-2069.yaml - data/reports/GO-2023-2070.yaml - data/reports/GO-2023-2071.yaml - data/reports/GO-2023-2072.yaml - data/reports/GO-2023-2073.yaml - data/reports/GO-2023-2075.yaml - data/reports/GO-2023-2078.yaml - data/reports/GO-2023-2079.yaml - data/reports/GO-2023-2080.yaml - data/reports/GO-2023-2084.yaml - data/reports/GO-2023-2085.yaml - data/reports/GO-2023-2088.yaml Updates #2051 Updates #2053 Updates #2055 Updates #2063 Updates #2065 Updates #2066 Updates #2067 Updates #2068 Updates #2069 Updates #2070 Updates #2071 Updates #2072 Updates #2073 Updates #2075 Updates #2078 Updates #2079 Updates #2080 Updates #2084 Updates #2085 Updates #2088 Change-Id: I0103dfe39411ae2cf3d74933349260db7dc3496b Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606791 Commit-Queue: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>

zpavlinovic self-assigned this Sep 21, 2023

zpavlinovic added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Sep 21, 2023

gopherbot closed this as completed in 4d3c9e3 Sep 22, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/schollz/croc/v9: GHSA-ppjh-xp5v-46wc #2073

x/vulndb: potential Go vuln in github.com/schollz/croc/v9: GHSA-ppjh-xp5v-46wc #2073

GoVulnBot commented Sep 21, 2023

zpavlinovic commented Sep 21, 2023

gopherbot commented Sep 21, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in github.com/schollz/croc/v9: GHSA-ppjh-xp5v-46wc #2073

x/vulndb: potential Go vuln in github.com/schollz/croc/v9: GHSA-ppjh-xp5v-46wc #2073

Comments

GoVulnBot commented Sep 21, 2023

zpavlinovic commented Sep 21, 2023

gopherbot commented Sep 21, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024