x/vulndb: potential Go vuln in github.com/spdk/spdk: CVE-2019-9547

[tatianab]

CVE-2019-9547 references github.com/spdk/spdk, which may be a Go module.

Description:
In Storage Performance Development Kit (SPDK) before 19.01, a malicious vhost client (i.e., virtual machine) could carefully construct a circular descriptor chain that would result in a partial denial of service in the SPDK vhost target, because the vhost target did not properly detect such chains.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-9547
• web: https://github.com/spdk/spdk/releases/tag/v19.01
• fix: spdk/spdk@eca42c6
• Imported by: https://pkg.go.dev/github.com/spdk/spdk?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/spdk/spdk
      vulnerable_at: 19.10.1+incompatible
      packages:
        - package: n/a
cves:
    - CVE-2019-9547
references:
    - web: https://github.com/spdk/spdk/releases/tag/v19.01
    - fix: https://github.com/spdk/spdk/commit/eca42c66092b9031711afe215fbc1891ee55f143

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports