x/vulndb: potential Go vuln in github.com/slackhq/nebula: CVE-2020-11498

[tatianab]

CVE-2020-11498 references github.com/slackhq/nebula, which may be a Go module.

Description:
Slack Nebula through 1.1.0 contains a relative path vulnerability that allows a low-privileged attacker to execute code in the context of the root user via tun_darwin.go or tun_windows.go. A user can also use Nebula to execute arbitrary code in the user's own context, e.g., for user-level persistence or to bypass security controls. NOTE: the vendor states that this "requires a high degree of access and other preconditions that are tough to achieve."

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-11498
• fix: use absolute paths on darwin and windows slackhq/nebula#191
• web: http://www.pwn3d.org/posts/7918501-slack-nebula-relative-path-bug-bounty-disclosure
• Imported by: https://pkg.go.dev/github.com/slackhq/nebula?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/slackhq/nebula
      vulnerable_at: 1.7.2
      packages:
        - package: n/a
cves:
    - CVE-2020-11498
references:
    - fix: https://github.com/slackhq/nebula/pull/191
    - web: http://www.pwn3d.org/posts/7918501-slack-nebula-relative-path-bug-bounty-disclosure

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports