Skip to content

Commit

Permalink
Capture affected modules and functions (#148)
Browse files Browse the repository at this point in the history 
* Affected functions

Signed-off-by: Prabhu Subramanian <[email protected]>

* Affected modules

Signed-off-by: Prabhu Subramanian <[email protected]>

* Affected modules

Signed-off-by: Prabhu Subramanian <[email protected]>

* Show affected symbols in cli

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>
  • Loading branch information
@prabhu
prabhu authored Jun 16, 2024
1 parent b99446b commit 64ce70c
Show file tree
Hide file tree
Showing 15 changed files with 751 additions and 79 deletions.
2 changes: 1 addition & 1 deletion pyproject.toml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[project]
name = "appthreat-vulnerability-db"
version = "6.0.6"
version = "6.0.7"
description = "AppThreat's vulnerability database and package search library with a built-in sqlite based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
authors = [
{name = "Team AppThreat", email = "[email protected]"},
Expand Down
145 changes: 145 additions & 0 deletions test/data/GHSA-vc2p-r46x-m3vx.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,145 @@
{
"id": "GHSA-vc2p-r46x-m3vx",
"summary": "Argument injection in lettre",
"details": "### Impact\n\nAffected versions of lettre allowed argument injection to the sendmail command. It was possible, using forged to addresses, to pass arbitrary arguments to the sendmail executable.\n\nDepending on the implementation (original sendmail, postfix, exim, etc.) it could be possible in some cases to write email data into abritrary files (using sendmail's logging features).\n\n*NOTE*: This vulnerability only affects the sendmail transport. Others, including smtp, are not affected.\n\n### Fix\n\nThe flaw is corrected by modifying the executed command to stop parsing arguments before passing the destination addresses.\n\n### References\n\n* [RUSTSEC-2020-0069](https://rustsec.org/advisories/RUSTSEC-2020-0069.html)\n* [CVE-2020-28247](https://nvd.nist.gov/vuln/detail/CVE-2020-28247)",
"aliases": [
"CVE-2020-28247",
"RUSTSEC-2020-0069"
],
"modified": "2023-11-08T04:03:24.160094Z",
"published": "2021-08-25T20:56:48Z",
"database_specific": {
"nvd_published_at": null,
"cwe_ids": [
"CWE-77"
],
"severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2021-08-18T20:59:57Z"
},
"references": [
{
"type": "WEB",
"url": "https://github.com/lettre/lettre/security/advisories/GHSA-vc2p-r46x-m3vx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28247"
},
{
"type": "WEB",
"url": "https://github.com/RustSec/advisory-db/pull/478/files"
},
{
"type": "WEB",
"url": "https://github.com/lettre/lettre/pull/508/commits/bbe7cc5381c5380b54fb8bbb4f77a3725917ff0b"
},
{
"type": "PACKAGE",
"url": "https://github.com/lettre/lettre"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0069.html"
}
],
"affected": [
{
"package": {
"name": "lettre",
"ecosystem": "crates.io",
"purl": "pkg:cargo/lettre"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.9.0"
},
{
"fixed": "0.9.5"
}
]
}
],
"ecosystem_specific": {
"affected_functions": [
"lettre::sendmail::SendmailTransport::send",
"lettre::transport::sendmail::SendmailTransport::send",
"lettre::transport::sendmail::SendmailTransport::send_raw"
]
},
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-vc2p-r46x-m3vx/GHSA-vc2p-r46x-m3vx.json"
}
},
{
"package": {
"name": "lettre",
"ecosystem": "crates.io",
"purl": "pkg:cargo/lettre"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.8.4"
}
]
}
],
"ecosystem_specific": {
"affected_functions": [
"lettre::sendmail::SendmailTransport::send",
"lettre::transport::sendmail::SendmailTransport::send",
"lettre::transport::sendmail::SendmailTransport::send_raw"
]
},
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-vc2p-r46x-m3vx/GHSA-vc2p-r46x-m3vx.json"
}
},
{
"package": {
"name": "lettre",
"ecosystem": "crates.io",
"purl": "pkg:cargo/lettre"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.7.0"
},
{
"fixed": "0.7.1"
}
]
}
],
"ecosystem_specific": {
"affected_functions": [
"lettre::sendmail::SendmailTransport::send",
"lettre::transport::sendmail::SendmailTransport::send",
"lettre::transport::sendmail::SendmailTransport::send_raw"
]
},
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-vc2p-r46x-m3vx/GHSA-vc2p-r46x-m3vx.json"
}
}
],
"schema_version": "1.6.0",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
]
}
183 changes: 183 additions & 0 deletions test/data/GHSA-xrjj-mj9h-534m.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,183 @@
{
"id": "GHSA-xrjj-mj9h-534m",
"summary": "golang.org/x/net/http2 vulnerable to possible excessive memory growth",
"details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"aliases": [
"BIT-golang-2022-41717",
"CVE-2022-41717",
"GO-2022-1144"
],
"modified": "2024-05-20T21:41:40Z",
"published": "2022-12-08T21:30:19Z",
"database_specific": {
"nvd_published_at": "2022-12-08T20:15:00Z",
"cwe_ids": [
"CWE-770"
],
"severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2023-01-18T00:05:16Z"
},
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-09"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"type": "WEB",
"url": "https://go.dev/issue/56350"
},
{
"type": "WEB",
"url": "https://go.dev/cl/455717"
},
{
"type": "WEB",
"url": "https://go.dev/cl/455635"
},
{
"type": "PACKAGE",
"url": "https://cs.opensource.google/go/x/net"
}
],
"affected": [
{
"package": {
"name": "golang.org/x/net/http2",
"ecosystem": "Go",
"purl": "pkg:golang/golang.org/x/net/http2"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.0"
}
]
}
],
"ecosystem_specific": {
"affected_functions": [
"Server.ServeConn"
]
},
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-xrjj-mj9h-534m/GHSA-xrjj-mj9h-534m.json"
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go",
"purl": "pkg:golang/golang.org/x/net"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.0"
}
]
}
],
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-xrjj-mj9h-534m/GHSA-xrjj-mj9h-534m.json"
}
}
],
"schema_version": "1.6.0",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
]
}
Loading

0 comments on commit 64ce70c

Please sign in to comment.