data/reports: update GO-2022-0578

- data/reports/GO-2022-0578.yaml Updates #578 Fixes #3115 Change-Id: Iad3d980038a8750ffc6b3c63001b0010f1b7cc9c Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/610798 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> TryBot-Bypass: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com>
golang · Sep 5, 2024 · 6c9e647 · 6c9e647
1 parent 22fa4ff
commit 6c9e647
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/data/osv/GO-2022-0578.json b/data/osv/GO-2022-0578.json
@@ -21,6 +21,9 @@
           "events": [
             {
               "introduced": "1.8.0"
+            },
+            {
+              "fixed": "1.8.5"
             }
           ]
         }

diff --git a/data/reports/GO-2022-0578.yaml b/data/reports/GO-2022-0578.yaml
@@ -3,9 +3,8 @@ modules:
     - module: github.com/hashicorp/vault
       versions:
         - introduced: 1.8.0
-      unsupported_versions:
-        - last_affected: 1.8.4
-      vulnerable_at: 1.17.3
+        - fixed: 1.8.5
+      vulnerable_at: 1.8.4
 summary: Incorrect Privilege Assignment in HashiCorp Vault in github.com/hashicorp/vault
 cves:
     - CVE-2021-42135
@@ -16,6 +15,11 @@ references:
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-42135
     - web: https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards
     - web: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#180
+notes:
+    - |
+      manually changed 'last_affected: 1.8.4' to 'fixed: 1.8.5'. The fix appears to be
+      only a documentation clarification; but this is an old enough vulnerability that
+      the new documentation should have had enough time to reach users.
 source:
     id: GHSA-362v-wg5p-64w2
     created: 2024-08-20T14:05:02.493104-04:00