
data/reports: add GO-2023-2399.yaml
Aliases: CVE-2023-6337, GHSA-6p62-6cg9-f5f5

Fixes #2399

Change-Id: Ib7a3ac1cf3977dcc0345786f706d5169df79eac9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/551996
Run-TryBot: Tim King <taking@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
timothy-king committed Jan 3, 2024
1 parent e9e1530 commit e7ffd94
Showing 3 changed files with 176 additions and 0 deletions.
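--- a/data/osv/GO-2023-2399.json
+++ b/data/osv/GO-2023-2399.json
@@ -0,0 +1,105 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2023-2399",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2023-6337",
+"GHSA-6p62-6cg9-f5f5"
+],
+"summary": "Denial of service via memory exhaustion in github.com/hashicorp/vault",
+"details": "Unauthenticated and authenticated HTTP requests from a client will be attempted to be mapped to memory. Large requests may result in the exhaustion of available memory on the host, which may cause crashes and denial of service.",
+"affected": [
+{
+"package": {
+"name": "github.com/hashicorp/vault",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "1.12.0"
+},
+{
+"fixed": "1.13.12"
+},
+{
+"introduced": "1.14.0"
+},
+{
+"fixed": "1.14.8"
+},
+{
+"introduced": "1.15.0"
+},
+{
+"fixed": "1.15.4"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "github.com/hashicorp/vault/helper/forwarding",
+"symbols": [
+"GenerateForwardedHTTPRequest",
+"GenerateForwardedRequest"
+]
+},
+{
+"path": "github.com/hashicorp/vault/http",
+"symbols": [
+"HandlerAnchor.Handler",
+"TestServer",
+"TestServerWithListener",
+"TestServerWithListenerAndProperties",
+"handler",
+"parseFormRequest",
+"parseJSONRequest",
+"rateLimitQuotaWrapping",
+"wrapGenericHandler"
+]
+},
+{
+"path": "github.com/hashicorp/vault/vault",
+"symbols": [
+"Core.DetermineRoleFromLoginRequest",
+"Core.DetermineRoleFromLoginRequestFromBytes",
+"Core.ForwardRequest",
+"Core.HandleRequest",
+"NewSystemBackend",
+"NewTestCluster",
+"SystemBackend.handleStorageRaftSnapshotWrite",
+"TestCluster.InitCores",
+"TestCoreUnsealed",
+"TestCoreUnsealedRaw",
+"TestCoreUnsealedWithConfig",
+"TestCoreUnsealedWithMetrics",
+"TestCoreWithCustomResponseHeaderAndUI"
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6337"
+},
+{
+"type": "WEB",
+"url": "https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741"
+},
+{
+"type": "FIX",
+"url": "https://github.com/hashicorp/vault/pull/24354"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2023-2399"
+}
+}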
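--- a/data/reports/GO-2023-2399.yaml
+++ b/data/reports/GO-2023-2399.yaml
@@ -0,0 +1,61 @@
+id: GO-2023-2399
+modules:
+- module: github.com/hashicorp/vault
+versions:
+- introduced: 1.12.0
+fixed: 1.13.12
+- introduced: 1.14.0
+fixed: 1.14.8
+- introduced: 1.15.0
+fixed: 1.15.4
+vulnerable_at: 1.15.3
+packages:
+- package: github.com/hashicorp/vault/helper/forwarding
+symbols:
+- GenerateForwardedRequest
+derived_symbols:
+- GenerateForwardedHTTPRequest
+- package: github.com/hashicorp/vault/http
+symbols:
+- handler
+- wrapGenericHandler
+- parseJSONRequest
+- parseFormRequest
+- rateLimitQuotaWrapping
+derived_symbols:
+- HandlerAnchor.Handler
+- TestServer
+- TestServerWithListener
+- TestServerWithListenerAndProperties
+skip_fix: 'TODO: module github.com/hashicorp/vault must be updated with go get github.com/hashicorp/vault/sdk@v0.10.2 to reproduce.'
+- package: github.com/hashicorp/vault/vault
+symbols:
+- Core.DetermineRoleFromLoginRequestFromBytes
+- Core.DetermineRoleFromLoginRequest
+- SystemBackend.handleStorageRaftSnapshotWrite
+derived_symbols:
+- Core.ForwardRequest
+- Core.HandleRequest
+- NewSystemBackend
+- NewTestCluster
+- TestCluster.InitCores
+- TestCoreUnsealed
+- TestCoreUnsealedRaw
+- TestCoreUnsealedWithConfig
+- TestCoreUnsealedWithMetrics
+- TestCoreWithCustomResponseHeaderAndUI
+skip_fix: 'TODO: module github.com/hashicorp/vault must be updated with go get github.com/hashicorp/vault/sdk@v0.10.2 to reproduce.'
+summary: Denial of service via memory exhaustion in github.com/hashicorp/vault
+description: |-
+Unauthenticated and authenticated HTTP requests from a client
+will be attempted to be mapped to memory.
+Large requests may result in the exhaustion of available
+memory on the host, which may cause crashes and denial of service.
+cves:
+- CVE-2023-6337
+ghsas:
+- GHSA-6p62-6cg9-f5f5
+references:
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-6337
+- web: https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741
+- fix: https://github.com/hashicorp/vault/pull/24354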
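Review bot: The `skip_fix` note is carried verbatim on the http and vault package entries but not on helper/forwarding, which leaves the next maintainer unsure whether forwarding's symbols were derived without the sdk override or the entry was simply missed. If the omission is deliberate, a one-line YAML comment on the forwarding entry stating why it needs no override would make the three entries consistent; if not, the same `skip_fix` belongs there as well. Since the two existing notes are identical, a single shared sentence at module level (if the report schema allows one) would also avoid the duplicated TODO text drifting apart later.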
10 changes: 10 additions & 0 deletions internal/symbols/exported_functions.go
Expand Up @@ -60,6 +60,16 @@ func Exported(m *report.Module, p *report.Package, errlog *log.Logger) (_ []stri
return nil, err
}
}
// TODO: This is the logical place to update the vulnerable module to locally
// use a different version of a module when necessary for .
// Example: data/reports/GO-2023-2399.yaml
// go mod edit -require github.com/hashicorp/vault@1.15.3
// which requires
// go get github.com/hashicorp/vault/sdk@v0.10.2
// to locally derive symbols.
// It may potentially make sense to extend yaml report format with
// these if this is a recurring problem.

// Create a package that imports the package we're interested in.
var content bytes.Buffer
fmt.Fprintf(&content, "package p\n")
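Review bot: The second line of the new TODO comment is unfinished — `// use a different version of a module when necessary for .` stops before saying what the override is for, and the last line of the same comment already supplies the purpose, so `// use a different version of a module when necessary to derive symbols.` reads cleanly. The example command also writes the version without the `v` prefix that module versions carry elsewhere in the same comment (`@v0.10.2`); if the recipe is meant to be copied, `go mod edit -require github.com/hashicorp/vault@v1.15.3` is the canonical form. The enclosing function Exported begins and ends outside this hunk.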
