data/reports: add GO-2024-3098

- data/reports/GO-2024-3098.yaml Fixes #3098 Change-Id: Ib825ff7ad0ce477240d44355b00b37befdd6eae4 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/613257 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Zvonimir Pavlinovic <[email protected]> Auto-Submit: Tatiana Bradley <[email protected]>
golang · Sep 13, 2024 · 5b8657f · 5b8657f
1 parent d0b10b7
commit 5b8657f
Show file tree

Hide file tree

Showing 2 changed files with 228 additions and 0 deletions.
diff --git a/data/osv/GO-2024-3098.json b/data/osv/GO-2024-3098.json
@@ -0,0 +1,144 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3098",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-45258",
+    "GHSA-cj55-gc7m-wvcq"
+  ],
+  "summary": "The req library may send an unintended request when a malformed URL is provided in github.com/imroc/req",
+  "details": "The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests.\n\nDespite developers potentially utilizing the net/url library to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how the net/url and req libraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/imroc/req",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/imroc/req"
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/imroc/req/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/imroc/req/v2"
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/imroc/req/v3",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.43.4"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/imroc/req/v3",
+            "symbols": [
+              "Delete",
+              "Get",
+              "Head",
+              "HttpRoundTripFunc.RoundTrip",
+              "MustDelete",
+              "MustGet",
+              "MustHead",
+              "MustOptions",
+              "MustPatch",
+              "MustPost",
+              "MustPut",
+              "Options",
+              "ParallelDownload.Do",
+              "Patch",
+              "Post",
+              "Put",
+              "Request.Delete",
+              "Request.Do",
+              "Request.Get",
+              "Request.Head",
+              "Request.MustDelete",
+              "Request.MustGet",
+              "Request.MustHead",
+              "Request.MustOptions",
+              "Request.MustPatch",
+              "Request.MustPost",
+              "Request.MustPut",
+              "Request.Options",
+              "Request.Patch",
+              "Request.Post",
+              "Request.Put",
+              "Request.Send",
+              "Transport.CancelRequest",
+              "Transport.CloseIdleConnections",
+              "Transport.RoundTrip",
+              "cleanHost",
+              "persistConn.writeRequest",
+              "roundTripImpl.RoundTrip"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-cj55-gc7m-wvcq"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/imroc/req/commit/04e3ece5b380ecad9da3551c449f1b8a9aa76d3d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/imroc/req/compare/v3.43.3...v3.43.4"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3098",
+    "review_status": "REVIEWED"
+  }
+}
diff --git a/data/reports/GO-2024-3098.yaml b/data/reports/GO-2024-3098.yaml
@@ -0,0 +1,84 @@
+id: GO-2024-3098
+modules:
+    - module: github.com/imroc/req
+      vulnerable_at: 0.3.2
+      packages:
+        - package: github.com/imroc/req
+    - module: github.com/imroc/req/v2
+      vulnerable_at: 2.1.0
+      packages:
+        - package: github.com/imroc/req/v2
+    - module: github.com/imroc/req/v3
+      versions:
+        - fixed: 3.43.4
+      vulnerable_at: 3.43.3
+      packages:
+        - package: github.com/imroc/req/v3
+          symbols:
+            - cleanHost
+            - persistConn.writeRequest
+          derived_symbols:
+            - Delete
+            - Get
+            - Head
+            - HttpRoundTripFunc.RoundTrip
+            - MustDelete
+            - MustGet
+            - MustHead
+            - MustOptions
+            - MustPatch
+            - MustPost
+            - MustPut
+            - Options
+            - ParallelDownload.Do
+            - Patch
+            - Post
+            - Put
+            - Request.Delete
+            - Request.Do
+            - Request.Get
+            - Request.Head
+            - Request.MustDelete
+            - Request.MustGet
+            - Request.MustHead
+            - Request.MustOptions
+            - Request.MustPatch
+            - Request.MustPost
+            - Request.MustPut
+            - Request.Options
+            - Request.Patch
+            - Request.Post
+            - Request.Put
+            - Request.Send
+            - Transport.CancelRequest
+            - Transport.CloseIdleConnections
+            - Transport.RoundTrip
+            - roundTripImpl.RoundTrip
+summary: |-
+    The req library may send an unintended request when a malformed URL is provided
+    in github.com/imroc/req
+description: |-
+    The req library is a widely used HTTP library in Go. However, it does not handle
+    malformed URLs effectively. As a result, after parsing a malformed URL, the
+    library may send HTTP requests to unexpected destinations, potentially leading
+    to security vulnerabilities or unintended behavior in applications relying on
+    this library for handling HTTP requests.
+
+    Despite developers potentially utilizing the net/url library to parse malformed
+    URLs and implement blocklists to prevent HTTP requests to listed URLs,
+    inconsistencies exist between how the net/url and req libraries parse URLs.
+    These discrepancies can lead to the failure of defensive strategies, resulting
+    in potential security threats such as Server-Side Request Forgery (SSRF) and
+    Remote Code Execution (RCE).
+cves:
+    - CVE-2024-45258
+ghsas:
+    - GHSA-cj55-gc7m-wvcq
+references:
+    - advisory: https://github.com/advisories/GHSA-cj55-gc7m-wvcq
+    - fix: https://github.com/imroc/req/commit/04e3ece5b380ecad9da3551c449f1b8a9aa76d3d
+    - web: https://github.com/imroc/req/compare/v3.43.3...v3.43.4
+source:
+    id: GHSA-cj55-gc7m-wvcq
+    created: 2024-09-13T15:12:56.781299-04:00
+review_status: REVIEWED