data/reports: add GO-2024-2730.yaml

Fixes #2730 Change-Id: I9c60734d2ad51989ad9137260cbebfee22128872 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/579655 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
golang · Apr 17, 2024 · cd4d4fe · cd4d4fe
1 parent b9f311b
commit cd4d4fe
Show file tree

Hide file tree

Showing 2 changed files with 95 additions and 0 deletions.
diff --git a/data/osv/GO-2024-2730.json b/data/osv/GO-2024-2730.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2730",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "related": [
+    "CVE-2024-3400"
+  ],
+  "summary": "Directory traversal in FilesystemStore in github.com/gorilla/sessions",
+  "details": "FilesystemStore does not sanitize the Session.ID value, making it vulnerable to directory traversal attacks. If an attacker has control over the contents of the session ID, this can be exploited to write to arbitrary files in the filesystem.\n\nPrograms which do not set session IDs explicitly, or which only set session IDs that will not be interpreted by the filesystem, are not vulnerable.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/gorilla/sessions",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/gorilla/sessions",
+            "symbols": [
+              "CookieStore.Get",
+              "FilesystemStore.Get",
+              "FilesystemStore.New",
+              "FilesystemStore.Save",
+              "FilesystemStore.erase",
+              "FilesystemStore.load",
+              "FilesystemStore.save",
+              "Registry.Get",
+              "Registry.Save",
+              "Save",
+              "Session.Save"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://github.com/gorilla/sessions/pull/274"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2730"
+  }
+}
diff --git a/data/reports/GO-2024-2730.yaml b/data/reports/GO-2024-2730.yaml
@@ -0,0 +1,37 @@
+id: GO-2024-2730
+modules:
+    - module: github.com/gorilla/sessions
+      vulnerable_at: 1.2.2
+      packages:
+        - package: github.com/gorilla/sessions
+          symbols:
+            - FilesystemStore.save
+            - FilesystemStore.load
+            - FilesystemStore.erase
+          derived_symbols:
+            - CookieStore.Get
+            - FilesystemStore.Get
+            - FilesystemStore.New
+            - FilesystemStore.Save
+            - Registry.Get
+            - Registry.Save
+            - Save
+            - Session.Save
+summary: Directory traversal in FilesystemStore in github.com/gorilla/sessions
+description: |-
+    FilesystemStore does not sanitize the Session.ID value,
+    making it vulnerable to directory traversal attacks.
+    If an attacker has control over the contents of the session ID,
+    this can be exploited to write to arbitrary files in the
+    filesystem.
+
+    Programs which do not set session IDs explicitly,
+    or which only set session IDs that will not be
+    interpreted by the filesystem, are not vulnerable.
+related:
+    - CVE-2024-3400
+references:
+    - fix: https://github.com/gorilla/sessions/pull/274
+source:
+    id: go-security-team
+    created: 2024-04-17T07:45:30.470362-07:00