golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/hashicorp/boundary: GHSA-xqv2-3vvq-qg6r #1090

Closed GoVulnBot closed 2 years ago

GoVulnBot commented 2 years ago

In GitHub Security Advisory GHSA-xqv2-3vvq-qg6r, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/hashicorp/boundary | | <= 0.11.0 |

See doc/triage.md for instructions on how to triage this report.

```yaml
modules:
  - module: TODO
    versions:
      - {}
    packages:
      - package: github.com/hashicorp/boundary
description: Hashicorp Boundary is vulnerable to Clickjacking which allow for the
    interception of login credentials, re-direction of users to malicious sites, or
    causing users to perform malicious actions on the site.
cves:
  - CVE-2022-36182
ghsas:
  - GHSA-xqv2-3vvq-qg6r
```

neild commented 2 years ago

Unclear whether this is a real issue or not; I can find no evidence that this is something the Boundary developers have identified as an issue.

If it is real, the CVE/GHSA are extremely light on details as to what the actual issue is, but presumably it would be a failure to set CSP headers in a web UI. That would be an issue affecting a web server process, not importable code in Boundary's APIs.
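To make the triage point concrete, here is an added example (not Boundary's code and not part of the vulndb report) of the kind of server-side fix a clickjacking finding in a Go web UI would call for: a middleware that sets the CSP `frame-ancestors` directive and the legacy `X-Frame-Options` header, plus a small check that confirms a handler's responses carry them. The `loginPage` handler and the `/login` path are placeholders assumed for the demonstration; the headers and directive values are standard browser mechanisms. As neild notes, this lives in the HTTP server process, which is why the issue does not map onto an importable package.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// antiClickjacking wraps an http.Handler and adds the two response headers
// that stop the page from being rendered inside a third-party frame:
// the CSP frame-ancestors directive (current browsers) and X-Frame-Options
// (older browsers). Both are set before the wrapped handler runs so that a
// handler which writes its body early cannot bypass them.
func antiClickjacking(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Security-Policy", "frame-ancestors 'none'")
		h.Set("X-Frame-Options", "DENY")
		next.ServeHTTP(w, r)
	})
}

// loginPage is a placeholder standing in for a web UI login form; it sets
// no anti-framing headers of its own, which is the weak configuration.
func loginPage(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, "<html><body><form method=\"post\">...</form></body></html>")
}

// frameHeaders issues a request (constructed in-process with httptest) against
// a handler and returns the values of the two anti-framing headers.
func frameHeaders(h http.Handler) (csp, xfo string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
	return rec.Header().Get("Content-Security-Policy"), rec.Header().Get("X-Frame-Options")
}

// CheckFrameAncestors reports whether a handler's response forbids framing
// by at least one of the two mechanisms. A response that sets neither is
// the condition a clickjacking advisory describes.
func CheckFrameAncestors(h http.Handler) bool {
	csp, xfo := frameHeaders(h)
	return strings.Contains(csp, "frame-ancestors") || xfo != ""
}

func main() {
	unprotected := http.HandlerFunc(loginPage)
	protected := antiClickjacking(unprotected)
	fmt.Println("unprotected forbids framing:", CheckFrameAncestors(unprotected)) // false
	fmt.Println("protected forbids framing:  ", CheckFrameAncestors(protected))   // true
}
```

The check is the useful half for triage: run it against the real login handler and it tells you whether the server actually emits the headers, which is the evidence the advisory text itself does not provide.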

gopherbot commented 2 years ago

Change https://go.dev/cl/446695 mentions this issue: data/excluded: add GO-2022-1090.yaml

gopherbot commented 5 months ago

Change https://go.dev/cl/592835 mentions this issue: data/reports: unexclude 50 reports