golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/ydb-platform/ydb-go-sdk/v3: GHSA-q24m-6h38-5xj8 #2137

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 1 year ago

In GitHub Security Advisory GHSA-q24m-6h38-5xj8, there is a vulnerability in the following Go packages or modules:

Unit                                   Fixed   Vulnerable Ranges
github.com/ydb-platform/ydb-go-sdk/v3  3.53.3  >= 3.48.6, < 3.53.3

Cross references: No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/ydb-platform/ydb-go-sdk/v3
      versions:
        - introduced: 3.48.6
          fixed: 3.53.3
      vulnerable_at: 3.53.2
      packages:
        - package: github.com/ydb-platform/ydb-go-sdk/v3
summary: ydb-go-sdk token in custom credentials object can leak through logs
ghsas:
    - GHSA-q24m-6h38-5xj8
references:
    - advisory: https://github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8
    - fix: https://github.com/ydb-platform/ydb-go-sdk/pull/859
    - fix: https://github.com/ydb-platform/ydb-go-sdk/commit/a0d92057c4e1bbdc5e85ae8d649edb0232b8fd4c
    - web: https://github.com/ydb-platform/ydb-go-sdk/blob/master/credentials/credentials.go#L10
    - web: https://github.com/ydb-platform/ydb-go-sdk/blob/v3.48.6/internal/balancer/balancer.go#L71
    - advisory: https://github.com/advisories/GHSA-q24m-6h38-5xj8

gopherbot commented 1 year ago

Change https://go.dev/cl/537495 mentions this issue: data/reports: add GO-2023-2137.yaml