golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/Ericsson/codechecker: CVE-2023-49793 #2946

Closed GoVulnBot closed 5 months ago

GoVulnBot commented 5 months ago

Advisory CVE-2023-49793 references a vulnerability in the following Go modules:

Module
github.com/Ericsson/codechecker

Description: CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of CodeChecker store are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of CodeChecker server. The vulnerable endpoint is /Default/v6.53/CodeCheckerService@massStoreRun. The path traversal vulnerability allows reading data on the machine of the CodeChecker server, with the same permission level as the CodeChecker server. The attack requires a user account on the `...

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/Ericsson/codechecker
      vulnerable_at: 6.24.0+incompatible
      packages:
        - package: codechecker
summary: CVE-2023-49793 in github.com/Ericsson/codechecker
cves:
    - CVE-2023-49793
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-49793
    - fix: https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a
    - web: https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf
source:
    id: CVE-2023-49793
    created: 2024-06-24T19:01:10.205137364Z
review_status: UNREVIEWED
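
The advisory above describes the classic "zip slip" failure: entry names inside an uploaded archive are trusted, so a name such as `../../etc/passwd` resolves outside the extraction directory and a low-privileged account gets read access with the server's permissions. The following is an added defensive example written for this triage issue; it is not CodeChecker's code and not the vulndb's own tooling. It validates every entry name against the destination before anything is written, refuses symlink entries, caps per-entry decompressed size, and uses a constructed in-memory archive (one benign entry plus one traversal entry) as sample input. The destination path `/srv/codechecker/uploads` is a placeholder. Since Go 1.20, `archive/zip.NewReader` already returns `zip.ErrInsecurePath` for such names and callers should not ignore it; the explicit check here is belt and braces for callers that do, or for older toolchains.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath marks an entry whose name would resolve outside the destination.
var ErrUnsafePath = errors.New("zip entry escapes destination directory")

// safeJoin resolves an archive entry name under dest and rejects anything that
// would land outside dest: absolute names, "../" segments that climb past dest,
// and names that merely share a prefix with dest (e.g. "../uploads2/x").
// Hypothetical helper written for this example.
func safeJoin(dest, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || strings.HasPrefix(name, `\`) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	cleanDest := filepath.Clean(dest)
	// Join cleans its result, so "a/../../x" collapses before the Rel check.
	target := filepath.Join(cleanDest, filepath.FromSlash(name))
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	return target, nil
}

// validateEntries checks every entry before anything is written, so one bad
// entry rejects the whole upload instead of leaving a partial extraction behind.
// Symlink entries are refused: a link pointing outside dest would defeat the
// path check for later entries written through it.
func validateEntries(zr *zip.Reader, dest string) ([]string, error) {
	targets := make([]string, 0, len(zr.File))
	for _, f := range zr.File {
		if f.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("%w: symlink entry %q", ErrUnsafePath, f.Name)
		}
		t, err := safeJoin(dest, f.Name)
		if err != nil {
			return nil, err
		}
		targets = append(targets, t)
	}
	return targets, nil
}

// extractArchive validates first, then writes directories and regular files.
func extractArchive(zr *zip.Reader, dest string) error {
	targets, err := validateEntries(zr, dest)
	if err != nil {
		return err
	}
	for i, f := range zr.File {
		t := targets[i]
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(t, 0o755); err != nil {
				return err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(t), 0o755); err != nil {
			return err
		}
		rc, err := f.Open()
		if err != nil {
			return err
		}
		out, err := os.OpenFile(t, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return err
		}
		// LimitReader caps decompressed bytes per entry (zip-bomb guard).
		_, err = io.Copy(out, io.LimitReader(rc, 64<<20))
		rc.Close()
		out.Close()
		if err != nil {
			return err
		}
	}
	return nil
}

// buildSampleZip builds an in-memory archive from the given entry names.
// Constructed test data for this example, not a real upload. NewReader may
// report an insecure-path error for traversal names; the reader is still usable.
func buildSampleZip(names []string) *zip.Reader {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		fw, _ := w.Create(n)
		fw.Write([]byte("x"))
	}
	w.Close()
	zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	if zr == nil {
		panic(err)
	}
	return zr
}

func main() {
	zr := buildSampleZip([]string{"report/results.plist", "../../etc/passwd"})
	if _, err := validateEntries(zr, "/srv/codechecker/uploads"); err != nil {
		fmt.Println("rejected upload:", err)
	}
}
```

The check is done on the cleaned joined path with `filepath.Rel` rather than on the raw name, because a name like `report/../../x` contains no leading `..` yet still escapes once collapsed, and a plain `strings.HasPrefix(target, dest)` would accept a sibling directory such as `uploads2`.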

gopherbot commented 5 months ago

Change https://go.dev/cl/594995 mentions this issue: data/excluded: add GO-2024-2946

gopherbot commented 5 months ago

Change https://go.dev/cl/594901 mentions this issue: data/reports: add 18 unreviewed reports