golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/apache/trafficcontrol: GHSA-wp47-9r3h-xfgq #585

Closed julieqiu closed 2 years ago

julieqiu commented 2 years ago

In GitHub Security Advisory GHSA-wp47-9r3h-xfgq, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/apache/trafficcontrol | 5.1.6 | < 5.1.6 |
| github.com/apache/trafficcontrol | 6.1.0 | >= 6.0.0, < 6.1.0 |

See doc/triage.md for instructions on how to triage this report.

```yaml
packages:
  - package: github.com/apache/trafficcontrol
    versions:
      - fixed: 5.1.6
  - package: github.com/apache/trafficcontrol
    versions:
      - introduced: 6.0.0
        fixed: 6.1.0
description: In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged
    user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request
    to /user/login/oauth to scan a port of a server that Traffic Ops can reach.
published: 2022-02-07T00:00:23Z
last_modified: 2022-02-15T00:18:47Z
cves:
  - CVE-2022-23206
ghsas:
  - GHSA-wp47-9r3h-xfgq
links:
    context:
      - https://github.com/advisories/GHSA-wp47-9r3h-xfgq
```
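The version ranges in the report above follow the vulndb convention that `introduced` is inclusive and `fixed` is exclusive, so 5.1.6 and 6.1.0 are the first safe releases of their lines. The Go code below is an added example, not code from the vulndb project or from this issue's reporters, that evaluates a module version against those two ranges as listed here; the names `VersionRange`, `TrafficControlRanges` and `Affected` are this example's own, and `parse` only handles the plain `major.minor.patch` strings this report uses.

```go
package main

import (
	"fmt"
	"strings"
)

// VersionRange is one entry of the report's "versions" list. Introduced is
// inclusive (empty: from the first version); Fixed is exclusive (empty: unfixed).
type VersionRange struct{ Introduced, Fixed string }

// TrafficControlRanges is the range set from this report's YAML: everything
// before 5.1.6, plus 6.0.0 up to but excluding 6.1.0.
var TrafficControlRanges = []VersionRange{
	{Fixed: "5.1.6"},
	{Introduced: "6.0.0", Fixed: "6.1.0"},
}

// parse reads a plain "major.minor.patch" string (optional leading "v"), the
// only shape this report uses; ok is false for anything else, including "".
func parse(v string) (n [3]int, ok bool) {
	c, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &n[0], &n[1], &n[2])
	return n, err == nil && c == 3
}

// less reports whether a sorts before b in major/minor/patch order.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Affected reports whether v lies inside any range; ok is false when v cannot
// be parsed, so "safe" and "could not tell" stay distinguishable.
func Affected(v string, ranges []VersionRange) (affected, ok bool) {
	ver, ok := parse(v)
	if !ok {
		return false, false
	}
	for _, r := range ranges {
		lo, hasLo := parse(r.Introduced)
		hi, hasHi := parse(r.Fixed)
		if hasLo && less(ver, lo) { // below the inclusive lower bound
			continue
		}
		if hasHi && !less(ver, hi) { // at or above the exclusive fix version
			continue
		}
		return true, true
	}
	return false, true
}
```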
zpavlinovic commented 2 years ago

Looks like a private package or a binary. Also no links to fixes or any code in general.

gopherbot commented 2 months ago

Change https://go.dev/cl/592769 mentions this issue: data/reports: unexclude 50 reports

gopherbot commented 2 weeks ago

Change https://go.dev/cl/607221 mentions this issue: data/reports: unexclude 20 reports (19)