See doc/triage.md for instructions on how to triage this report.
packages:
  - package: github.com/couchbase/sync_gateway/db
    versions:
      - fixed: 2.5.0
description: The Couchbase Sync Gateway 2.1.2 in combination with a Couchbase Server
  is affected by a previously undisclosed N1QL-injection vulnerability in the REST
  API. An attacker with access to the public REST API can insert additional N1QL
  statements through the parameters "startkey" and "endkey" of the "_all_docs" endpoint.
published: 2022-02-15T01:57:18Z
last_modified: 2022-04-12T22:49:51Z
cves:
- CVE-2019-9039
ghsas:
- GHSA-g622-r636-qfqh
links:
  context:
    - https://github.com/advisories/GHSA-g622-r636-qfqh
In GitHub Security Advisory GHSA-g622-r636-qfqh, there is a vulnerability in the following Go packages or modules: