data/reports: add alias and fix symbol in GO-2020-0004.yaml

Adds GHSA and fixes typo in symbol. Aliases: CVE-2020-36569, GHSA-hrm3-3xm6-x33h Updates #4 Fixes #1227 Updates #1282 Change-Id: I027596c711959a8704c674a7e377dcb0dca535e6 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/461235 Run-TryBot: Tatiana Bradley <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]>
golang · Jan 13, 2023 · bfcb8f1 · bfcb8f1
1 parent d4a57b5
commit bfcb8f1
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 6 deletions.
diff --git a/data/cve/v5/GO-2020-0004.json b/data/cve/v5/GO-2020-0004.json
@@ -31,7 +31,7 @@
           ],
           "programRoutines": [
             {
-              "name": "Auth.ServerHTTP"
+              "name": "Auth.ServeHTTP"
             },
             {
               "name": "Auth.ListenAndServeTLS"

diff --git a/data/osv/GO-2020-0004.json b/data/osv/GO-2020-0004.json
@@ -3,9 +3,10 @@
   "published": "2021-04-14T20:04:52Z",
   "modified": "0001-01-01T00:00:00Z",
   "aliases": [
-    "CVE-2020-36569"
+    "CVE-2020-36569",
+    "GHSA-hrm3-3xm6-x33h"
   ],
-  "details": "If any of the ListenAndServe functions are called with an empty token, token authentication is disabled globally for all listeners.\n\nAlso, a minor timing side channel was present allowing attackers with very low latency and able to make a lot of requests to potentially recover the token.",
+  "details": "If any of the ListenAndServe functions are called with an empty token, token authentication is disabled globally for all listeners.\n\nAlso, a minor timing side channel was present allowing attackers with very low latency and able to make many requests to potentially recover the token.",
   "affected": [
     {
       "package": {
@@ -35,7 +36,7 @@
             "symbols": [
               "Auth.ListenAndServe",
               "Auth.ListenAndServeTLS",
-              "Auth.ServerHTTP",
+              "Auth.ServeHTTP",
               "ListenAndServe",
               "ListenAndServeTLS"
             ]

diff --git a/data/reports/GO-2020-0004.yaml b/data/reports/GO-2020-0004.yaml
@@ -3,10 +3,11 @@ modules:
     versions:
       - introduced: 0.0.0-20160722212129-ac0cc4484ad4
         fixed: 0.0.0-20200131131040-063a3fb69896
+    vulnerable_at: 0.0.0-20190311151057-c2ebbac481bb
     packages:
       - package: github.com/nanobox-io/golang-nanoauth
         symbols:
-          - Auth.ServerHTTP
+          - Auth.ServeHTTP
           - Auth.ListenAndServeTLS
           - Auth.ListenAndServe
         derived_symbols:
@@ -17,9 +18,11 @@ description: |
     token authentication is disabled globally for all listeners.
 
     Also, a minor timing side channel was present allowing attackers with
-    very low latency and able to make a lot of requests to potentially
+    very low latency and able to make many requests to potentially
     recover the token.
 published: 2021-04-14T20:04:52Z
+ghsas:
+  - GHSA-hrm3-3xm6-x33h
 credit: '@bouk'
 references:
   - fix: https://github.com/nanobox-io/golang-nanoauth/pull/5