Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/minio/console: GHSA-jv3f-7m33-qp65 #1794

Closed
GoVulnBot opened this issue May 26, 2023 · 1 comment
Closed
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-jv3f-7m33-qp65, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/minio/console 0.28.0 < 0.28.0

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/minio/console
    versions:
      - fixed: 0.28.0
    packages:
      - package: github.com/minio/console
summary: Minio console object names with RIGHT-TO-LEFT OVERRIDE unicode character
    can be exploited
description: "### Impact\nUnicode RIGHT-TO-LEFT OVERRIDE characters can be used to
    mask the original filename.\n\n### Reported-By\nThanks to the report from Mio
    Li [[email protected]](mailto:[email protected])\n\n### Patches\n```\ncommit
    17e791afb90c9ad27c65f63c6be14f2f6a3a9d60\nAuthor: Daniel Valdivia <[email protected]>\nDate:
    \  Tue May 23 08:47:12 2023 -0700\n\n    Replace RIGHT-TO-LEFT OVERRIDE unicode
    (#2828)\n    \n    Signed-off-by: Daniel Valdivia <[email protected]>\n```\n\n###
    Workarounds\nWorkarounds are to remove the concerned file and rewrite it properly
    with the right file and extensions.  Avoid using RTLO characters in your filenames."
cves:
  - CVE-2023-33955
ghsas:
  - GHSA-jv3f-7m33-qp65
references:
  - advisory: https://github.com/minio/console/security/advisories/GHSA-jv3f-7m33-qp65
  - fix: https://github.com/minio/console/commit/17e791afb90c9ad27c65f63c6be14f2f6a3a9d60
  - advisory: https://github.com/advisories/GHSA-jv3f-7m33-qp65

@tatianab tatianab self-assigned this May 31, 2023
@tatianab tatianab added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. labels Jun 2, 2023
@tatianab tatianab removed their assignment Jun 2, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/500496 mentions this issue: data/excluded: batch add 9 excluded reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Development

No branches or pull requests

3 participants