x/vulndb: potential Go vuln in github.com/nghttp2/nghttp2: CVE-2017-2428

[tatianab]

CVE-2017-2428 references github.com/nghttp2/nghttp2, which may be a Go module.

Description:
An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves nghttp2 before 1.17.0 in the "HTTPProtocol" component. It allows remote HTTP/2 servers to have an unspecified impact via unknown vectors.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2017-2428
• web: http://www.securityfocus.com/bid/97146
• web: https://support.apple.com/HT207601
• web: https://support.apple.com/HT207615
• web: http://www.securitytracker.com/id/1038138
• web: https://github.com/nghttp2/nghttp2/releases/tag/v1.17.0
• web: https://support.apple.com/HT207602
• web: https://support.apple.com/HT207617
• Imported by: https://pkg.go.dev/github.com/nghttp2/nghttp2?tab=importedby

Cross references:

• Module github.com/nghttp2/nghttp2 appears in issue x/vulndb: potential Go vuln in github.com/nghttp2/nghttp2: GHSA-vx74-f528-fxqg #2108 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/nghttp2/nghttp2
      vulnerable_at: 1.58.0
      packages:
        - package: n/a
cves:
    - CVE-2017-2428
references:
    - web: http://www.securityfocus.com/bid/97146
    - web: https://support.apple.com/HT207601
    - web: https://support.apple.com/HT207615
    - web: http://www.securitytracker.com/id/1038138
    - web: https://github.com/nghttp2/nghttp2/releases/tag/v1.17.0
    - web: https://support.apple.com/HT207602
    - web: https://support.apple.com/HT207617

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports