data/reports: add GO-2022-0965.yaml

Fixes #965 Change-Id: I9264290c514657fb559301bb1d34c57b4a597945 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/428038 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org>
golang · Sep 2, 2022 · 3859e52 · 3859e52
1 parent 9abc6be
commit 3859e52
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/data/reports/GO-2022-0965.yaml b/data/reports/GO-2022-0965.yaml
@@ -0,0 +1,22 @@
+modules:
+  - module: k8s.io/apimachinery
+    versions:
+      - fixed: 0.0.0-20190927203648-9ce6eca90e73
+    vulnerable_at: 0.0.0-20190925125216-3ddb1b485b38
+    packages:
+      - package: k8s.io/apimachinery/pkg/runtime/serializer/json
+        symbols:
+          - customNumberDecoder.Decode
+        derived_symbols:
+          - Serializer.Decode
+          - Serializer.Encode
+      - package: k8s.io/apimachinery/pkg/util/json
+        symbols:
+          - Unmarshal
+description: |-
+    Unbounded recursion in JSON parsing allows malicious JSON input to
+    cause excessive memory consumption or panics.
+references:
+  - fix: https://github.com/kubernetes/kubernetes/pull/83261
+  - web: https://github.com/advisories/GHSA-pmqp-h87c-mr78
+  - web: https://nvd.nist.gov/vuln/detail/CVE-2019-11253