x/vulndb: potential Go vuln in github.com/minio/console: GHSA-jv3f-7m33-qp65 #1794

Closed
GoVulnBot opened this issue May 26, 2023 · 1 comment
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-jv3f-7m33-qp65, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/minio/console | 0.28.0 | < 0.28.0 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

```yaml
modules:
  - module: github.com/minio/console
    versions:
      - fixed: 0.28.0
    packages:
      - package: github.com/minio/console
summary: Minio console object names with RIGHT-TO-LEFT OVERRIDE unicode character
    can be exploited
description: "### Impact\nUnicode RIGHT-TO-LEFT OVERRIDE characters can be used to
    mask the original filename.\n\n### Reported-By\nThanks to the report from Mio
    Li [wulilixi1@gmail.com](mailto:wulilixi1@gmail.com)\n\n### Patches\n```\ncommit
    17e791afb90c9ad27c65f63c6be14f2f6a3a9d60\nAuthor: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>\nDate:
    \  Tue May 23 08:47:12 2023 -0700\n\n    Replace RIGHT-TO-LEFT OVERRIDE unicode
    (#2828)\n    \n    Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>\n```\n\n###
    Workarounds\nWorkarounds are to remove the concerned file and rewrite it properly
    with the right file and extensions.  Avoid using RTLO characters in your filenames."
cves:
  - CVE-2023-33955
ghsas:
  - GHSA-jv3f-7m33-qp65
references:
  - advisory: https://github.com/minio/console/security/advisories/GHSA-jv3f-7m33-qp65
  - fix: https://github.com/minio/console/commit/17e791afb90c9ad27c65f63c6be14f2f6a3a9d60
  - advisory: https://github.com/advisories/GHSA-jv3f-7m33-qp65
```

@tatianab tatianab self-assigned this May 31, 2023
@tatianab tatianab added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. labels Jun 2, 2023
@tatianab tatianab removed their assignment Jun 2, 2023
@gopherbot

Change https://go.dev/cl/500496 mentions this issue: data/excluded: batch add 9 excluded reports
