
x/vulndb: potential Go vuln in github.com/prasmussen/glot-code-runner: GHSA-vj95-2f9q-x7h6 #1951

Closed
GoVulnBot opened this issue Jul 20, 2023 · 2 comments
Assignees
Labels
excluded: NOT_A_VULNERABILITY This is not a vulnerability.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-vj95-2f9q-x7h6, there is a vulnerability in the following Go packages or modules:

Unit                                   | Fixed | Vulnerable Ranges
github.com/prasmussen/glot-code-runner |       | <= 2018-05-19

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/prasmussen/glot-code-runner
      versions:
        - {}
      vulnerable_at: 0.0.0-20201226114206-32fe564fd21d
      packages:
        - package: github.com/prasmussen/glot-code-runner
summary: glot-code-runner RCE
description: |-
    The default configuration of glot-www through 2018-05-19 allows remote attackers
    to execute arbitrary code because glot-code-runner supports os.system within a
    "python" "files" "content" JSON file.
cves:
    - CVE-2018-15747
ghsas:
    - GHSA-vj95-2f9q-x7h6
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2018-15747
    - report: https://github.com/prasmussen/glot-code-runner/issues/15
    - advisory: https://github.com/advisories/GHSA-vj95-2f9q-x7h6

@neild neild self-assigned this Jul 31, 2023
@neild neild added the excluded: NOT_A_VULNERABILITY This is not a vulnerability. label Jul 31, 2023
@neild
Contributor

neild commented Jul 31, 2023

prasmussen/glot-code-runner#15 indicates that this is working as intended.

Alternatively, this could be EFFECTIVELY_PRIVATE, since this seems to be a tool rather than a library.
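The point behind the NOT_A_VULNERABILITY label is that a code runner executes the "content" of the submitted files by definition, so a call to os.system inside a "python" file is the product working, not a bug to be patched in the runner. The Go program below is an added example written for this page, not code from glot-code-runner; the request shape (`language`, `files[].name`, `files[].content`), the language-to-interpreter table and the `Run` function are assumptions made to illustrate the contract the advisory describes. It does not try to filter the content (any filter is trivially bypassed, since the content is arbitrary code); the only controls it applies are around the process: a scratch directory, a path-escape check on file names, a minimal environment and a time limit. Real isolation (a container or similar) belongs outside the runner and is not part of this example.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"time"
)

// Request mirrors the shape the advisory describes: a language plus a list of
// files, each with a name and its content. Field names are an assumption for
// this example and are not taken from glot-code-runner's source.
type Request struct {
	Language string `json:"language"`
	Files    []File `json:"files"`
}

// File is one submitted source file; Content is executed verbatim.
type File struct {
	Name    string `json:"name"`
	Content string `json:"content"`
}

// interpreters maps a language to the command that runs the first file.
// Hypothetical table for this example only.
var interpreters = map[string][]string{
	"python": {"python3"},
	"sh":     {"sh"},
}

// Result is what the runner hands back to its caller.
type Result struct {
	Stdout string
	Stderr string
	Err    error
}

// Run decodes a request and executes it. It deliberately does not inspect
// Content for strings such as "os.system": running whatever was submitted is
// the runner's purpose, so the only meaningful controls are the ones placed
// around the process, and the container the runner is deployed in.
func Run(payload []byte, timeout time.Duration) Result {
	var req Request
	if err := json.Unmarshal(payload, &req); err != nil {
		return Result{Err: fmt.Errorf("decode request: %w", err)}
	}
	argv, ok := interpreters[req.Language]
	if !ok || len(req.Files) == 0 {
		return Result{Err: fmt.Errorf("unsupported language %q or no files", req.Language)}
	}

	dir, err := os.MkdirTemp("", "runner-")
	if err != nil {
		return Result{Err: err}
	}
	defer os.RemoveAll(dir)

	for _, f := range req.Files {
		// Refuse names that would escape the scratch directory. The file
		// contents themselves are written exactly as submitted.
		clean := filepath.Clean(f.Name)
		if filepath.IsAbs(clean) || strings.HasPrefix(clean, "..") {
			return Result{Err: fmt.Errorf("refusing file name %q", f.Name)}
		}
		path := filepath.Join(dir, clean)
		if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
			return Result{Err: err}
		}
		if err := os.WriteFile(path, []byte(f.Content), 0o600); err != nil {
			return Result{Err: err}
		}
	}

	// Time limit and minimal environment: process-level controls, not content controls.
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, argv[0], append(argv[1:], filepath.Clean(req.Files[0].Name))...)
	cmd.Dir = dir
	cmd.Env = []string{"PATH=/usr/bin:/bin"}
	var stdout, stderr strings.Builder
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	err = cmd.Run()
	return Result{Stdout: stdout.String(), Stderr: stderr.String(), Err: err}
}

func main() {
	// Constructed payload of the kind CVE-2018-15747 describes: a "python"
	// file whose content shells out through os.system. The runner executes it.
	payload := `{"language":"python","files":[{"name":"main.py","content":"import os\nos.system(\"id\")\n"}]}`
	res := Run([]byte(payload), 5*time.Second)
	fmt.Printf("stdout: %q\nstderr: %q\nerr: %v\n", res.Stdout, res.Stderr, res.Err)
}
```

Running `main` with python3 installed prints the output of `id` on stdout, which is the advisory's "RCE" and also exactly what a code runner is for. Whether that is acceptable is decided by what the process is allowed to reach (filesystem, network, other tenants), which is a deployment question for the tool's operator, consistent with the EFFECTIVELY_PRIVATE alternative raised above.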

@gopherbot
Contributor

Change https://go.dev/cl/514636 mentions this issue: data/excluded: batch add 31 excluded reports

3 participants