x/vulndb: potential Go vuln in github.com/ewen-lbh/ffcss: CVE-2023-52081 #2426
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Comments
zpavlinovic
added
the
excluded: EFFECTIVELY_PRIVATE
|
Vulnerability in CLI tool, no importers. |
|
Change https://go.dev/cl/552596 mentions this issue: |
|
Change https://go.dev/cl/592764 mentions this issue: |
|
Change https://go.dev/cl/606793 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
- data/reports/GO-2023-2340.yaml - data/reports/GO-2023-2341.yaml - data/reports/GO-2023-2344.yaml - data/reports/GO-2023-2351.yaml - data/reports/GO-2023-2355.yaml - data/reports/GO-2023-2376.yaml - data/reports/GO-2023-2377.yaml - data/reports/GO-2023-2378.yaml - data/reports/GO-2023-2381.yaml - data/reports/GO-2023-2388.yaml - data/reports/GO-2023-2397.yaml - data/reports/GO-2023-2398.yaml - data/reports/GO-2023-2414.yaml - data/reports/GO-2023-2422.yaml - data/reports/GO-2023-2426.yaml Updates #2340 Updates #2341 Updates #2344 Updates #2351 Updates #2355 Updates #2376 Updates #2377 Updates #2378 Updates #2381 Updates #2388 Updates #2397 Updates #2398 Updates #2414 Updates #2422 Updates #2426 Change-Id: I279f769375f27873ced76b136c88665f610ac68c Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606793 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Commit-Queue: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-52081 references github.com/ewen-lbh/ffcss, which may be a Go module.
Description:
ffcss is a CLI interface to apply and configure Firefox CSS themes. Prior to 0.2.0, the function
lookupPreprocess()is meant to apply some transformations to a string by disabling characters in the regex[-_ .]. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypass that validation and re-introduce all the characters in the regex[-_ .]. ThelookupPreprocess()can be easily bypassed with equivalent Unicode characters like U+FE4D (﹍), which would result in the omitted U+005F (_), for instance. ThelookupPreprocess()function is only ever used to search for themes loosely (case insensitively, while ignoring dashes, underscores and dots), so the actual security impact is classified as low. This vulnerability is fixed in 0.2.0. There are no known workarounds.References:
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: