GO-2022-1118

Source
https://pkg.go.dev/vuln/GO-2022-1118
Import Source
https://vuln.go.dev/ID/GO-2022-1118.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-1118
Aliases
Published
2022-12-22T20:40:16Z
Modified
2024-05-20T16:03:47Z
Summary
Improper validation of UUIDs in github.com/codenotary/immudb
Details

A malicious server can trick a client into treating it as a different server by changing the reported UUID.

immudb client SDKs use the server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. The SDK does not validate this UUID and accepts any value reported by the server. A malicious server can therefore change the reported UUID and trick the client into treating it as a different server.

Database specific
{
    "url": "https://pkg.go.dev/vuln/GO-2022-1118",
    "review_status": "REVIEWED"
}
References

Affected packages

Go / github.com/codenotary/immudb

Package

Name
github.com/codenotary/immudb
View open source insights on deps.dev
Purl
pkg:golang/github.com/codenotary/immudb

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.1

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "DefaultOptions",
                "NewClient",
                "NewImmuClient",
                "immuClient.OpenSession"
            ],
            "path": "github.com/codenotary/immudb/pkg/client"
        }
    ]
}