Skip to content

Commit

Permalink
data/reports: add GO-2025-3396
Browse files Browse the repository at this point in the history 
  - data/reports/GO-2025-3396.yaml

Fixes #3396

Change-Id: I796a927cca620e97ed8348798a8a926fd2a9efd8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/643176
Auto-Submit: Zvonimir Pavlinovic <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
  • Loading branch information
@zpavlinovic @gopherbot
zpavlinovic authored and gopherbot committed Jan 16, 2025
1 parent 812e71d commit fd78d89
Show file tree
Hide file tree
Showing 2 changed files with 178 additions and 0 deletions.
107 changes: 107 additions & 0 deletions data/osv/GO-2025-3396.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
{
"schema_version": "1.3.1",
"id": "GO-2025-3396",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-52594"
],
"summary": "Server-Side Request Forgery (SSRF) on redirects and federation in github.com/matrix-org/gomatrixserverlib",
"details": "Server-Side Request Forgery (SSRF) on redirects and federation in github.com/matrix-org/gomatrixserverlib",
"affected": [
{
"package": {
"name": "github.com/matrix-org/gomatrixserverlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20250116181547-c4f1e01eab0d"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/matrix-org/gomatrixserverlib/fclient",
"symbols": [
"Client.CreateMediaDownloadRequest",
"Client.DoHTTPRequest",
"Client.DoRequestAndParseResponse",
"Client.GetServerKeys",
"Client.GetVersion",
"Client.LookupServerKeys",
"Client.LookupUserInfo",
"DNSCache.DialContext",
"LookupWellKnown",
"NewClient",
"NewDNSCache",
"NewFederationClient",
"ResolveServer",
"destinationTripper.RoundTrip",
"destinationTripper.getTransport",
"federationClient.Backfill",
"federationClient.ClaimKeys",
"federationClient.DoRequestAndParseResponse",
"federationClient.DownloadMedia",
"federationClient.ExchangeThirdPartyInvite",
"federationClient.GetEvent",
"federationClient.GetEventAuth",
"federationClient.GetPublicRooms",
"federationClient.GetPublicRoomsFiltered",
"federationClient.GetUserDevices",
"federationClient.LookupMissingEvents",
"federationClient.LookupProfile",
"federationClient.LookupRoomAlias",
"federationClient.LookupState",
"federationClient.LookupStateIDs",
"federationClient.MSC2836EventRelationships",
"federationClient.MakeJoin",
"federationClient.MakeKnock",
"federationClient.MakeLeave",
"federationClient.P2PGetTransactionFromRelay",
"federationClient.P2PSendTransactionToRelay",
"federationClient.Peek",
"federationClient.QueryKeys",
"federationClient.RoomHierarchy",
"federationClient.SendInvite",
"federationClient.SendInviteV2",
"federationClient.SendInviteV3",
"federationClient.SendJoin",
"federationClient.SendJoinPartialState",
"federationClient.SendKnock",
"federationClient.SendLeave",
"federationClient.SendTransaction",
"newDestinationTripper"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52594"
},
{
"type": "FIX",
"url": "https://github.com/matrix-org/gomatrixserverlib/commit/c4f1e01eab0dd435709ad15463ed38a079ad6128"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-4ff6-858j-r822"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2025-3396",
"review_status": "REVIEWED"
}
}
71 changes: 71 additions & 0 deletions data/reports/GO-2025-3396.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
id: GO-2025-3396
modules:
- module: github.com/matrix-org/gomatrixserverlib
versions:
- fixed: 0.0.0-20250116181547-c4f1e01eab0d
vulnerable_at: 0.0.0-20241215094829-e86ab16eabe8
packages:
- package: github.com/matrix-org/gomatrixserverlib/fclient
symbols:
- NewClient
- destinationTripper.getTransport
- DNSCache.DialContext
- newDestinationTripper
- NewDNSCache
- destinationTripper.RoundTrip
derived_symbols:
- Client.CreateMediaDownloadRequest
- Client.DoHTTPRequest
- Client.DoRequestAndParseResponse
- Client.GetServerKeys
- Client.GetVersion
- Client.LookupServerKeys
- Client.LookupUserInfo
- LookupWellKnown
- NewFederationClient
- ResolveServer
- federationClient.Backfill
- federationClient.ClaimKeys
- federationClient.DoRequestAndParseResponse
- federationClient.DownloadMedia
- federationClient.ExchangeThirdPartyInvite
- federationClient.GetEvent
- federationClient.GetEventAuth
- federationClient.GetPublicRooms
- federationClient.GetPublicRoomsFiltered
- federationClient.GetUserDevices
- federationClient.LookupMissingEvents
- federationClient.LookupProfile
- federationClient.LookupRoomAlias
- federationClient.LookupState
- federationClient.LookupStateIDs
- federationClient.MSC2836EventRelationships
- federationClient.MakeJoin
- federationClient.MakeKnock
- federationClient.MakeLeave
- federationClient.P2PGetTransactionFromRelay
- federationClient.P2PSendTransactionToRelay
- federationClient.Peek
- federationClient.QueryKeys
- federationClient.RoomHierarchy
- federationClient.SendInvite
- federationClient.SendInviteV2
- federationClient.SendInviteV3
- federationClient.SendJoin
- federationClient.SendJoinPartialState
- federationClient.SendKnock
- federationClient.SendLeave
- federationClient.SendTransaction
summary: |-
Server-Side Request Forgery (SSRF) on redirects and federation in
github.com/matrix-org/gomatrixserverlib
cves:
- CVE-2024-52594
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52594
- fix: https://github.com/matrix-org/gomatrixserverlib/commit/c4f1e01eab0dd435709ad15463ed38a079ad6128
- web: https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-4ff6-858j-r822
source:
id: CVE-2024-52594
created: 2025-01-16T21:41:31.447885903Z
review_status: REVIEWED

0 comments on commit fd78d89

Please sign in to comment.