x/vulndb: potential Go vuln in github.com/Ericsson/codechecker: CVE-2023-49793

[GoVulnBot]

Advisory CVE-2023-49793 references a vulnerability in the following Go modules:

Module
github.com/Ericsson/codechecker

Description:
CodeChecker is an analyzer tooling, defect database and viewer extension for the
Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint
of CodeChecker store are not properly sanitized. An attacker, using a path
traversal attack, can load and display files on the machine of CodeChecker server. The vulnerable endpoint is
/Default/v6.53/CodeCheckerService@massStoreRun. The path traversal
vulnerability allows reading data on the machine of the CodeChecker server,
with the same permission level as the CodeChecker server. The attack requires
a user account on the `...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-49793
• FIX: Ericsson/codechecker@46bada4
• WEB: GHSA-h26w-r4m5-8rrf

Cross references:

• Module github.com/Ericsson/codechecker appears in issue x/vulndb: potential Go vuln in github.com/Ericsson/codechecker: CVE-2021-44217 #287 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/Ericsson/codechecker
      vulnerable_at: 6.24.0+incompatible
      packages:
        - package: codechecker
summary: CVE-2023-49793 in github.com/Ericsson/codechecker
cves:
    - CVE-2023-49793
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-49793
    - fix: https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a
    - web: https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf
source:
    id: CVE-2023-49793
    created: 2024-06-24T19:01:10.205137364Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/594995 mentions this issue: data/excluded: add GO-2024-2946

[gopherbot]

Change https://go.dev/cl/594901 mentions this issue: data/reports: add 18 unreviewed reports