sqlite3 data/github/results/results.db "select record from results where id like '%GHSA-v7hc-87jc-qrrr%';" | jq .
produces:
{
"schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/github-security-advisory/schema-1.0.1.json",
"identifier": "github:go/ghsa-v7hc-87jc-qrrr",
"item": {
"Vulnerability": {},
"Advisory": {
"Classification": "GENERAL",
"Severity": "Low",
"FixedIn": [
{
"name": "knative.dev/eventing-github",
"identifier": "0.39.1",
"ecosystem": "go",
"namespace": "github:go",
"range": "< 0.39.1"
}
],
"Summary": "eventing-github vulnerable to denial of service caused by improper enforcement of the timeout on individual read operations",
"url": "https://github.com/advisories/GHSA-v7hc-87jc-qrrr",
"CVE": [],
"Metadata": {
"CVE": []
},
"ghsaId": "GHSA-v7hc-87jc-qrrr",
"published": "2023-12-06T19:19:35Z",
"updated": "2023-12-06T19:19:36Z",
"withdrawn": null,
"namespace": "github:go"
}
}
}
However, the same advisory fetched directly from the GitHub advisory API with
gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/advisories/GHSA-v7hc-87jc-qrrr | jq .
produces:
{
"ghsa_id": "GHSA-v7hc-87jc-qrrr",
"cve_id": null,
"url": "https://api.github.com/advisories/GHSA-v7hc-87jc-qrrr",
"html_url": "https://github.com/advisories/GHSA-v7hc-87jc-qrrr",
"summary": "eventing-github vulnerable to denial of service caused by improper enforcement of the timeout on individual read operations",
"description": "### Impact\n\nThe eventing-github cluster-local server doesn't set `ReadHeaderTimeout` which could lead do a DDoS attack, where a large group of users send requests to the server causing the server to hang for long enough to deny it from being available to other users, also know as a Slowloris attack.\n\n### Patches\n\nFix in `v1.12.1` and `v1.11.3`\n\n### Credits\n\nThe vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.\n",
"type": "reviewed",
"severity": "low",
"repository_advisory_url": "https://api.github.com/repos/knative-extensions/eventing-github/security-advisories/GHSA-v7hc-87jc-qrrr",
"source_code_location": "https://github.com/knative-extensions/eventing-github",
"identifiers": [
{
"value": "GHSA-v7hc-87jc-qrrr",
"type": "GHSA"
}
],
"references": [
"https://github.com/knative-extensions/eventing-github/security/advisories/GHSA-v7hc-87jc-qrrr",
"https://github.com/knative-extensions/eventing-github/pull/442",
"https://github.com/knative-extensions/eventing-github/pull/446",
"https://github.com/knative-extensions/eventing-github/pull/447",
"https://github.com/knative-extensions/eventing-github/commit/ea5cb8b25fc3410dde45ce2eb95454e4cfe77c40",
"https://github.com/advisories/GHSA-v7hc-87jc-qrrr"
],
"published_at": "2023-12-06T19:19:35Z",
"updated_at": "2023-12-06T19:19:36Z",
"github_reviewed_at": "2023-12-06T19:19:35Z",
"nvd_published_at": null,
"withdrawn_at": null,
"vulnerabilities": [
{
"package": {
"ecosystem": "go",
"name": "knative.dev/eventing-github"
},
"vulnerable_version_range": "< 0.39.1",
"first_patched_version": "0.39.1",
"vulnerable_functions": []
}
],
"cvss": {
"vector_string": null,
"score": null
},
"cwes": [
{
"cwe_id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
}
],
"credits": []
}