GO-2022-0470

Source
https://pkg.go.dev/vuln/GO-2022-0470
Import Source
https://vuln.go.dev/ID/GO-2022-0470.json
JSON Data
https://api.test.osv.dev/v1/vulns/GO-2022-0470
Aliases
Published
2022-07-15T23:29:55Z
Modified
2024-09-11T06:12:25.372982Z
Summary
No access control in github.com/blevesearch/bleve and bleve/v2
Details

HTTP handlers provide unauthenticated access to the local filesystem.

The Bleve http package is intended for demonstration purposes and contains no authentication, authorization, or validation of user inputs. Exposing handlers from this package can permit attackers to create files and delete directories.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0470"
}
References

Affected packages

Go / github.com/blevesearch/bleve

Package

Name
github.com/blevesearch/bleve
Purl
pkg:golang/github.com/blevesearch/bleve

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/blevesearch/bleve/http",
            "symbols": [
                "AliasHandler.ServeHTTP",
                "CreateIndexHandler.ServeHTTP",
                "DebugDocumentHandler.ServeHTTP",
                "DeleteIndexHandler.ServeHTTP",
                "DocCountHandler.ServeHTTP",
                "DocDeleteHandler.ServeHTTP",
                "DocGetHandler.ServeHTTP",
                "DocIndexHandler.ServeHTTP",
                "GetIndexHandler.ServeHTTP",
                "ListFieldsHandler.ServeHTTP",
                "SearchHandler.ServeHTTP"
            ]
        }
    ]
}

Go / github.com/blevesearch/bleve/v2

Package

Name
github.com/blevesearch/bleve/v2
Purl
pkg:golang/github.com/blevesearch/bleve/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/blevesearch/bleve/v2/http",
            "symbols": [
                "AliasHandler.ServeHTTP",
                "CreateIndexHandler.ServeHTTP",
                "DebugDocumentHandler.ServeHTTP",
                "DeleteIndexHandler.ServeHTTP",
                "DocCountHandler.ServeHTTP",
                "DocDeleteHandler.ServeHTTP",
                "DocGetHandler.ServeHTTP",
                "DocIndexHandler.ServeHTTP",
                "GetIndexHandler.ServeHTTP",
                "ListFieldsHandler.ServeHTTP",
                "SearchHandler.ServeHTTP"
            ]
        }
    ]
}