Add additional CVE entries to VEX document (#1176)

* add product identifier section for hash to vex doc * Update projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json * make json valid for vex * simplify vex document for testing * add 1.19 and another 1.18 cve entry to the go vex document
aws · Sep 26, 2023 · 5898afd · 5898afd
1 parent 18f5e98
commit 5898afd
Showing 1 changed file with 66 additions and 0 deletions.
diff --git a/projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json b/projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json
@@ -96,6 +96,72 @@
           "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41723"
         }
       ]
+    },
+    {
+      "cve": "CVE-2022-41724",
+      "notes": [
+        {
+          "category": "description",
+          "text": "Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).",
+          "title": "CVE description"
+        }
+      ],
+      "product_status": {
+        "fixed": [
+          "eks-distro-golang:v1-18-10-eks-8"
+        ]
+      },
+      "references": [
+        {
+          "category": "external",
+          "summary": "NVD - CVE-2022-41724",
+          "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41724"
+        }
+      ]
+    },
+    {
+      "cve": "CVE-2023-39318",
+      "notes": [
+        {
+          "category": "description",
+          "text": "The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.",
+          "title": "CVE description"
+        }
+      ],
+      "product_status": {
+        "fixed": [
+          "eks-distro-golang:v1-19-12-eks-10"
+        ]
+      },
+      "references": [
+        {
+          "category": "external",
+          "summary": "NVD - CVE-2023-39318",
+          "url": "https://nvd.nist.gov/vuln/detail/cve-2023-39318"
+        }
+      ]
+    },
+    {
+      "cve": "CVE-2023-39319",
+      "notes": [
+        {
+          "category": "description",
+          "text": "The html/template package does not apply the proper rules for handling occurrences of \"<script\", \"<!--\", and \"</script\" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.",
+          "title": "CVE description"
+        }
+      ],
+      "product_status": {
+        "fixed": [
+          "eks-distro-golang:v1-19-12-eks-10"
+        ]
+      },
+      "references": [
+        {
+          "category": "external",
+          "summary": "NVD - CVE-2023-39318",
+          "url": "https://nvd.nist.gov/vuln/detail/cve-2023-39319"
+        }
+      ]
     }
   ]
 }