x/vulndb: potential Go vuln in github.com/agnivade/easy-scrypt: CVE-2014-125055

[GoVulnBot]

CVE-2014-125055 references github.com/agnivade/easy-scrypt, which may be a Go module.

Description:
A vulnerability, which was classified as problematic, was found in agnivade easy-scrypt. Affected is the function VerifyPassphrase of the file scrypt.go. The manipulation leads to observable timing discrepancy. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is 477c10cf3b144ddf96526aa09f5fdea613f21812. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217596.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2014-125055
• JSON: https://github.com/CVEProject/cvelist/tree/be70b51680d79fe429b271c400f41c9bfc472098/2014/125xxx/CVE-2014-125055.json
• web: https://vuldb.com/?id.217596
• web: https://vuldb.com/?ctiid.217596
• fix: agnivade/easy-scrypt@477c10c
• web: https://github.com/agnivade/easy-scrypt/releases/tag/v1.0.0
• Imported by: https://pkg.go.dev/github.com/agnivade/easy-scrypt?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/agnivade/easy-scrypt
    packages:
      - package: easy-scrypt
description: |
    A vulnerability, which was classified as problematic, was found in agnivade easy-scrypt. Affected is the function VerifyPassphrase of the file scrypt.go. The manipulation leads to observable timing discrepancy. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is 477c10cf3b144ddf96526aa09f5fdea613f21812. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217596.
    Es wurde eine Schwachstelle in agnivade easy-scrypt gefunden. Sie wurde als problematisch eingestuft. Hiervon betroffen ist die Funktion VerifyPassphrase der Datei scrypt.go. Mittels dem Manipulieren mit unbekannten Daten kann eine observable timing discrepancy-Schwachstelle ausgenutzt werden. Ein Aktualisieren auf die Version 1.0.0 vermag dieses Problem zu lösen. Der Patch wird als 477c10cf3b144ddf96526aa09f5fdea613f21812 bezeichnet. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.
cves:
  - CVE-2014-125055
references:
  - web: https://vuldb.com/?id.217596
  - web: https://vuldb.com/?ctiid.217596
  - fix: https://github.com/agnivade/easy-scrypt/commit/477c10cf3b144ddf96526aa09f5fdea613f21812
  - web: https://github.com/agnivade/easy-scrypt/releases/tag/v1.0.0

[neild]

This is a real vulnerability, but it's in an eight-year-old version of the package which predates Go modules, has no go.mod file, and doesn't build any more because it imports code.google.com/p/go.crypto/scrypt which no longer exists.

OUT_OF_SCOPE seems like the clearest status here.

[tatianab]

Changing to NOT_IMPORTABLE so we'll still get an excluded report for this one

[gopherbot]

Change https://go.dev/cl/461640 mentions this issue: data/excluded: batch add excluded reports

[gopherbot]

Change https://go.dev/cl/461643 mentions this issue: data/excluded: batch add GO-2023-1471, GO-2023-1469, GO-2023-1465, GO-2023-1462, GO-2023-1461, GO-2023-1449, GO-2023-1292, GO-2023-1291, GO-2023-1286, GO-2023-1285, GO-2023-1467, GO-2023-1460, GO-2023-1267, GO-2023-1490, GO-2023-1489, GO-2023-1294

[gopherbot]

Change https://go.dev/cl/592759 mentions this issue: data/reports: unexclude 75 reports

[gopherbot]

Change https://go.dev/cl/606781 mentions this issue: data/reports: unexclude 20 reports (1)