x/vulndb: potential Go vuln in github.com/containrrr/shoutrrr: CVE-2022-25891

[jba]

CVE-2022-25891 references github.com/containrrr/shoutrrr, which may be a Go module.

Description:
The package github.com/containrrr/shoutrrr/pkg/util before 0.6.0 are vulnerable to Denial of Service (DoS) via the util.PartitionMessage function. Exploiting this vulnerability is possible by sending exactly 2000, 4000, or 6000 characters messages.

Links:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-25891
• JSON: https://github.com/CVEProject/cvelist/tree/d5a3000796d3ca21881993f37dadf8c869eb5f70/2022/25xxx/CVE-2022-25891.json
• Commit: containrrr/shoutrrr@6a27056
• PR: discord message size fixes containrrr/shoutrrr#242
• Sending 2000, 4000 or 6000 characters to Discord panics in util.PartitionMessage (index out of range) containrrr/shoutrrr#240
• https://github.com/containrrr/shoutrrr/releases/tag/v0.6.0
• https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINRRRSHOUTRRRPKGUTIL-2849059

See doc/triage.md for instructions on how to triage this report.

module: github.com/containrrr/shoutrrr
package: github.com/containrrr/shoutrrr/pkg/util
description: |+
    The package github.com/containrrr/shoutrrr/pkg/util before 0.6.0 are vulnerable to Denial of Service (DoS) via the util.PartitionMessage function. Exploiting this vulnerability is possible by sending exactly 2000, 4000, or 6000 characters messages.

cves:
  - CVE-2022-25891
credit: justinsteven
links:
    pr: https://github.com/containrrr/shoutrrr/pull/242
    commit: https://github.com/containrrr/shoutrrr/commit/6a27056f9d7522a8b493216195cb7634bf4b5c42
    context:
      - https://github.com/containrrr/shoutrrr/issues/240
      - https://github.com/containrrr/shoutrrr/releases/tag/v0.6.0
      - https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINRRRSHOUTRRRPKGUTIL-2849059