x/vulndb: potential Go vuln in tailscale.com/cmd: GHSA-vqp6-rc3h-83cp

[GoVulnBot]

In GitHub Security Advisory GHSA-vqp6-rc3h-83cp, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
tailscale/tailscale.com/cmd	1.32.3	< 1.32.3

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - fixed: 1.32.3
    packages:
      - package: tailscale/tailscale.com/cmd
description: "A vulnerability identified in the Tailscale Windows client allows a
    malicious website to reconfigure the Tailscale daemon `tailscaled`, which can
    then be used to remotely execute code.\n\n**Affected platforms:** Windows\n**Patched
    Tailscale client versions:** v1.32.3 or later, v1.33.257 or later (unstable)\n\n###
    What happened?\nIn the Tailscale Windows client, the local API was bound to a
    local TCP socket, and communicated with the Windows client GUI in cleartext with
    no Host header verification. This allowed an attacker-controlled website visited
    by the node to rebind DNS to an attacker-controlled DNS server, and then make
    local API requests in the client, including changing the coordination server to
    an attacker-controlled coordination server.\n\n### Who is affected?\nAll Windows
    clients prior to version v.1.32.3 are affected.\n\n### What should I do?\nIf you
    are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the
    issue.\n\n### What is the impact?\nAn attacker-controlled coordination server
    can send malicious URL responses to the client, including pushing executables
    or installing an SMB share. These allow the attacker to remotely execute code
    on the node.\n\nReviewing all logs confirms this vulnerability was not triggered
    or exploited. \n\n### Credits\nWe would like to thank [Emily Trau](https://github.com/emilytrau)
    and [Jamie McClymont (CyberCX)](https://twitter.com/JJJollyjim) for reporting
    this issue. Further detail is available in [their blog post](https://emily.id.au/tailscale).\n\n###
    References\n* [TS-2022-004](https://tailscale.com/security-bulletins/#ts-2022-004)\n*
    [Researcher blog post](https://emily.id.au/tailscale)\n\n### For more information\nIf
    you have any questions or comments about this advisory, [contact Tailscale support](https://tailscale.com/contact/support/).\n"
cves:
  - CVE-2022-41924
ghsas:
  - GHSA-vqp6-rc3h-83cp

[gopherbot]

Change https://go.dev/cl/453935 mentions this issue: data/excluded: batch add GO-2022-1119 and GO-2022-1120

[gopherbot]

Change https://go.dev/cl/592835 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607231 mentions this issue: data/reports: unexclude 20 reports (29)