x/vulndb: potential Go vuln in github.com/jinzhu/gorm: CVE-2019-15562

[tatianab]

CVE-2019-15562 references github.com/jinzhu/gorm, which may be a Go module.

Description:
** DISPUTED ** GORM before 1.9.10 allows SQL injection via incomplete parentheses. NOTE: Misusing Gorm by passing untrusted user input where Gorm expects trusted SQL fragments is a vulnerability in the application, not in Gorm.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-15562
• web: https://github.com/jinzhu/gorm/releases/tag/v1.9.10
• fix: Fix #2517 : Check for incomplete parentheses to prevent SQL injection. go-gorm/gorm#2519
• fix: Revert check for incomplete parentheses go-gorm/gorm#2674
• report: SQL injection in Gorm With using first and find. go-gorm/gorm#2517 (comment)
• Imported by: https://pkg.go.dev/github.com/jinzhu/gorm?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/jinzhu/gorm
      vulnerable_at: 1.9.16
      packages:
        - package: n/a
cves:
    - CVE-2019-15562
references:
    - web: https://github.com/jinzhu/gorm/releases/tag/v1.9.10
    - fix: https://github.com/go-gorm/gorm/pull/2519
    - fix: https://github.com/go-gorm/gorm/pull/2674
    - report: https://github.com/go-gorm/gorm/issues/2517#issuecomment-638145427

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports