x/vulndb: potential Go vuln in github.com/prasmussen/glot-code-runner: GHSA-vj95-2f9q-x7h6

[GoVulnBot]

In GitHub Security Advisory GHSA-vj95-2f9q-x7h6, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/prasmussen/glot-code-runner		<= 2018-05-19

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/prasmussen/glot-code-runner
      versions:
        - {}
      vulnerable_at: 0.0.0-20201226114206-32fe564fd21d
      packages:
        - package: github.com/prasmussen/glot-code-runner
summary: glot-code-runner RCE
description: |-
    The default configuration of glot-www through 2018-05-19 allows remote attackers
    to execute arbitrary code because glot-code-runner supports os.system within a
    "python" "files" "content" JSON file.
cves:
    - CVE-2018-15747
ghsas:
    - GHSA-vj95-2f9q-x7h6
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2018-15747
    - report: https://github.com/prasmussen/glot-code-runner/issues/15
    - advisory: https://github.com/advisories/GHSA-vj95-2f9q-x7h6

[neild]

prasmussen/glot-code-runner#15 indicates that this is working as intended.

Alternatively, this could be EFFECTIVELY_PRIVATE, since this seems to be a tool rather than a library.

[gopherbot]

Change https://go.dev/cl/514636 mentions this issue: data/excluded: batch add 31 excluded reports