From 96f0f48a7e730dbffce8767252da4ae4fca1da56 Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley Date: Mon, 3 Jun 2024 15:15:57 -0400 Subject: [PATCH] data/reports: add 51 unreviewed reports Add 51 completely auto-generated reports. - data/reports/GO-2024-2647.yaml - data/reports/GO-2024-2728.yaml - data/reports/GO-2024-2568.yaml - data/reports/GO-2024-2569.yaml - data/reports/GO-2024-2597.yaml - data/reports/GO-2024-2756.yaml - data/reports/GO-2024-2765.yaml - data/reports/GO-2024-2853.yaml - data/reports/GO-2024-2860.yaml - data/reports/GO-2024-2785.yaml - data/reports/GO-2024-2579.yaml - data/reports/GO-2024-2747.yaml - data/reports/GO-2024-2645.yaml - data/reports/GO-2024-2723.yaml - data/reports/GO-2024-2690.yaml - data/reports/GO-2024-2766.yaml - data/reports/GO-2024-2863.yaml - data/reports/GO-2024-2641.yaml - data/reports/GO-2024-2754.yaml - data/reports/GO-2024-2846.yaml - data/reports/GO-2024-2580.yaml - data/reports/GO-2024-2791.yaml - data/reports/GO-2024-2859.yaml - data/reports/GO-2024-2752.yaml - data/reports/GO-2024-2779.yaml - data/reports/GO-2024-2636.yaml - data/reports/GO-2024-2675.yaml - data/reports/GO-2024-2727.yaml - data/reports/GO-2024-2689.yaml - data/reports/GO-2024-2803.yaml - data/reports/GO-2024-2648.yaml - data/reports/GO-2024-2792.yaml - data/reports/GO-2024-2861.yaml - data/reports/GO-2024-2644.yaml - data/reports/GO-2024-2741.yaml - data/reports/GO-2024-2692.yaml - data/reports/GO-2024-2575.yaml - data/reports/GO-2024-2729.yaml - data/reports/GO-2024-2757.yaml - data/reports/GO-2024-2649.yaml - data/reports/GO-2024-2763.yaml - data/reports/GO-2024-2703.yaml - data/reports/GO-2024-2716.yaml - data/reports/GO-2024-2642.yaml - data/reports/GO-2024-2704.yaml - data/reports/GO-2024-2578.yaml - data/reports/GO-2024-2814.yaml - data/reports/GO-2024-2581.yaml - data/reports/GO-2024-2836.yaml - data/reports/GO-2024-2701.yaml - data/reports/GO-2024-2746.yaml Fixes golang/vulndb#2647 Fixes golang/vulndb#2728 Fixes golang/vulndb#2568 Fixes golang/vulndb#2569 Fixes golang/vulndb#2597 Fixes golang/vulndb#2756 Fixes 
golang/vulndb#2765 Fixes golang/vulndb#2853 Fixes golang/vulndb#2860 Fixes golang/vulndb#2785 Fixes golang/vulndb#2579 Fixes golang/vulndb#2747 Fixes golang/vulndb#2645 Fixes golang/vulndb#2723 Fixes golang/vulndb#2690 Fixes golang/vulndb#2766 Fixes golang/vulndb#2863 Fixes golang/vulndb#2641 Fixes golang/vulndb#2754 Fixes golang/vulndb#2846 Fixes golang/vulndb#2580 Fixes golang/vulndb#2791 Fixes golang/vulndb#2859 Fixes golang/vulndb#2752 Fixes golang/vulndb#2779 Fixes golang/vulndb#2636 Fixes golang/vulndb#2675 Fixes golang/vulndb#2727 Fixes golang/vulndb#2689 Fixes golang/vulndb#2803 Fixes golang/vulndb#2648 Fixes golang/vulndb#2792 Fixes golang/vulndb#2861 Fixes golang/vulndb#2644 Fixes golang/vulndb#2741 Fixes golang/vulndb#2692 Fixes golang/vulndb#2575 Fixes golang/vulndb#2729 Fixes golang/vulndb#2757 Fixes golang/vulndb#2649 Fixes golang/vulndb#2763 Fixes golang/vulndb#2703 Fixes golang/vulndb#2716 Fixes golang/vulndb#2642 Fixes golang/vulndb#2704 Fixes golang/vulndb#2578 Fixes golang/vulndb#2814 Fixes golang/vulndb#2581 Fixes golang/vulndb#2836 Fixes golang/vulndb#2701 Fixes golang/vulndb#2746 Change-Id: I0a5da056b5ccdc1125855a24e7fd6228a2f6d326 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590039 Commit-Queue: Tatiana Bradley Auto-Submit: Tatiana Bradley Reviewed-by: Damien Neil LUCI-TryBot-Result: Go LUCI --- data/osv/GO-2024-2568.json | 56 +++++++++++++++++++++ data/osv/GO-2024-2569.json | 60 ++++++++++++++++++++++ data/osv/GO-2024-2575.json | 52 +++++++++++++++++++ data/osv/GO-2024-2578.json | 56 +++++++++++++++++++++ data/osv/GO-2024-2579.json | 56 +++++++++++++++++++++ data/osv/GO-2024-2580.json | 56 +++++++++++++++++++++ data/osv/GO-2024-2581.json | 47 +++++++++++++++++ data/osv/GO-2024-2597.json | 52 +++++++++++++++++++ data/osv/GO-2024-2636.json | 68 +++++++++++++++++++++++++ data/osv/GO-2024-2641.json | 52 +++++++++++++++++++ data/osv/GO-2024-2642.json | 52 +++++++++++++++++++ data/osv/GO-2024-2644.json | 56 +++++++++++++++++++++ 
data/osv/GO-2024-2645.json | 68 +++++++++++++++++++++++++ data/osv/GO-2024-2647.json | 47 +++++++++++++++++ data/osv/GO-2024-2648.json | 47 +++++++++++++++++ data/osv/GO-2024-2649.json | 47 +++++++++++++++++ data/osv/GO-2024-2675.json | 52 +++++++++++++++++++ data/osv/GO-2024-2689.json | 76 ++++++++++++++++++++++++++++ data/osv/GO-2024-2690.json | 52 +++++++++++++++++++ data/osv/GO-2024-2692.json | 90 +++++++++++++++++++++++++++++++++ data/osv/GO-2024-2701.json | 60 ++++++++++++++++++++++ data/osv/GO-2024-2703.json | 51 +++++++++++++++++++ data/osv/GO-2024-2704.json | 52 +++++++++++++++++++ data/osv/GO-2024-2716.json | 56 +++++++++++++++++++++ data/osv/GO-2024-2723.json | 56 +++++++++++++++++++++ data/osv/GO-2024-2727.json | 47 +++++++++++++++++ data/osv/GO-2024-2728.json | 72 ++++++++++++++++++++++++++ data/osv/GO-2024-2729.json | 52 +++++++++++++++++++ data/osv/GO-2024-2741.json | 59 ++++++++++++++++++++++ data/osv/GO-2024-2746.json | 92 ++++++++++++++++++++++++++++++++++ data/osv/GO-2024-2747.json | 60 ++++++++++++++++++++++ data/osv/GO-2024-2752.json | 64 +++++++++++++++++++++++ data/osv/GO-2024-2754.json | 88 ++++++++++++++++++++++++++++++++ data/osv/GO-2024-2756.json | 56 +++++++++++++++++++++ data/osv/GO-2024-2757.json | 52 +++++++++++++++++++ data/osv/GO-2024-2763.json | 68 +++++++++++++++++++++++++ data/osv/GO-2024-2765.json | 68 +++++++++++++++++++++++++ data/osv/GO-2024-2766.json | 68 +++++++++++++++++++++++++ data/osv/GO-2024-2779.json | 56 +++++++++++++++++++++ data/osv/GO-2024-2785.json | 68 +++++++++++++++++++++++++ data/osv/GO-2024-2791.json | 76 ++++++++++++++++++++++++++++ data/osv/GO-2024-2792.json | 72 ++++++++++++++++++++++++++ data/osv/GO-2024-2803.json | 48 ++++++++++++++++++ data/osv/GO-2024-2814.json | 52 +++++++++++++++++++ data/osv/GO-2024-2836.json | 56 +++++++++++++++++++++ data/osv/GO-2024-2846.json | 49 ++++++++++++++++++ data/osv/GO-2024-2853.json | 56 +++++++++++++++++++++ data/osv/GO-2024-2859.json | 56 +++++++++++++++++++++ 
data/osv/GO-2024-2860.json | 51 +++++++++++++++++++ data/osv/GO-2024-2861.json | 70 ++++++++++++++++++++++++++ data/osv/GO-2024-2863.json | 68 +++++++++++++++++++++++++ data/reports/GO-2024-2568.yaml | 20 ++++++++ data/reports/GO-2024-2569.yaml | 21 ++++++++ data/reports/GO-2024-2575.yaml | 21 ++++++++ data/reports/GO-2024-2578.yaml | 20 ++++++++ data/reports/GO-2024-2579.yaml | 20 ++++++++ data/reports/GO-2024-2580.yaml | 20 ++++++++ data/reports/GO-2024-2581.yaml | 19 +++++++ data/reports/GO-2024-2597.yaml | 19 +++++++ data/reports/GO-2024-2636.yaml | 23 +++++++++ data/reports/GO-2024-2641.yaml | 19 +++++++ data/reports/GO-2024-2642.yaml | 19 +++++++ data/reports/GO-2024-2644.yaml | 20 ++++++++ data/reports/GO-2024-2645.yaml | 24 +++++++++ data/reports/GO-2024-2647.yaml | 16 ++++++ data/reports/GO-2024-2648.yaml | 16 ++++++ data/reports/GO-2024-2649.yaml | 16 ++++++ data/reports/GO-2024-2675.yaml | 19 +++++++ data/reports/GO-2024-2689.yaml | 26 ++++++++++ data/reports/GO-2024-2690.yaml | 21 ++++++++ data/reports/GO-2024-2692.yaml | 30 +++++++++++ data/reports/GO-2024-2701.yaml | 22 ++++++++ data/reports/GO-2024-2703.yaml | 19 +++++++ data/reports/GO-2024-2704.yaml | 24 +++++++++ data/reports/GO-2024-2716.yaml | 22 ++++++++ data/reports/GO-2024-2723.yaml | 23 +++++++++ data/reports/GO-2024-2727.yaml | 16 ++++++ data/reports/GO-2024-2728.yaml | 28 +++++++++++ data/reports/GO-2024-2729.yaml | 20 ++++++++ data/reports/GO-2024-2741.yaml | 19 +++++++ data/reports/GO-2024-2746.yaml | 32 ++++++++++++ data/reports/GO-2024-2747.yaml | 22 ++++++++ data/reports/GO-2024-2752.yaml | 24 +++++++++ data/reports/GO-2024-2754.yaml | 29 +++++++++++ data/reports/GO-2024-2756.yaml | 20 ++++++++ data/reports/GO-2024-2757.yaml | 22 ++++++++ data/reports/GO-2024-2763.yaml | 23 +++++++++ data/reports/GO-2024-2765.yaml | 23 +++++++++ data/reports/GO-2024-2766.yaml | 23 +++++++++ data/reports/GO-2024-2779.yaml | 20 ++++++++ data/reports/GO-2024-2785.yaml | 23 +++++++++ 
data/reports/GO-2024-2791.yaml | 26 ++++++++++ data/reports/GO-2024-2792.yaml | 27 ++++++++++ data/reports/GO-2024-2803.yaml | 18 +++++++ data/reports/GO-2024-2814.yaml | 19 +++++++ data/reports/GO-2024-2836.yaml | 20 ++++++++ data/reports/GO-2024-2846.yaml | 17 +++++++ data/reports/GO-2024-2853.yaml | 23 +++++++++ data/reports/GO-2024-2859.yaml | 20 ++++++++ data/reports/GO-2024-2860.yaml | 18 +++++++ data/reports/GO-2024-2861.yaml | 24 +++++++++ data/reports/GO-2024-2863.yaml | 23 +++++++++ 102 files changed, 4139 insertions(+) create mode 100644 data/osv/GO-2024-2568.json create mode 100644 data/osv/GO-2024-2569.json create mode 100644 data/osv/GO-2024-2575.json create mode 100644 data/osv/GO-2024-2578.json create mode 100644 data/osv/GO-2024-2579.json create mode 100644 data/osv/GO-2024-2580.json create mode 100644 data/osv/GO-2024-2581.json create mode 100644 data/osv/GO-2024-2597.json create mode 100644 data/osv/GO-2024-2636.json create mode 100644 data/osv/GO-2024-2641.json create mode 100644 data/osv/GO-2024-2642.json create mode 100644 data/osv/GO-2024-2644.json create mode 100644 data/osv/GO-2024-2645.json create mode 100644 data/osv/GO-2024-2647.json create mode 100644 data/osv/GO-2024-2648.json create mode 100644 data/osv/GO-2024-2649.json create mode 100644 data/osv/GO-2024-2675.json create mode 100644 data/osv/GO-2024-2689.json create mode 100644 data/osv/GO-2024-2690.json create mode 100644 data/osv/GO-2024-2692.json create mode 100644 data/osv/GO-2024-2701.json create mode 100644 data/osv/GO-2024-2703.json create mode 100644 data/osv/GO-2024-2704.json create mode 100644 data/osv/GO-2024-2716.json create mode 100644 data/osv/GO-2024-2723.json create mode 100644 data/osv/GO-2024-2727.json create mode 100644 data/osv/GO-2024-2728.json create mode 100644 data/osv/GO-2024-2729.json create mode 100644 data/osv/GO-2024-2741.json create mode 100644 data/osv/GO-2024-2746.json create mode 100644 data/osv/GO-2024-2747.json create mode 100644 
data/osv/GO-2024-2752.json create mode 100644 data/osv/GO-2024-2754.json create mode 100644 data/osv/GO-2024-2756.json create mode 100644 data/osv/GO-2024-2757.json create mode 100644 data/osv/GO-2024-2763.json create mode 100644 data/osv/GO-2024-2765.json create mode 100644 data/osv/GO-2024-2766.json create mode 100644 data/osv/GO-2024-2779.json create mode 100644 data/osv/GO-2024-2785.json create mode 100644 data/osv/GO-2024-2791.json create mode 100644 data/osv/GO-2024-2792.json create mode 100644 data/osv/GO-2024-2803.json create mode 100644 data/osv/GO-2024-2814.json create mode 100644 data/osv/GO-2024-2836.json create mode 100644 data/osv/GO-2024-2846.json create mode 100644 data/osv/GO-2024-2853.json create mode 100644 data/osv/GO-2024-2859.json create mode 100644 data/osv/GO-2024-2860.json create mode 100644 data/osv/GO-2024-2861.json create mode 100644 data/osv/GO-2024-2863.json create mode 100644 data/reports/GO-2024-2568.yaml create mode 100644 data/reports/GO-2024-2569.yaml create mode 100644 data/reports/GO-2024-2575.yaml create mode 100644 data/reports/GO-2024-2578.yaml create mode 100644 data/reports/GO-2024-2579.yaml create mode 100644 data/reports/GO-2024-2580.yaml create mode 100644 data/reports/GO-2024-2581.yaml create mode 100644 data/reports/GO-2024-2597.yaml create mode 100644 data/reports/GO-2024-2636.yaml create mode 100644 data/reports/GO-2024-2641.yaml create mode 100644 data/reports/GO-2024-2642.yaml create mode 100644 data/reports/GO-2024-2644.yaml create mode 100644 data/reports/GO-2024-2645.yaml create mode 100644 data/reports/GO-2024-2647.yaml create mode 100644 data/reports/GO-2024-2648.yaml create mode 100644 data/reports/GO-2024-2649.yaml create mode 100644 data/reports/GO-2024-2675.yaml create mode 100644 data/reports/GO-2024-2689.yaml create mode 100644 data/reports/GO-2024-2690.yaml create mode 100644 data/reports/GO-2024-2692.yaml create mode 100644 data/reports/GO-2024-2701.yaml create mode 100644 
data/reports/GO-2024-2703.yaml create mode 100644 data/reports/GO-2024-2704.yaml create mode 100644 data/reports/GO-2024-2716.yaml create mode 100644 data/reports/GO-2024-2723.yaml create mode 100644 data/reports/GO-2024-2727.yaml create mode 100644 data/reports/GO-2024-2728.yaml create mode 100644 data/reports/GO-2024-2729.yaml create mode 100644 data/reports/GO-2024-2741.yaml create mode 100644 data/reports/GO-2024-2746.yaml create mode 100644 data/reports/GO-2024-2747.yaml create mode 100644 data/reports/GO-2024-2752.yaml create mode 100644 data/reports/GO-2024-2754.yaml create mode 100644 data/reports/GO-2024-2756.yaml create mode 100644 data/reports/GO-2024-2757.yaml create mode 100644 data/reports/GO-2024-2763.yaml create mode 100644 data/reports/GO-2024-2765.yaml create mode 100644 data/reports/GO-2024-2766.yaml create mode 100644 data/reports/GO-2024-2779.yaml create mode 100644 data/reports/GO-2024-2785.yaml create mode 100644 data/reports/GO-2024-2791.yaml create mode 100644 data/reports/GO-2024-2792.yaml create mode 100644 data/reports/GO-2024-2803.yaml create mode 100644 data/reports/GO-2024-2814.yaml create mode 100644 data/reports/GO-2024-2836.yaml create mode 100644 data/reports/GO-2024-2846.yaml create mode 100644 data/reports/GO-2024-2853.yaml create mode 100644 data/reports/GO-2024-2859.yaml create mode 100644 data/reports/GO-2024-2860.yaml create mode 100644 data/reports/GO-2024-2861.yaml create mode 100644 data/reports/GO-2024-2863.yaml diff --git a/data/osv/GO-2024-2568.json b/data/osv/GO-2024-2568.json new file mode 100644 index 00000000..2bbef690 --- /dev/null +++ b/data/osv/GO-2024-2568.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2568", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-25630", + "GHSA-7496-fgv9-xw82" + ], + "summary": "Unencrypted ingress/health traffic when using Wireguard transparent encryption in github.com/cilium/cilium", + "details": "Unencrypted ingress/health traffic when using Wireguard transparent encryption in github.com/cilium/cilium", + "affected": [ + { + "package": { + "name": "github.com/cilium/cilium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.14.7" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cilium/cilium/security/advisories/GHSA-7496-fgv9-xw82" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25630" + }, + { + "type": "WEB", + "url": "https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.14.7" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2568", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2569.json b/data/osv/GO-2024-2569.json new file mode 100644 index 00000000..485992f3 --- /dev/null +++ b/data/osv/GO-2024-2569.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2569", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-25631", + "GHSA-x989-52fc-4vr4" + ], + "summary": "Unencrypted traffic between pods when using Wireguard and an external kvstore in github.com/cilium/cilium", + "details": "Unencrypted traffic between pods when using Wireguard and an external kvstore in github.com/cilium/cilium", + "affected": [ + { + "package": { + "name": "github.com/cilium/cilium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.14.7" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cilium/cilium/security/advisories/GHSA-x989-52fc-4vr4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25631" + }, + { + "type": "WEB", + "url": "https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore" + }, + { + "type": "WEB", + "url": "https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.14.7" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2569", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2575.json b/data/osv/GO-2024-2575.json new file mode 100644 index 00000000..b4f9e614 --- /dev/null +++ b/data/osv/GO-2024-2575.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2575", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-26147", + "GHSA-r53h-jv2g-vpx6" + ], + "summary": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3", + "details": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3", + "affected": [ + { + "package": { + "name": "helm.sh/helm/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.14.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26147" + }, + { + "type": "WEB", + "url": "https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2575", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2578.json b/data/osv/GO-2024-2578.json new file mode 100644 index 00000000..0cb38605 --- /dev/null +++ b/data/osv/GO-2024-2578.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2578", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-23349", + "GHSA-8pf2-qj4v-fj64" + ], + "summary": "Apache Answer Cross-site Scripting vulnerability in github.com/apache/incubator-answer", + "details": "Apache Answer Cross-site Scripting vulnerability in github.com/apache/incubator-answer", + "affected": [ + { + "package": { + "name": "github.com/apache/incubator-answer", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8pf2-qj4v-fj64" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23349" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/22/2" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2578", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2579.json b/data/osv/GO-2024-2579.json new file mode 100644 index 00000000..a038707a --- /dev/null +++ b/data/osv/GO-2024-2579.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2579", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-22393", + "GHSA-rmqp-mvv2-54c6" + ], + "summary": "Apache Answer Unrestricted Upload of File with Dangerous Type vulnerability in github.com/apache/incubator-answer", + "details": "Apache Answer Unrestricted Upload of File with Dangerous Type vulnerability in github.com/apache/incubator-answer", + "affected": [ + { + "package": { + "name": "github.com/apache/incubator-answer", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-rmqp-mvv2-54c6" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22393" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/22/1" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/f58l6dr4r74hl6o71gn47kmn44vw12cv" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2579", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2580.json b/data/osv/GO-2024-2580.json new file mode 100644 index 00000000..5d3ba7e4 --- /dev/null +++ b/data/osv/GO-2024-2580.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2580", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-26578", + "GHSA-9q24-hwmc-797x" + ], + "summary": "Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer", + "details": "Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer", + "affected": [ + { + "package": { + "name": "github.com/apache/incubator-answer", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9q24-hwmc-797x" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26578" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/22/3" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/ko0ksnznt2484lxt0zts2ygr82ldkhcb" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2580", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2581.json b/data/osv/GO-2024-2581.json new file mode 100644 index 00000000..ae4b58df --- /dev/null +++ b/data/osv/GO-2024-2581.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2581", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-fvv5-h29g-f6w5" + ], + "summary": "User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs", + "details": "User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs", + "affected": [ + { + "package": { + "name": "github.com/treeverse/lakefs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.90.0" + }, + { + "fixed": "1.12.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/treeverse/lakeFS/security/advisories/GHSA-fvv5-h29g-f6w5" + }, + { + "type": "WEB", + "url": "https://github.com/treeverse/lakeFS/commit/56556ee5406fc5425b9302cd08a8d412635fdcd7" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2581", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2597.json b/data/osv/GO-2024-2597.json new file mode 100644 index 00000000..1a303bba --- /dev/null +++ b/data/osv/GO-2024-2597.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2597", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-27101", + "GHSA-h3m7-rqc4-7h9p" + ], + "summary": "Integer overflow in chunking helper causes dispatching to miss elements or panic in github.com/authzed/spicedb", + "details": "Integer overflow in chunking helper causes dispatching to miss elements or panic in github.com/authzed/spicedb", + "affected": [ + { + "package": { + "name": "github.com/authzed/spicedb", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.29.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-h3m7-rqc4-7h9p" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27101" + }, + { + "type": "FIX", + "url": "https://github.com/authzed/spicedb/commit/ef443c442b96909694390324a99849b0407007fe" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2597", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2636.json b/data/osv/GO-2024-2636.json new file mode 100644 index 00000000..6263e3fe --- /dev/null +++ b/data/osv/GO-2024-2636.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2636", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-2352", + "GHSA-x2vg-5wrf-vj6v" + ], + "summary": "1Panel is vulnerable to command injection in github.com/1Panel-dev/1Panel", + "details": "1Panel is vulnerable to command injection in github.com/1Panel-dev/1Panel", + "affected": [ + { + "package": { + "name": "github.com/1Panel-dev/1Panel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.1-lts" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-x2vg-5wrf-vj6v" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2352" + }, + { + "type": "FIX", + "url": "https://github.com/1Panel-dev/1Panel/pull/4131" + }, + { + "type": "FIX", + "url": "https://github.com/1Panel-dev/1Panel/pull/4131#issue-2176105990" + }, + { + "type": "FIX", + "url": "https://github.com/1Panel-dev/1Panel/pull/4131/commits/0edd7a9f6f5100aab98a0ea6e5deedff7700396c" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.256304" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.256304" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2636", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2641.json b/data/osv/GO-2024-2641.json new file mode 100644 index 00000000..c309e633 --- /dev/null +++ b/data/osv/GO-2024-2641.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2641", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-28236", + "GHSA-pwx5-6wxg-px5h" + ], + "summary": "Insecure Variable Substitution in Vela in github.com/go-vela/worker", + "details": "Insecure Variable Substitution in Vela in github.com/go-vela/worker", + "affected": [ + { + "package": { + "name": "github.com/go-vela/worker", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.23.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28236" + }, + { + "type": "FIX", + "url": "https://github.com/go-vela/worker/commit/e1572743b008e4fbce31ebb1dcd23bf6a1a30297" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2641", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2642.json b/data/osv/GO-2024-2642.json new file mode 100644 index 00000000..67862664 --- /dev/null +++ b/data/osv/GO-2024-2642.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2642", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-27102", + "GHSA-494h-9924-xww9" + ], + "summary": "Pterodactyl Wings vulnerable to improper isolation of server file access in github.com/pterodactyl/wings", + "details": "Pterodactyl Wings vulnerable to improper isolation of server file access in github.com/pterodactyl/wings", + "affected": [ + { + "package": { + "name": "github.com/pterodactyl/wings", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.9" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-494h-9924-xww9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27102" + }, + { + "type": "FIX", + "url": "https://github.com/pterodactyl/wings/commit/d1c0ca526007113a0f74f56eba99511b4e989287" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2642", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2644.json b/data/osv/GO-2024-2644.json new file mode 100644 index 00000000..73f29464 --- /dev/null +++ b/data/osv/GO-2024-2644.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2644", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-51699", + "GHSA-wx8q-4gm9-rj2g" + ], + "summary": "Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime in github.com/fluid-cloudnative/fluid", + "details": "Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime in github.com/fluid-cloudnative/fluid", + "affected": [ + { + "package": { + "name": "github.com/fluid-cloudnative/fluid", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.9.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/fluid-cloudnative/fluid/security/advisories/GHSA-wx8q-4gm9-rj2g" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51699" + }, + { + "type": "FIX", + "url": "https://github.com/fluid-cloudnative/fluid/commit/02b7cd8b79a26092df95d625664994bda485c722" + }, + { + "type": "FIX", + "url": "https://github.com/fluid-cloudnative/fluid/commit/e0184cff8790ad000c3e8943392c7f544fad7d66" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2644", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2645.json b/data/osv/GO-2024-2645.json new file mode 100644 index 00000000..943c812e --- /dev/null +++ b/data/osv/GO-2024-2645.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2645", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-27920", + "GHSA-w5wx-6g2r-r78q" + ], + "summary": "Nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei/v3", + "details": "Nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei/v3", + "affected": [ + { + "package": { + "name": "github.com/projectdiscovery/nuclei/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.2.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-w5wx-6g2r-r78q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27920" + }, + { + "type": "WEB", + "url": "https://docs.projectdiscovery.io/templates/protocols/code" + }, + { + "type": "WEB", + "url": "https://docs.projectdiscovery.io/templates/reference/template-signing" + }, + { + "type": "WEB", + "url": "https://docs.projectdiscovery.io/templates/workflows/overview" + }, + { + "type": "WEB", + "url": "https://github.com/projectdiscovery/nuclei/commit/e86f38299765b82ad724fdb701557e0eaff3884d" + }, + { + "type": "WEB", + "url": "https://github.com/projectdiscovery/nuclei/pull/4822" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2645", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2647.json b/data/osv/GO-2024-2647.json new file mode 100644 index 00000000..a303f498 --- /dev/null +++ b/data/osv/GO-2024-2647.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2647", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-4jhj-3gv3-c3gr" + ], + "summary": "CLI for Vela Insecure Variable Substitution in github.com/go-vela/cli", + "details": "CLI for Vela Insecure Variable Substitution in github.com/go-vela/cli", + "affected": [ + { + "package": { + "name": "github.com/go-vela/cli", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.23.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/go-vela/cli/security/advisories/GHSA-4jhj-3gv3-c3gr" + }, + { + "type": "FIX", + "url": "https://github.com/go-vela/cli/commit/0349a2060c35722e341bf65a4215592c6c4bc5b4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2647", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2648.json b/data/osv/GO-2024-2648.json new file mode 100644 index 00000000..05f4cda1 --- /dev/null +++ b/data/osv/GO-2024-2648.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2648", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-69p4-j5v5-x234" + ], + "summary": "Server/API for Vela Insecure Variable Substitution in github.com/go-vela/server", + "details": "Server/API for Vela Insecure Variable Substitution in github.com/go-vela/server", + "affected": [ + { + "package": { + "name": "github.com/go-vela/server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.23.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/go-vela/server/security/advisories/GHSA-69p4-j5v5-x234" + }, + { + "type": "FIX", + "url": "https://github.com/go-vela/server/commit/a645c822da1d91e1f4159b69685224232683bebb" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2648", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2649.json b/data/osv/GO-2024-2649.json new file mode 100644 index 00000000..ccb03319 --- /dev/null +++ b/data/osv/GO-2024-2649.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2649", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-7v38-w32m-wx4m" + ], + "summary": "Types for Vela Insecure Variable Substitution in github.com/go-vela/types", + "details": "Types for Vela Insecure Variable Substitution in github.com/go-vela/types", + "affected": [ + { + "package": { + "name": "github.com/go-vela/types", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.23.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/go-vela/types/security/advisories/GHSA-7v38-w32m-wx4m" + }, + { + "type": "FIX", + "url": "https://github.com/go-vela/types/commit/2e046fceb8fe56fb7170495962f24475cee78d46" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2649", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2675.json b/data/osv/GO-2024-2675.json new file mode 100644 index 00000000..7efff01c --- /dev/null +++ b/data/osv/GO-2024-2675.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2675", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-2435", + "GHSA-8f25-w7qj-r7hc" + ], + "summary": "Temporal UI Server cross-site scripting vulnerability in github.com/temporalio/ui-server/v2", + "details": "Temporal UI Server cross-site scripting vulnerability in github.com/temporalio/ui-server/v2", + "affected": [ + { + "package": { + "name": "github.com/temporalio/ui-server/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.25.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8f25-w7qj-r7hc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2435" + }, + { + "type": "WEB", + "url": "https://github.com/temporalio/ui-server/releases/tag/v2.25.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2675", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2689.json b/data/osv/GO-2024-2689.json new file mode 100644 index 00000000..4bb95d15 --- /dev/null +++ b/data/osv/GO-2024-2689.json 
@@ -0,0 +1,76 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2689", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-2689", + "GHSA-wmxc-v39r-p9wf" + ], + "summary": "Temporal Server Denial of Service in go.temporal.io/server", + "details": "Temporal Server Denial of Service in go.temporal.io/server", + "affected": [ + { + "package": { + "name": "go.temporal.io/server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.5" + }, + { + "introduced": "1.21.0" + }, + { + "fixed": "1.21.6" + }, + { + "introduced": "1.22.0-rc1" + }, + { + "fixed": "1.22.7" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-wmxc-v39r-p9wf" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2689" + }, + { + "type": "WEB", + "url": "https://github.com/temporalio/temporal/commit/2099dfd945accbf794404c3b8d990d109de19f06" + }, + { + "type": "WEB", + "url": "https://github.com/temporalio/temporal/commit/679e3dc2ca8bd39e02c760f686cc8807f817bbfd" + }, + { + "type": "WEB", + "url": "https://github.com/temporalio/temporal/commit/f1fab97129f964dcca17d1f7c344f38666d1ee5f" + }, + { + "type": "WEB", + "url": "https://github.com/temporalio/temporal/releases" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2689", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2690.json b/data/osv/GO-2024-2690.json new file mode 100644 index 00000000..c0511530 --- /dev/null +++ b/data/osv/GO-2024-2690.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2690", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-2660", + "GHSA-j2rp-gmqv-frhv" + ], + "summary": "HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault", + "details": "HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-j2rp-gmqv-frhv" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2660" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2690", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2692.json b/data/osv/GO-2024-2692.json new file mode 100644 index 00000000..ae195fee --- /dev/null +++ b/data/osv/GO-2024-2692.json 
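Review bot: The summary and details collapse the vendor name to `HashiCorpVault` and say nothing about which code path is affected, while the only non-advisory reference is the HCSEC-2024-07 post whose slug names the TLS cert auth method's OCSP validation. For an UNREVIEWED entry these two strings are all a govulncheck user sees, so I'd fix the name and scope the wording now: `"summary": "HashiCorp Vault does not correctly validate OCSP responses in the TLS cert auth method in github.com/hashicorp/vault"`, and the same text for details. The single range `introduced 0 / fixed 1.16.0` also flags every 1.15.x and earlier build; if the HCSEC post lists patched 1.15.x releases, the report should gain the corresponding fixed events when it is reviewed.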
@@ -0,0 +1,90 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2692", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-3250", + "GHSA-4685-2x5r-65pj" + ], + "summary": "Pebble service manager's file pull API allows access by any user in github.com/canonical/pebble", + "details": "Pebble service manager's file pull API allows access by any user in github.com/canonical/pebble", + "affected": [ + { + "package": { + "name": "github.com/canonical/pebble", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.1" + }, + { + "introduced": "1.2.0" + }, + { + "fixed": "1.4.2" + }, + { + "introduced": "1.5.0" + }, + { + "fixed": "1.7.3" + }, + { + "introduced": "1.8.0" + }, + { + "fixed": "1.10.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/canonical/pebble/security/advisories/GHSA-4685-2x5r-65pj" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3250" + }, + { + "type": "ADVISORY", + "url": "https://www.cve.org/CVERecord?id=CVE-2024-3250" + }, + { + "type": "FIX", + "url": "https://github.com/canonical/pebble/commit/4ca343d3889533143477e21c63867f2f3c3b5645" + }, + { + "type": "FIX", + "url": "https://github.com/canonical/pebble/commit/a5f6f062a11ea156697b854264385ff7e1985fd8" + }, + { + "type": "FIX", + "url": "https://github.com/canonical/pebble/commit/b8abd1ff0090f3e0749e81eb1fc3ea16ba95f514" + }, + { + "type": "FIX", + "url": "https://github.com/canonical/pebble/commit/cd326225b9b0be067da7d8858e2c912078cbbbd5" + }, + { + "type": "FIX", + "url": "https://github.com/canonical/pebble/pull/406" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2692", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-2701.json b/data/osv/GO-2024-2701.json new file mode 100644 index 00000000..3a81fa94 --- /dev/null +++ b/data/osv/GO-2024-2701.json @@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2701", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-31455", + "GHSA-ggp5-28x4-xcj9" + ], + "summary": "Minder GetRepositoryByName data leak in github.com/stacklok/minder", + "details": "Minder GetRepositoryByName data leak in github.com/stacklok/minder", + "affected": [ + { + "package": { + "name": "github.com/stacklok/minder", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.39" + }, + { + "fixed": "0.0.40" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31455" + }, + { + "type": "FIX", + "url": "https://github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4" + }, + { + "type": "FIX", + "url": "https://github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014b" + }, + { + "type": "FIX", + "url": "https://github.com/stacklok/minder/pull/2941" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2701", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2703.json b/data/osv/GO-2024-2703.json new file mode 100644 index 00000000..7c4d2f1d --- /dev/null +++ b/data/osv/GO-2024-2703.json 
@@ -0,0 +1,51 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2703", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-j5vm-7qcc-2wwg" + ], + "summary": "Kopia: Storage connection credentials written to console on \"repository status\" CLI command with JSON output in github.com/kopia/kopia", + "details": "Kopia: Storage connection credentials written to console on \"repository status\" CLI command with JSON output in github.com/kopia/kopia", + "affected": [ + { + "package": { + "name": "github.com/kopia/kopia", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.16.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/kopia/kopia/security/advisories/GHSA-j5vm-7qcc-2wwg" + }, + { + "type": "FIX", + "url": "https://github.com/kopia/kopia/commit/1d6f852cd6534f4bea978cbdc85c583803d79f77" + }, + { + "type": "FIX", + "url": "https://github.com/kopia/kopia/pull/3589" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2703", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2704.json b/data/osv/GO-2024-2704.json new file mode 100644 index 00000000..69cfadb7 --- /dev/null +++ b/data/osv/GO-2024-2704.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2704", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-3518", + "GHSA-9rhf-q362-77mx" + ], + "summary": "Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers in github.com/hashicorp/consul", + "details": "Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers in github.com/hashicorp/consul", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/consul", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9rhf-q362-77mx" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3518" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2023-25-consul-jwt-auth-in-l7-intentions-allow-for-mismatched-service-identity-and-jwt-providers/57004" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2704", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2716.json b/data/osv/GO-2024-2716.json new file mode 100644 index 00000000..dda11c11 --- /dev/null +++ b/data/osv/GO-2024-2716.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2716", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-32001", + "GHSA-j85q-46hg-36p2" + ], + "summary": "SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used in github.com/authzed/spicedb", + "details": "SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used in github.com/authzed/spicedb", + "affected": [ + { + "package": { + "name": "github.com/authzed/spicedb", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.30.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-j85q-46hg-36p2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32001" + }, + { + "type": "FIX", + "url": "https://github.com/authzed/spicedb/commit/a244ed1edfaf2382711dccdb699971ec97190c7b" + }, + { + "type": "WEB", + "url": "https://github.com/authzed/spicedb/releases/tag/v1.30.1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2716", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2723.json b/data/osv/GO-2024-2723.json new file mode 100644 index 00000000..7683bdc0 --- /dev/null +++ b/data/osv/GO-2024-2723.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2723", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-31391", + "GHSA-g9qx-25vj-rf53" + ], + "summary": "Apache Solr Operator liveness and readiness probes may leak basic auth credentials in github.com/apache/solr-operator", + "details": "Apache Solr Operator liveness and readiness probes may leak basic auth credentials in github.com/apache/solr-operator", + "affected": [ + { + "package": { + "name": "github.com/apache/solr-operator", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.3.0" + }, + { + "fixed": "0.8.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-g9qx-25vj-rf53" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31391" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/04/12/7" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/w7011s78lzywzwyszvy4d8zm99ybt8c7" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2723", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2727.json b/data/osv/GO-2024-2727.json new file mode 100644 index 00000000..d95a8b81 --- /dev/null +++ b/data/osv/GO-2024-2727.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2727", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-g8fc-vrcg-8vjg" + ], + "summary": "Constallation has pods exposed to peers in VPC in github.com/edgelesssys/constellation/v2", + "details": "Constallation has pods exposed to peers in VPC in github.com/edgelesssys/constellation/v2", + "affected": [ + { + "package": { + "name": "github.com/edgelesssys/constellation/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.16.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/edgelesssys/constellation/security/advisories/GHSA-g8fc-vrcg-8vjg" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/issues/25626" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2727", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2728.json b/data/osv/GO-2024-2728.json new file mode 100644 index 00000000..20528148 --- /dev/null +++ b/data/osv/GO-2024-2728.json 
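Review bot: The product name is misspelled `Constallation` in both summary and details, and since these strings are what pkg.go.dev and govulncheck print, the typo will surface to users. Suggest `"summary": "Constellation has pods exposed to peers in VPC in github.com/edgelesssys/constellation/v2"` and the identical text for details. The only non-advisory reference is an upstream cilium issue, so once reviewed the details should state whether the exposure comes from Constellation's own network configuration or is inherited from cilium, which changes who else is affected.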
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2728", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-31990", + "GHSA-2gvw-w6fj-7m3c" + ], + "summary": "Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd/v2", + "details": "Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd/v2", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-cd/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.4.0" + }, + { + "fixed": "2.8.16" + }, + { + "introduced": "2.9.0" + }, + { + "fixed": "2.9.12" + }, + { + "introduced": "2.10.0" + }, + { + "fixed": "2.10.7" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31990" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2728", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2729.json b/data/osv/GO-2024-2729.json new file mode 100644 index 00000000..dedf857c --- /dev/null +++ b/data/osv/GO-2024-2729.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2729", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-31452", + "GHSA-8cph-m685-6v6r" + ], + "summary": "OpenFGA Authorization Bypass in github.com/openfga/openfga", + "details": "OpenFGA Authorization Bypass in github.com/openfga/openfga", + "affected": [ + { + "package": { + "name": "github.com/openfga/openfga", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.5.0" + }, + { + "fixed": "1.5.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31452" + }, + { + "type": "FIX", + "url": "https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2729", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2741.json b/data/osv/GO-2024-2741.json new file mode 100644 index 00000000..1e705eb2 --- /dev/null +++ b/data/osv/GO-2024-2741.json 
@@ -0,0 +1,59 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2741", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-31450" + ], + "summary": "Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277) in github.com/owncast/owncast", + "details": "Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277) in github.com/owncast/owncast", + "affected": [ + { + "package": { + "name": "github.com/owncast/owncast", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.1.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31450" + }, + { + "type": "FIX", + "url": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e" + }, + { + "type": "WEB", + "url": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63" + }, + { + "type": "WEB", + "url": "https://github.com/owncast/owncast/releases/tag/v0.1.3" + }, + { + "type": "WEB", + "url": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2741", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2746.json b/data/osv/GO-2024-2746.json new file mode 100644 index 00000000..f321b065 --- /dev/null +++ b/data/osv/GO-2024-2746.json 
@@ -0,0 +1,92 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2746", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-3177", + "GHSA-pxhw-596r-rwq5" + ], + "summary": "Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin in k8s.io/kubernetes", + "details": "Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.27.13" + }, + { + "introduced": "1.28.0" + }, + { + "fixed": "1.28.9" + }, + { + "introduced": "1.29.0" + }, + { + "fixed": "1.29.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-pxhw-596r-rwq5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3177" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/04/16/4" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/7c861b1ecad97e1ab9332c970c9294a72065111a" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/a619ca3fd3ee3c222d9df784622020de398076d2" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/f9fb6cf52a769a599a45e700375115c2ecc86e9b" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/124336" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT" + }, + { + "type": "WEB", + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL54MTLGMTBZZO5PYGEGEBERTMADC4WC" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2746", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2747.json b/data/osv/GO-2024-2747.json new file mode 100644 index 00000000..270b5b21 --- /dev/null +++ b/data/osv/GO-2024-2747.json @@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2747", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-32875", + "GHSA-ppf8-hhpp-f5hj" + ], + "summary": "Hugo Markdown titles do not escaped in internal render hooks in github.com/gohugoio/hugo", + "details": "Hugo Markdown titles do not escaped in internal render hooks in github.com/gohugoio/hugo", + "affected": [ + { + "package": { + "name": "github.com/gohugoio/hugo", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.123.0" + }, + { + "fixed": "0.125.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32875" + }, + { + "type": "FIX", + "url": "https://github.com/gohugoio/hugo/commit/15a4b9b33715887001f6eff30721d41c0d4cfdd1" + }, + { + "type": "WEB", + "url": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3" + }, + { + "type": "WEB", + "url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2747", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2752.json b/data/osv/GO-2024-2752.json new file mode 100644 index 00000000..b382673d --- /dev/null +++ b/data/osv/GO-2024-2752.json 
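Review bot: The GO-2024-2747 summary and details read `Hugo Markdown titles do not escaped in internal render hooks`, which is ungrammatical as published text; suggest `"summary": "Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo"` and the same for details. The references include the `renderhooksimageenabledefault` configuration page, which suggests the exposure depends on the image render hook being enabled; that condition is worth stating in details when the report is reviewed rather than leaving users to infer it from a URL.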
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2752", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-1058", + "GHSA-4rqq-rxvc-v2rc" + ], + "summary": "Gitea Open Redirect in code.gitea.io/gitea", + "details": "Gitea Open Redirect in code.gitea.io/gitea", + "affected": [ + { + "package": { + "name": "code.gitea.io/gitea", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-4rqq-rxvc-v2rc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1058" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/pull/19175" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/pull/19186" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2752", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2754.json b/data/osv/GO-2024-2754.json new file mode 100644 index 00000000..86faa56c --- /dev/null +++ b/data/osv/GO-2024-2754.json 
@@ -0,0 +1,88 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2754", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-8566", + "GHSA-5x96-j797-5qqw" + ], + "summary": "Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes", + "details": "Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.13" + }, + { + "introduced": "1.18.0" + }, + { + "fixed": "1.18.10" + }, + { + "introduced": "1.19.0" + }, + { + "fixed": "1.19.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-5x96-j797-5qqw" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8566" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886640" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/95624" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/95245" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/95245/commits/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20210122-0006" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2754", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2756.json b/data/osv/GO-2024-2756.json new file mode 100644 index 00000000..144ece34 --- /dev/null +++ b/data/osv/GO-2024-2756.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2756", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-14316", + "GHSA-828r-r2c8-rfw3" + ], + "summary": "Privilege Escalation in kubevirt in kubevirt.io/kubevirt", + "details": "Privilege Escalation in kubevirt in kubevirt.io/kubevirt", + "affected": [ + { + "package": { + "name": "kubevirt.io/kubevirt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.30.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-828r-r2c8-rfw3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14316" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848951" + }, + { + "type": "WEB", + "url": "https://github.com/kubevirt/kubevirt/pull/3686" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2756", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2757.json b/data/osv/GO-2024-2757.json new file mode 100644 index 00000000..02614ff6 --- /dev/null +++ b/data/osv/GO-2024-2757.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2757", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3382", + "GHSA-9f8c-pfvv-p4gm" + ], + "summary": "Buffer Overflow in gitea in code.gitea.io/gitea", + "details": "Buffer Overflow in gitea in code.gitea.io/gitea", + "affected": [ + { + "package": { + "name": "code.gitea.io/gitea", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.9.0" + }, + { + "fixed": "1.13.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9f8c-pfvv-p4gm" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3382" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/pull/14390" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2757", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2763.json b/data/osv/GO-2024-2763.json new file mode 100644 index 00000000..6ea748ca --- /dev/null +++ b/data/osv/GO-2024-2763.json 
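Review bot: `Buffer Overflow in gitea` is a memory-corruption label attached to a pure-Go module, and the classification needs checking against the linked PR before this text is served as-is: Go's bounds checking rules out a classic buffer overflow, so the underlying issue is presumably a stack exhaustion or similar crash, i.e. a denial of service rather than code execution. Triage tooling keys severity off these strings, so a misleading class inflates priority for consumers. If policy requires keeping the GHSA title, add the real impact to details once confirmed from gitea PR 14390, e.g. `"details": "... impact is a crash (denial of service); no memory-safety violation is implied for Go code"`.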
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2763",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2017-15103",
+ "GHSA-6g56-v9qg-jp92"
+ ],
+ "summary": "Heketi Arbitrary Code Execution in github.com/heketi/heketi",
+ "details": "Heketi Arbitrary Code Execution in github.com/heketi/heketi",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/heketi/heketi",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "5.0.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-6g56-v9qg-jp92"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15103"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/heketi/heketi/commit/787bae461b23003a4daa4d1d639016a754cf6b00"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2017:3481"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2017-15103"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1510147"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/heketi/heketi/releases/tag/v5.0.1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2763",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2765.json b/data/osv/GO-2024-2765.json
new file mode 100644
index 00000000..db1bbc22
--- /dev/null
+++ b/data/osv/GO-2024-2765.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2765",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2020-1701",
+ "GHSA-849r-8wvp-4wwg"
+ ],
+ "summary": "Permissions bypass in KubeVirt in kubevirt.io/kubevirt",
+ "details": "Permissions bypass in KubeVirt in kubevirt.io/kubevirt",
+ "affected": [
+ {
+ "package": {
+ "name": "kubevirt.io/kubevirt",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.26.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-849r-8wvp-4wwg"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1701"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1792092"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubevirt/containerized-data-importer/pull/1098"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubevirt/kubevirt/commit/9efa8d7388d4fe1c698c6980aa7122c06bd141be"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubevirt/kubevirt/issues/2967"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubevirt/kubevirt/pull/3001"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2765",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2766.json b/data/osv/GO-2024-2766.json
new file mode 100644
index 00000000..fbdc8ffa
--- /dev/null
+++ b/data/osv/GO-2024-2766.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2766",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2020-14370",
+ "GHSA-c3wv-qmjj-45r6"
+ ],
+ "summary": "Information disclosure in podman in github.com/containers/libpod/v2",
+ "details": "Information disclosure in podman in github.com/containers/libpod/v2",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/containers/libpod/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.0.5"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-c3wv-qmjj-45r6"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14370"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1874268"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/containers/podman/commit/a7e864e6e7de894d4edde4fff00e53dc6a0b5074"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6BPCZX4ASKNONL3MSCK564IVXNYSKLP"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y74V7HGQBNLT6XECCSNZNFZIB7G7XSAR"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z4Y2FSGQWP4AFT5AZ6UBN6RKHVXUBRFV"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2766",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2779.json b/data/osv/GO-2024-2779.json
new file mode 100644
index 00000000..0c435042
--- /dev/null
+++ b/data/osv/GO-2024-2779.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2779",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2020-10937",
+ "GHSA-r23h-3jmw-q7hr"
+ ],
+ "summary": "Access Restriction Bypass in go-ipfs in github.com/ipfs/go-ipfs",
+ "details": "Access Restriction Bypass in go-ipfs in github.com/ipfs/go-ipfs",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ipfs/go-ipfs",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.7.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-r23h-3jmw-q7hr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10937"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.ipfs.io/2020-10-30-dht-hardening"
+ },
+ {
+ "type": "WEB",
+ "url": "https://graz.pure.elsevier.com/en/publications/total-eclipse-of-the-heart-disrupting-the-interplanetary-file-sys"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2779",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2785.json b/data/osv/GO-2024-2785.json
new file mode 100644
index 00000000..195cf1a6
--- /dev/null
+++ b/data/osv/GO-2024-2785.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2785",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-0874",
+ "GHSA-m9w6-wp3h-vq8g"
+ ],
+ "summary": "CoreDNS may return invalid cache entries in github.com/coredns/coredns",
+ "details": "CoreDNS may return invalid cache entries in github.com/coredns/coredns",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/coredns/coredns",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.11.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-m9w6-wp3h-vq8g"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0874"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/coredns/coredns/commit/997c7f953962d47c242273f0e41398fdfb5b0151"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/coredns/coredns/pull/6354"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/coredns/coredns/issues/6186"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-0874"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219234"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2785",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2791.json b/data/osv/GO-2024-2791.json
new file mode 100644
index 00000000..51f5b38a
--- /dev/null
+++ b/data/osv/GO-2024-2791.json
@@ -0,0 +1,76 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2791",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-3154",
+ "GHSA-2cgq-h8xw-2v5j"
+ ],
+ "summary": "CRI-O vulnerable to an arbitrary systemd property injection in github.com/cri-o/cri-o",
+ "details": "CRI-O vulnerable to an arbitrary systemd property injection in github.com/cri-o/cri-o",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cri-o/cri-o",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.27.6"
+ },
+ {
+ "introduced": "1.28.0"
+ },
+ {
+ "fixed": "1.28.6"
+ },
+ {
+ "introduced": "1.29.0"
+ },
+ {
+ "fixed": "1.29.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-2cgq-h8xw-2v5j"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3154"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-3154"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272532"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/opencontainers/runc/pull/4217"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-annotations-in-configjson"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2791",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2792.json b/data/osv/GO-2024-2792.json
new file mode 100644
index 00000000..6a3c34f6
--- /dev/null
+++ b/data/osv/GO-2024-2792.json
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2792",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-32476",
+ "GHSA-9m6p-x4h2-6frq"
+ ],
+ "summary": "Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences in github.com/argoproj/argo-cd/v2",
+ "details": "Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences in github.com/argoproj/argo-cd/v2",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-cd/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.8.17"
+ },
+ {
+ "introduced": "2.9.0"
+ },
+ {
+ "fixed": "2.9.13"
+ },
+ {
+ "introduced": "2.10.0"
+ },
+ {
+ "fixed": "2.10.8"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-9m6p-x4h2-6frq"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32476"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/commit/7893979a1e78d59cedd0ba790ded24e30bb40657"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/commit/9e5cc5a26ff0920a01816231d59fdb5eae032b5a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/commit/e2df7315fb7d96652186bf7435773a27be330cac"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2792",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2803.json b/data/osv/GO-2024-2803.json
new file mode 100644
index 00000000..a82c42c6
--- /dev/null
+++ b/data/osv/GO-2024-2803.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2803",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-32963",
+ "GHSA-4jrx-5w4h-3gpm"
+ ],
+ "summary": "Navidrome Parameter Tampering vulnerability in github.com/navidrome/navidrome",
+ "details": "Navidrome Parameter Tampering vulnerability in github.com/navidrome/navidrome",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/navidrome/navidrome",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.52.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32963"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2803",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2814.json b/data/osv/GO-2024-2814.json
new file mode 100644
index 00000000..bcfc0846
--- /dev/null
+++ b/data/osv/GO-2024-2814.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2814",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-34066",
+ "GHSA-gqmf-jqgv-v8fw"
+ ],
+ "summary": "Pterodactyl Wings vulnerable to Arbitrary File Write/Read in github.com/pterodactyl/wings",
+ "details": "Pterodactyl Wings vulnerable to Arbitrary File Write/Read in github.com/pterodactyl/wings",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/pterodactyl/wings",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.11.12"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34066"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2814",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2836.json b/data/osv/GO-2024-2836.json
new file mode 100644
index 00000000..c470fb97
--- /dev/null
+++ b/data/osv/GO-2024-2836.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2836",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-34713",
+ "GHSA-jmqp-37m5-49wh"
+ ],
+ "summary": "sshproxy vulnerable to SSH option injection in github.com/cea-hpc/sshproxy",
+ "details": "sshproxy vulnerable to SSH option injection in github.com/cea-hpc/sshproxy",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cea-hpc/sshproxy",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.6.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34713"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cea-hpc/sshproxy/commit/3b8bccc874dc4ca2c80c956cad65722abb46f0b9"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2836",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2846.json b/data/osv/GO-2024-2846.json
new file mode 100644
index 00000000..95ec836f
--- /dev/null
+++ b/data/osv/GO-2024-2846.json
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2846",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-c9cp-9c75-9v8c"
+ ],
+ "summary": "containerd started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd",
+ "details": "containerd started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/containerd/containerd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.5.11"
+ },
+ {
+ "introduced": "1.6.0"
+ },
+ {
+ "fixed": "1.6.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2846",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2853.json b/data/osv/GO-2024-2853.json
new file mode 100644
index 00000000..825fa416
--- /dev/null
+++ b/data/osv/GO-2024-2853.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2853",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-35175",
+ "GHSA-4w53-6jvp-gg52"
+ ],
+ "summary": "sshpiper's enabling of proxy protocol without proper feature flagging allows faking source address in github.com/tg123/sshpiper",
+ "details": "sshpiper's enabling of proxy protocol without proper feature flagging allows faking source address in github.com/tg123/sshpiper",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/tg123/sshpiper",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.0.50"
+ },
+ {
+ "fixed": "1.3.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/tg123/sshpiper/security/advisories/GHSA-4w53-6jvp-gg52"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35175"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/tg123/sshpiper/commit/2ddd69876a1e1119059debc59fe869cb4e754430"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/tg123/sshpiper/commit/70fb830dca26bea7ced772ce5d834a3e88ae7f53"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2853",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2859.json b/data/osv/GO-2024-2859.json
new file mode 100644
index 00000000..5f82cecd
--- /dev/null
+++ b/data/osv/GO-2024-2859.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2859",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-31216",
+ "GHSA-v554-xwgw-hc3w"
+ ],
+ "summary": "source-controller leaks Azure Storage SAS token into logs in github.com/fluxcd/source-controller",
+ "details": "source-controller leaks Azure Storage SAS token into logs in github.com/fluxcd/source-controller",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/fluxcd/source-controller",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.2.5"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31216"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/fluxcd/source-controller/pull/1430"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2859",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2860.json b/data/osv/GO-2024-2860.json
new file mode 100644
index 00000000..f37c4a4f
--- /dev/null
+++ b/data/osv/GO-2024-2860.json
@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2860",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-f6mm-5fc7-3g3c"
+ ],
+ "summary": "goreleaser shows environment by default in github.com/goreleaser/goreleaser",
+ "details": "goreleaser shows environment by default in github.com/goreleaser/goreleaser",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/goreleaser/goreleaser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.26.0"
+ },
+ {
+ "fixed": "1.26.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/goreleaser/goreleaser/security/advisories/GHSA-f6mm-5fc7-3g3c"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/goreleaser/goreleaser/commit/22f734e41f7a5111a031a3a4eb714c1b6aa6456b"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/goreleaser/goreleaser/pull/4787"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2860",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2861.json b/data/osv/GO-2024-2861.json
new file mode 100644
index 00000000..78afa405
--- /dev/null
+++ b/data/osv/GO-2024-2861.json
@@ -0,0 +1,70 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2861",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-3744",
+ "GHSA-qjqg-4wg7-957h"
+ ],
+ "summary": "azure-file-csi-driver leaks service account tokens in the logs in sigs.k8s.io/azurefile-csi-driver",
+ "details": "azure-file-csi-driver leaks service account tokens in the logs in sigs.k8s.io/azurefile-csi-driver",
+ "affected": [
+ {
+ "package": {
+ "name": "sigs.k8s.io/azurefile-csi-driver",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.29.4"
+ },
+ {
+ "introduced": "1.30.0"
+ },
+ {
+ "fixed": "1.30.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-qjqg-4wg7-957h"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3744"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes-sigs/azurefile-csi-driver/commit/a1b7446de942136419f07394efeef804523f87ae"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes-sigs/azurefile-csi-driver/commit/e11ff3dc2c03894cde692213308f9991e7bbd5bf"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/issues/124759"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/kubernetes-security-announce/c/hcgZE2MQo1A/m/Y4C6q-CYAgAJ"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2861",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2863.json b/data/osv/GO-2024-2863.json
new file mode 100644
index 00000000..5f0f0acb
--- /dev/null
+++ b/data/osv/GO-2024-2863.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2863",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-35183",
+ "GHSA-8fg7-hp93-qhvr"
+ ],
+ "summary": "wolfictl leaks GitHub tokens to remote non-GitHub git servers in github.com/wolfi-dev/wolfictl",
+ "details": "wolfictl leaks GitHub tokens to remote non-GitHub git servers in github.com/wolfi-dev/wolfictl",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/wolfi-dev/wolfictl",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.16.10"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/wolfi-dev/wolfictl/security/advisories/GHSA-8fg7-hp93-qhvr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35183"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/wolfi-dev/wolfictl/commit/0d06e1578300327c212dda26a5ab31d09352b9d0"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/wolfi-dev/wolfictl/commit/403e93569f46766b4e26e06cf9cd0cae5ee0c2a2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/wolfi-dev/wolfictl/blob/488b53823350caa706de3f01ec0eded9350c7da7/pkg/update/update.go#L143"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/wolfi-dev/wolfictl/blob/4dd6c95abb4bc0f9306350a8601057bd7a92bded/pkg/update/deps/cleanup.go#L49"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/wolfi-dev/wolfictl/blob/6d99909f7b1aa23f732d84dad054b02a61f530e6/pkg/git/git.go#L22"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2863",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2568.yaml b/data/reports/GO-2024-2568.yaml
new file mode 100644
index 00000000..f4981c6a
--- /dev/null
+++ b/data/reports/GO-2024-2568.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2568
+modules:
+ - module: github.com/cilium/cilium
+ versions:
+ - fixed: 1.14.7
+ vulnerable_at: 1.14.6
+summary: Unencrypted ingress/health traffic when using Wireguard transparent encryption in github.com/cilium/cilium
+cves:
+ - CVE-2024-25630
+ghsas:
+ - GHSA-7496-fgv9-xw82
+references:
+ - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-7496-fgv9-xw82
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-25630
+ - web: https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg
+ - web: https://github.com/cilium/cilium/releases/tag/v1.14.7
+source:
+ id: GHSA-7496-fgv9-xw82
+ created: 2024-05-17T16:15:20.303526-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2569.yaml b/data/reports/GO-2024-2569.yaml
new file mode 100644
index 00000000..d0c10cbb
--- /dev/null
+++ b/data/reports/GO-2024-2569.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2569
+modules:
+ - module: github.com/cilium/cilium
+ versions:
+ - fixed: 1.14.7
+ vulnerable_at: 1.14.6
+summary: Unencrypted traffic between pods when using Wireguard and an external kvstore in github.com/cilium/cilium
+cves:
+ - CVE-2024-25631
+ghsas:
+ - GHSA-x989-52fc-4vr4
+references:
+ - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-x989-52fc-4vr4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-25631
+ - web: https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore
+ - web: https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg
+ - web: https://github.com/cilium/cilium/releases/tag/v1.14.7
+source:
+ id: GHSA-x989-52fc-4vr4
+ created: 2024-05-17T16:15:17.501208-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2575.yaml b/data/reports/GO-2024-2575.yaml
new file mode 100644
index 00000000..3e6aa15e
--- /dev/null
+++ b/data/reports/GO-2024-2575.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2575
+modules:
+ - module: helm.sh/helm/v3
+ versions:
+ - fixed: 3.14.2
+ vulnerable_at: 3.14.1
+summary: Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3
+cves:
+ - CVE-2024-26147
+ghsas:
+ - GHSA-r53h-jv2g-vpx6
+unknown_aliases:
+ - BIT-helm-2024-26147
+references:
+ - advisory: https://github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-26147
+ - web: https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af
+source:
+ id: GHSA-r53h-jv2g-vpx6
+ created: 2024-05-17T16:15:14.868015-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2578.yaml b/data/reports/GO-2024-2578.yaml
new file mode 100644
index 00000000..4d85ced4
--- /dev/null
+++ b/data/reports/GO-2024-2578.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2578
+modules:
+ - module: github.com/apache/incubator-answer
+ versions:
+ - fixed: 1.2.5
+ vulnerable_at: 1.2.5-RC2
+summary: Apache Answer Cross-site Scripting vulnerability in github.com/apache/incubator-answer
+cves:
+ - CVE-2024-23349
+ghsas:
+ - GHSA-8pf2-qj4v-fj64
+references:
+ - advisory: https://github.com/advisories/GHSA-8pf2-qj4v-fj64
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23349
+ - web: http://www.openwall.com/lists/oss-security/2024/02/22/2
+ - web: https://lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg
+source:
+ id: GHSA-8pf2-qj4v-fj64
+ created: 2024-05-17T16:15:07.683729-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2579.yaml b/data/reports/GO-2024-2579.yaml
new file mode 100644
index 00000000..1f4c0924
--- /dev/null
+++ b/data/reports/GO-2024-2579.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2579
+modules:
+ - module: github.com/apache/incubator-answer
+ versions:
+ - fixed: 1.2.5
+ vulnerable_at: 1.2.5-RC2
+summary: Apache Answer Unrestricted Upload of File with Dangerous Type vulnerability in github.com/apache/incubator-answer
+cves:
+ - CVE-2024-22393
+ghsas:
+ - GHSA-rmqp-mvv2-54c6
+references:
+ - advisory: https://github.com/advisories/GHSA-rmqp-mvv2-54c6
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-22393
+ - web: http://www.openwall.com/lists/oss-security/2024/02/22/1
+ - web: https://lists.apache.org/thread/f58l6dr4r74hl6o71gn47kmn44vw12cv
+source:
+ id: GHSA-rmqp-mvv2-54c6
+ created: 2024-05-17T16:15:05.172081-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2580.yaml b/data/reports/GO-2024-2580.yaml
new file mode 100644
index 00000000..5ae08b2a
--- /dev/null
+++ b/data/reports/GO-2024-2580.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2580
+modules:
+ - module: github.com/apache/incubator-answer
+ versions:
+ - fixed: 1.2.5
+ vulnerable_at: 1.2.5-RC2
+summary: Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer
+cves:
+ - CVE-2024-26578
+ghsas:
+ - GHSA-9q24-hwmc-797x
+references:
+ - advisory: https://github.com/advisories/GHSA-9q24-hwmc-797x
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-26578
+ - web: http://www.openwall.com/lists/oss-security/2024/02/22/3
+ - web: https://lists.apache.org/thread/ko0ksnznt2484lxt0zts2ygr82ldkhcb
+source:
+ id: GHSA-9q24-hwmc-797x
+ created: 2024-05-17T16:15:02.863423-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2581.yaml b/data/reports/GO-2024-2581.yaml
new file mode 100644
index 00000000..5d4a643f
--- /dev/null
+++ b/data/reports/GO-2024-2581.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-2581
+modules:
+ - module: github.com/treeverse/lakefs
+ versions:
+ - introduced: 0.90.0
+ fixed: 1.12.1
+ vulnerable_at: 1.12.0
+summary: |-
+ User with ci:ReadAction permissions and write permissions to one path in a
+ repository may copy objects from any path in the repository in github.com/treeverse/lakefs
+ghsas:
+ - GHSA-fvv5-h29g-f6w5
+references:
+ - advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-fvv5-h29g-f6w5
+ - web: https://github.com/treeverse/lakeFS/commit/56556ee5406fc5425b9302cd08a8d412635fdcd7
+source:
+ id: GHSA-fvv5-h29g-f6w5
+ created: 2024-05-17T16:15:01.346474-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2597.yaml b/data/reports/GO-2024-2597.yaml
new file mode 100644
index 00000000..59922af1
--- /dev/null
+++ b/data/reports/GO-2024-2597.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-2597
+modules:
+ - module: github.com/authzed/spicedb
+ versions:
+ - fixed: 1.29.2
+ vulnerable_at: 1.29.1
+summary: Integer overflow in chunking helper causes dispatching to miss elements or panic in github.com/authzed/spicedb
+cves:
+ - CVE-2024-27101
+ghsas:
+ - GHSA-h3m7-rqc4-7h9p
+references:
+ - advisory: https://github.com/authzed/spicedb/security/advisories/GHSA-h3m7-rqc4-7h9p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-27101
+ - fix: https://github.com/authzed/spicedb/commit/ef443c442b96909694390324a99849b0407007fe
+source:
+ id: GHSA-h3m7-rqc4-7h9p
+ created: 2024-05-17T16:14:59.533653-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2636.yaml b/data/reports/GO-2024-2636.yaml
new file mode 100644
index 00000000..449d5337
--- /dev/null
+++ b/data/reports/GO-2024-2636.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2636
+modules:
+ - module: github.com/1Panel-dev/1Panel
+ versions:
+ - fixed: 1.10.1-lts
+ vulnerable_at: 1.10.0-lts
+summary: 1Panel is vulnerable to command injection in github.com/1Panel-dev/1Panel
+cves:
+ - CVE-2024-2352
+ghsas:
+ - GHSA-x2vg-5wrf-vj6v
+references:
+ - advisory: https://github.com/advisories/GHSA-x2vg-5wrf-vj6v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-2352
+ - fix: https://github.com/1Panel-dev/1Panel/pull/4131
+ - fix: https://github.com/1Panel-dev/1Panel/pull/4131#issue-2176105990
+ - fix: https://github.com/1Panel-dev/1Panel/pull/4131/commits/0edd7a9f6f5100aab98a0ea6e5deedff7700396c
+ - web: https://vuldb.com/?ctiid.256304
+ - web: https://vuldb.com/?id.256304
+source:
+ id: GHSA-x2vg-5wrf-vj6v
+ created: 2024-05-17T16:14:46.922117-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2641.yaml b/data/reports/GO-2024-2641.yaml
new file mode 100644
index 00000000..80bc80f3
--- /dev/null
+++ b/data/reports/GO-2024-2641.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-2641
+modules:
+ - module: github.com/go-vela/worker
+ versions:
+ - fixed: 0.23.2
+ vulnerable_at: 0.23.1
+summary: Insecure Variable Substitution in Vela in github.com/go-vela/worker
+cves:
+ - CVE-2024-28236
+ghsas:
+ - GHSA-pwx5-6wxg-px5h
+references:
+ - advisory: https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-28236
+ - fix: https://github.com/go-vela/worker/commit/e1572743b008e4fbce31ebb1dcd23bf6a1a30297
+source:
+ id: GHSA-pwx5-6wxg-px5h
+ created: 2024-05-17T16:14:41.981889-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2642.yaml b/data/reports/GO-2024-2642.yaml
new file mode 100644
index 00000000..5a2fd6c2
--- /dev/null
+++ b/data/reports/GO-2024-2642.yaml
@@ -0,0 +1,19 @@ +id: GO-2024-2642 +modules: + - module: github.com/pterodactyl/wings + versions: + - fixed: 1.11.9 + vulnerable_at: 1.11.8 +summary: Pterodactyl Wings vulnerable to improper isolation of server file access in github.com/pterodactyl/wings +cves: + - CVE-2024-27102 +ghsas: + - GHSA-494h-9924-xww9 +references: + - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-494h-9924-xww9 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-27102 + - fix: https://github.com/pterodactyl/wings/commit/d1c0ca526007113a0f74f56eba99511b4e989287 +source: + id: GHSA-494h-9924-xww9 + created: 2024-05-17T16:14:39.536444-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2644.yaml b/data/reports/GO-2024-2644.yaml new file mode 100644 index 00000000..68c4ed96 --- /dev/null +++ b/data/reports/GO-2024-2644.yaml @@ -0,0 +1,20 @@ +id: GO-2024-2644 +modules: + - module: github.com/fluid-cloudnative/fluid + versions: + - fixed: 0.9.3 + vulnerable_at: 0.9.2 +summary: Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime in github.com/fluid-cloudnative/fluid +cves: + - CVE-2023-51699 +ghsas: + - GHSA-wx8q-4gm9-rj2g +references: + - advisory: https://github.com/fluid-cloudnative/fluid/security/advisories/GHSA-wx8q-4gm9-rj2g + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-51699 + - fix: https://github.com/fluid-cloudnative/fluid/commit/02b7cd8b79a26092df95d625664994bda485c722 + - fix: https://github.com/fluid-cloudnative/fluid/commit/e0184cff8790ad000c3e8943392c7f544fad7d66 +source: + id: GHSA-wx8q-4gm9-rj2g + created: 2024-05-17T16:14:37.080903-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2645.yaml b/data/reports/GO-2024-2645.yaml new file mode 100644 index 00000000..98c33b0c --- /dev/null +++ b/data/reports/GO-2024-2645.yaml 
@@ -0,0 +1,24 @@ +id: GO-2024-2645 +modules: + - module: github.com/projectdiscovery/nuclei/v3 + versions: + - introduced: 3.0.0 + fixed: 3.2.0 + vulnerable_at: 3.1.10 +summary: Nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei/v3 +cves: + - CVE-2024-27920 +ghsas: + - GHSA-w5wx-6g2r-r78q +references: + - advisory: https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-w5wx-6g2r-r78q + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-27920 + - web: https://docs.projectdiscovery.io/templates/protocols/code + - web: https://docs.projectdiscovery.io/templates/reference/template-signing + - web: https://docs.projectdiscovery.io/templates/workflows/overview + - web: https://github.com/projectdiscovery/nuclei/commit/e86f38299765b82ad724fdb701557e0eaff3884d + - web: https://github.com/projectdiscovery/nuclei/pull/4822 +source: + id: GHSA-w5wx-6g2r-r78q + created: 2024-05-17T16:14:34.657915-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2647.yaml b/data/reports/GO-2024-2647.yaml new file mode 100644 index 00000000..8cfb869a --- /dev/null +++ b/data/reports/GO-2024-2647.yaml @@ -0,0 +1,16 @@ +id: GO-2024-2647 +modules: + - module: github.com/go-vela/cli + versions: + - fixed: 0.23.2 + vulnerable_at: 0.23.1 +summary: CLI for Vela Insecure Variable Substitution in github.com/go-vela/cli +ghsas: + - GHSA-4jhj-3gv3-c3gr +references: + - advisory: https://github.com/go-vela/cli/security/advisories/GHSA-4jhj-3gv3-c3gr + - fix: https://github.com/go-vela/cli/commit/0349a2060c35722e341bf65a4215592c6c4bc5b4 +source: + id: GHSA-4jhj-3gv3-c3gr + created: 2024-05-17T16:14:32.912261-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2648.yaml b/data/reports/GO-2024-2648.yaml new file mode 100644 index 00000000..47548348 --- /dev/null +++ b/data/reports/GO-2024-2648.yaml 
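Review bot: In GO-2024-2645 the nuclei commit `e86f38299765b82ad724fdb701557e0eaff3884d` and PR 4822 are typed `web:` although they appear to be the change that closes the range at 3.2.0; if that is confirmed they should be `fix:`, e.g. `- fix: https://github.com/projectdiscovery/nuclei/pull/4822`, so tooling that looks for fix references finds them. The same `web:` typing of upstream commit URLs recurs in GO-2024-2689, GO-2024-2728, GO-2024-2746 and GO-2024-2792, presumably because the generator copies the reference type from the source advisory. A single pass over the batch for commit URLs typed `web:` would be cheaper than fixing them report by report.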
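Review bot: GO-2024-2647 carries no `cves:` entry although it describes the same Vela "Insecure Variable Substitution" issue as GO-2024-2641, which is aliased to CVE-2024-28236 and fixed in the same 0.23.2 release; GO-2024-2648 and GO-2024-2649 are in the same position. Whether the three sibling GHSAs are additional aliases of that CVE or were assigned separately cannot be told from this page, so confirm against each advisory before the reports leave UNREVIEWED and add the CVE to `cves:` only where the advisory lists it. If it turns out to be one vulnerability spanning four modules, a single report with several `modules` entries may be preferable to four near-identical ones.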
@@ -0,0 +1,16 @@ +id: GO-2024-2648 +modules: + - module: github.com/go-vela/server + versions: + - fixed: 0.23.2 + vulnerable_at: 0.23.1 +summary: Server/API for Vela Insecure Variable Substitution in github.com/go-vela/server +ghsas: + - GHSA-69p4-j5v5-x234 +references: + - advisory: https://github.com/go-vela/server/security/advisories/GHSA-69p4-j5v5-x234 + - fix: https://github.com/go-vela/server/commit/a645c822da1d91e1f4159b69685224232683bebb +source: + id: GHSA-69p4-j5v5-x234 + created: 2024-05-17T16:14:32.195885-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2649.yaml b/data/reports/GO-2024-2649.yaml new file mode 100644 index 00000000..9bf732c4 --- /dev/null +++ b/data/reports/GO-2024-2649.yaml @@ -0,0 +1,16 @@ +id: GO-2024-2649 +modules: + - module: github.com/go-vela/types + versions: + - fixed: 0.23.2 + vulnerable_at: 0.23.1 +summary: Types for Vela Insecure Variable Substitution in github.com/go-vela/types +ghsas: + - GHSA-7v38-w32m-wx4m +references: + - advisory: https://github.com/go-vela/types/security/advisories/GHSA-7v38-w32m-wx4m + - fix: https://github.com/go-vela/types/commit/2e046fceb8fe56fb7170495962f24475cee78d46 +source: + id: GHSA-7v38-w32m-wx4m + created: 2024-05-17T16:14:31.393087-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2675.yaml b/data/reports/GO-2024-2675.yaml new file mode 100644 index 00000000..6224867a --- /dev/null +++ b/data/reports/GO-2024-2675.yaml 
@@ -0,0 +1,19 @@ +id: GO-2024-2675 +modules: + - module: github.com/temporalio/ui-server/v2 + versions: + - fixed: 2.25.0 + vulnerable_at: 2.24.0 +summary: Temporal UI Server cross-site scripting vulnerability in github.com/temporalio/ui-server/v2 +cves: + - CVE-2024-2435 +ghsas: + - GHSA-8f25-w7qj-r7hc +references: + - advisory: https://github.com/advisories/GHSA-8f25-w7qj-r7hc + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-2435 + - web: https://github.com/temporalio/ui-server/releases/tag/v2.25.0 +source: + id: GHSA-8f25-w7qj-r7hc + created: 2024-05-17T16:14:23.676744-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2689.yaml b/data/reports/GO-2024-2689.yaml new file mode 100644 index 00000000..0e39f9ae --- /dev/null +++ b/data/reports/GO-2024-2689.yaml @@ -0,0 +1,26 @@ +id: GO-2024-2689 +modules: + - module: go.temporal.io/server + versions: + - fixed: 1.20.5 + - introduced: 1.21.0 + fixed: 1.21.6 + - introduced: 1.22.0-rc1 + fixed: 1.22.7 + vulnerable_at: 1.22.6 +summary: Temporal Server Denial of Service in go.temporal.io/server +cves: + - CVE-2024-2689 +ghsas: + - GHSA-wmxc-v39r-p9wf +references: + - advisory: https://github.com/advisories/GHSA-wmxc-v39r-p9wf + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-2689 + - web: https://github.com/temporalio/temporal/commit/2099dfd945accbf794404c3b8d990d109de19f06 + - web: https://github.com/temporalio/temporal/commit/679e3dc2ca8bd39e02c760f686cc8807f817bbfd + - web: https://github.com/temporalio/temporal/commit/f1fab97129f964dcca17d1f7c344f38666d1ee5f + - web: https://github.com/temporalio/temporal/releases +source: + id: GHSA-wmxc-v39r-p9wf + created: 2024-05-17T16:14:10.920801-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2690.yaml b/data/reports/GO-2024-2690.yaml new file mode 100644 index 00000000..0bd655fc --- /dev/null +++ b/data/reports/GO-2024-2690.yaml 
@@ -0,0 +1,21 @@ +id: GO-2024-2690 +modules: + - module: github.com/hashicorp/vault + versions: + - fixed: 1.16.0 + vulnerable_at: 1.16.0-rc3 +summary: HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault +cves: + - CVE-2024-2660 +ghsas: + - GHSA-j2rp-gmqv-frhv +unknown_aliases: + - BIT-vault-2024-2660 +references: + - advisory: https://github.com/advisories/GHSA-j2rp-gmqv-frhv + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-2660 + - web: https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573 +source: + id: GHSA-j2rp-gmqv-frhv + created: 2024-05-17T16:14:08.514546-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2692.yaml b/data/reports/GO-2024-2692.yaml new file mode 100644 index 00000000..4359dd26 --- /dev/null +++ b/data/reports/GO-2024-2692.yaml 
@@ -0,0 +1,30 @@ +id: GO-2024-2692 +modules: + - module: github.com/canonical/pebble + versions: + - fixed: 1.1.1 + - introduced: 1.2.0 + fixed: 1.4.2 + - introduced: 1.5.0 + fixed: 1.7.3 + - introduced: 1.8.0 + fixed: 1.10.2 + vulnerable_at: 1.10.1 +summary: Pebble service manager's file pull API allows access by any user in github.com/canonical/pebble +cves: + - CVE-2024-3250 +ghsas: + - GHSA-4685-2x5r-65pj +references: + - advisory: https://github.com/canonical/pebble/security/advisories/GHSA-4685-2x5r-65pj + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-3250 + - advisory: https://www.cve.org/CVERecord?id=CVE-2024-3250 + - fix: https://github.com/canonical/pebble/commit/4ca343d3889533143477e21c63867f2f3c3b5645 + - fix: https://github.com/canonical/pebble/commit/a5f6f062a11ea156697b854264385ff7e1985fd8 + - fix: https://github.com/canonical/pebble/commit/b8abd1ff0090f3e0749e81eb1fc3ea16ba95f514 + - fix: https://github.com/canonical/pebble/commit/cd326225b9b0be067da7d8858e2c912078cbbbd5 + - fix: https://github.com/canonical/pebble/pull/406 +source: + id: GHSA-4685-2x5r-65pj + created: 2024-05-17T16:14:05.567804-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2701.yaml b/data/reports/GO-2024-2701.yaml new file mode 100644 index 00000000..bc1c938b --- /dev/null +++ b/data/reports/GO-2024-2701.yaml 
@@ -0,0 +1,22 @@ +id: GO-2024-2701 +modules: + - module: github.com/stacklok/minder + versions: + - introduced: 0.0.39 + fixed: 0.0.40 + vulnerable_at: 0.0.39 +summary: Minder GetRepositoryByName data leak in github.com/stacklok/minder +cves: + - CVE-2024-31455 +ghsas: + - GHSA-ggp5-28x4-xcj9 +references: + - advisory: https://github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-31455 + - fix: https://github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4 + - fix: https://github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014b + - fix: https://github.com/stacklok/minder/pull/2941 +source: + id: GHSA-ggp5-28x4-xcj9 + created: 2024-05-17T16:13:47.983144-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2703.yaml b/data/reports/GO-2024-2703.yaml new file mode 100644 index 00000000..fdc2e7ff --- /dev/null +++ b/data/reports/GO-2024-2703.yaml @@ -0,0 +1,19 @@ +id: GO-2024-2703 +modules: + - module: github.com/kopia/kopia + versions: + - fixed: 0.16.0 + vulnerable_at: 0.15.0 +summary: |- + Kopia: Storage connection credentials written to console on "repository status" + CLI command with JSON output in github.com/kopia/kopia +ghsas: + - GHSA-j5vm-7qcc-2wwg +references: + - advisory: https://github.com/kopia/kopia/security/advisories/GHSA-j5vm-7qcc-2wwg + - fix: https://github.com/kopia/kopia/commit/1d6f852cd6534f4bea978cbdc85c583803d79f77 + - fix: https://github.com/kopia/kopia/pull/3589 +source: + id: GHSA-j5vm-7qcc-2wwg + created: 2024-05-17T16:13:46.760398-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2704.yaml b/data/reports/GO-2024-2704.yaml new file mode 100644 index 00000000..899d2562 --- /dev/null +++ b/data/reports/GO-2024-2704.yaml 
@@ -0,0 +1,24 @@ +id: GO-2024-2704 +modules: + - module: github.com/hashicorp/consul + versions: + - introduced: 1.16.0 + fixed: 1.16.1 + vulnerable_at: 1.16.0 +summary: |- + Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT + Providers in github.com/hashicorp/consul +cves: + - CVE-2023-3518 +ghsas: + - GHSA-9rhf-q362-77mx +unknown_aliases: + - BIT-consul-2023-3518 +references: + - advisory: https://github.com/advisories/GHSA-9rhf-q362-77mx + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-3518 + - web: https://discuss.hashicorp.com/t/hcsec-2023-25-consul-jwt-auth-in-l7-intentions-allow-for-mismatched-service-identity-and-jwt-providers/57004 +source: + id: GHSA-9rhf-q362-77mx + created: 2024-05-17T16:13:44.520242-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2716.yaml b/data/reports/GO-2024-2716.yaml new file mode 100644 index 00000000..8301c73e --- /dev/null +++ b/data/reports/GO-2024-2716.yaml @@ -0,0 +1,22 @@ +id: GO-2024-2716 +modules: + - module: github.com/authzed/spicedb + versions: + - fixed: 1.30.1 + vulnerable_at: 1.30.0 +summary: |- + SpiceDB: LookupSubjects may return partial results if a specific kind of + relation is used in github.com/authzed/spicedb +cves: + - CVE-2024-32001 +ghsas: + - GHSA-j85q-46hg-36p2 +references: + - advisory: https://github.com/authzed/spicedb/security/advisories/GHSA-j85q-46hg-36p2 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32001 + - fix: https://github.com/authzed/spicedb/commit/a244ed1edfaf2382711dccdb699971ec97190c7b + - web: https://github.com/authzed/spicedb/releases/tag/v1.30.1 +source: + id: GHSA-j85q-46hg-36p2 + created: 2024-05-17T16:13:26.196238-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2723.yaml b/data/reports/GO-2024-2723.yaml new file mode 100644 index 00000000..a8c875c9 --- /dev/null +++ b/data/reports/GO-2024-2723.yaml 
@@ -0,0 +1,23 @@ +id: GO-2024-2723 +modules: + - module: github.com/apache/solr-operator + versions: + - introduced: 0.3.0 + fixed: 0.8.1 + vulnerable_at: 0.8.0 +summary: |- + Apache Solr Operator liveness and readiness probes may leak basic auth + credentials in github.com/apache/solr-operator +cves: + - CVE-2024-31391 +ghsas: + - GHSA-g9qx-25vj-rf53 +references: + - advisory: https://github.com/advisories/GHSA-g9qx-25vj-rf53 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-31391 + - web: http://www.openwall.com/lists/oss-security/2024/04/12/7 + - web: https://lists.apache.org/thread/w7011s78lzywzwyszvy4d8zm99ybt8c7 +source: + id: GHSA-g9qx-25vj-rf53 + created: 2024-05-17T16:13:13.550401-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2727.yaml b/data/reports/GO-2024-2727.yaml new file mode 100644 index 00000000..7c5f5a31 --- /dev/null +++ b/data/reports/GO-2024-2727.yaml @@ -0,0 +1,16 @@ +id: GO-2024-2727 +modules: + - module: github.com/edgelesssys/constellation/v2 + versions: + - fixed: 2.16.3 + vulnerable_at: 2.16.2 +summary: Constallation has pods exposed to peers in VPC in github.com/edgelesssys/constellation/v2 +ghsas: + - GHSA-g8fc-vrcg-8vjg +references: + - advisory: https://github.com/edgelesssys/constellation/security/advisories/GHSA-g8fc-vrcg-8vjg + - web: https://github.com/cilium/cilium/issues/25626 +source: + id: GHSA-g8fc-vrcg-8vjg + created: 2024-05-17T16:13:11.122289-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2728.yaml b/data/reports/GO-2024-2728.yaml new file mode 100644 index 00000000..9277a7e8 --- /dev/null +++ b/data/reports/GO-2024-2728.yaml 
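Review bot: The summary of GO-2024-2727 misspells the product name as "Constallation"; since summaries are shown verbatim to database users, this should read `summary: Constellation has pods exposed to peers in VPC in github.com/edgelesssys/constellation/v2`. GO-2024-2747 has a similar summary defect (`Hugo Markdown titles do not escaped`), which reads correctly as `summary: Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo`. Both look inherited from the upstream advisory titles, so the generated text needs editing when these reports are reviewed.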
@@ -0,0 +1,28 @@ +id: GO-2024-2728 +modules: + - module: github.com/argoproj/argo-cd/v2 + versions: + - introduced: 2.4.0 + fixed: 2.8.16 + - introduced: 2.9.0 + fixed: 2.9.12 + - introduced: 2.10.0 + fixed: 2.10.7 + vulnerable_at: 2.10.6 +summary: Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd/v2 +cves: + - CVE-2024-31990 +ghsas: + - GHSA-2gvw-w6fj-7m3c +unknown_aliases: + - BIT-argo-cd-2024-31990 +references: + - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-31990 + - web: https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c + - web: https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5 + - web: https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17 +source: + id: GHSA-2gvw-w6fj-7m3c + created: 2024-05-17T16:13:08.904151-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2729.yaml b/data/reports/GO-2024-2729.yaml new file mode 100644 index 00000000..c2e3b59b --- /dev/null +++ b/data/reports/GO-2024-2729.yaml @@ -0,0 +1,20 @@ +id: GO-2024-2729 +modules: + - module: github.com/openfga/openfga + versions: + - introduced: 1.5.0 + fixed: 1.5.3 + vulnerable_at: 1.5.2 +summary: OpenFGA Authorization Bypass in github.com/openfga/openfga +cves: + - CVE-2024-31452 +ghsas: + - GHSA-8cph-m685-6v6r +references: + - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-31452 + - fix: https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2 +source: + id: GHSA-8cph-m685-6v6r + created: 2024-05-17T16:13:06.3276-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2741.yaml b/data/reports/GO-2024-2741.yaml new file mode 100644 index 00000000..cfedc425 --- /dev/null +++ b/data/reports/GO-2024-2741.yaml 
@@ -0,0 +1,19 @@ +id: GO-2024-2741 +modules: + - module: github.com/owncast/owncast + versions: + - fixed: 0.1.3 + vulnerable_at: 0.1.2 +summary: Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277) in github.com/owncast/owncast +cves: + - CVE-2024-31450 +references: + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-31450 + - fix: https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e + - web: https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63 + - web: https://github.com/owncast/owncast/releases/tag/v0.1.3 + - web: https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/ +source: + id: CVE-2024-31450 + created: 2024-05-17T16:12:46.896265-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2746.yaml b/data/reports/GO-2024-2746.yaml new file mode 100644 index 00000000..b37a68bb --- /dev/null +++ b/data/reports/GO-2024-2746.yaml 
@@ -0,0 +1,32 @@ +id: GO-2024-2746 +modules: + - module: k8s.io/kubernetes + versions: + - fixed: 1.27.13 + - introduced: 1.28.0 + fixed: 1.28.9 + - introduced: 1.29.0 + fixed: 1.29.4 + vulnerable_at: 1.29.3 +summary: |- + Kubernetes allows bypassing mountable secrets policy imposed by the + ServiceAccount admission plugin in k8s.io/kubernetes +cves: + - CVE-2024-3177 +ghsas: + - GHSA-pxhw-596r-rwq5 +references: + - advisory: https://github.com/advisories/GHSA-pxhw-596r-rwq5 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-3177 + - web: http://www.openwall.com/lists/oss-security/2024/04/16/4 + - web: https://github.com/kubernetes/kubernetes/commit/7c861b1ecad97e1ab9332c970c9294a72065111a + - web: https://github.com/kubernetes/kubernetes/commit/a619ca3fd3ee3c222d9df784622020de398076d2 + - web: https://github.com/kubernetes/kubernetes/commit/f9fb6cf52a769a599a45e700375115c2ecc86e9b + - web: https://github.com/kubernetes/kubernetes/issues/124336 + - web: https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL54MTLGMTBZZO5PYGEGEBERTMADC4WC +source: + id: GHSA-pxhw-596r-rwq5 + created: 2024-05-17T16:12:44.610818-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2747.yaml b/data/reports/GO-2024-2747.yaml new file mode 100644 index 00000000..63c7259b --- /dev/null +++ b/data/reports/GO-2024-2747.yaml 
@@ -0,0 +1,22 @@ +id: GO-2024-2747 +modules: + - module: github.com/gohugoio/hugo + versions: + - introduced: 0.123.0 + fixed: 0.125.3 + vulnerable_at: 0.125.2 +summary: Hugo Markdown titles do not escaped in internal render hooks in github.com/gohugoio/hugo +cves: + - CVE-2024-32875 +ghsas: + - GHSA-ppf8-hhpp-f5hj +references: + - advisory: https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32875 + - fix: https://github.com/gohugoio/hugo/commit/15a4b9b33715887001f6eff30721d41c0d4cfdd1 + - web: https://github.com/gohugoio/hugo/releases/tag/v0.125.3 + - web: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault +source: + id: GHSA-ppf8-hhpp-f5hj + created: 2024-05-17T16:12:42.192064-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2752.yaml b/data/reports/GO-2024-2752.yaml new file mode 100644 index 00000000..6c50a2fa --- /dev/null +++ b/data/reports/GO-2024-2752.yaml @@ -0,0 +1,24 @@ +id: GO-2024-2752 +modules: + - module: code.gitea.io/gitea + versions: + - fixed: 1.16.5 + vulnerable_at: 1.16.4 +summary: Gitea Open Redirect in code.gitea.io/gitea +cves: + - CVE-2022-1058 +ghsas: + - GHSA-4rqq-rxvc-v2rc +unknown_aliases: + - BIT-gitea-2022-1058 +references: + - advisory: https://github.com/advisories/GHSA-4rqq-rxvc-v2rc + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-1058 + - web: https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48 + - web: https://github.com/go-gitea/gitea/pull/19175 + - web: https://github.com/go-gitea/gitea/pull/19186 + - web: https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d +source: + id: GHSA-4rqq-rxvc-v2rc + created: 2024-05-17T16:12:33.556783-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2754.yaml b/data/reports/GO-2024-2754.yaml new file mode 100644 index 00000000..d575e008 --- /dev/null +++ b/data/reports/GO-2024-2754.yaml 
@@ -0,0 +1,29 @@ +id: GO-2024-2754 +modules: + - module: k8s.io/kubernetes + versions: + - fixed: 1.17.13 + - introduced: 1.18.0 + fixed: 1.18.10 + - introduced: 1.19.0 + fixed: 1.19.3 + vulnerable_at: 1.19.3-rc.0 +summary: Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes +cves: + - CVE-2020-8566 +ghsas: + - GHSA-5x96-j797-5qqw +references: + - advisory: https://github.com/advisories/GHSA-5x96-j797-5qqw + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-8566 + - web: https://bugzilla.redhat.com/show_bug.cgi?id=1886640 + - web: https://github.com/kubernetes/kubernetes/issues/95624 + - web: https://github.com/kubernetes/kubernetes/pull/95245 + - web: https://github.com/kubernetes/kubernetes/pull/95245/commits/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea + - web: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk + - web: https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ + - web: https://security.netapp.com/advisory/ntap-20210122-0006 +source: + id: GHSA-5x96-j797-5qqw + created: 2024-05-17T16:12:22.166508-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2756.yaml b/data/reports/GO-2024-2756.yaml new file mode 100644 index 00000000..e8626ec8 --- /dev/null +++ b/data/reports/GO-2024-2756.yaml @@ -0,0 +1,20 @@ +id: GO-2024-2756 +modules: + - module: kubevirt.io/kubevirt + versions: + - fixed: 0.30.0 + vulnerable_at: 0.30.0-rc.4 +summary: Privilege Escalation in kubevirt in kubevirt.io/kubevirt +cves: + - CVE-2020-14316 +ghsas: + - GHSA-828r-r2c8-rfw3 +references: + - advisory: https://github.com/advisories/GHSA-828r-r2c8-rfw3 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-14316 + - web: https://bugzilla.redhat.com/show_bug.cgi?id=1848951 + - web: https://github.com/kubevirt/kubevirt/pull/3686 +source: + id: GHSA-828r-r2c8-rfw3 + created: 2024-05-17T16:12:17.184908-04:00 +review_status: UNREVIEWED 
diff --git a/data/reports/GO-2024-2757.yaml b/data/reports/GO-2024-2757.yaml new file mode 100644 index 00000000..161ba72f --- /dev/null +++ b/data/reports/GO-2024-2757.yaml @@ -0,0 +1,22 @@ +id: GO-2024-2757 +modules: + - module: code.gitea.io/gitea + versions: + - introduced: 1.9.0 + fixed: 1.13.2 + vulnerable_at: 1.13.1 +summary: Buffer Overflow in gitea in code.gitea.io/gitea +cves: + - CVE-2021-3382 +ghsas: + - GHSA-9f8c-pfvv-p4gm +unknown_aliases: + - BIT-gitea-2021-3382 +references: + - advisory: https://github.com/advisories/GHSA-9f8c-pfvv-p4gm + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3382 + - web: https://github.com/go-gitea/gitea/pull/14390 +source: + id: GHSA-9f8c-pfvv-p4gm + created: 2024-05-17T16:12:14.05802-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2763.yaml b/data/reports/GO-2024-2763.yaml new file mode 100644 index 00000000..4c5d0725 --- /dev/null +++ b/data/reports/GO-2024-2763.yaml @@ -0,0 +1,23 @@ +id: GO-2024-2763 +modules: + - module: github.com/heketi/heketi + versions: + - fixed: 5.0.1+incompatible + vulnerable_at: 5.0.0+incompatible +summary: Heketi Arbitrary Code Execution in github.com/heketi/heketi +cves: + - CVE-2017-15103 +ghsas: + - GHSA-6g56-v9qg-jp92 +references: + - advisory: https://github.com/advisories/GHSA-6g56-v9qg-jp92 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2017-15103 + - fix: https://github.com/heketi/heketi/commit/787bae461b23003a4daa4d1d639016a754cf6b00 + - web: https://access.redhat.com/errata/RHSA-2017:3481 + - web: https://access.redhat.com/security/cve/CVE-2017-15103 + - web: https://bugzilla.redhat.com/show_bug.cgi?id=1510147 + - web: https://github.com/heketi/heketi/releases/tag/v5.0.1 +source: + id: GHSA-6g56-v9qg-jp92 + created: 2024-05-17T16:12:01.544224-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2765.yaml b/data/reports/GO-2024-2765.yaml new file mode 100644 index 00000000..c19f5b54 --- /dev/null +++ b/data/reports/GO-2024-2765.yaml 
@@ -0,0 +1,23 @@ +id: GO-2024-2765 +modules: + - module: kubevirt.io/kubevirt + versions: + - fixed: 0.26.0 + vulnerable_at: 0.26.0-rc.0 +summary: Permissions bypass in KubeVirt in kubevirt.io/kubevirt +cves: + - CVE-2020-1701 +ghsas: + - GHSA-849r-8wvp-4wwg +references: + - advisory: https://github.com/advisories/GHSA-849r-8wvp-4wwg + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-1701 + - web: https://bugzilla.redhat.com/show_bug.cgi?id=1792092 + - web: https://github.com/kubevirt/containerized-data-importer/pull/1098 + - web: https://github.com/kubevirt/kubevirt/commit/9efa8d7388d4fe1c698c6980aa7122c06bd141be + - web: https://github.com/kubevirt/kubevirt/issues/2967 + - web: https://github.com/kubevirt/kubevirt/pull/3001 +source: + id: GHSA-849r-8wvp-4wwg + created: 2024-05-17T16:11:56.381692-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2766.yaml b/data/reports/GO-2024-2766.yaml new file mode 100644 index 00000000..365b083a --- /dev/null +++ b/data/reports/GO-2024-2766.yaml 
@@ -0,0 +1,23 @@ +id: GO-2024-2766 +modules: + - module: github.com/containers/libpod/v2 + versions: + - fixed: 2.0.5 + vulnerable_at: 2.0.4 +summary: Information disclosure in podman in github.com/containers/libpod/v2 +cves: + - CVE-2020-14370 +ghsas: + - GHSA-c3wv-qmjj-45r6 +references: + - advisory: https://github.com/advisories/GHSA-c3wv-qmjj-45r6 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-14370 + - web: https://bugzilla.redhat.com/show_bug.cgi?id=1874268 + - web: https://github.com/containers/podman/commit/a7e864e6e7de894d4edde4fff00e53dc6a0b5074 + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6BPCZX4ASKNONL3MSCK564IVXNYSKLP + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y74V7HGQBNLT6XECCSNZNFZIB7G7XSAR + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z4Y2FSGQWP4AFT5AZ6UBN6RKHVXUBRFV +source: + id: GHSA-c3wv-qmjj-45r6 + created: 2024-05-17T16:11:53.682052-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2779.yaml b/data/reports/GO-2024-2779.yaml new file mode 100644 index 00000000..12864dd0 --- /dev/null +++ b/data/reports/GO-2024-2779.yaml @@ -0,0 +1,20 @@ +id: GO-2024-2779 +modules: + - module: github.com/ipfs/go-ipfs + versions: + - fixed: 0.7.0 + vulnerable_at: 0.7.0-rc2 +summary: Access Restriction Bypass in go-ipfs in github.com/ipfs/go-ipfs +cves: + - CVE-2020-10937 +ghsas: + - GHSA-r23h-3jmw-q7hr +references: + - advisory: https://github.com/advisories/GHSA-r23h-3jmw-q7hr + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-10937 + - web: https://blog.ipfs.io/2020-10-30-dht-hardening + - web: https://graz.pure.elsevier.com/en/publications/total-eclipse-of-the-heart-disrupting-the-interplanetary-file-sys +source: + id: GHSA-r23h-3jmw-q7hr + created: 2024-05-17T16:11:32.240595-04:00 +review_status: UNREVIEWED 
diff --git a/data/reports/GO-2024-2785.yaml b/data/reports/GO-2024-2785.yaml new file mode 100644 index 00000000..f98df157 --- /dev/null +++ b/data/reports/GO-2024-2785.yaml @@ -0,0 +1,23 @@ +id: GO-2024-2785 +modules: + - module: github.com/coredns/coredns + versions: + - fixed: 1.11.2 + vulnerable_at: 1.11.1 +summary: CoreDNS may return invalid cache entries in github.com/coredns/coredns +cves: + - CVE-2024-0874 +ghsas: + - GHSA-m9w6-wp3h-vq8g +references: + - advisory: https://github.com/advisories/GHSA-m9w6-wp3h-vq8g + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-0874 + - fix: https://github.com/coredns/coredns/commit/997c7f953962d47c242273f0e41398fdfb5b0151 + - fix: https://github.com/coredns/coredns/pull/6354 + - report: https://github.com/coredns/coredns/issues/6186 + - web: https://access.redhat.com/security/cve/CVE-2024-0874 + - web: https://bugzilla.redhat.com/show_bug.cgi?id=2219234 +source: + id: GHSA-m9w6-wp3h-vq8g + created: 2024-05-17T16:10:54.00605-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2791.yaml b/data/reports/GO-2024-2791.yaml new file mode 100644 index 00000000..1fb6a2ba --- /dev/null +++ b/data/reports/GO-2024-2791.yaml 
@@ -0,0 +1,26 @@ +id: GO-2024-2791 +modules: + - module: github.com/cri-o/cri-o + versions: + - fixed: 1.27.6 + - introduced: 1.28.0 + fixed: 1.28.6 + - introduced: 1.29.0 + fixed: 1.29.4 + vulnerable_at: 1.29.3 +summary: CRI-O vulnerable to an arbitrary systemd property injection in github.com/cri-o/cri-o +cves: + - CVE-2024-3154 +ghsas: + - GHSA-2cgq-h8xw-2v5j +references: + - advisory: https://github.com/cri-o/cri-o/security/advisories/GHSA-2cgq-h8xw-2v5j + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-3154 + - web: https://access.redhat.com/security/cve/CVE-2024-3154 + - web: https://bugzilla.redhat.com/show_bug.cgi?id=2272532 + - web: https://github.com/opencontainers/runc/pull/4217 + - web: https://github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-annotations-in-configjson +source: + id: GHSA-2cgq-h8xw-2v5j + created: 2024-05-17T16:10:42.126408-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2792.yaml b/data/reports/GO-2024-2792.yaml new file mode 100644 index 00000000..451a1ba4 --- /dev/null +++ b/data/reports/GO-2024-2792.yaml 
@@ -0,0 +1,27 @@ +id: GO-2024-2792 +modules: + - module: github.com/argoproj/argo-cd/v2 + versions: + - fixed: 2.8.17 + - introduced: 2.9.0 + fixed: 2.9.13 + - introduced: 2.10.0 + fixed: 2.10.8 + vulnerable_at: 2.10.7 +summary: |- + Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in + ignoreDifferences in github.com/argoproj/argo-cd/v2 +cves: + - CVE-2024-32476 +ghsas: + - GHSA-9m6p-x4h2-6frq +references: + - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-9m6p-x4h2-6frq + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32476 + - web: https://github.com/argoproj/argo-cd/commit/7893979a1e78d59cedd0ba790ded24e30bb40657 + - web: https://github.com/argoproj/argo-cd/commit/9e5cc5a26ff0920a01816231d59fdb5eae032b5a + - web: https://github.com/argoproj/argo-cd/commit/e2df7315fb7d96652186bf7435773a27be330cac +source: + id: GHSA-9m6p-x4h2-6frq + created: 2024-05-17T16:10:38.953722-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2803.yaml b/data/reports/GO-2024-2803.yaml new file mode 100644 index 00000000..524b417e --- /dev/null +++ b/data/reports/GO-2024-2803.yaml @@ -0,0 +1,18 @@ +id: GO-2024-2803 +modules: + - module: github.com/navidrome/navidrome + versions: + - fixed: 0.52.0 + vulnerable_at: 0.51.1 +summary: Navidrome Parameter Tampering vulnerability in github.com/navidrome/navidrome +cves: + - CVE-2024-32963 +ghsas: + - GHSA-4jrx-5w4h-3gpm +references: + - advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32963 +source: + id: GHSA-4jrx-5w4h-3gpm + created: 2024-05-17T16:10:05.196852-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2814.yaml b/data/reports/GO-2024-2814.yaml new file mode 100644 index 00000000..0caa6d94 --- /dev/null +++ b/data/reports/GO-2024-2814.yaml 
@@ -0,0 +1,19 @@
+id: GO-2024-2814
+modules:
+ - module: github.com/pterodactyl/wings
+ versions:
+ - fixed: 1.11.12
+ vulnerable_at: 1.11.11
+summary: Pterodactyl Wings vulnerable to Arbitrary File Write/Read in github.com/pterodactyl/wings
+cves:
+ - CVE-2024-34066
+ghsas:
+ - GHSA-gqmf-jqgv-v8fw
+references:
+ - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-34066
+ - fix: https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de
+source:
+ id: GHSA-gqmf-jqgv-v8fw
+ created: 2024-05-17T16:09:43.792794-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2836.yaml b/data/reports/GO-2024-2836.yaml
new file mode 100644
index 00000000..9886cc5d
--- /dev/null
+++ b/data/reports/GO-2024-2836.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2836
+modules:
+ - module: github.com/cea-hpc/sshproxy
+ versions:
+ - fixed: 1.6.3
+ vulnerable_at: 1.6.2
+summary: sshproxy vulnerable to SSH option injection in github.com/cea-hpc/sshproxy
+cves:
+ - CVE-2024-34713
+ghsas:
+ - GHSA-jmqp-37m5-49wh
+references:
+ - advisory: https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-34713
+ - fix: https://github.com/cea-hpc/sshproxy/commit/3b8bccc874dc4ca2c80c956cad65722abb46f0b9
+ - fix: https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580
+source:
+ id: GHSA-jmqp-37m5-49wh
+ created: 2024-05-17T16:09:33.514363-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2846.yaml b/data/reports/GO-2024-2846.yaml
new file mode 100644
index 00000000..60cf2333
--- /dev/null
+++ b/data/reports/GO-2024-2846.yaml
@@ -0,0 +1,17 @@
+id: GO-2024-2846
+modules:
+ - module: github.com/containerd/containerd
+ versions:
+ - fixed: 1.5.11
+ - introduced: 1.6.0
+ fixed: 1.6.2
+ vulnerable_at: 1.6.1
+summary: containerd started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd
+ghsas:
+ - GHSA-c9cp-9c75-9v8c
+references:
+ - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
+source:
+ id: GHSA-c9cp-9c75-9v8c
+ created: 2024-05-17T16:09:26.822128-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2853.yaml b/data/reports/GO-2024-2853.yaml
new file mode 100644
index 00000000..d9662f7b
--- /dev/null
+++ b/data/reports/GO-2024-2853.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2853
+modules:
+ - module: github.com/tg123/sshpiper
+ versions:
+ - introduced: 1.0.50
+ fixed: 1.3.0
+ vulnerable_at: 1.2.8
+summary: |-
+ sshpiper's enabling of proxy protocol without proper feature flagging allows
+ faking source address in github.com/tg123/sshpiper
+cves:
+ - CVE-2024-35175
+ghsas:
+ - GHSA-4w53-6jvp-gg52
+references:
+ - advisory: https://github.com/tg123/sshpiper/security/advisories/GHSA-4w53-6jvp-gg52
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-35175
+ - fix: https://github.com/tg123/sshpiper/commit/2ddd69876a1e1119059debc59fe869cb4e754430
+ - fix: https://github.com/tg123/sshpiper/commit/70fb830dca26bea7ced772ce5d834a3e88ae7f53
+source:
+ id: GHSA-4w53-6jvp-gg52
+ created: 2024-05-17T16:09:07.811118-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2859.yaml b/data/reports/GO-2024-2859.yaml
new file mode 100644
index 00000000..443870fc
--- /dev/null
+++ b/data/reports/GO-2024-2859.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2859
+modules:
+ - module: github.com/fluxcd/source-controller
+ versions:
+ - fixed: 1.2.5
+ vulnerable_at: 1.2.4
+summary: source-controller leaks Azure Storage SAS token into logs in github.com/fluxcd/source-controller
+cves:
+ - CVE-2024-31216
+ghsas:
+ - GHSA-v554-xwgw-hc3w
+references:
+ - advisory: https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-31216
+ - fix: https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9
+ - fix: https://github.com/fluxcd/source-controller/pull/1430
+source:
+ id: GHSA-v554-xwgw-hc3w
+ created: 2024-05-17T16:08:47.429447-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2860.yaml b/data/reports/GO-2024-2860.yaml
new file mode 100644
index 00000000..94eec259
--- /dev/null
+++ b/data/reports/GO-2024-2860.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-2860
+modules:
+ - module: github.com/goreleaser/goreleaser
+ versions:
+ - introduced: 1.26.0
+ fixed: 1.26.1
+ vulnerable_at: 1.26.0
+summary: goreleaser shows environment by default in github.com/goreleaser/goreleaser
+ghsas:
+ - GHSA-f6mm-5fc7-3g3c
+references:
+ - advisory: https://github.com/goreleaser/goreleaser/security/advisories/GHSA-f6mm-5fc7-3g3c
+ - fix: https://github.com/goreleaser/goreleaser/commit/22f734e41f7a5111a031a3a4eb714c1b6aa6456b
+ - fix: https://github.com/goreleaser/goreleaser/pull/4787
+source:
+ id: GHSA-f6mm-5fc7-3g3c
+ created: 2024-05-17T16:08:46.141932-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2861.yaml b/data/reports/GO-2024-2861.yaml
new file mode 100644
index 00000000..3948cb5e
--- /dev/null
+++ b/data/reports/GO-2024-2861.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-2861
+modules:
+ - module: sigs.k8s.io/azurefile-csi-driver
+ versions:
+ - fixed: 1.29.4
+ - introduced: 1.30.0
+ fixed: 1.30.1
+ vulnerable_at: 1.30.0
+summary: azure-file-csi-driver leaks service account tokens in the logs in sigs.k8s.io/azurefile-csi-driver
+cves:
+ - CVE-2024-3744
+ghsas:
+ - GHSA-qjqg-4wg7-957h
+references:
+ - advisory: https://github.com/advisories/GHSA-qjqg-4wg7-957h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-3744
+ - web: https://github.com/kubernetes-sigs/azurefile-csi-driver/commit/a1b7446de942136419f07394efeef804523f87ae
+ - web: https://github.com/kubernetes-sigs/azurefile-csi-driver/commit/e11ff3dc2c03894cde692213308f9991e7bbd5bf
+ - web: https://github.com/kubernetes/kubernetes/issues/124759
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/hcgZE2MQo1A/m/Y4C6q-CYAgAJ
+source:
+ id: GHSA-qjqg-4wg7-957h
+ created: 2024-05-17T16:08:44.342946-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2863.yaml b/data/reports/GO-2024-2863.yaml
new file mode 100644
index 00000000..9100d307
--- /dev/null
+++ b/data/reports/GO-2024-2863.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2863
+modules:
+ - module: github.com/wolfi-dev/wolfictl
+ versions:
+ - fixed: 0.16.10
+ vulnerable_at: 0.16.9
+summary: wolfictl leaks GitHub tokens to remote non-GitHub git servers in github.com/wolfi-dev/wolfictl
+cves:
+ - CVE-2024-35183
+ghsas:
+ - GHSA-8fg7-hp93-qhvr
+references:
+ - advisory: https://github.com/wolfi-dev/wolfictl/security/advisories/GHSA-8fg7-hp93-qhvr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-35183
+ - fix: https://github.com/wolfi-dev/wolfictl/commit/0d06e1578300327c212dda26a5ab31d09352b9d0
+ - fix: https://github.com/wolfi-dev/wolfictl/commit/403e93569f46766b4e26e06cf9cd0cae5ee0c2a2
+ - web: https://github.com/wolfi-dev/wolfictl/blob/488b53823350caa706de3f01ec0eded9350c7da7/pkg/update/update.go#L143
+ - web: https://github.com/wolfi-dev/wolfictl/blob/4dd6c95abb4bc0f9306350a8601057bd7a92bded/pkg/update/deps/cleanup.go#L49
+ - web: https://github.com/wolfi-dev/wolfictl/blob/6d99909f7b1aa23f732d84dad054b02a61f530e6/pkg/git/git.go#L22
+source:
+ id: GHSA-8fg7-hp93-qhvr
+ created: 2024-05-17T16:08:41.113015-04:00
+review_status: UNREVIEWED