data/excluded,data/reports: review 2 reports, add GO-2024-2983

- data/excluded/GO-2024-2983.yaml - data/reports/GO-2024-2747.yaml - data/reports/GO-2024-2900.yaml Fixes #2983 Fixes #2747 Fixes #2900 Change-Id: I5780e4654faa189cb5fe052f6a5d203ac35d75db Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/598592 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
golang · Jul 19, 2024 · bb794fc · bb794fc
1 parent dd7900b
commit bb794fc
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 33 deletions.
diff --git a/data/excluded/GO-2024-2983.yaml b/data/excluded/GO-2024-2983.yaml
@@ -0,0 +1,6 @@
+id: GO-2024-2983
+excluded: DEPENDENT_VULNERABILITY
+modules:
+    - module: github.com/zitadel/zitadel-go/v3
+ghsas:
+    - GHSA-qc6v-5g5m-8cw2
diff --git a/data/osv/GO-2024-2747.json b/data/osv/GO-2024-2747.json
@@ -7,8 +7,8 @@
     "CVE-2024-32875",
     "GHSA-ppf8-hhpp-f5hj"
   ],
-  "summary": "Hugo Markdown titles do not escaped in internal render hooks in github.com/gohugoio/hugo",
-  "details": "Hugo Markdown titles do not escaped in internal render hooks in github.com/gohugoio/hugo",
+  "summary": "Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo",
+  "details": "Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo",
   "affected": [
     {
       "package": {
@@ -28,18 +28,20 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/gohugoio/hugo/hugolib"
+          }
+        ]
+      }
     }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj"
     },
-    {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32875"
-    },
     {
       "type": "FIX",
       "url": "https://github.com/gohugoio/hugo/commit/15a4b9b33715887001f6eff30721d41c0d4cfdd1"
@@ -55,6 +57,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-2747",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/osv/GO-2024-2900.json b/data/osv/GO-2024-2900.json
@@ -8,7 +8,7 @@
     "GHSA-c74f-6mfw-mm4v"
   ],
   "summary": "Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC in go.opentelemetry.io/collector/config/configgrpc",
-  "details": "Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC in go.opentelemetry.io/collector/config/configgrpc",
+  "details": "An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption.",
   "affected": [
     {
       "package": {
@@ -28,7 +28,17 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "go.opentelemetry.io/collector/config/configgrpc",
+            "symbols": [
+              "ClientConfig.ToClientConn",
+              "getGRPCCompressionName"
+            ]
+          }
+        ]
+      }
     },
     {
       "package": {
@@ -48,7 +58,19 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "go.opentelemetry.io/collector/config/confighttp",
+            "symbols": [
+              "ServerConfig.ToServer",
+              "clientInfoHandler.ServeHTTP",
+              "decompressor.ServeHTTP",
+              "httpContentDecompressor"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
@@ -57,15 +79,11 @@
       "url": "https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v"
     },
     {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36129"
-    },
-    {
-      "type": "WEB",
+      "type": "FIX",
       "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10289"
     },
     {
-      "type": "WEB",
+      "type": "FIX",
       "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10323"
     },
     {
@@ -75,6 +93,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-2900",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-2747.yaml b/data/reports/GO-2024-2747.yaml
@@ -3,20 +3,21 @@ modules:
     - module: github.com/gohugoio/hugo
       versions:
         - introduced: 0.123.0
-          fixed: 0.125.3
+        - fixed: 0.125.3
       vulnerable_at: 0.125.2
-summary: Hugo Markdown titles do not escaped in internal render hooks in github.com/gohugoio/hugo
+      packages:
+        - package: github.com/gohugoio/hugo/hugolib
+summary: Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo
 cves:
     - CVE-2024-32875
 ghsas:
     - GHSA-ppf8-hhpp-f5hj
 references:
     - advisory: https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj
-    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32875
     - fix: https://github.com/gohugoio/hugo/commit/15a4b9b33715887001f6eff30721d41c0d4cfdd1
     - web: https://github.com/gohugoio/hugo/releases/tag/v0.125.3
     - web: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
 source:
     id: GHSA-ppf8-hhpp-f5hj
-    created: 2024-05-17T16:12:42.192064-04:00
-review_status: UNREVIEWED
+    created: 2024-07-16T11:10:41.124714-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-2900.yaml b/data/reports/GO-2024-2900.yaml
@@ -4,26 +4,40 @@ modules:
       versions:
         - fixed: 0.102.1
       vulnerable_at: 0.102.0
+      packages:
+        - package: go.opentelemetry.io/collector/config/configgrpc
+          symbols:
+            - getGRPCCompressionName
+          derived_symbols:
+            - ClientConfig.ToClientConn
     - module: go.opentelemetry.io/collector/config/confighttp
       versions:
         - fixed: 0.102.0
       vulnerable_at: 0.101.0
-summary: Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC in go.opentelemetry.io/collector/config/configgrpc
+      packages:
+        - package: go.opentelemetry.io/collector/config/confighttp
+          symbols:
+            - httpContentDecompressor
+            - decompressor.ServeHTTP
+            - ServerConfig.ToServer
+          derived_symbols:
+            - clientInfoHandler.ServeHTTP
+summary: |-
+    Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC in
+    go.opentelemetry.io/collector/config/configgrpc
+description: |-
+    An unsafe decompression vulnerability allows unauthenticated attackers to crash
+    the collector via excessive memory consumption.
 cves:
     - CVE-2024-36129
 ghsas:
     - GHSA-c74f-6mfw-mm4v
-unknown_aliases:
-    - CGA-6j3r-jg3v-43qf
-    - CGA-c8pv-52m7-2mhm
-    - CGA-f48r-hvmp-wx9g
 references:
     - advisory: https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
-    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36129
-    - web: https://github.com/open-telemetry/opentelemetry-collector/pull/10289
-    - web: https://github.com/open-telemetry/opentelemetry-collector/pull/10323
+    - fix: https://github.com/open-telemetry/opentelemetry-collector/pull/10289
+    - fix: https://github.com/open-telemetry/opentelemetry-collector/pull/10323
     - web: https://opentelemetry.io/blog/2024/cve-2024-36129
 source:
     id: GHSA-c74f-6mfw-mm4v
-    created: 2024-06-26T14:08:43.597373-04:00
-review_status: UNREVIEWED
+    created: 2024-07-16T10:53:58.646682-04:00
+review_status: REVIEWED