From bcdceff87f16e0e6f7e912f1b441b3a50bef2576 Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley Date: Tue, 20 Aug 2024 15:32:36 -0400 Subject: [PATCH] data/reports: unexclude 20 reports (27) - data/reports/GO-2022-0922.yaml - data/reports/GO-2022-0923.yaml - data/reports/GO-2022-0924.yaml - data/reports/GO-2022-0925.yaml - data/reports/GO-2022-0928.yaml - data/reports/GO-2022-0929.yaml - data/reports/GO-2022-0933.yaml - data/reports/GO-2022-0936.yaml - data/reports/GO-2022-0937.yaml - data/reports/GO-2022-0938.yaml - data/reports/GO-2022-0939.yaml - data/reports/GO-2022-0953.yaml - data/reports/GO-2022-0959.yaml - data/reports/GO-2022-0960.yaml - data/reports/GO-2022-0964.yaml - data/reports/GO-2022-0970.yaml - data/reports/GO-2022-0971.yaml - data/reports/GO-2022-0981.yaml - data/reports/GO-2022-0982.yaml - data/reports/GO-2022-0983.yaml Updates golang/vulndb#922 Updates golang/vulndb#923 Updates golang/vulndb#924 Updates golang/vulndb#925 Updates golang/vulndb#928 Updates golang/vulndb#929 Updates golang/vulndb#933 Updates golang/vulndb#936 Updates golang/vulndb#937 Updates golang/vulndb#938 Updates golang/vulndb#939 Updates golang/vulndb#953 Updates golang/vulndb#959 Updates golang/vulndb#960 Updates golang/vulndb#964 Updates golang/vulndb#970 Updates golang/vulndb#971 Updates golang/vulndb#981 Updates golang/vulndb#982 Updates golang/vulndb#983 Change-Id: I2c7e7a823ba3bf18dab1234a40c08ac4825903f6 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607229 LUCI-TryBot-Result: Go LUCI Auto-Submit: Tatiana Bradley Commit-Queue: Tatiana Bradley Reviewed-by: Damien Neil --- data/excluded/GO-2022-0922.yaml | 8 --- data/excluded/GO-2022-0923.yaml | 8 --- data/excluded/GO-2022-0924.yaml | 8 --- data/excluded/GO-2022-0925.yaml | 8 --- data/excluded/GO-2022-0928.yaml | 8 --- data/excluded/GO-2022-0929.yaml | 8 --- data/excluded/GO-2022-0933.yaml | 11 ---- data/excluded/GO-2022-0936.yaml | 8 --- data/excluded/GO-2022-0937.yaml | 8 --- data/excluded/GO-2022-0938.yaml | 8 --- data/excluded/GO-2022-0939.yaml | 8 --- 
data/excluded/GO-2022-0953.yaml | 8 --- data/excluded/GO-2022-0959.yaml | 6 -- data/excluded/GO-2022-0960.yaml | 8 --- data/excluded/GO-2022-0964.yaml | 8 --- data/excluded/GO-2022-0970.yaml | 8 --- data/excluded/GO-2022-0971.yaml | 8 --- data/excluded/GO-2022-0981.yaml | 8 --- data/excluded/GO-2022-0982.yaml | 8 --- data/excluded/GO-2022-0983.yaml | 8 --- data/osv/GO-2022-0922.json | 90 ++++++++++++++++++++++++++++++ data/osv/GO-2022-0923.json | 73 ++++++++++++++++++++++++ data/osv/GO-2022-0924.json | 64 +++++++++++++++++++++ data/osv/GO-2022-0925.json | 60 ++++++++++++++++++++ data/osv/GO-2022-0928.json | 98 +++++++++++++++++++++++++++++++++ data/osv/GO-2022-0929.json | 60 ++++++++++++++++++++ data/osv/GO-2022-0933.json | 56 +++++++++++++++++++ data/osv/GO-2022-0936.json | 52 +++++++++++++++++ data/osv/GO-2022-0937.json | 52 +++++++++++++++++ data/osv/GO-2022-0938.json | 94 +++++++++++++++++++++++++++++++ data/osv/GO-2022-0939.json | 56 +++++++++++++++++++ data/osv/GO-2022-0953.json | 76 +++++++++++++++++++++++++ data/osv/GO-2022-0959.json | 67 ++++++++++++++++++++++ data/osv/GO-2022-0960.json | 52 +++++++++++++++++ data/osv/GO-2022-0964.json | 69 +++++++++++++++++++++++ data/osv/GO-2022-0970.json | 56 +++++++++++++++++++ data/osv/GO-2022-0971.json | 56 +++++++++++++++++++ data/osv/GO-2022-0981.json | 56 +++++++++++++++++++ data/osv/GO-2022-0982.json | 56 +++++++++++++++++++ data/osv/GO-2022-0983.json | 64 +++++++++++++++++++++ data/reports/GO-2022-0922.yaml | 31 +++++++++++ data/reports/GO-2022-0923.yaml | 25 +++++++++ data/reports/GO-2022-0924.yaml | 23 ++++++++ data/reports/GO-2022-0925.yaml | 22 ++++++++ data/reports/GO-2022-0928.yaml | 28 ++++++++++ data/reports/GO-2022-0929.yaml | 22 ++++++++ data/reports/GO-2022-0933.yaml | 21 +++++++ data/reports/GO-2022-0936.yaml | 20 +++++++ data/reports/GO-2022-0937.yaml | 20 +++++++ data/reports/GO-2022-0938.yaml | 31 +++++++++++ data/reports/GO-2022-0939.yaml | 23 ++++++++ data/reports/GO-2022-0953.yaml | 28 
++++++++++ data/reports/GO-2022-0959.yaml | 25 +++++++++ data/reports/GO-2022-0960.yaml | 21 +++++++ data/reports/GO-2022-0964.yaml | 23 ++++++++ data/reports/GO-2022-0970.yaml | 21 +++++++ data/reports/GO-2022-0971.yaml | 21 +++++++ data/reports/GO-2022-0981.yaml | 22 ++++++++ data/reports/GO-2022-0982.yaml | 21 +++++++ data/reports/GO-2022-0983.yaml | 23 ++++++++ 60 files changed, 1778 insertions(+), 161 deletions(-) delete mode 100644 data/excluded/GO-2022-0922.yaml delete mode 100644 data/excluded/GO-2022-0923.yaml delete mode 100644 data/excluded/GO-2022-0924.yaml delete mode 100644 data/excluded/GO-2022-0925.yaml delete mode 100644 data/excluded/GO-2022-0928.yaml delete mode 100644 data/excluded/GO-2022-0929.yaml delete mode 100644 data/excluded/GO-2022-0933.yaml delete mode 100644 data/excluded/GO-2022-0936.yaml delete mode 100644 data/excluded/GO-2022-0937.yaml delete mode 100644 data/excluded/GO-2022-0938.yaml delete mode 100644 data/excluded/GO-2022-0939.yaml delete mode 100644 data/excluded/GO-2022-0953.yaml delete mode 100644 data/excluded/GO-2022-0959.yaml delete mode 100644 data/excluded/GO-2022-0960.yaml delete mode 100644 data/excluded/GO-2022-0964.yaml delete mode 100644 data/excluded/GO-2022-0970.yaml delete mode 100644 data/excluded/GO-2022-0971.yaml delete mode 100644 data/excluded/GO-2022-0981.yaml delete mode 100644 data/excluded/GO-2022-0982.yaml delete mode 100644 data/excluded/GO-2022-0983.yaml create mode 100644 data/osv/GO-2022-0922.json create mode 100644 data/osv/GO-2022-0923.json create mode 100644 data/osv/GO-2022-0924.json create mode 100644 data/osv/GO-2022-0925.json create mode 100644 data/osv/GO-2022-0928.json create mode 100644 data/osv/GO-2022-0929.json create mode 100644 data/osv/GO-2022-0933.json create mode 100644 data/osv/GO-2022-0936.json create mode 100644 data/osv/GO-2022-0937.json create mode 100644 data/osv/GO-2022-0938.json create mode 100644 data/osv/GO-2022-0939.json create mode 100644 data/osv/GO-2022-0953.json 
 create mode 100644 data/osv/GO-2022-0959.json
 create mode 100644 data/osv/GO-2022-0960.json
 create mode 100644 data/osv/GO-2022-0964.json
 create mode 100644 data/osv/GO-2022-0970.json
 create mode 100644 data/osv/GO-2022-0971.json
 create mode 100644 data/osv/GO-2022-0981.json
 create mode 100644 data/osv/GO-2022-0982.json
 create mode 100644 data/osv/GO-2022-0983.json
 create mode 100644 data/reports/GO-2022-0922.yaml
 create mode 100644 data/reports/GO-2022-0923.yaml
 create mode 100644 data/reports/GO-2022-0924.yaml
 create mode 100644 data/reports/GO-2022-0925.yaml
 create mode 100644 data/reports/GO-2022-0928.yaml
 create mode 100644 data/reports/GO-2022-0929.yaml
 create mode 100644 data/reports/GO-2022-0933.yaml
 create mode 100644 data/reports/GO-2022-0936.yaml
 create mode 100644 data/reports/GO-2022-0937.yaml
 create mode 100644 data/reports/GO-2022-0938.yaml
 create mode 100644 data/reports/GO-2022-0939.yaml
 create mode 100644 data/reports/GO-2022-0953.yaml
 create mode 100644 data/reports/GO-2022-0959.yaml
 create mode 100644 data/reports/GO-2022-0960.yaml
 create mode 100644 data/reports/GO-2022-0964.yaml
 create mode 100644 data/reports/GO-2022-0970.yaml
 create mode 100644 data/reports/GO-2022-0971.yaml
 create mode 100644 data/reports/GO-2022-0981.yaml
 create mode 100644 data/reports/GO-2022-0982.yaml
 create mode 100644 data/reports/GO-2022-0983.yaml
diff --git a/data/excluded/GO-2022-0922.yaml b/data/excluded/GO-2022-0922.yaml
deleted file mode 100644
index 682147b1f..000000000
--- a/data/excluded/GO-2022-0922.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0922
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/projectcontour/contour
-cves:
- - CVE-2021-32783
-ghsas:
- - GHSA-5ph6-qq5x-7jwc
diff --git a/data/excluded/GO-2022-0923.yaml b/data/excluded/GO-2022-0923.yaml
deleted file mode 100644
index 0a37771b8..000000000
--- a/data/excluded/GO-2022-0923.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0923
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/traefik/traefik
-cves:
- - CVE-2021-32813
-ghsas:
- - GHSA-m697-4v8f-55qg
diff --git a/data/excluded/GO-2022-0924.yaml b/data/excluded/GO-2022-0924.yaml
deleted file mode 100644
index f16654fdc..000000000
--- a/data/excluded/GO-2022-0924.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0924
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/dutchcoders/transfer.sh
-cves:
- - CVE-2021-33496
-ghsas:
- - GHSA-w3jx-wv97-67ph
diff --git a/data/excluded/GO-2022-0925.yaml b/data/excluded/GO-2022-0925.yaml
deleted file mode 100644
index 5f508ebb8..000000000
--- a/data/excluded/GO-2022-0925.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0925
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/dutchcoders/transfer.sh
-cves:
- - CVE-2021-33497
-ghsas:
- - GHSA-cf55-rq8x-hm6f
diff --git a/data/excluded/GO-2022-0928.yaml b/data/excluded/GO-2022-0928.yaml
deleted file mode 100644
index d93ce568c..000000000
--- a/data/excluded/GO-2022-0928.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0928
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/argoproj/argo-workflows/v3
-cves:
- - CVE-2021-37914
-ghsas:
- - GHSA-h563-xh25-x54q
diff --git a/data/excluded/GO-2022-0929.yaml b/data/excluded/GO-2022-0929.yaml
deleted file mode 100644
index 6a78569fb..000000000
--- a/data/excluded/GO-2022-0929.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0929
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/gen2brain/go-unarr
-cves:
- - CVE-2021-38197
-ghsas:
- - GHSA-v9j4-cp63-qv62
diff --git a/data/excluded/GO-2022-0933.yaml b/data/excluded/GO-2022-0933.yaml
deleted file mode 100644
index ead55f163..000000000
--- a/data/excluded/GO-2022-0933.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-id: GO-2022-0933
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/pomerium/pomerium
-cves:
- - CVE-2021-39162
-ghsas:
- - GHSA-gjcg-vrxg-xmgv
-related:
- - CVE-2021-32780
- - GHSA-j374-mjrw-vvp8
diff --git a/data/excluded/GO-2022-0936.yaml b/data/excluded/GO-2022-0936.yaml
deleted file mode 100644
index 16e503946..000000000
--- a/data/excluded/GO-2022-0936.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0936
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/in-toto/in-toto-golang
-cves:
- - CVE-2021-41087
-ghsas:
- - GHSA-vrxp-mg9f-hwf3
diff --git a/data/excluded/GO-2022-0937.yaml b/data/excluded/GO-2022-0937.yaml
deleted file mode 100644
index 86edfe34c..000000000
--- a/data/excluded/GO-2022-0937.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0937
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/elves/elvish
-cves:
- - CVE-2021-41088
-ghsas:
- - GHSA-fpv6-f8jw-rc3r
diff --git a/data/excluded/GO-2022-0938.yaml b/data/excluded/GO-2022-0938.yaml
deleted file mode 100644
index 7ec1f1614..000000000
--- a/data/excluded/GO-2022-0938.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0938
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/containerd/containerd
-cves:
- - CVE-2021-41103
-ghsas:
- - GHSA-c2h3-6mxw-7mvq
diff --git a/data/excluded/GO-2022-0939.yaml b/data/excluded/GO-2022-0939.yaml
deleted file mode 100644
index 295e87381..000000000
--- a/data/excluded/GO-2022-0939.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0939
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/stevenweathers/thunderdome-planning-poker
-cves:
- - CVE-2021-41232
-ghsas:
- - GHSA-26cm-qrc6-mfgj
diff --git a/data/excluded/GO-2022-0953.yaml b/data/excluded/GO-2022-0953.yaml
deleted file mode 100644
index fbe664f03..000000000
--- a/data/excluded/GO-2022-0953.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0953
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/hashicorp/consul
-cves:
- - CVE-2022-24687
-ghsas:
- - GHSA-hj93-5fg3-3chr
diff --git a/data/excluded/GO-2022-0959.yaml b/data/excluded/GO-2022-0959.yaml
deleted file mode 100644
index 8e762ff79..000000000
--- a/data/excluded/GO-2022-0959.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2022-0959
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cilium/cilium
-ghsas:
- - GHSA-pfhr-pccp-hwmh
diff --git a/data/excluded/GO-2022-0960.yaml b/data/excluded/GO-2022-0960.yaml
deleted file mode 100644
index e8506458c..000000000
--- a/data/excluded/GO-2022-0960.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0960
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/fluxcd/flux2
-cves:
- - CVE-2022-36035
-ghsas:
- - GHSA-xwf3-6rgv-939r
diff --git a/data/excluded/GO-2022-0964.yaml b/data/excluded/GO-2022-0964.yaml
deleted file mode 100644
index b573e9595..000000000
--- a/data/excluded/GO-2022-0964.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0964
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/drakkan/sftpgo
-cves:
- - CVE-2022-36071
-ghsas:
- - GHSA-54qx-8p8w-xhg8
diff --git a/data/excluded/GO-2022-0970.yaml b/data/excluded/GO-2022-0970.yaml
deleted file mode 100644
index 738cfc887..000000000
--- a/data/excluded/GO-2022-0970.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0970
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/ElrondNetwork/elrond-go
-cves:
- - CVE-2022-36058
-ghsas:
- - GHSA-qf7j-25g9-r63f
diff --git a/data/excluded/GO-2022-0971.yaml b/data/excluded/GO-2022-0971.yaml
deleted file mode 100644
index ca62ed79d..000000000
--- a/data/excluded/GO-2022-0971.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0971
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/ElrondNetwork/elrond-go
-cves:
- - CVE-2022-36061
-ghsas:
- - GHSA-mv8x-668m-53fg
diff --git a/data/excluded/GO-2022-0981.yaml b/data/excluded/GO-2022-0981.yaml
deleted file mode 100644
index fe5e5886d..000000000
--- a/data/excluded/GO-2022-0981.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0981
-excluded: NOT_IMPORTABLE
-modules:
- - module: go.pinniped.dev
-cves:
- - CVE-2022-31677
-ghsas:
- - GHSA-rp4v-hhm6-rcv9
diff --git a/data/excluded/GO-2022-0982.yaml b/data/excluded/GO-2022-0982.yaml
deleted file mode 100644
index d067ab3f9..000000000
--- a/data/excluded/GO-2022-0982.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0982
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: code.gitea.io/gitea
-cves:
- - CVE-2021-45330
-ghsas:
- - GHSA-pg38-r834-g45j
diff --git a/data/excluded/GO-2022-0983.yaml b/data/excluded/GO-2022-0983.yaml
deleted file mode 100644
index 47297c28d..000000000
--- a/data/excluded/GO-2022-0983.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0983
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: k8s.io/kubernetes
-cves:
- - CVE-2021-25743
-ghsas:
- - GHSA-f9jg-8p32-2f55
diff --git a/data/osv/GO-2022-0922.json b/data/osv/GO-2022-0922.json
new file mode 100644
index 000000000..d4c273060
--- /dev/null
+++ b/data/osv/GO-2022-0922.json
@@ -0,0 +1,90 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0922", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-32783", + "GHSA-5ph6-qq5x-7jwc" + ], + "summary": "ExternalName Services can be used to gain access to Envoy's admin interface in github.com/projectcontour/contour", + "details": "ExternalName Services can be used to gain access to Envoy's admin interface in github.com/projectcontour/contour", + "affected": [ + { + "package": { + "name": "github.com/projectcontour/contour", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.14.2" + }, + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.2" + }, + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.1" + }, + { + "introduced": "1.17.0" + }, + { + "fixed": "1.17.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32783" + }, + { + "type": "FIX", + "url": "https://github.com/projectcontour/contour/commit/5f3e6d0ab1d48e64bae46400c85c490b200393a3" + }, + { + "type": "FIX", + "url": "https://github.com/projectcontour/contour/commit/b53a5c4fd927f4ea2c6cf02f1359d8e28bef852e" + }, + { + "type": "WEB", + "url": "https://github.com/projectcontour/contour/releases/tag/v1.14.2" + }, + { + "type": "WEB", + "url": "https://github.com/projectcontour/contour/releases/tag/v1.15.2" + }, + { + "type": "WEB", + "url": "https://github.com/projectcontour/contour/releases/tag/v1.16.1" + }, + { + "type": "WEB", + "url": "https://github.com/projectcontour/contour/releases/tag/v1.17.1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0922", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2022-0923.json b/data/osv/GO-2022-0923.json new file mode 100644 index 000000000..8ecc80c65 --- /dev/null +++ b/data/osv/GO-2022-0923.json @@ -0,0 +1,73 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0923", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-32813", + "GHSA-m697-4v8f-55qg" + ], + "summary": "Header dropping in traefik in github.com/traefik/traefik", + "details": "Header dropping in traefik in github.com/traefik/traefik", + "affected": [ + { + "package": { + "name": "github.com/traefik/traefik", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.4.13" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/traefik/traefik/security/advisories/GHSA-m697-4v8f-55qg" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32813" + }, + { + "type": "FIX", + "url": "https://github.com/traefik/traefik/pull/8319/commits/cbaf86a93014a969b8accf39301932c17d0d73f9" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v2.4.13" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0923", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0924.json b/data/osv/GO-2022-0924.json new file mode 100644 index 000000000..3ddf04b97 --- /dev/null +++ b/data/osv/GO-2022-0924.json 
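Review bot: The `github.com/traefik/traefik` entry in this hunk carries only `"introduced": "0"` with no `fixed` event, so every version of the unversioned module path is reported as vulnerable with no upper bound, while the fix (`"fixed": "2.4.13"`) is attached only to `github.com/traefik/traefik/v2` and the removed exclusion record listed no v1 module at all. If the v1 path is intentionally marked as never fixed that is acceptable, but since the entry is `"review_status": "UNREVIEWED"` it is worth confirming the range rather than taking it on trust, because an open-ended range produces a permanent finding for every consumer of the old major. The same open-ended `"introduced": "0"` ranges appear in GO-2022-0928 for `github.com/argoproj/argo-workflows` and `github.com/argoproj/argo-workflows/v2`. The data/reports YAML these OSV entries are presumably derived from is outside this chunk, so any correction belongs there rather than in the JSON.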
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0924", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-33496", + "GHSA-w3jx-wv97-67ph" + ], + "summary": "Cross-site scripting in Dutchcoders transfer.sh in github.com/dutchcoders/transfer.sh", + "details": "Cross-site scripting in Dutchcoders transfer.sh in github.com/dutchcoders/transfer.sh", + "affected": [ + { + "package": { + "name": "github.com/dutchcoders/transfer.sh", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-w3jx-wv97-67ph" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33496" + }, + { + "type": "FIX", + "url": "https://github.com/dutchcoders/transfer.sh/commit/9df18fdc69de2e71f30d8c1e6bfab2fda2e52eb4" + }, + { + "type": "FIX", + "url": "https://github.com/dutchcoders/transfer.sh/pull/373" + }, + { + "type": "WEB", + "url": "https://github.com/dutchcoders/transfer.sh/releases/tag/v1.2.4" + }, + { + "type": "WEB", + "url": "https://vuln.ryotak.me/advisories/43" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0924", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0925.json b/data/osv/GO-2022-0925.json new file mode 100644 index 000000000..be4575f9e --- /dev/null +++ b/data/osv/GO-2022-0925.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0925", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-33497", + "GHSA-cf55-rq8x-hm6f" + ], + "summary": "Path Traversal in Dutchcoders transfer.sh in github.com/dutchcoders/transfer.sh", + "details": "Path Traversal in Dutchcoders transfer.sh in github.com/dutchcoders/transfer.sh", + "affected": [ + { + "package": { + "name": "github.com/dutchcoders/transfer.sh", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-cf55-rq8x-hm6f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33497" + }, + { + "type": "FIX", + "url": "https://github.com/dutchcoders/transfer.sh/pull/373" + }, + { + "type": "WEB", + "url": "https://github.com/dutchcoders/transfer.sh/releases/tag/v1.2.4" + }, + { + "type": "WEB", + "url": "https://vuln.ryotak.me/advisories/44" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0925", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0928.json b/data/osv/GO-2022-0928.json new file mode 100644 index 000000000..c28aeedbb --- /dev/null +++ b/data/osv/GO-2022-0928.json 
@@ -0,0 +1,98 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0928", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-37914", + "GHSA-h563-xh25-x54q" + ], + "summary": "Workflow re-write vulnerability using input parameter in github.com/argoproj/argo-workflows", + "details": "Workflow re-write vulnerability using input parameter in github.com/argoproj/argo-workflows", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-workflows", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-workflows/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-workflows/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h563-xh25-x54q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37914" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-workflows/commit/2a2ecc916925642fd8cb1efd026588e6828f82e1" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-workflows/pull/6285" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-workflows/pull/6442" + }, + { + "type": "REPORT", + "url": "https://github.com/argoproj/argo-workflows/issues/6441" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0928", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2022-0929.json b/data/osv/GO-2022-0929.json new file mode 100644 index 000000000..a49d7cbd0 --- /dev/null +++ b/data/osv/GO-2022-0929.json @@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0929", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-38197", + "GHSA-v9j4-cp63-qv62" + ], + "summary": "Tarslip in go-unarr in github.com/gen2brain/go-unarr", + "details": "Tarslip in go-unarr in github.com/gen2brain/go-unarr", + "affected": [ + { + "package": { + "name": "github.com/gen2brain/go-unarr", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.1.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-v9j4-cp63-qv62" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38197" + }, + { + "type": "FIX", + "url": "https://github.com/gen2brain/go-unarr/commit/239ec404d348280b50bbf671327709e8857fc5f4" + }, + { + "type": "REPORT", + "url": "https://github.com/gen2brain/go-unarr/issues/21" + }, + { + "type": "WEB", + "url": "https://github.com/gen2brain/go-unarr/releases/tag/v0.1.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0929", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0933.json b/data/osv/GO-2022-0933.json new file mode 100644 index 000000000..15ec448d9 --- /dev/null +++ b/data/osv/GO-2022-0933.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0933", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-39162", + "GHSA-gjcg-vrxg-xmgv" + ], + "summary": "Incorrect handling of H2 GOAWAY + SETTINGS frames in github.com/pomerium/pomerium", + "details": "Incorrect handling of H2 GOAWAY + SETTINGS frames in github.com/pomerium/pomerium", + "affected": [ + { + "package": { + "name": "github.com/pomerium/pomerium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.15.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39162" + }, + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0933", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0936.json b/data/osv/GO-2022-0936.json new file mode 100644 index 000000000..10adc0904 --- /dev/null +++ b/data/osv/GO-2022-0936.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0936", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-41087", + "GHSA-vrxp-mg9f-hwf3" + ], + "summary": "Improperly Implemented path matching for in-toto-golang in github.com/in-toto/in-toto-golang", + "details": "Improperly Implemented path matching for in-toto-golang in github.com/in-toto/in-toto-golang", + "affected": [ + { + "package": { + "name": "github.com/in-toto/in-toto-golang", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/in-toto/in-toto-golang/security/advisories/GHSA-vrxp-mg9f-hwf3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41087" + }, + { + "type": "FIX", + "url": "https://github.com/in-toto/in-toto-golang/commit/f2c57d1e0f15e3ffbeac531829c696b72ecc4290" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0936", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0937.json b/data/osv/GO-2022-0937.json new file mode 100644 index 000000000..385256742 --- /dev/null +++ b/data/osv/GO-2022-0937.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0937", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-41088", + "GHSA-fpv6-f8jw-rc3r" + ], + "summary": "Elvish vulnerable to remote code execution via the web UI backend in github.com/elves/elvish", + "details": "Elvish vulnerable to remote code execution via the web UI backend in github.com/elves/elvish", + "affected": [ + { + "package": { + "name": "github.com/elves/elvish", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.14.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/elves/elvish/security/advisories/GHSA-fpv6-f8jw-rc3r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41088" + }, + { + "type": "FIX", + "url": "https://github.com/elves/elvish/commit/ccc2750037bbbfafe9c1b7a78eadd3bd16e81fe5" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0937", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0938.json b/data/osv/GO-2022-0938.json new file mode 100644 index 000000000..1721da677 --- /dev/null +++ b/data/osv/GO-2022-0938.json 
@@ -0,0 +1,94 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0938", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-41103", + "GHSA-c2h3-6mxw-7mvq" + ], + "summary": "Insufficiently restricted permissions on plugin directories in github.com/containerd/containerd", + "details": "Insufficiently restricted permissions on plugin directories in github.com/containerd/containerd", + "affected": [ + { + "package": { + "name": "github.com/containerd/containerd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.11" + }, + { + "introduced": "1.5.0" + }, + { + "fixed": "1.5.7" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41103" + }, + { + "type": "FIX", + "url": "https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8" + }, + { + "type": "WEB", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/containerd/releases/tag/v1.4.11" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/containerd/releases/tag/v1.5.7" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB" + }, + { + "type": "WEB", + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-31" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2021/dsa-5002" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0938", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0939.json b/data/osv/GO-2022-0939.json new file mode 100644 index 000000000..74c0af9d5 --- /dev/null +++ b/data/osv/GO-2022-0939.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0939", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-41232", + "GHSA-26cm-qrc6-mfgj" + ], + "summary": "Improper Neutralization of Special Elements used in an LDAP Query in stevenweathers/thunderdome-planning-poker in github.com/StevenWeathers/thunderdome-planning-poker", + "details": "Improper Neutralization of Special Elements used in an LDAP Query in stevenweathers/thunderdome-planning-poker in github.com/StevenWeathers/thunderdome-planning-poker", + "affected": [ + { + "package": { + "name": "github.com/StevenWeathers/thunderdome-planning-poker", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/StevenWeathers/thunderdome-planning-poker/security/advisories/GHSA-26cm-qrc6-mfgj" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41232" + }, + { + "type": "FIX", + "url": "https://github.com/StevenWeathers/thunderdome-planning-poker/commit/f1524d01e8a0f2d6c3db5461c742456c692dd8c1" + }, + { + "type": "WEB", + "url": "https://github.com/github/securitylab/issues/464#issuecomment-957094994" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0939", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0953.json b/data/osv/GO-2022-0953.json new file mode 100644 index 000000000..87541a5ab --- /dev/null +++ b/data/osv/GO-2022-0953.json 
@@ -0,0 +1,76 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0953", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-24687", + "GHSA-hj93-5fg3-3chr" + ], + "summary": "HashiCorp Consul Ingress Gateway Panic Can Shutdown Servers in github.com/hashicorp/consul", + "details": "HashiCorp Consul Ingress Gateway Panic Can Shutdown Servers in github.com/hashicorp/consul", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/consul", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.8.0" + }, + { + "fixed": "1.9.15" + }, + { + "introduced": "1.10.0" + }, + { + "fixed": "1.10.8" + }, + { + "introduced": "1.11.0" + }, + { + "fixed": "1.11.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-hj93-5fg3-3chr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24687" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingress-gateway-panic-can-shutdown-servers" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-09" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220331-0006" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0953", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0959.json b/data/osv/GO-2022-0959.json new file mode 100644 index 000000000..9a819de72 --- /dev/null +++ b/data/osv/GO-2022-0959.json 
@@ -0,0 +1,67 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0959", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-pfhr-pccp-hwmh" + ], + "summary": "Network Policies \u0026 (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels in github.com/cilium/cilium", + "details": "Network Policies \u0026 (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels in github.com/cilium/cilium", + "affected": [ + { + "package": { + "name": "github.com/cilium/cilium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.14" + }, + { + "introduced": "1.11.0" + }, + { + "fixed": "1.11.8" + }, + { + "introduced": "1.12.0" + }, + { + "fixed": "1.12.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cilium/cilium/security/advisories/GHSA-pfhr-pccp-hwmh" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.10.14" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.11.8" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.12.1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0959", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0960.json b/data/osv/GO-2022-0960.json new file mode 100644 index 000000000..e34bb2898 --- /dev/null +++ b/data/osv/GO-2022-0960.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0960", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36035", + "GHSA-xwf3-6rgv-939r" + ], + "summary": "Flux CLI Workload Injection in github.com/fluxcd/flux2", + "details": "Flux CLI Workload Injection in github.com/fluxcd/flux2", + "affected": [ + { + "package": { + "name": "github.com/fluxcd/flux2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.21.0" + }, + { + "fixed": "0.32.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-xwf3-6rgv-939r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36035" + }, + { + "type": "WEB", + "url": "https://github.com/fluxcd/flux2/releases/tag/v0.32.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0960", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0964.json b/data/osv/GO-2022-0964.json new file mode 100644 index 000000000..6d3c8e3b3 --- /dev/null +++ b/data/osv/GO-2022-0964.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0964", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36071", + "GHSA-54qx-8p8w-xhg8" + ], + "summary": "SFTPGo vulnerable to recovery codes abuse in github.com/drakkan/sftpgo", + "details": "SFTPGo vulnerable to recovery codes abuse in github.com/drakkan/sftpgo", + "affected": [ + { + "package": { + "name": "github.com/drakkan/sftpgo", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/drakkan/sftpgo/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.2.0" + }, + { + "fixed": "2.3.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-54qx-8p8w-xhg8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36071" + }, + { + "type": "REPORT", + "url": "https://github.com/drakkan/sftpgo/issues/965" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0964", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0970.json b/data/osv/GO-2022-0970.json new file mode 100644 index 000000000..a4eb56ce8 --- /dev/null +++ b/data/osv/GO-2022-0970.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0970", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36058", + "GHSA-qf7j-25g9-r63f" + ], + "summary": "elrond-go MultiESDTNFTTransfer call on a SC address with missing function name in github.com/ElrondNetwork/elrond-go", + "details": "elrond-go MultiESDTNFTTransfer call on a SC address with missing function name in github.com/ElrondNetwork/elrond-go", + "affected": [ + { + "package": { + "name": "github.com/ElrondNetwork/elrond-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.34" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36058" + }, + { + "type": "FIX", + "url": "https://github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7" + }, + { + "type": "WEB", + "url": "https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0970", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0971.json b/data/osv/GO-2022-0971.json new file mode 100644 index 000000000..6a4c00c80 --- /dev/null +++ b/data/osv/GO-2022-0971.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0971", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36061", + "GHSA-mv8x-668m-53fg" + ], + "summary": "Elrond-go has improper initialization in github.com/ElrondNetwork/elrond-go", + "details": "Elrond-go has improper initialization in github.com/ElrondNetwork/elrond-go", + "affected": [ + { + "package": { + "name": "github.com/ElrondNetwork/elrond-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.35" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-mv8x-668m-53fg" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36061" + }, + { + "type": "WEB", + "url": "https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L452" + }, + { + "type": "WEB", + "url": "https://github.com/ElrondNetwork/elrond-go/releases/tag/v1.3.35" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0971", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0981.json b/data/osv/GO-2022-0981.json new file mode 100644 index 000000000..fc9826199 --- /dev/null +++ b/data/osv/GO-2022-0981.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0981", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31677", + "GHSA-rp4v-hhm6-rcv9" + ], + "summary": "Pinniped Supervisor Insufficient Session Expiration vulnerability in go.pinniped.dev", + "details": "Pinniped Supervisor Insufficient Session Expiration vulnerability in go.pinniped.dev", + "affected": [ + { + "package": { + "name": "go.pinniped.dev", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.3.0" + }, + { + "fixed": "0.19.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31677" + }, + { + "type": "WEB", + "url": "https://github.com/vmware-tanzu/pinniped/pull/1264" + }, + { + "type": "WEB", + "url": "https://github.com/vmware-tanzu/pinniped/releases/tag/v0.19.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0981", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0982.json b/data/osv/GO-2022-0982.json new file mode 100644 index 000000000..96e2f7723 --- /dev/null +++ b/data/osv/GO-2022-0982.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0982", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-45330", + "GHSA-pg38-r834-g45j" + ], + "summary": "Improper Privilege Management in Gitea in code.gitea.io/gitea", + "details": "Improper Privilege Management in Gitea in code.gitea.io/gitea", + "affected": [ + { + "package": { + "name": "code.gitea.io/gitea", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-pg38-r834-g45j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45330" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/issues/4336" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/pull/4840" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0982", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0983.json b/data/osv/GO-2022-0983.json new file mode 100644 index 000000000..84049490a --- /dev/null +++ b/data/osv/GO-2022-0983.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0983", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-25743", + "GHSA-f9jg-8p32-2f55" + ], + "summary": "kubectl ANSI escape characters not filtered in k8s.io/kubernetes", + "details": "kubectl ANSI escape characters not filtered in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.26.0-alpha.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-f9jg-8p32-2f55" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25743" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/dad0e937c0f76344363eb691b2668490ffef8537" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/101695" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/112553" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220217-0003" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0983", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2022-0922.yaml b/data/reports/GO-2022-0922.yaml new file mode 100644 index 000000000..92ce1b655 --- /dev/null +++ b/data/reports/GO-2022-0922.yaml 
@@ -0,0 +1,31 @@
+id: GO-2022-0922
+modules:
+ - module: github.com/projectcontour/contour
+ versions:
+ - fixed: 1.14.2
+ - introduced: 1.15.0
+ - fixed: 1.15.2
+ - introduced: 1.16.0
+ - fixed: 1.16.1
+ - introduced: 1.17.0
+ - fixed: 1.17.1
+ vulnerable_at: 1.17.0
+summary: ExternalName Services can be used to gain access to Envoy's admin interface in github.com/projectcontour/contour
+cves:
+ - CVE-2021-32783
+ghsas:
+ - GHSA-5ph6-qq5x-7jwc
+references:
+ - advisory: https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-32783
+ - fix: https://github.com/projectcontour/contour/commit/5f3e6d0ab1d48e64bae46400c85c490b200393a3
+ - fix: https://github.com/projectcontour/contour/commit/b53a5c4fd927f4ea2c6cf02f1359d8e28bef852e
+ - web: https://github.com/projectcontour/contour/releases/tag/v1.14.2
+ - web: https://github.com/projectcontour/contour/releases/tag/v1.15.2
+ - web: https://github.com/projectcontour/contour/releases/tag/v1.16.1
+ - web: https://github.com/projectcontour/contour/releases/tag/v1.17.1
+source:
+ id: GHSA-5ph6-qq5x-7jwc
+ created: 2024-08-20T14:30:47.852978-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0923.yaml b/data/reports/GO-2022-0923.yaml
new file mode 100644
index 000000000..80ce514b0
--- /dev/null
+++ b/data/reports/GO-2022-0923.yaml
@@ -0,0 +1,25 @@
+id: GO-2022-0923
+modules:
+ - module: github.com/traefik/traefik
+ unsupported_versions:
+ - last_affected: 1.7.30
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.4.13
+ vulnerable_at: 2.4.12
+summary: Header dropping in traefik in github.com/traefik/traefik
+cves:
+ - CVE-2021-32813
+ghsas:
+ - GHSA-m697-4v8f-55qg
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-m697-4v8f-55qg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-32813
+ - fix: https://github.com/traefik/traefik/pull/8319/commits/cbaf86a93014a969b8accf39301932c17d0d73f9
+ - web: https://github.com/traefik/traefik/releases/tag/v2.4.13
+source:
+ id: GHSA-m697-4v8f-55qg
+ created: 2024-08-20T14:30:55.257226-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0924.yaml b/data/reports/GO-2022-0924.yaml
new file mode 100644
index 000000000..1792fb321
--- /dev/null
+++ b/data/reports/GO-2022-0924.yaml
@@ -0,0 +1,23 @@
+id: GO-2022-0924
+modules:
+ - module: github.com/dutchcoders/transfer.sh
+ versions:
+ - fixed: 1.2.4
+ vulnerable_at: 1.2.3
+summary: Cross-site scripting in Dutchcoders transfer.sh in github.com/dutchcoders/transfer.sh
+cves:
+ - CVE-2021-33496
+ghsas:
+ - GHSA-w3jx-wv97-67ph
+references:
+ - advisory: https://github.com/advisories/GHSA-w3jx-wv97-67ph
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-33496
+ - fix: https://github.com/dutchcoders/transfer.sh/commit/9df18fdc69de2e71f30d8c1e6bfab2fda2e52eb4
+ - fix: https://github.com/dutchcoders/transfer.sh/pull/373
+ - web: https://github.com/dutchcoders/transfer.sh/releases/tag/v1.2.4
+ - web: https://vuln.ryotak.me/advisories/43
+source:
+ id: GHSA-w3jx-wv97-67ph
+ created: 2024-08-20T14:30:59.729201-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0925.yaml b/data/reports/GO-2022-0925.yaml
new file mode 100644
index 000000000..c2dd87846
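Review bot: In GO-2022-0923.yaml the github.com/traefik/traefik entry sets `vulnerable_at: 1.7.34` while its only range marker is `last_affected: 1.7.30`, so the version picked as the vulnerable example lies outside the range the report itself claims is affected. Either `last_affected` is stale (the v1 line shipped releases after 1.7.30) or `vulnerable_at` should be a version at or below 1.7.30; the two fields should agree before the report leaves UNREVIEWED. Because the v1 range sits under `unsupported_versions`, it presumably is not emitted into the OSV output at all, so consumers would see the whole v1 module as affected with no bound — worth confirming against the generated JSON.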
--- /dev/null
+++ b/data/reports/GO-2022-0925.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-0925
+modules:
+ - module: github.com/dutchcoders/transfer.sh
+ versions:
+ - fixed: 1.2.4
+ vulnerable_at: 1.2.3
+summary: Path Traversal in Dutchcoders transfer.sh in github.com/dutchcoders/transfer.sh
+cves:
+ - CVE-2021-33497
+ghsas:
+ - GHSA-cf55-rq8x-hm6f
+references:
+ - advisory: https://github.com/advisories/GHSA-cf55-rq8x-hm6f
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-33497
+ - fix: https://github.com/dutchcoders/transfer.sh/pull/373
+ - web: https://github.com/dutchcoders/transfer.sh/releases/tag/v1.2.4
+ - web: https://vuln.ryotak.me/advisories/44
+source:
+ id: GHSA-cf55-rq8x-hm6f
+ created: 2024-08-20T14:31:04.353491-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0928.yaml b/data/reports/GO-2022-0928.yaml
new file mode 100644
index 000000000..3d1079173
--- /dev/null
+++ b/data/reports/GO-2022-0928.yaml
@@ -0,0 +1,28 @@
+id: GO-2022-0928
+modules:
+ - module: github.com/argoproj/argo-workflows
+ vulnerable_at: 0.4.7
+ - module: github.com/argoproj/argo-workflows/v2
+ vulnerable_at: 2.12.13
+ - module: github.com/argoproj/argo-workflows/v3
+ versions:
+ - introduced: 3.1.0
+ - fixed: 3.1.6
+ vulnerable_at: 3.1.5
+summary: Workflow re-write vulnerability using input parameter in github.com/argoproj/argo-workflows
+cves:
+ - CVE-2021-37914
+ghsas:
+ - GHSA-h563-xh25-x54q
+references:
+ - advisory: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h563-xh25-x54q
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-37914
+ - fix: https://github.com/argoproj/argo-workflows/commit/2a2ecc916925642fd8cb1efd026588e6828f82e1
+ - fix: https://github.com/argoproj/argo-workflows/pull/6285
+ - fix: https://github.com/argoproj/argo-workflows/pull/6442
+ - report: https://github.com/argoproj/argo-workflows/issues/6441
+source:
+ id: GHSA-h563-xh25-x54q
+ created: 2024-08-20T14:31:25.530183-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0929.yaml b/data/reports/GO-2022-0929.yaml
new file mode 100644
index 000000000..a126452dd
--- /dev/null
+++ b/data/reports/GO-2022-0929.yaml
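Review bot: In GO-2022-0928.yaml the github.com/argoproj/argo-workflows and github.com/argoproj/argo-workflows/v2 entries carry only a `vulnerable_at` and no `versions`, so every release of those major versions is reported as affected, while the v3 entry narrows the bug to `introduced: 3.1.0` / `fixed: 3.1.6`. If the advisory's affected range really is 3.1.0 up to 3.1.6, the v1 and v2 entries overclaim and should either get an explicit range or be dropped; an unbounded module entry in an UNREVIEWED report will surface as a finding for users on old, unaffected majors. The same pattern appears in GO-2022-0964.yaml, where github.com/drakkan/sftpgo (v1) has no range while the v2 entry starts at `introduced: 2.2.0`, and the OSV side of that report (visible above) turns the v1 entry into an `introduced: "0"` range with no fix.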
@@ -0,0 +1,22 @@
+id: GO-2022-0929
+modules:
+ - module: github.com/gen2brain/go-unarr
+ versions:
+ - fixed: 0.1.4
+ vulnerable_at: 0.1.3
+summary: Tarslip in go-unarr in github.com/gen2brain/go-unarr
+cves:
+ - CVE-2021-38197
+ghsas:
+ - GHSA-v9j4-cp63-qv62
+references:
+ - advisory: https://github.com/advisories/GHSA-v9j4-cp63-qv62
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-38197
+ - fix: https://github.com/gen2brain/go-unarr/commit/239ec404d348280b50bbf671327709e8857fc5f4
+ - report: https://github.com/gen2brain/go-unarr/issues/21
+ - web: https://github.com/gen2brain/go-unarr/releases/tag/v0.1.4
+source:
+ id: GHSA-v9j4-cp63-qv62
+ created: 2024-08-20T14:31:33.653863-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0933.yaml b/data/reports/GO-2022-0933.yaml
new file mode 100644
index 000000000..18031e8fa
--- /dev/null
+++ b/data/reports/GO-2022-0933.yaml
@@ -0,0 +1,21 @@
+id: GO-2022-0933
+modules:
+ - module: github.com/pomerium/pomerium
+ versions:
+ - fixed: 0.15.1
+ vulnerable_at: 0.15.0
+summary: Incorrect handling of H2 GOAWAY + SETTINGS frames in github.com/pomerium/pomerium
+cves:
+ - CVE-2021-39162
+ghsas:
+ - GHSA-gjcg-vrxg-xmgv
+references:
+ - advisory: https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-39162
+ - web: https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
+ - web: https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ
+source:
+ id: GHSA-gjcg-vrxg-xmgv
+ created: 2024-08-20T14:32:03.137864-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0936.yaml b/data/reports/GO-2022-0936.yaml
new file mode 100644
index 000000000..bc2072979
--- /dev/null
+++ b/data/reports/GO-2022-0936.yaml
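Review bot: GO-2022-0933.yaml has no `fix:` reference, and its two `web:` links point at the upstream Envoy advisory (GHSA-j374-mjrw-vvp8) and the envoy-announce thread rather than at anything in pomerium, so a reader cannot tell from the report what changed between 0.15.0 and the `fixed: 0.15.1` it asserts. If 0.15.1 is a dependency bump of the embedded Envoy, as the references suggest, add the pomerium release or commit as a `fix:` entry so the version claim is traceable.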
@@ -0,0 +1,20 @@
+id: GO-2022-0936
+modules:
+ - module: github.com/in-toto/in-toto-golang
+ versions:
+ - fixed: 0.3.0
+ vulnerable_at: 0.2.0
+summary: Improperly Implemented path matching for in-toto-golang in github.com/in-toto/in-toto-golang
+cves:
+ - CVE-2021-41087
+ghsas:
+ - GHSA-vrxp-mg9f-hwf3
+references:
+ - advisory: https://github.com/in-toto/in-toto-golang/security/advisories/GHSA-vrxp-mg9f-hwf3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-41087
+ - fix: https://github.com/in-toto/in-toto-golang/commit/f2c57d1e0f15e3ffbeac531829c696b72ecc4290
+source:
+ id: GHSA-vrxp-mg9f-hwf3
+ created: 2024-08-20T14:32:28.208411-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0937.yaml b/data/reports/GO-2022-0937.yaml
new file mode 100644
index 000000000..5746719f0
--- /dev/null
+++ b/data/reports/GO-2022-0937.yaml
@@ -0,0 +1,20 @@
+id: GO-2022-0937
+modules:
+ - module: github.com/elves/elvish
+ versions:
+ - fixed: 0.14.0
+ vulnerable_at: 0.14.0-rc3
+summary: Elvish vulnerable to remote code execution via the web UI backend in github.com/elves/elvish
+cves:
+ - CVE-2021-41088
+ghsas:
+ - GHSA-fpv6-f8jw-rc3r
+references:
+ - advisory: https://github.com/elves/elvish/security/advisories/GHSA-fpv6-f8jw-rc3r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-41088
+ - fix: https://github.com/elves/elvish/commit/ccc2750037bbbfafe9c1b7a78eadd3bd16e81fe5
+source:
+ id: GHSA-fpv6-f8jw-rc3r
+ created: 2024-08-20T14:32:31.321788-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0938.yaml b/data/reports/GO-2022-0938.yaml
new file mode 100644
index 000000000..88ad34f09
--- /dev/null
+++ b/data/reports/GO-2022-0938.yaml
@@ -0,0 +1,31 @@
+id: GO-2022-0938
+modules:
+ - module: github.com/containerd/containerd
+ versions:
+ - fixed: 1.4.11
+ - introduced: 1.5.0
+ - fixed: 1.5.7
+ vulnerable_at: 1.5.6
+summary: Insufficiently restricted permissions on plugin directories in github.com/containerd/containerd
+cves:
+ - CVE-2021-41103
+ghsas:
+ - GHSA-c2h3-6mxw-7mvq
+references:
+ - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-41103
+ - fix: https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8
+ - web: https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
+ - web: https://github.com/containerd/containerd/releases/tag/v1.4.11
+ - web: https://github.com/containerd/containerd/releases/tag/v1.5.7
+ - web: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB
+ - web: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB
+ - web: https://security.gentoo.org/glsa/202401-31
+ - web: https://www.debian.org/security/2021/dsa-5002
+source:
+ id: GHSA-c2h3-6mxw-7mvq
+ created: 2024-08-20T14:32:37.245655-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0939.yaml b/data/reports/GO-2022-0939.yaml
new file mode 100644
index 000000000..c11d480b0
--- /dev/null
+++ b/data/reports/GO-2022-0939.yaml
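Review bot: GO-2022-0938.yaml lists each of the two Fedora package-announce messages twice, once with `%40` and once with a literal `@` in the list address, so two of the four `web:` entries are duplicates of the same resource and they propagate into the generated OSV `references` array. Keep one encoding per message — the `@` form is the one the JSON at the top of this chunk shows for the ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB link — and delete the other two lines. This looks like an artifact of merging GHSA and NVD reference lists, so the same check is worth running on the other unexcluded reports.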
@@ -0,0 +1,23 @@
+id: GO-2022-0939
+modules:
+ - module: github.com/StevenWeathers/thunderdome-planning-poker
+ versions:
+ - fixed: 1.16.3
+ vulnerable_at: 1.16.2
+summary: |-
+ Improper Neutralization of Special Elements used in an LDAP Query in
+ stevenweathers/thunderdome-planning-poker in github.com/StevenWeathers/thunderdome-planning-poker
+cves:
+ - CVE-2021-41232
+ghsas:
+ - GHSA-26cm-qrc6-mfgj
+references:
+ - advisory: https://github.com/StevenWeathers/thunderdome-planning-poker/security/advisories/GHSA-26cm-qrc6-mfgj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-41232
+ - fix: https://github.com/StevenWeathers/thunderdome-planning-poker/commit/f1524d01e8a0f2d6c3db5461c742456c692dd8c1
+ - web: https://github.com/github/securitylab/issues/464#issuecomment-957094994
+source:
+ id: GHSA-26cm-qrc6-mfgj
+ created: 2024-08-20T14:32:46.8317-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0953.yaml b/data/reports/GO-2022-0953.yaml
new file mode 100644
index 000000000..c3742975f
--- /dev/null
+++ b/data/reports/GO-2022-0953.yaml
@@ -0,0 +1,28 @@
+id: GO-2022-0953
+modules:
+ - module: github.com/hashicorp/consul
+ versions:
+ - introduced: 1.8.0
+ - fixed: 1.9.15
+ - introduced: 1.10.0
+ - fixed: 1.10.8
+ - introduced: 1.11.0
+ - fixed: 1.11.3
+ vulnerable_at: 1.11.2
+summary: HashiCorp Consul Ingress Gateway Panic Can Shutdown Servers in github.com/hashicorp/consul
+cves:
+ - CVE-2022-24687
+ghsas:
+ - GHSA-hj93-5fg3-3chr
+references:
+ - advisory: https://github.com/advisories/GHSA-hj93-5fg3-3chr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24687
+ - web: https://discuss.hashicorp.com
+ - web: https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingress-gateway-panic-can-shutdown-servers
+ - web: https://security.gentoo.org/glsa/202208-09
+ - web: https://security.netapp.com/advisory/ntap-20220331-0006
+source:
+ id: GHSA-hj93-5fg3-3chr
+ created: 2024-08-20T14:33:25.639827-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0959.yaml b/data/reports/GO-2022-0959.yaml
new file mode 100644
index 000000000..7eccac209
--- /dev/null
+++ b/data/reports/GO-2022-0959.yaml
@@ -0,0 +1,25 @@
+id: GO-2022-0959
+modules:
+ - module: github.com/cilium/cilium
+ versions:
+ - fixed: 1.10.14
+ - introduced: 1.11.0
+ - fixed: 1.11.8
+ - introduced: 1.12.0
+ - fixed: 1.12.1
+ vulnerable_at: 1.12.0
+summary: |-
+ Network Policies & (Clusterwide) Cilium Network Policies with namespace label
+ selectors may unexpectedly select pods with maliciously crafted labels in github.com/cilium/cilium
+ghsas:
+ - GHSA-pfhr-pccp-hwmh
+references:
+ - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-pfhr-pccp-hwmh
+ - web: https://github.com/cilium/cilium/releases/tag/v1.10.14
+ - web: https://github.com/cilium/cilium/releases/tag/v1.11.8
+ - web: https://github.com/cilium/cilium/releases/tag/v1.12.1
+source:
+ id: GHSA-pfhr-pccp-hwmh
+ created: 2024-08-20T14:34:13.516787-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
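Review bot: The `- web: https://discuss.hashicorp.com` entry in GO-2022-0953.yaml points at the forum's front page, which says nothing about this advisory and will drift as the forum changes, while the very next line already links the specific HCSEC-2022-05 thread. Drop the bare-host reference so the generated OSV record only carries links that identify the vulnerability.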
diff --git a/data/reports/GO-2022-0960.yaml b/data/reports/GO-2022-0960.yaml
new file mode 100644
index 000000000..4223e0ad1
--- /dev/null
+++ b/data/reports/GO-2022-0960.yaml
@@ -0,0 +1,21 @@
+id: GO-2022-0960
+modules:
+ - module: github.com/fluxcd/flux2
+ versions:
+ - introduced: 0.21.0
+ - fixed: 0.32.0
+ vulnerable_at: 0.31.5
+summary: Flux CLI Workload Injection in github.com/fluxcd/flux2
+cves:
+ - CVE-2022-36035
+ghsas:
+ - GHSA-xwf3-6rgv-939r
+references:
+ - advisory: https://github.com/fluxcd/flux2/security/advisories/GHSA-xwf3-6rgv-939r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-36035
+ - web: https://github.com/fluxcd/flux2/releases/tag/v0.32.0
+source:
+ id: GHSA-xwf3-6rgv-939r
+ created: 2024-08-20T14:34:16.297075-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0964.yaml b/data/reports/GO-2022-0964.yaml
new file mode 100644
index 000000000..2a9480c6c
--- /dev/null
+++ b/data/reports/GO-2022-0964.yaml
@@ -0,0 +1,23 @@
+id: GO-2022-0964
+modules:
+ - module: github.com/drakkan/sftpgo
+ vulnerable_at: 1.2.2
+ - module: github.com/drakkan/sftpgo/v2
+ versions:
+ - introduced: 2.2.0
+ - fixed: 2.3.4
+ vulnerable_at: 2.3.3
+summary: SFTPGo vulnerable to recovery codes abuse in github.com/drakkan/sftpgo
+cves:
+ - CVE-2022-36071
+ghsas:
+ - GHSA-54qx-8p8w-xhg8
+references:
+ - advisory: https://github.com/drakkan/sftpgo/security/advisories/GHSA-54qx-8p8w-xhg8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-36071
+ - report: https://github.com/drakkan/sftpgo/issues/965
+source:
+ id: GHSA-54qx-8p8w-xhg8
+ created: 2024-08-20T14:34:39.312929-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0970.yaml b/data/reports/GO-2022-0970.yaml
new file mode 100644
index 000000000..a8a32aea3
--- /dev/null
+++ b/data/reports/GO-2022-0970.yaml
@@ -0,0 +1,21 @@
+id: GO-2022-0970
+modules:
+ - module: github.com/ElrondNetwork/elrond-go
+ versions:
+ - fixed: 1.3.34
+ vulnerable_at: 1.3.33
+summary: elrond-go MultiESDTNFTTransfer call on a SC address with missing function name in github.com/ElrondNetwork/elrond-go
+cves:
+ - CVE-2022-36058
+ghsas:
+ - GHSA-qf7j-25g9-r63f
+references:
+ - advisory: https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-36058
+ - fix: https://github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7
+ - web: https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402
+source:
+ id: GHSA-qf7j-25g9-r63f
+ created: 2024-08-20T14:34:42.989469-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0971.yaml b/data/reports/GO-2022-0971.yaml
new file mode 100644
index 000000000..de25f2bee
--- /dev/null
+++ b/data/reports/GO-2022-0971.yaml
@@ -0,0 +1,21 @@
+id: GO-2022-0971
+modules:
+ - module: github.com/ElrondNetwork/elrond-go
+ versions:
+ - fixed: 1.3.35
+ vulnerable_at: 1.3.34
+summary: Elrond-go has improper initialization in github.com/ElrondNetwork/elrond-go
+cves:
+ - CVE-2022-36061
+ghsas:
+ - GHSA-mv8x-668m-53fg
+references:
+ - advisory: https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-mv8x-668m-53fg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-36061
+ - web: https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L452
+ - web: https://github.com/ElrondNetwork/elrond-go/releases/tag/v1.3.35
+source:
+ id: GHSA-mv8x-668m-53fg
+ created: 2024-08-20T14:34:47.274095-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0981.yaml b/data/reports/GO-2022-0981.yaml
new file mode 100644
index 000000000..8a91a98c4
--- /dev/null
+++ b/data/reports/GO-2022-0981.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-0981
+modules:
+ - module: go.pinniped.dev
+ versions:
+ - introduced: 0.3.0
+ - fixed: 0.19.0
+ vulnerable_at: 0.18.0
+summary: Pinniped Supervisor Insufficient Session Expiration vulnerability in go.pinniped.dev
+cves:
+ - CVE-2022-31677
+ghsas:
+ - GHSA-rp4v-hhm6-rcv9
+references:
+ - advisory: https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31677
+ - web: https://github.com/vmware-tanzu/pinniped/pull/1264
+ - web: https://github.com/vmware-tanzu/pinniped/releases/tag/v0.19.0
+source:
+ id: GHSA-rp4v-hhm6-rcv9
+ created: 2024-08-20T14:43:41.004918-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0982.yaml b/data/reports/GO-2022-0982.yaml
new file mode 100644
index 000000000..90aaf2e81
--- /dev/null
+++ b/data/reports/GO-2022-0982.yaml
@@ -0,0 +1,21 @@
+id: GO-2022-0982
+modules:
+ - module: code.gitea.io/gitea
+ versions:
+ - fixed: 1.6.0
+ vulnerable_at: 1.6.0-rc2
+summary: Improper Privilege Management in Gitea in code.gitea.io/gitea
+cves:
+ - CVE-2021-45330
+ghsas:
+ - GHSA-pg38-r834-g45j
+references:
+ - advisory: https://github.com/advisories/GHSA-pg38-r834-g45j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-45330
+ - web: https://github.com/go-gitea/gitea/issues/4336
+ - web: https://github.com/go-gitea/gitea/pull/4840
+source:
+ id: GHSA-pg38-r834-g45j
+ created: 2024-08-20T14:43:44.904444-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0983.yaml b/data/reports/GO-2022-0983.yaml
new file mode 100644
index 000000000..940b31346
--- /dev/null
+++ b/data/reports/GO-2022-0983.yaml
@@ -0,0 +1,23 @@
+id: GO-2022-0983
+modules:
+ - module: k8s.io/kubernetes
+ versions:
+ - fixed: 1.26.0-alpha.3
+ vulnerable_at: 1.26.0-alpha.2
+summary: kubectl ANSI escape characters not filtered in k8s.io/kubernetes
+cves:
+ - CVE-2021-25743
+ghsas:
+ - GHSA-f9jg-8p32-2f55
+references:
+ - advisory: https://github.com/advisories/GHSA-f9jg-8p32-2f55
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-25743
+ - web: https://github.com/kubernetes/kubernetes/commit/dad0e937c0f76344363eb691b2668490ffef8537
+ - web: https://github.com/kubernetes/kubernetes/issues/101695
+ - web: https://github.com/kubernetes/kubernetes/pull/112553
+ - web: https://security.netapp.com/advisory/ntap-20220217-0003
+source:
+ id: GHSA-f9jg-8p32-2f55
+ created: 2024-08-20T14:43:49.522169-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE