diff --git a/data/osv/GO-2024-3294.json b/data/osv/GO-2024-3294.json
new file mode 100644
index 00000000..ee8de846
--- /dev/null
+++ b/data/osv/GO-2024-3294.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3294",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-53264"
+ ],
+ "summary": "Open Redirect Vulnerability in Loading Page in bunkerweb in github.com/bunkerity/bunkerweb",
+ "details": "Open Redirect Vulnerability in Loading Page in bunkerweb in github.com/bunkerity/bunkerweb",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/bunkerity/bunkerweb",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.5.11"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53264"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/bunkerity/bunkerweb/security/advisories/GHSA-q9rr-h3hx-m87g"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3294",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3296.json b/data/osv/GO-2024-3296.json
new file mode 100644
index 00000000..2e1395d5
--- /dev/null
+++ b/data/osv/GO-2024-3296.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3296",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-53858",
+ "GHSA-jwcm-9g39-pmcw"
+ ],
+ "summary": "Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in github.com/cli/cli",
+ "details": "Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in github.com/cli/cli",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cli/cli",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/cli/cli/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.63.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cli/cli/security/advisories/GHSA-jwcm-9g39-pmcw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53858"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git-scm.com/docs/gitcredentials"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3296",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3299.json b/data/osv/GO-2024-3299.json
new file mode 100644
index 00000000..0840622f
--- /dev/null
+++ b/data/osv/GO-2024-3299.json
@@ -0,0 +1,97 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3299",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-52003",
+ "GHSA-h924-8g65-j9wg"
+ ],
+ "summary": "Traefik's X-Forwarded-Prefix Header still allows for Open Redirect in github.com/traefik/traefik",
+ "details": "Traefik's X-Forwarded-Prefix Header still allows for Open Redirect in github.com/traefik/traefik",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/traefik/traefik",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/traefik/traefik/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.11.14"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/traefik/traefik/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.2.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52003"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/traefik/traefik/pull/11253"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/traefik/traefik/releases/tag/v2.11.14"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/traefik/traefik/releases/tag/v3.2.1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3299",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3300.json b/data/osv/GO-2024-3300.json
new file mode 100644
index 00000000..2b48834b
--- /dev/null
+++ b/data/osv/GO-2024-3300.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3300",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-52801",
+ "GHSA-6943-qr24-82vx"
+ ],
+ "summary": "sftpgo vulnerable to brute force takeover of OpenID Connect session cookies in github.com/drakkan/sftpgo",
+ "details": "sftpgo vulnerable to brute force takeover of OpenID Connect session cookies in github.com/drakkan/sftpgo",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/drakkan/sftpgo",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/drakkan/sftpgo/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.3.0"
+ },
+ {
+ "fixed": "2.6.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-6943-qr24-82vx"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52801"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rs/xid"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3300",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3303.json b/data/osv/GO-2024-3303.json
new file mode 100644
index 00000000..6c36f512
--- /dev/null
+++ b/data/osv/GO-2024-3303.json
@@ -0,0 +1,91 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3303",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-53862"
+ ],
+ "summary": "Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode in github.com/argoproj/argo-workflows",
+ "details": "Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode in github.com/argoproj/argo-workflows",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-workflows",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-workflows/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-workflows/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "3.5.7"
+ },
+ {
+ "fixed": "3.5.13"
+ },
+ {
+ "introduced": "3.6.0-rc1"
+ },
+ {
+ "fixed": "3.6.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53862"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3303",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-3294.yaml b/data/reports/GO-2024-3294.yaml
new file mode 100644
index 00000000..8bdd3595
--- /dev/null
+++ b/data/reports/GO-2024-3294.yaml
@@ -0,0 +1,16 @@
+id: GO-2024-3294
+modules:
+ - module: github.com/bunkerity/bunkerweb
+ versions:
+ - fixed: 1.5.11
+ vulnerable_at: 1.5.10
+summary: Open Redirect Vulnerability in Loading Page in bunkerweb in github.com/bunkerity/bunkerweb
+cves:
+ - CVE-2024-53264
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-53264
+ - web: https://github.com/bunkerity/bunkerweb/security/advisories/GHSA-q9rr-h3hx-m87g
+source:
+ id: CVE-2024-53264
+ created: 2024-12-02T14:56:38.107508-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3296.yaml b/data/reports/GO-2024-3296.yaml
new file mode 100644
index 00000000..3913b65b
--- /dev/null
+++ b/data/reports/GO-2024-3296.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-3296
+modules:
+ - module: github.com/cli/cli
+ vulnerable_at: 1.14.0
+ - module: github.com/cli/cli/v2
+ versions:
+ - fixed: 2.63.0
+ vulnerable_at: 2.62.0
+summary: |-
+ Recursive repository cloning can leak authentication tokens to non-GitHub
+ submodule hosts in github.com/cli/cli
+cves:
+ - CVE-2024-53858
+ghsas:
+ - GHSA-jwcm-9g39-pmcw
+references:
+ - advisory: https://github.com/cli/cli/security/advisories/GHSA-jwcm-9g39-pmcw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-53858
+ - web: https://git-scm.com/docs/gitcredentials
+source:
+ id: GHSA-jwcm-9g39-pmcw
+ created: 2024-12-02T14:56:29.536126-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3299.yaml b/data/reports/GO-2024-3299.yaml
new file mode 100644
index 00000000..35f1be93
--- /dev/null
+++ b/data/reports/GO-2024-3299.yaml
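Review bot: GHSA-q9rr-h3hx-m87g is recorded in GO-2024-3294.yaml only as a `web` reference, so it never reaches the report's aliases and the generated OSV record for this ID lists the CVE alone. If that advisory covers the same issue, which its location under the bunkerweb repository's own advisories suggests, it belongs under `ghsas:` with `  - GHSA-q9rr-h3hx-m87g` and the reference retyped to `- advisory: https://github.com/bunkerity/bunkerweb/security/advisories/GHSA-q9rr-h3hx-m87g`, matching how GO-2024-3296 and GO-2024-3299 record theirs. GO-2024-3303.yaml has the same gap for GHSA-h36c-m3rf-34h9. This may be deliberate while the entries are `review_status: UNREVIEWED`, but the alias is what downstream tooling uses to de-duplicate against the GitHub advisory database, so it is worth settling at triage.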
@@ -0,0 +1,27 @@
+id: GO-2024-3299
+modules:
+ - module: github.com/traefik/traefik
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.11.14
+ vulnerable_at: 2.11.13
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - fixed: 3.2.1
+ vulnerable_at: 3.2.0
+summary: Traefik's X-Forwarded-Prefix Header still allows for Open Redirect in github.com/traefik/traefik
+cves:
+ - CVE-2024-52003
+ghsas:
+ - GHSA-h924-8g65-j9wg
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52003
+ - fix: https://github.com/traefik/traefik/pull/11253
+ - web: https://github.com/traefik/traefik/releases/tag/v2.11.14
+ - web: https://github.com/traefik/traefik/releases/tag/v3.2.1
+source:
+ id: GHSA-h924-8g65-j9wg
+ created: 2024-12-02T14:56:24.090371-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3300.yaml b/data/reports/GO-2024-3300.yaml
new file mode 100644
index 00000000..2e43eab6
--- /dev/null
+++ b/data/reports/GO-2024-3300.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-3300
+modules:
+ - module: github.com/drakkan/sftpgo
+ vulnerable_at: 1.2.2
+ - module: github.com/drakkan/sftpgo/v2
+ versions:
+ - introduced: 2.3.0
+ - fixed: 2.6.4
+ vulnerable_at: 2.6.3
+summary: sftpgo vulnerable to brute force takeover of OpenID Connect session cookies in github.com/drakkan/sftpgo
+cves:
+ - CVE-2024-52801
+ghsas:
+ - GHSA-6943-qr24-82vx
+references:
+ - advisory: https://github.com/drakkan/sftpgo/security/advisories/GHSA-6943-qr24-82vx
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52801
+ - fix: https://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6
+ - web: https://github.com/rs/xid
+source:
+ id: GHSA-6943-qr24-82vx
+ created: 2024-12-02T14:56:19.561793-05:00
+review_status: UNREVIEWED
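Review bot: In GO-2024-3300.yaml the `github.com/drakkan/sftpgo` entry has `vulnerable_at: 1.2.2` and no `versions`, which marks every v1 release as affected, while the v2 entry bounds the same issue to `introduced: 2.3.0`. If that lower bound reflects when the OpenID Connect session handling named in the summary was added, the pre-2.3.0 code base, and with it the whole v1 module path, presumably does not contain the affected code, and the unbounded v1 entry becomes a false positive for anyone scanning an old dependency. Confirm whether OIDC support existed before 2.3.0 and either drop the v1 module entry or record why it is affected. GO-2024-3303.yaml shows the same shape: the v1 and v2 argo-workflows entries are affected from 0 while the v3 ranges start at `introduced: 3.5.7`.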
diff --git a/data/reports/GO-2024-3303.yaml b/data/reports/GO-2024-3303.yaml
new file mode 100644
index 00000000..d1b5bdef
--- /dev/null
+++ b/data/reports/GO-2024-3303.yaml
@@ -0,0 +1,26 @@
+id: GO-2024-3303
+modules:
+ - module: github.com/argoproj/argo-workflows
+ vulnerable_at: 0.4.7
+ - module: github.com/argoproj/argo-workflows/v2
+ vulnerable_at: 2.12.13
+ - module: github.com/argoproj/argo-workflows/v3
+ versions:
+ - introduced: 3.5.7
+ - fixed: 3.5.13
+ - introduced: 3.6.0-rc1
+ - fixed: 3.6.2
+ vulnerable_at: 3.6.1
+summary: |-
+ Argo Workflows Allows Access to Archived Workflows with Fake Token in `client`
+ mode in github.com/argoproj/argo-workflows
+cves:
+ - CVE-2024-53862
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-53862
+ - fix: https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715
+ - web: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9
+source:
+ id: CVE-2024-53862
+ created: 2024-12-02T14:56:09.920859-05:00
+review_status: UNREVIEWED
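Review bot: The `fix` reference in GO-2024-3303.yaml carries a GitHub diff fragment (`#diff-a5b2…L668-R715`) whose line anchors tend to stop resolving once the pull request is updated or re-rendered, so the link can silently point at the wrong lines for later readers. The bare pull-request URL, `- fix: https://github.com/argoproj/argo-workflows/pull/13021`, is the durable form and is the style the other `fix` references on this page use. If the exact hunk matters for the reviewer who triages this entry, it is better kept as a note on the report than encoded in the URL.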