From 1b6c74b893638bc7dc279d789098e3c202356b17 Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley Date: Thu, 27 Jun 2024 15:57:03 -0400 Subject: [PATCH] data/reports: add 15 unreviewed reports - data/reports/GO-2024-2898.yaml - data/reports/GO-2024-2905.yaml - data/reports/GO-2024-2924.yaml - data/reports/GO-2024-2926.yaml - data/reports/GO-2024-2927.yaml - data/reports/GO-2024-2928.yaml - data/reports/GO-2024-2929.yaml - data/reports/GO-2024-2931.yaml - data/reports/GO-2024-2932.yaml - data/reports/GO-2024-2933.yaml - data/reports/GO-2024-2934.yaml - data/reports/GO-2024-2938.yaml - data/reports/GO-2024-2939.yaml - data/reports/GO-2024-2940.yaml - data/reports/GO-2024-2941.yaml Fixes golang/vulndb#2898 Fixes golang/vulndb#2905 Fixes golang/vulndb#2924 Fixes golang/vulndb#2926 Fixes golang/vulndb#2927 Fixes golang/vulndb#2928 Fixes golang/vulndb#2929 Fixes golang/vulndb#2931 Fixes golang/vulndb#2932 Fixes golang/vulndb#2933 Fixes golang/vulndb#2934 Fixes golang/vulndb#2938 Fixes golang/vulndb#2939 Fixes golang/vulndb#2940 Fixes golang/vulndb#2941 Change-Id: I235c85ba4f067ada8ca1ff0dc33bb4fb14f13f80 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595636 LUCI-TryBot-Result: Go LUCI Reviewed-by: Damien Neil --- data/osv/GO-2024-2898.json | 81 ++++++++ data/osv/GO-2024-2905.json | 56 ++++++ data/osv/GO-2024-2924.json | 49 +++++ data/osv/GO-2024-2926.json | 340 +++++++++++++++++++++++++++++++++ data/osv/GO-2024-2927.json | 340 +++++++++++++++++++++++++++++++++ data/osv/GO-2024-2928.json | 51 +++++ data/osv/GO-2024-2929.json | 41 ++++ data/osv/GO-2024-2931.json | 41 ++++ data/osv/GO-2024-2932.json | 41 ++++ data/osv/GO-2024-2933.json | 48 +++++ data/osv/GO-2024-2934.json | 64 +++++++ data/osv/GO-2024-2938.json | 53 +++++ data/osv/GO-2024-2939.json | 52 +++++ data/osv/GO-2024-2940.json | 77 ++++++++ data/osv/GO-2024-2941.json | 92 +++++++++ data/reports/GO-2024-2898.yaml | 29 +++ data/reports/GO-2024-2905.yaml | 17 ++ data/reports/GO-2024-2924.yaml | 21 ++ data/reports/GO-2024-2926.yaml | 52 +++++ data/reports/GO-2024-2927.yaml | 52 
+++++ data/reports/GO-2024-2928.yaml | 17 ++ data/reports/GO-2024-2929.yaml | 20 ++ data/reports/GO-2024-2931.yaml | 22 +++ data/reports/GO-2024-2932.yaml | 20 ++ data/reports/GO-2024-2933.yaml | 17 ++ data/reports/GO-2024-2934.yaml | 22 +++ data/reports/GO-2024-2938.yaml | 20 ++ data/reports/GO-2024-2939.yaml | 21 ++ data/reports/GO-2024-2940.yaml | 24 +++ data/reports/GO-2024-2941.yaml | 27 +++ 30 files changed, 1807 insertions(+) create mode 100644 data/osv/GO-2024-2898.json create mode 100644 data/osv/GO-2024-2905.json create mode 100644 data/osv/GO-2024-2924.json create mode 100644 data/osv/GO-2024-2926.json create mode 100644 data/osv/GO-2024-2927.json create mode 100644 data/osv/GO-2024-2928.json create mode 100644 data/osv/GO-2024-2929.json create mode 100644 data/osv/GO-2024-2931.json create mode 100644 data/osv/GO-2024-2932.json create mode 100644 data/osv/GO-2024-2933.json create mode 100644 data/osv/GO-2024-2934.json create mode 100644 data/osv/GO-2024-2938.json create mode 100644 data/osv/GO-2024-2939.json create mode 100644 data/osv/GO-2024-2940.json create mode 100644 data/osv/GO-2024-2941.json create mode 100644 data/reports/GO-2024-2898.yaml create mode 100644 data/reports/GO-2024-2905.yaml create mode 100644 data/reports/GO-2024-2924.yaml create mode 100644 data/reports/GO-2024-2926.yaml create mode 100644 data/reports/GO-2024-2927.yaml create mode 100644 data/reports/GO-2024-2928.yaml create mode 100644 data/reports/GO-2024-2929.yaml create mode 100644 data/reports/GO-2024-2931.yaml create mode 100644 data/reports/GO-2024-2932.yaml create mode 100644 data/reports/GO-2024-2933.yaml create mode 100644 data/reports/GO-2024-2934.yaml create mode 100644 data/reports/GO-2024-2938.yaml create mode 100644 data/reports/GO-2024-2939.yaml create mode 100644 data/reports/GO-2024-2940.yaml create mode 100644 data/reports/GO-2024-2941.yaml diff --git a/data/osv/GO-2024-2898.json b/data/osv/GO-2024-2898.json new file mode 100644 index 00000000..966d641e 
--- /dev/null +++ b/data/osv/GO-2024-2898.json @@ -0,0 +1,81 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2898", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-36106", + "GHSA-3cqf-953p-h5cp" + ], + "summary": "Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd", + "details": "Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-cd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.11.0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-cd/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.9.17" + }, + { + "introduced": "2.10.0" + }, + { + "fixed": "2.10.12" + }, + { + "introduced": "2.11.0" + }, + { + "fixed": "2.11.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3cqf-953p-h5cp" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36106" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/c2647055c261a550e5da075793260f6524e65ad9" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2898", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2905.json b/data/osv/GO-2024-2905.json new file mode 100644 index 00000000..484814a5 --- /dev/null +++ b/data/osv/GO-2024-2905.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2905", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-5037" + ], + "summary": "Openshift/telemeter: iss check during jwt authentication can be bypassed in github.com/openshift/telemeter", + "details": "Openshift/telemeter: iss check during jwt authentication can be bypassed in github.com/openshift/telemeter", + "affected": [ + { + "package": { + "name": "github.com/openshift/telemeter", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5037" + }, + { + "type": "FIX", + "url": "https://github.com/kubernetes/kubernetes/pull/123540" + }, + { + "type": "REPORT", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272339" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-5037" + }, + { + "type": "WEB", + "url": "https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2905", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2924.json b/data/osv/GO-2024-2924.json new file mode 100644 index 00000000..24c45963 --- /dev/null +++ b/data/osv/GO-2024-2924.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2924", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-36586", + "GHSA-7jp9-vgmq-c8r5" + ], + "summary": "AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome", + "details": "AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome", + "affected": [ + { + "package": { + "name": "github.com/AdguardTeam/AdGuardHome", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-7jp9-vgmq-c8r5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36586" + }, + { + "type": "WEB", + "url": "https://github.com/go-compile/security-advisories/blob/master/vulns/CVE-2024-36586.md" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2924", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2926.json b/data/osv/GO-2024-2926.json new file mode 100644 index 00000000..f06d4d66 --- /dev/null +++ b/data/osv/GO-2024-2926.json 
@@ -0,0 +1,340 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2926", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-37158" + ], + "summary": "Evmos is missing precompile checks in github.com/evmos/evmos", + "details": "Evmos is missing precompile checks in github.com/evmos/evmos", + "affected": [ + { + "package": { + "name": "github.com/evmos/evmos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v7", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + 
"ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v9", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v10", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v11", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v12", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v13", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v14", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v15", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v16", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v17", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v18", + "ecosystem": "Go" + }, + 
"ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "18.0.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37158" + }, + { + "type": "FIX", + "url": "https://github.com/evmos/evmos/commit/b2a09ca66613d8b04decd3f2dcba8e1e77709dcb" + }, + { + "type": "WEB", + "url": "https://github.com/evmos/evmos/security/advisories/GHSA-pxv8-qhrh-jc7v" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2926", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2927.json b/data/osv/GO-2024-2927.json new file mode 100644 index 00000000..5e33933d --- /dev/null +++ b/data/osv/GO-2024-2927.json 
@@ -0,0 +1,340 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2927", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-37159" + ], + "summary": "Evmos is missing create validator check in github.com/evmos/evmos", + "details": "Evmos is missing create validator check in github.com/evmos/evmos", + "affected": [ + { + "package": { + "name": "github.com/evmos/evmos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v7", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], 
+ "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v9", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v10", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v11", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v12", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v13", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v14", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v15", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v16", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v17", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v18", + "ecosystem": "Go" + }, + 
"ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "18.0.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37159" + }, + { + "type": "FIX", + "url": "https://github.com/evmos/evmos/commit/b2a09ca66613d8b04decd3f2dcba8e1e77709dcb" + }, + { + "type": "WEB", + "url": "https://github.com/evmos/evmos/security/advisories/GHSA-pxv8-qhrh-jc7v" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2927", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2928.json b/data/osv/GO-2024-2928.json new file mode 100644 index 00000000..fc6b660c --- /dev/null +++ b/data/osv/GO-2024-2928.json @@ -0,0 +1,51 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2928", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-37896" + ], + "summary": "SQL injection vulnerability in Gin-vue-admin in github.com/flipped-aurora/gin-vue-admin", + "details": "SQL injection vulnerability in Gin-vue-admin in github.com/flipped-aurora/gin-vue-admin", + "affected": [ + { + "package": { + "name": "github.com/flipped-aurora/gin-vue-admin", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.6.6+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37896" + }, + { + "type": "FIX", + "url": "https://github.com/flipped-aurora/gin-vue-admin/commit/53d03382188868464ade489ab0713b54392d227f" + }, + { + "type": "WEB", + "url": "https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-gf3r-h744-mqgp" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2928", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-2929.json b/data/osv/GO-2024-2929.json new file mode 100644 index 00000000..c7d45f33 --- /dev/null +++ b/data/osv/GO-2024-2929.json @@ -0,0 +1,41 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2929", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-32196", + "GHSA-64jq-m7rq-768h" + ], + "summary": "Rancher's External RoleTemplates can lead to privilege escalation in github.com/rancher/rancher", + "details": "Rancher's External RoleTemplates can lead to privilege escalation in github.com/rancher/rancher", + "affected": [ + { + "package": { + "name": "github.com/rancher/rancher", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/rancher/rancher/security/advisories/GHSA-64jq-m7rq-768h" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2929", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2931.json b/data/osv/GO-2024-2931.json new file mode 100644 index 00000000..efae6a0c --- /dev/null +++ b/data/osv/GO-2024-2931.json 
@@ -0,0 +1,41 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2931", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-22650", + "GHSA-9ghh-mmcq-8phc" + ], + "summary": "Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher", + "details": "Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher", + "affected": [ + { + "package": { + "name": "github.com/rancher/rancher", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/rancher/rancher/security/advisories/GHSA-9ghh-mmcq-8phc" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2931", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2932.json b/data/osv/GO-2024-2932.json new file mode 100644 index 00000000..ce5cbfea --- /dev/null +++ b/data/osv/GO-2024-2932.json 
@@ -0,0 +1,41 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2932", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-22032", + "GHSA-q6c7-56cq-g2wm" + ], + "summary": "Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher", + "details": "Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher", + "affected": [ + { + "package": { + "name": "github.com/rancher/rancher", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/rancher/rancher/security/advisories/GHSA-q6c7-56cq-g2wm" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2932", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2933.json b/data/osv/GO-2024-2933.json new file mode 100644 index 00000000..d14da387 --- /dev/null +++ b/data/osv/GO-2024-2933.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2933", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-5899" + ], + "summary": "Improper trust check in Bazel Build intellij plugin in github.com/bazelbuild/intellij", + "details": "Improper trust check in Bazel Build intellij plugin in github.com/bazelbuild/intellij", + "affected": [ + { + "package": { + "name": "github.com/bazelbuild/intellij", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5899" + }, + { + "type": "WEB", + "url": "https://github.com/bazelbuild/intellij/releases/tag/v2024.06.04-aswb-stable" + }, + { + "type": "WEB", + "url": "https://github.com/bazelbuild/intellij/security/advisories/GHSA-hh9f-wmhw-46vg" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2933", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2934.json b/data/osv/GO-2024-2934.json new file mode 100644 index 00000000..e99b2ddf --- /dev/null +++ b/data/osv/GO-2024-2934.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2934", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-37904", + "GHSA-hpcg-xjq5-g666" + ], + "summary": "Minder affected by denial of service from maliciously configured Git repository in github.com/stacklok/minder", + "details": "Minder affected by denial of service from maliciously configured Git repository in github.com/stacklok/minder", + "affected": [ + { + "package": { + "name": "github.com/stacklok/minder", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.52" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/stacklok/minder/security/advisories/GHSA-hpcg-xjq5-g666" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37904" + }, + { + "type": "FIX", + "url": "https://github.com/stacklok/minder/commit/35bab8f9a6025eea9e6e3cef6bd80707ac03d2a9" + }, + { + "type": "FIX", + "url": "https://github.com/stacklok/minder/commit/7979b43" + }, + { + "type": "WEB", + "url": "https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L55-L89" + }, + { + "type": "WEB", + "url": "https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L56-L62" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2934", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2938.json b/data/osv/GO-2024-2938.json new file mode 100644 index 00000000..d55ca648 --- /dev/null +++ b/data/osv/GO-2024-2938.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2938", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-5182", + "GHSA-cpcx-r2gq-x893" + ], + "summary": "LocalAI path traversal vulnerability in github.com/go-skynet/LocalAI", + "details": "LocalAI path traversal vulnerability in github.com/go-skynet/LocalAI", + "affected": [ + { + "package": { + "name": "github.com/go-skynet/LocalAI", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-cpcx-r2gq-x893" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5182" + }, + { + "type": "WEB", + "url": "https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e" + }, + { + "type": "WEB", + "url": "https://huntr.com/bounties/f7a87f29-c22a-48e8-9fce-b6d5a273e545" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2938", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2939.json b/data/osv/GO-2024-2939.json new file mode 100644 index 00000000..2bbb04d8 --- /dev/null +++ b/data/osv/GO-2024-2939.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2939", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-38361", + "GHSA-grjv-gjgr-66g2" + ], + "summary": "SpiceDB exclusions can result in no permission returned when permission expected in github.com/authzed/spicedb", + "details": "SpiceDB exclusions can result in no permission returned when permission expected in github.com/authzed/spicedb", + "affected": [ + { + "package": { + "name": "github.com/authzed/spicedb", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.33.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38361" + }, + { + "type": "FIX", + "url": "https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2939", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2940.json b/data/osv/GO-2024-2940.json new file mode 100644 index 00000000..e01ee03d --- /dev/null +++ b/data/osv/GO-2024-2940.json 
@@ -0,0 +1,77 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2940", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-37897", + "GHSA-hw5f-6wvv-xcrh" + ], + "summary": "SFTPGo has insufficient access control for password reset in github.com/drakkan/sftpgo", + "details": "SFTPGo has insufficient access control for password reset in github.com/drakkan/sftpgo", + "affected": [ + { + "package": { + "name": "github.com/drakkan/sftpgo", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/drakkan/sftpgo/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.2.0" + }, + { + "fixed": "2.6.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37897" + }, + { + "type": "FIX", + "url": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423" + }, + { + "type": "FIX", + "url": "https://github.com/drakkan/sftpgo/commit/3462bba3f41cbc75486474991b9e3ac1b5f1e583" + }, + { + "type": "WEB", + "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.6.1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2940", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2941.json b/data/osv/GO-2024-2941.json new file mode 100644 index 00000000..a130bf58 --- /dev/null +++ b/data/osv/GO-2024-2941.json 
@@ -0,0 +1,92 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2941", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-rvj4-q8q5-8grf" + ], + "summary": "ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/traefik/traefik", + "details": "ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/traefik/traefik", + "affected": [ + { + "package": { + "name": "github.com/traefik/traefik", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.11.5" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/traefik/traefik/security/advisories/GHSA-rvj4-q8q5-8grf" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v2.11.5" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v3.0.3" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2941", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2024-2898.yaml b/data/reports/GO-2024-2898.yaml new file mode 100644 index 00000000..c53d32ca --- /dev/null +++ b/data/reports/GO-2024-2898.yaml 
@@ -0,0 +1,29 @@
+id: GO-2024-2898
+modules:
+ - module: github.com/argoproj/argo-cd
+ versions:
+ - introduced: 0.11.0
+ vulnerable_at: 1.8.6
+ - module: github.com/argoproj/argo-cd/v2
+ versions:
+ - fixed: 2.9.17
+ - introduced: 2.10.0
+ - fixed: 2.10.12
+ - introduced: 2.11.0
+ - fixed: 2.11.3
+ vulnerable_at: 2.11.2
+summary: Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd
+cves:
+ - CVE-2024-36106
+ghsas:
+ - GHSA-3cqf-953p-h5cp
+unknown_aliases:
+ - BIT-argo-cd-2024-36106
+references:
+ - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-3cqf-953p-h5cp
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36106
+ - fix: https://github.com/argoproj/argo-cd/commit/c2647055c261a550e5da075793260f6524e65ad9
+source:
+ id: GHSA-3cqf-953p-h5cp
+ created: 2024-06-27T15:55:03.407268-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2905.yaml b/data/reports/GO-2024-2905.yaml
new file mode 100644
index 00000000..fbd2d89e
--- /dev/null
+++ b/data/reports/GO-2024-2905.yaml
@@ -0,0 +1,17 @@
+id: GO-2024-2905
+modules:
+ - module: github.com/openshift/telemeter
+ vulnerable_at: 3.11.0+incompatible
+summary: 'Openshift/telemeter: iss check during jwt authentication can be bypassed in github.com/openshift/telemeter'
+cves:
+ - CVE-2024-5037
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-5037
+ - fix: https://github.com/kubernetes/kubernetes/pull/123540
+ - report: https://bugzilla.redhat.com/show_bug.cgi?id=2272339
+ - web: https://access.redhat.com/security/cve/CVE-2024-5037
+ - web: https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78
+source:
+ id: CVE-2024-5037
+ created: 2024-06-27T15:54:56.792975-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2924.yaml b/data/reports/GO-2024-2924.yaml
new file mode 100644
index 00000000..2e80c694
--- /dev/null
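Review bot: The `fix:` reference in GO-2024-2905, `https://github.com/kubernetes/kubernetes/pull/123540`, points at a pull request in a different repository than the affected module `github.com/openshift/telemeter`, so it does not identify where telemeter's JWT `iss` check was corrected. The only telemeter-specific pointer is the `web:` link to `client_authorizer.go#L78`, and the module has no `versions:` entry, so every version is treated as affected and no `fixed:` version is recorded. Unless the kubernetes PR is confirmed to be the change telemeter picked up, I would re-tag it as `web:` and add a `notes:` line such as `- fix: 'no telemeter fix commit identified; kubernetes PR 123540 may be the upstream change'` so the next reviewer sees the gap rather than a fix that does not apply to this module.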
+++ b/data/reports/GO-2024-2924.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2924
+modules:
+ - module: github.com/AdguardTeam/AdGuardHome
+ non_go_versions:
+ - introduced: 0.93.0
+ unsupported_versions:
+ - last_affected: 0.107.51
+ vulnerable_at: 0.107.51
+summary: AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome
+cves:
+ - CVE-2024-36586
+ghsas:
+ - GHSA-7jp9-vgmq-c8r5
+references:
+ - advisory: https://github.com/advisories/GHSA-7jp9-vgmq-c8r5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36586
+ - web: https://github.com/go-compile/security-advisories/blob/master/vulns/CVE-2024-36586.md
+source:
+ id: GHSA-7jp9-vgmq-c8r5
+ created: 2024-06-27T15:54:33.634108-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2926.yaml b/data/reports/GO-2024-2926.yaml
new file mode 100644
index 00000000..0c21e197
--- /dev/null
+++ b/data/reports/GO-2024-2926.yaml
@@ -0,0 +1,52 @@
+id: GO-2024-2926
+modules:
+ - module: github.com/evmos/evmos
+ vulnerable_at: 1.1.3
+ - module: github.com/evmos/evmos/v2
+ vulnerable_at: 2.0.2
+ - module: github.com/evmos/evmos/v3
+ vulnerable_at: 3.0.3
+ - module: github.com/evmos/evmos/v4
+ vulnerable_at: 4.0.2
+ - module: github.com/evmos/evmos/v5
+ vulnerable_at: 5.0.1
+ - module: github.com/evmos/evmos/v6
+ vulnerable_at: 6.0.4
+ - module: github.com/evmos/evmos/v7
+ vulnerable_at: 7.0.0
+ - module: github.com/evmos/evmos/v8
+ vulnerable_at: 8.2.3
+ - module: github.com/evmos/evmos/v9
+ vulnerable_at: 9.1.0
+ - module: github.com/evmos/evmos/v10
+ vulnerable_at: 10.0.1
+ - module: github.com/evmos/evmos/v11
+ vulnerable_at: 11.0.2
+ - module: github.com/evmos/evmos/v12
+ vulnerable_at: 12.1.6
+ - module: github.com/evmos/evmos/v13
+ vulnerable_at: 13.0.2
+ - module: github.com/evmos/evmos/v14
+ vulnerable_at: 14.1.0
+ - module: github.com/evmos/evmos/v15
+ vulnerable_at: 15.0.0
+ - module: github.com/evmos/evmos/v16
+ vulnerable_at: 16.0.4
+ - module: github.com/evmos/evmos/v17
+ vulnerable_at: 17.0.1
+ - module: github.com/evmos/evmos/v18
+ versions:
+ - fixed: 18.0.0
+summary: Evmos is missing precompile checks in github.com/evmos/evmos
+cves:
+ - CVE-2024-37158
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37158
+ - fix: https://github.com/evmos/evmos/commit/b2a09ca66613d8b04decd3f2dcba8e1e77709dcb
+ - web: https://github.com/evmos/evmos/security/advisories/GHSA-pxv8-qhrh-jc7v
+notes:
+ - fix: 'github.com/evmos/evmos/v18: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: CVE-2024-37158
+ created: 2024-06-27T15:54:31.357366-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2927.yaml b/data/reports/GO-2024-2927.yaml
new file mode 100644
index 00000000..6d585c6e
--- /dev/null
+++ b/data/reports/GO-2024-2927.yaml
@@ -0,0 +1,52 @@
+id: GO-2024-2927
+modules:
+ - module: github.com/evmos/evmos
+ vulnerable_at: 1.1.3
+ - module: github.com/evmos/evmos/v2
+ vulnerable_at: 2.0.2
+ - module: github.com/evmos/evmos/v3
+ vulnerable_at: 3.0.3
+ - module: github.com/evmos/evmos/v4
+ vulnerable_at: 4.0.2
+ - module: github.com/evmos/evmos/v5
+ vulnerable_at: 5.0.1
+ - module: github.com/evmos/evmos/v6
+ vulnerable_at: 6.0.4
+ - module: github.com/evmos/evmos/v7
+ vulnerable_at: 7.0.0
+ - module: github.com/evmos/evmos/v8
+ vulnerable_at: 8.2.3
+ - module: github.com/evmos/evmos/v9
+ vulnerable_at: 9.1.0
+ - module: github.com/evmos/evmos/v10
+ vulnerable_at: 10.0.1
+ - module: github.com/evmos/evmos/v11
+ vulnerable_at: 11.0.2
+ - module: github.com/evmos/evmos/v12
+ vulnerable_at: 12.1.6
+ - module: github.com/evmos/evmos/v13
+ vulnerable_at: 13.0.2
+ - module: github.com/evmos/evmos/v14
+ vulnerable_at: 14.1.0
+ - module: github.com/evmos/evmos/v15
+ vulnerable_at: 15.0.0
+ - module: github.com/evmos/evmos/v16
+ vulnerable_at: 16.0.4
+ - module: github.com/evmos/evmos/v17
+ vulnerable_at: 17.0.1
+ - module: github.com/evmos/evmos/v18
+ versions:
+ - fixed: 18.0.0
+summary: Evmos is missing create validator check in github.com/evmos/evmos
+cves:
+ - CVE-2024-37159
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37159
+ - fix: https://github.com/evmos/evmos/commit/b2a09ca66613d8b04decd3f2dcba8e1e77709dcb
+ - web: https://github.com/evmos/evmos/security/advisories/GHSA-pxv8-qhrh-jc7v
+notes:
+ - fix: 'github.com/evmos/evmos/v18: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: CVE-2024-37159
+ created: 2024-06-27T15:54:26.419866-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2928.yaml b/data/reports/GO-2024-2928.yaml
new file mode 100644
index 00000000..44866389
--- /dev/null
+++ b/data/reports/GO-2024-2928.yaml
@@ -0,0 +1,17 @@
+id: GO-2024-2928
+modules:
+ - module: github.com/flipped-aurora/gin-vue-admin
+ versions:
+ - fixed: 2.6.6+incompatible
+ vulnerable_at: 2.6.5+incompatible
+summary: SQL injection vulnerability in Gin-vue-admin in github.com/flipped-aurora/gin-vue-admin
+cves:
+ - CVE-2024-37896
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37896
+ - fix: https://github.com/flipped-aurora/gin-vue-admin/commit/53d03382188868464ade489ab0713b54392d227f
+ - web: https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-gf3r-h744-mqgp
+source:
+ id: CVE-2024-37896
+ created: 2024-06-27T15:54:20.259992-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2929.yaml b/data/reports/GO-2024-2929.yaml
new file mode 100644
index 00000000..75f76166
--- /dev/null
+++ b/data/reports/GO-2024-2929.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2929
+modules:
+ - module: github.com/rancher/rancher
+ non_go_versions:
+ - introduced: 2.7.0
+ - fixed: 2.7.14
+ - introduced: 2.8.0
+ - fixed: 2.8.5
+ vulnerable_at: 1.6.30
+summary: Rancher's External RoleTemplates can lead to privilege escalation in github.com/rancher/rancher
+cves:
+ - CVE-2023-32196
+ghsas:
+ - GHSA-64jq-m7rq-768h
+references:
+ - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-64jq-m7rq-768h
+source:
+ id: GHSA-64jq-m7rq-768h
+ created: 2024-06-27T15:54:17.748688-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2931.yaml b/data/reports/GO-2024-2931.yaml
new file mode 100644
index 00000000..5fac8a94
--- /dev/null
+++ b/data/reports/GO-2024-2931.yaml
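Review bot: In GO-2024-2929 `vulnerable_at: 1.6.30` lies outside both affected ranges recorded under `non_go_versions` (`2.7.0`–`2.7.14` and `2.8.0`–`2.8.5`), and because those ranges are not expressed as Go module versions the report has no `versions:` list, so every resolvable version of `github.com/rancher/rancher` is flagged as affected. The same combination is repeated in GO-2024-2931 and GO-2024-2932 below. A `notes:` entry stating that the 2.7.x/2.8.x advisory ranges cannot be mapped to Go versions and that `vulnerable_at` is merely the newest tag the tooling could resolve would make the discrepancy explicit for the reviewer who eventually triages it. The report also carries only the GHSA link; if the advisory names fix commits, they belong here as `fix:` references.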
@@ -0,0 +1,22 @@
+id: GO-2024-2931
+modules:
+ - module: github.com/rancher/rancher
+ non_go_versions:
+ - introduced: 2.7.0
+ - fixed: 2.7.14
+ - introduced: 2.8.0
+ - fixed: 2.8.5
+ vulnerable_at: 1.6.30
+summary: |-
+ Rancher does not automatically clean up a user deleted or disabled from the
+ configured Authentication Provider in github.com/rancher/rancher
+cves:
+ - CVE-2023-22650
+ghsas:
+ - GHSA-9ghh-mmcq-8phc
+references:
+ - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-9ghh-mmcq-8phc
+source:
+ id: GHSA-9ghh-mmcq-8phc
+ created: 2024-06-27T15:54:12.45213-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2932.yaml b/data/reports/GO-2024-2932.yaml
new file mode 100644
index 00000000..d53486cb
--- /dev/null
+++ b/data/reports/GO-2024-2932.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2932
+modules:
+ - module: github.com/rancher/rancher
+ non_go_versions:
+ - introduced: 2.7.0
+ - fixed: 2.7.14
+ - introduced: 2.8.0
+ - fixed: 2.8.5
+ vulnerable_at: 1.6.30
+summary: Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher
+cves:
+ - CVE-2024-22032
+ghsas:
+ - GHSA-q6c7-56cq-g2wm
+references:
+ - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-q6c7-56cq-g2wm
+source:
+ id: GHSA-q6c7-56cq-g2wm
+ created: 2024-06-27T15:54:05.57143-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2933.yaml b/data/reports/GO-2024-2933.yaml
new file mode 100644
index 00000000..57b4d43e
--- /dev/null
+++ b/data/reports/GO-2024-2933.yaml
@@ -0,0 +1,17 @@
+id: GO-2024-2933
+modules:
+ - module: github.com/bazelbuild/intellij
+ unsupported_versions:
+ - cve_version_range: 'affected from 0 before 2024.06.04.0.2 (default: unaffected)'
+ vulnerable_at: 2021.12.13+incompatible
+summary: Improper trust check in Bazel Build intellij plugin in github.com/bazelbuild/intellij
+cves:
+ - CVE-2024-5899
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-5899
+ - web: https://github.com/bazelbuild/intellij/releases/tag/v2024.06.04-aswb-stable
+ - web: https://github.com/bazelbuild/intellij/security/advisories/GHSA-hh9f-wmhw-46vg
+source:
+ id: CVE-2024-5899
+ created: 2024-06-27T15:54:02.860699-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2934.yaml b/data/reports/GO-2024-2934.yaml
new file mode 100644
index 00000000..062ca558
--- /dev/null
+++ b/data/reports/GO-2024-2934.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2934
+modules:
+ - module: github.com/stacklok/minder
+ versions:
+ - fixed: 0.0.52
+ vulnerable_at: 0.0.51
+summary: Minder affected by denial of service from maliciously configured Git repository in github.com/stacklok/minder
+cves:
+ - CVE-2024-37904
+ghsas:
+ - GHSA-hpcg-xjq5-g666
+references:
+ - advisory: https://github.com/stacklok/minder/security/advisories/GHSA-hpcg-xjq5-g666
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37904
+ - fix: https://github.com/stacklok/minder/commit/35bab8f9a6025eea9e6e3cef6bd80707ac03d2a9
+ - fix: https://github.com/stacklok/minder/commit/7979b43
+ - web: https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L55-L89
+ - web: https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L56-L62
+source:
+ id: GHSA-hpcg-xjq5-g666
+ created: 2024-06-27T15:53:59.10909-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2938.yaml b/data/reports/GO-2024-2938.yaml
new file mode 100644
index 00000000..29ef5b55
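Review bot: The second `fix:` reference in GO-2024-2934, `https://github.com/stacklok/minder/commit/7979b43`, uses a 7-character abbreviated commit hash, while every other fix reference in this batch carries the full 40-character SHA. An abbreviated hash is not a stable identifier — it can become ambiguous as the repository grows, and consumers that match fix commits against module history expect the full hash — so it should be expanded to the complete SHA before the report is published. The two `web:` links into `internal/providers/git/git.go` already pin a full commit, which is the right practice for the fix reference as well.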
--- /dev/null
+++ b/data/reports/GO-2024-2938.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2938
+modules:
+ - module: github.com/go-skynet/LocalAI
+ non_go_versions:
+ - fixed: 2.16.0
+ vulnerable_at: 1.40.0
+summary: LocalAI path traversal vulnerability in github.com/go-skynet/LocalAI
+cves:
+ - CVE-2024-5182
+ghsas:
+ - GHSA-cpcx-r2gq-x893
+references:
+ - advisory: https://github.com/advisories/GHSA-cpcx-r2gq-x893
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-5182
+ - web: https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e
+ - web: https://huntr.com/bounties/f7a87f29-c22a-48e8-9fce-b6d5a273e545
+source:
+ id: GHSA-cpcx-r2gq-x893
+ created: 2024-06-27T15:53:50.719644-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2939.yaml b/data/reports/GO-2024-2939.yaml
new file mode 100644
index 00000000..424db0d2
--- /dev/null
+++ b/data/reports/GO-2024-2939.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2939
+modules:
+ - module: github.com/authzed/spicedb
+ versions:
+ - fixed: 1.33.1
+ vulnerable_at: 1.33.0
+summary: SpiceDB exclusions can result in no permission returned when permission expected in github.com/authzed/spicedb
+cves:
+ - CVE-2024-38361
+ghsas:
+ - GHSA-grjv-gjgr-66g2
+unknown_aliases:
+ - CGA-pfrr-qxjv-xmf4
+references:
+ - advisory: https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-38361
+ - fix: https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb
+source:
+ id: GHSA-grjv-gjgr-66g2
+ created: 2024-06-27T15:53:47.71938-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2940.yaml b/data/reports/GO-2024-2940.yaml
new file mode 100644
index 00000000..3e264f08
--- /dev/null
+++ b/data/reports/GO-2024-2940.yaml
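Review bot: GO-2024-2938 lists the LocalAI commit `https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e` as a `web:` reference rather than `fix:`, and its repository path (`mudler/localai`) differs from the affected module path `github.com/go-skynet/LocalAI`, so nothing in the report ties the commit to the module. If this commit is the path-traversal fix, it should be re-tagged `- fix: https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e` with a `notes:` line explaining the module-path/repository mismatch. Note also that `fixed: 2.16.0` sits under `non_go_versions`, so the report has no Go-side `fixed:` version and `vulnerable_at: 1.40.0` is the only version it pins.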
@@ -0,0 +1,24 @@
+id: GO-2024-2940
+modules:
+ - module: github.com/drakkan/sftpgo
+ vulnerable_at: 1.2.2
+ - module: github.com/drakkan/sftpgo/v2
+ versions:
+ - introduced: 2.2.0
+ - fixed: 2.6.1
+ vulnerable_at: 2.6.0
+summary: SFTPGo has insufficient access control for password reset in github.com/drakkan/sftpgo
+cves:
+ - CVE-2024-37897
+ghsas:
+ - GHSA-hw5f-6wvv-xcrh
+references:
+ - advisory: https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37897
+ - fix: https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423
+ - fix: https://github.com/drakkan/sftpgo/commit/3462bba3f41cbc75486474991b9e3ac1b5f1e583
+ - web: https://github.com/drakkan/sftpgo/releases/tag/v2.6.1
+source:
+ id: GHSA-hw5f-6wvv-xcrh
+ created: 2024-06-27T15:53:42.415925-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2941.yaml b/data/reports/GO-2024-2941.yaml
new file mode 100644
index 00000000..ebbec44b
--- /dev/null
+++ b/data/reports/GO-2024-2941.yaml
@@ -0,0 +1,27 @@
+id: GO-2024-2941
+modules:
+ - module: github.com/traefik/traefik
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.11.5
+ vulnerable_at: 2.11.4
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - fixed: 3.0.3
+ vulnerable_at: 3.0.2
+summary: 'ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/traefik/traefik'
+ghsas:
+ - GHSA-rvj4-q8q5-8grf
+unknown_aliases:
+ - CGA-p2qq-w8qw-6vjp
+ - CGA-r7v2-xp2f-mjxf
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-rvj4-q8q5-8grf
+ - web: https://github.com/traefik/traefik/releases/tag/v2.11.5
+ - web: https://github.com/traefik/traefik/releases/tag/v3.0.3
+ - web: https://nvd.nist.gov/vuln/detail/CVE-2024-35255
+source:
+ id: GHSA-rvj4-q8q5-8grf
+ created: 2024-06-27T15:53:39.605336-04:00
+review_status: UNREVIEWED
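Review bot: In GO-2024-2941 the v1 module `github.com/traefik/traefik` has no `versions:` entry, so every v1 release up to `vulnerable_at: 1.7.34` is flagged with no fix, even though the summary attributes the issue to the Azure Identity Libraries and the report cites CVE-2024-35255 only as a `web:` reference. Nothing in the report establishes that the v1 module ever depended on the affected Azure identity library, so that open range should be confirmed before publication rather than inherited from the GHSA's module list. Because the vulnerable code lives in a dependency, a `notes:` line pointing at the Go report for the Azure identity library itself, if one exists, would make clear that `2.11.5` and `3.0.3` fix this by bumping that dependency.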