Skip to content

Commit

Permalink
data/reports: add 4 reports
Browse files Browse the repository at this point in the history 
  - data/reports/GO-2024-3016.yaml
  - data/reports/GO-2024-3058.yaml
  - data/reports/GO-2024-3068.yaml
  - data/reports/GO-2024-3073.yaml

Fixes #3016
Fixes #3058
Fixes #3068
Fixes #3073

Change-Id: I9ba34b3e2fc2a8610552f25eb53248715625d3b8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606775
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
  • Loading branch information
@tatianab @gopherbot
tatianab authored and gopherbot committed Aug 19, 2024
1 parent 52066e8 commit 42832d4
Show file tree
Hide file tree
Showing 8 changed files with 532 additions and 0 deletions.
127 changes: 127 additions & 0 deletions data/osv/GO-2024-3016.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3016",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-40464",
"GHSA-r6qh-j42j-pw64"
],
"summary": "Beego privilege escalation vulnerability via sendMail in github.com/beego/beego/v2",
"details": "Beego privilege escalation vulnerability via sendMail in github.com/beego/beego/v2",
"affected": [
{
"package": {
"name": "github.com/beego/beego/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego/v2/core/logs",
"symbols": [
"AccessLog",
"Alert",
"Async",
"BeeLogger.Alert",
"BeeLogger.Async",
"BeeLogger.Close",
"BeeLogger.Critical",
"BeeLogger.Debug",
"BeeLogger.DelLogger",
"BeeLogger.Emergency",
"BeeLogger.Error",
"BeeLogger.Flush",
"BeeLogger.Info",
"BeeLogger.Informational",
"BeeLogger.Notice",
"BeeLogger.Reset",
"BeeLogger.SetLogger",
"BeeLogger.Trace",
"BeeLogger.Warn",
"BeeLogger.Warning",
"BeeLogger.Write",
"ColorByMethod",
"ColorByStatus",
"Critical",
"Debug",
"Emergency",
"Error",
"GetLogger",
"Info",
"Informational",
"JLWriter.Format",
"JLWriter.Init",
"JLWriter.WriteMsg",
"LogMsg.OldStyleFormat",
"NewLogger",
"Notice",
"PatternLogFormatter.Format",
"PatternLogFormatter.ToString",
"Reset",
"SLACKWriter.Format",
"SLACKWriter.Init",
"SLACKWriter.WriteMsg",
"SMTPWriter.Format",
"SMTPWriter.Init",
"SMTPWriter.WriteMsg",
"SMTPWriter.sendMail",
"SetLogger",
"Trace",
"Warn",
"Warning",
"connWriter.Format",
"connWriter.Init",
"connWriter.WriteMsg",
"consoleWriter.Format",
"consoleWriter.Init",
"consoleWriter.WriteMsg",
"fileLogWriter.Format",
"fileLogWriter.Init",
"fileLogWriter.WriteMsg",
"multiFileLogWriter.Format",
"multiFileLogWriter.Init",
"multiFileLogWriter.WriteMsg",
"newSMTPWriter"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-r6qh-j42j-pw64"
},
{
"type": "WEB",
"url": "https://gist.github.com/nyxfqq/b53b0148b9aa040de63f58a68fd11445"
},
{
"type": "FIX",
"url": "https://github.com/beego/beego/commit/8f89e12e6cafb106d5c201dbc3b2a338bfde74e2"
},
{
"type": "WEB",
"url": "https://github.com/beego/beego/security/advisories/GHSA-6g9p-wv47-4fxq"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3016",
"review_status": "REVIEWED"
}
}
65 changes: 65 additions & 0 deletions data/osv/GO-2024-3058.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3058",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-41270",
"GHSA-p3pf-mff8-3h47"
],
"summary": "Gorush uses deprecated TLS versions in github.com/appleboy/gorush",
"details": "An issue in the RunHTTPServer function in Gorush allows attackers to intercept and manipulate data due to the use of a deprecated TLS version.",
"affected": [
{
"package": {
"name": "github.com/appleboy/gorush",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.5"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/appleboy/gorush/router",
"symbols": [
"RunHTTPServer"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-p3pf-mff8-3h47"
},
{
"type": "FIX",
"url": "https://github.com/appleboy/gorush/commit/067cb597e485e40b790a267187bf7f00730b1c4b"
},
{
"type": "REPORT",
"url": "https://github.com/appleboy/gorush/issues/792"
},
{
"type": "WEB",
"url": "https://gist.github.com/nyxfqq/cfae38fada582a0f576d154be1aeb1fc"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3058",
"review_status": "REVIEWED"
}
}
94 changes: 94 additions & 0 deletions data/osv/GO-2024-3068.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3068",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"GHSA-83qr-9v2h-qxp4"
],
"summary": "Missing check for the height of cryptographic equivocation evidence in github.com/cosmos/gaia",
"details": "Missing check for the height of cryptographic equivocation evidence in github.com/cosmos/gaia",
"affected": [
{
"package": {
"name": "github.com/cosmos/gaia/v14",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "14.2.0"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/cosmos/gaia/v15",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/cosmos/gaia/v16",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/cosmos/gaia/v17",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "17.3.0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-83qr-9v2h-qxp4"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3068",
"review_status": "UNREVIEWED"
}
}
78 changes: 78 additions & 0 deletions data/osv/GO-2024-3073.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3073",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-7625",
"GHSA-25qx-vfw2-fw8r"
],
"summary": "Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking in github.com/hashicorp/nomad",
"details": "Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking in github.com/hashicorp/nomad.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/hashicorp/nomad from v0.6.1 before v1.6.14, from v1.7.0 before v1.7.11, from v1.8.0 before v1.8.3.",
"affected": [
{
"package": {
"name": "github.com/hashicorp/nomad",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.6.1"
},
{
"fixed": "1.8.3"
}
]
}
],
"ecosystem_specific": {
"custom_ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0.6.1"
},
{
"fixed": "1.6.14"
},
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.11"
},
{
"introduced": "1.8.0"
},
{
"fixed": "1.8.3"
}
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-25qx-vfw2-fw8r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7625"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2024-17-nomad-vulnerable-to-allocation-directory-escape-on-non-existing-file-paths-through-archive-unpacking/69293"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3073",
"review_status": "UNREVIEWED"
}
}
Loading

0 comments on commit 42832d4

Please sign in to comment.