From 8c4ccf869d6e929ab8cc044bdf1b3c0b11d4b803 Mon Sep 17 00:00:00 2001 
From: Maceo Thompson Date: Wed, 9 Oct 2024 16:17:29 -0400 Subject: [PATCH] data/reports: add 15 reports - data/reports/GO-2024-3161.yaml - data/reports/GO-2024-3162.yaml - data/reports/GO-2024-3163.yaml - data/reports/GO-2024-3166.yaml - data/reports/GO-2024-3167.yaml - data/reports/GO-2024-3168.yaml - data/reports/GO-2024-3169.yaml - data/reports/GO-2024-3170.yaml - data/reports/GO-2024-3172.yaml - data/reports/GO-2024-3173.yaml - data/reports/GO-2024-3174.yaml - data/reports/GO-2024-3175.yaml - data/reports/GO-2024-3179.yaml - data/reports/GO-2024-3181.yaml - data/reports/GO-2024-3182.yaml Fixes golang/vulndb#3161 Fixes golang/vulndb#3162 Fixes golang/vulndb#3163 Fixes golang/vulndb#3166 Fixes golang/vulndb#3167 Fixes golang/vulndb#3168 Fixes golang/vulndb#3169 Fixes golang/vulndb#3170 Fixes golang/vulndb#3172 Fixes golang/vulndb#3173 Fixes golang/vulndb#3174 Fixes golang/vulndb#3175 Fixes golang/vulndb#3179 Fixes golang/vulndb#3181 Fixes golang/vulndb#3182 Change-Id: I6f47e813357034a674970920b6f0de6f4abac032 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/619135 LUCI-TryBot-Result: Go LUCI Reviewed-by: Tatiana Bradley Auto-Submit: Maceo Thompson --- data/osv/GO-2024-3161.json | 75 ++++++++++++++++++ data/osv/GO-2024-3162.json | 52 +++++++++++++ data/osv/GO-2024-3163.json | 62 +++++++++++++++ data/osv/GO-2024-3166.json | 77 ++++++++++++++++++ data/osv/GO-2024-3167.json | 78 +++++++++++++++++++ data/osv/GO-2024-3168.json | 82 ++++++++++++++++++++ data/osv/GO-2024-3169.json | 138 +++++++++++++++++++++++++++++++++ data/osv/GO-2024-3170.json | 68 ++++++++++++++++ data/osv/GO-2024-3172.json | 75 ++++++++++++++++++ data/osv/GO-2024-3173.json | 52 +++++++++++++ data/osv/GO-2024-3174.json | 60 ++++++++++++++ data/osv/GO-2024-3175.json | 67 ++++++++++++++++ data/osv/GO-2024-3179.json | 56 +++++++++++++ data/osv/GO-2024-3181.json | 67 ++++++++++++++++ data/osv/GO-2024-3182.json | 43 ++++++++++ data/reports/GO-2024-3161.yaml | 24 ++++++ 
data/reports/GO-2024-3162.yaml | 22 ++++++ data/reports/GO-2024-3163.yaml | 17 ++++ data/reports/GO-2024-3166.yaml | 23 ++++++ data/reports/GO-2024-3167.yaml | 24 ++++++ data/reports/GO-2024-3168.yaml | 27 +++++++ data/reports/GO-2024-3169.yaml | 32 ++++++++ data/reports/GO-2024-3170.yaml | 25 ++++++ data/reports/GO-2024-3172.yaml | 22 ++++++ data/reports/GO-2024-3173.yaml | 20 +++++ data/reports/GO-2024-3174.yaml | 22 ++++++ data/reports/GO-2024-3175.yaml | 20 +++++ data/reports/GO-2024-3179.yaml | 22 ++++++ data/reports/GO-2024-3181.yaml | 20 +++++ data/reports/GO-2024-3182.yaml | 18 +++++ 30 files changed, 1390 insertions(+) create mode 100644 data/osv/GO-2024-3161.json create mode 100644 data/osv/GO-2024-3162.json create mode 100644 data/osv/GO-2024-3163.json create mode 100644 data/osv/GO-2024-3166.json create mode 100644 data/osv/GO-2024-3167.json create mode 100644 data/osv/GO-2024-3168.json create mode 100644 data/osv/GO-2024-3169.json create mode 100644 data/osv/GO-2024-3170.json create mode 100644 data/osv/GO-2024-3172.json create mode 100644 data/osv/GO-2024-3173.json create mode 100644 data/osv/GO-2024-3174.json create mode 100644 data/osv/GO-2024-3175.json create mode 100644 data/osv/GO-2024-3179.json create mode 100644 data/osv/GO-2024-3181.json create mode 100644 data/osv/GO-2024-3182.json create mode 100644 data/reports/GO-2024-3161.yaml create mode 100644 data/reports/GO-2024-3162.yaml create mode 100644 data/reports/GO-2024-3163.yaml create mode 100644 data/reports/GO-2024-3166.yaml create mode 100644 data/reports/GO-2024-3167.yaml create mode 100644 data/reports/GO-2024-3168.yaml create mode 100644 data/reports/GO-2024-3169.yaml create mode 100644 data/reports/GO-2024-3170.yaml create mode 100644 data/reports/GO-2024-3172.yaml create mode 100644 data/reports/GO-2024-3173.yaml create mode 100644 data/reports/GO-2024-3174.yaml create mode 100644 data/reports/GO-2024-3175.yaml create mode 100644 data/reports/GO-2024-3179.yaml create mode 100644 
data/reports/GO-2024-3181.yaml create mode 100644 data/reports/GO-2024-3182.yaml diff --git a/data/osv/GO-2024-3161.json b/data/osv/GO-2024-3161.json new file mode 100644 index 00000000..9f12eea8 --- /dev/null +++ b/data/osv/GO-2024-3161.json 
@@ -0,0 +1,75 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3161", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-22030", + "GHSA-h4h5-9833-v2p4" + ], + "summary": "Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher", + "details": "Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.15, from v2.8.0 before v2.8.8, from v2.9.0 before v2.9.2.", + "affected": [ + { + "package": { + "name": "github.com/rancher/rancher", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.15" + }, + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.8" + }, + { + "introduced": "2.9.0" + }, + { + "fixed": "2.9.2" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/rancher/rancher/security/advisories/GHSA-h4h5-9833-v2p4" + }, + { + "type": "WEB", + "url": "https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify" + }, + { + "type": "WEB", + "url": "https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3161", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
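Review bot: The SEMVER range for github.com/rancher/rancher contains only `{ "introduced": "0" }` with no `fixed` event, so any consumer of this OSV entry (govulncheck, scanners) will flag every version of the module as affected, including the 2.7.15/2.8.8/2.9.2 fixes that are recorded only under `ecosystem_specific.custom_ranges`, which most tooling does not read. The details text acknowledges that the advisory versions could not be mapped, but that note does not prevent the false positives. Presumably the mapping fails because Rancher's 2.x tags are not resolvable as Go module versions; if that is the case it would be worth confirming, before the report is marked REVIEWED, whether the versions the proxy does resolve are affected at all, and bounding the range otherwise. The same unbounded-range shape appears in GO-2024-3163, GO-2024-3172, GO-2024-3175 and GO-2024-3181 (custom ranges only), and in GO-2024-3166 (v1 module), GO-2024-3167 and GO-2024-3169, whose entries carry no version events at all.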
diff --git a/data/osv/GO-2024-3162.json b/data/osv/GO-2024-3162.json new file mode 100644 index 00000000..27cc3897 --- /dev/null +++ b/data/osv/GO-2024-3162.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3162", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-7594", + "GHSA-jg74-mwgw-v6x3" + ], + "summary": "Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault", + "details": "Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.7.7" + }, + { + "fixed": "1.17.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-jg74-mwgw-v6x3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7594" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3162", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3163.json b/data/osv/GO-2024-3163.json new file mode 100644 index 00000000..351d45d0 --- /dev/null +++ b/data/osv/GO-2024-3163.json 
@@ -0,0 +1,62 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3163", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-47182" + ], + "summary": "Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle", + "details": "Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/amir20/dozzle before v8.5.3.", + "affected": [ + { + "package": { + "name": "github.com/amir20/dozzle", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "8.5.3" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47182" + }, + { + "type": "FIX", + "url": "https://github.com/amir20/dozzle/commit/de79f03aa3dbe5bb1e154a7e8d3dccbd229f3ea3" + }, + { + "type": "WEB", + "url": "https://github.com/amir20/dozzle/security/advisories/GHSA-w7qr-q9fh-fj35" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3163", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3166.json b/data/osv/GO-2024-3166.json new file mode 100644 index 00000000..8f8a6a10 --- /dev/null +++ b/data/osv/GO-2024-3166.json 
@@ -0,0 +1,77 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3166", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-47534", + "GHSA-4f8r-qqr9-fq8j" + ], + "summary": "Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf", + "details": "Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf", + "affected": [ + { + "package": { + "name": "github.com/theupdateframework/go-tuf", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/theupdateframework/go-tuf/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47534" + }, + { + "type": "FIX", + "url": "https://github.com/theupdateframework/go-tuf/commit/f36420caba9edbfdfd64f95a9554c0836d9cf819" + }, + { + "type": "WEB", + "url": "https://github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go#L565-L580" + }, + { + "type": "WEB", + "url": "https://github.com/theupdateframework/tuf-conformance/pull/115" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3166", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3167.json b/data/osv/GO-2024-3167.json new file mode 100644 index 00000000..1ac3b10d --- /dev/null +++ b/data/osv/GO-2024-3167.json 
@@ -0,0 +1,78 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3167", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-9355", + "GHSA-3h3x-2hwv-hr52" + ], + "summary": "Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl", + "details": "Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl", + "affected": [ + { + "package": { + "name": "github.com/golang-fips/openssl", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/golang-fips/openssl/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-3h3x-2hwv-hr52" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:7502" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:7550" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-9355" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3167", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3168.json b/data/osv/GO-2024-3168.json new file mode 100644 index 00000000..95321f59 --- /dev/null +++ b/data/osv/GO-2024-3168.json 
@@ -0,0 +1,82 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3168", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-8975", + "GHSA-chqx-36rm-rf8h" + ], + "summary": "Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/alloy", + "details": "Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/alloy", + "affected": [ + { + "package": { + "name": "github.com/grafana/alloy", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.4" + }, + { + "introduced": "1.4.0-rc.0" + }, + { + "fixed": "1.4.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-chqx-36rm-rf8h" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8975" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/alloy/commit/88e779887690954c009503598a3f4bf563cb6596" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/alloy/commit/f14249012fd970d3fd73604e6fff9b6c7990a9bb" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/alloy/releases/tag/v1.3.4" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/alloy/releases/tag/v1.4.0" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/alloy/releases/tag/v1.4.1" + }, + { + "type": "WEB", + "url": "https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996" + }, + { + "type": "WEB", + "url": "https://grafana.com/security/security-advisories/cve-2024-8975" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3168", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-3169.json b/data/osv/GO-2024-3169.json new file mode 100644 index 00000000..fcad2b8a --- /dev/null +++ b/data/osv/GO-2024-3169.json 
@@ -0,0 +1,138 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3169", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-9407", + "GHSA-fhqq-8f65-5xfc" + ], + "summary": "Improper Input Validation in Buildah and Podman in github.com/containers/buildah", + "details": "Improper Input Validation in Buildah and Podman in github.com/containers/buildah", + "affected": [ + { + "package": { + "name": "github.com/containers/buildah", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/containers/podman", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/containers/podman/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/containers/podman/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/containers/podman/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/containers/podman/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-fhqq-8f65-5xfc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9407" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-9407" + }, + { 
+ "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315887" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3169", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3170.json b/data/osv/GO-2024-3170.json new file mode 100644 index 00000000..8b4081b0 --- /dev/null +++ b/data/osv/GO-2024-3170.json 
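Review bot: All six affected entries (buildah and podman v1 through v5) have `{ "introduced": "0" }` with no `fixed` event, and the references list holds no FIX entry or release link, so nothing in this record allows the range to be bounded and every version of both projects will be reported as vulnerable indefinitely. The Red Hat bug and CVE pages are the only sources cited; tracking the fixing commits or releases from there and adding them as `"type": "FIX"` references and `fixed` events would be the concrete step before this leaves UNREVIEWED. I can't tell from the hunk whether the podman v2–v5 module paths were added because the advisory names them or because the tooling expanded every major version; if the latter, the older majors may warrant checking individually. The hunk starts on the previous line.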
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3170", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-8996", + "GHSA-m5gv-m5f9-wgv4" + ], + "summary": "Grafana Agent (Flow mode) on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/agent", + "details": "Grafana Agent (Flow mode) on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/agent", + "affected": [ + { + "package": { + "name": "github.com/grafana/agent", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.43.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-m5gv-m5f9-wgv4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8996" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/agent/commit/91bab2c05906938d3f8e1e3c61a863f037985299" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/agent/releases/tag/v0.43.2" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/agent/releases/tag/v0.43.3" + }, + { + "type": "WEB", + "url": "https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996" + }, + { + "type": "WEB", + "url": "https://grafana.com/security/security-advisories/cve-2024-8996" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3170", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3172.json b/data/osv/GO-2024-3172.json new file mode 100644 index 00000000..1f66bc46 --- /dev/null +++ b/data/osv/GO-2024-3172.json 
@@ -0,0 +1,75 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3172", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-33662", + "GHSA-9mjw-79r6-c9m8" + ], + "summary": "Portainer improperly uses an encryption algorithm in the AesEncrypt function in github.com/portainer/portainer", + "details": "Portainer improperly uses an encryption algorithm in the AesEncrypt function in github.com/portainer/portainer.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/portainer/portainer before v2.20.2.", + "affected": [ + { + "package": { + "name": "github.com/portainer/portainer", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.20.2" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9mjw-79r6-c9m8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33662" + }, + { + "type": "REPORT", + "url": "https://github.com/portainer/portainer/issues/11737" + }, + { + "type": "WEB", + "url": "https://github.com/portainer/portainer/compare/2.20.1...2.20.2" + }, + { + "type": "WEB", + "url": "https://github.com/search?q=repo%3Aportainer%2Fportainer+EE-6764\u0026type=pullrequests" + }, + { + "type": "WEB", + "url": "https://www.portainer.io" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3172", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-3173.json b/data/osv/GO-2024-3173.json new file mode 100644 index 00000000..0d94a502 --- /dev/null +++ b/data/osv/GO-2024-3173.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3173", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-7558", + "GHSA-mh98-763h-m9v4" + ], + "summary": "JUJU_CONTEXT_ID is a predictable authentication secret in github.com/juju/juju", + "details": "JUJU_CONTEXT_ID is a predictable authentication secret in github.com/juju/juju", + "affected": [ + { + "package": { + "name": "github.com/juju/juju", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20240826044107-ecd7e2d0e986" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7558" + }, + { + "type": "FIX", + "url": "https://github.com/juju/juju/commit/ecd7e2d0e9867576b9da04871e22232f06fa0cc7" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3173", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3174.json b/data/osv/GO-2024-3174.json new file mode 100644 index 00000000..5eb64be0 --- /dev/null +++ b/data/osv/GO-2024-3174.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3174", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-8037", + "GHSA-8v4w-f4r9-7h6x" + ], + "summary": "Vulnerable juju hook tool abstract UNIX domain socket in github.com/juju/juju", + "details": "Vulnerable juju hook tool abstract UNIX domain socket in github.com/juju/juju", + "affected": [ + { + "package": { + "name": "github.com/juju/juju", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20240820065804-2f2ec128ef5a" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8037" + }, + { + "type": "FIX", + "url": "https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206" + }, + { + "type": "WEB", + "url": "https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222" + }, + { + "type": "WEB", + "url": "https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3174", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3175.json b/data/osv/GO-2024-3175.json new file mode 100644 index 00000000..fd3c3838 --- /dev/null +++ b/data/osv/GO-2024-3175.json 
@@ -0,0 +1,67 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3175", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-8038", + "GHSA-xwgj-vpm9-q2rq" + ], + "summary": "Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju", + "details": "Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/juju/juju before v0.0.0-20240829052008-43f0fc59790d.", + "affected": [ + { + "package": { + "name": "github.com/juju/juju", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20240829052008-43f0fc59790d" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8038" + }, + { + "type": "FIX", + "url": "https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b" + }, + { + "type": "WEB", + "url": "https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3175", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3179.json b/data/osv/GO-2024-3179.json new file mode 100644 index 00000000..56a8308b --- /dev/null +++ b/data/osv/GO-2024-3179.json 
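Review bot: The fix version `0.0.0-20240829052008-43f0fc59790d` is a valid Go pseudo-version, yet it is recorded only in `ecosystem_specific.custom_ranges` while the SEMVER range stays at `{ "introduced": "0" }`; GO-2024-3173 and GO-2024-3174 carry the same kind of pseudo-version for the same module (github.com/juju/juju) as a plain SEMVER `fixed` event. Presumably the proxy could not resolve commit 43f0fc59790d (for example because it is not on a branch the proxy serves) — worth confirming, since with the SEMVER range unbounded this entry flags every version of github.com/juju/juju, including the ones 3173 and 3174 already treat as fixed. If the pseudo-version does resolve, moving it to `versions:` in the YAML report so it lands in the SEMVER `events` is the fix. GO-2024-3181 (github.com/ubuntu/authd, pseudo-version `0.0.0-20240930103526-63e527496b01`) has the same shape.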
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3179", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-47616", + "GHSA-r7rh-jww5-5fjr" + ], + "summary": "Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium", + "details": "Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium", + "affected": [ + { + "package": { + "name": "github.com/pomerium/pomerium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.27.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-r7rh-jww5-5fjr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47616" + }, + { + "type": "FIX", + "url": "https://github.com/pomerium/pomerium/commit/e018cf0fc0979d2abe25ff705db019feb7523444" + }, + { + "type": "WEB", + "url": "https://github.com/pomerium/pomerium/releases/tag/v0.27.1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3179", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3181.json b/data/osv/GO-2024-3181.json new file mode 100644 index 00000000..d36b42cd --- /dev/null +++ b/data/osv/GO-2024-3181.json 
@@ -0,0 +1,67 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3181", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-9313", + "GHSA-x5q3-c8rm-w787" + ], + "summary": "PAM module may allow accessing with the credentials of another user in github.com/ubuntu/authd", + "details": "PAM module may allow accessing with the credentials of another user in github.com/ubuntu/authd.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/ubuntu/authd before v0.0.0-20240930103526-63e527496b01.", + "affected": [ + { + "package": { + "name": "github.com/ubuntu/authd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20240930103526-63e527496b01" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/ubuntu/authd/security/advisories/GHSA-x5q3-c8rm-w787" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9313" + }, + { + "type": "ADVISORY", + "url": "https://www.cve.org/CVERecord?id=CVE-2024-9313" + }, + { + "type": "FIX", + "url": "https://github.com/ubuntu/authd/commit/63e527496b013bed46904c1c58be593c13ebdce5" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3181", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3182.json b/data/osv/GO-2024-3182.json new file mode 100644 index 00000000..1c1138ee --- /dev/null +++ b/data/osv/GO-2024-3182.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3182", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-wpr2-j6gr-pjw9" + ], + "summary": "OpenTofu potential leaking of secret variable values when using static evaluation in v1.8 in github.com/opentofu/opentofu", + "details": "OpenTofu potential leaking of secret variable values when using static evaluation in v1.8 in github.com/opentofu/opentofu", + "affected": [ + { + "package": { + "name": "github.com/opentofu/opentofu", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.8.0" + }, + { + "fixed": "1.8.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/opentofu/opentofu/security/advisories/GHSA-wpr2-j6gr-pjw9" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3182", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2024-3161.yaml b/data/reports/GO-2024-3161.yaml new file mode 100644 index 00000000..3a48e0b8 --- /dev/null +++ b/data/reports/GO-2024-3161.yaml 
@@ -0,0 +1,24 @@ +id: GO-2024-3161 +modules: + - module: github.com/rancher/rancher + non_go_versions: + - introduced: 2.7.0 + - fixed: 2.7.15 + - introduced: 2.8.0 + - fixed: 2.8.8 + - introduced: 2.9.0 + - fixed: 2.9.2 + vulnerable_at: 1.6.30 +summary: Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher +cves: + - CVE-2024-22030 +ghsas: + - GHSA-h4h5-9833-v2p4 +references: + - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-h4h5-9833-v2p4 + - web: https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify + - web: https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings +source: + id: GHSA-h4h5-9833-v2p4 + created: 2024-10-08T11:00:07.819692-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3162.yaml b/data/reports/GO-2024-3162.yaml new file mode 100644 index 00000000..ee1bc4b4 --- /dev/null +++ b/data/reports/GO-2024-3162.yaml @@ -0,0 +1,22 @@ +id: GO-2024-3162 +modules: + - module: github.com/hashicorp/vault + versions: + - introduced: 1.7.7 + - fixed: 1.17.6 + vulnerable_at: 1.17.5 +summary: |- + Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By + Default in github.com/hashicorp/vault +cves: + - CVE-2024-7594 +ghsas: + - GHSA-jg74-mwgw-v6x3 +references: + - advisory: https://github.com/advisories/GHSA-jg74-mwgw-v6x3 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-7594 + - web: https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251 +source: + id: GHSA-jg74-mwgw-v6x3 + created: 2024-10-08T11:00:03.066641-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3163.yaml b/data/reports/GO-2024-3163.yaml new file mode 100644 index 00000000..e5c58244 --- /dev/null +++ b/data/reports/GO-2024-3163.yaml 
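Review bot: In GO-2024-3161 `vulnerable_at: 1.6.30` is below the earliest `introduced: 2.7.0` that the report itself lists under `non_go_versions`, so the recorded vulnerable version contradicts the report's own ranges. Presumably 1.6.30 is just the latest tag the Go proxy resolves for github.com/rancher/rancher rather than a version anyone verified as affected; as written, though, the field asserts that a 1.6 release is vulnerable. Either confirm that the resolvable 1.x tags actually carry the agent-hijack issue, or annotate the report (a `# vulnerable_at is the latest proxy-resolvable tag; 2.x tags are not Go module versions` comment would do) so the next reviewer does not take the value at face value. GO-2024-3163 has the same shape (`vulnerable_at: 1.29.0` against a non-Go `fixed: 8.5.3`).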
@@ -0,0 +1,17 @@
+id: GO-2024-3163
+modules:
+ - module: github.com/amir20/dozzle
+ non_go_versions:
+ - fixed: 8.5.3
+ vulnerable_at: 1.29.0
+summary: Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle
+cves:
+ - CVE-2024-47182
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47182
+ - fix: https://github.com/amir20/dozzle/commit/de79f03aa3dbe5bb1e154a7e8d3dccbd229f3ea3
+ - web: https://github.com/amir20/dozzle/security/advisories/GHSA-w7qr-q9fh-fj35
+source:
+ id: CVE-2024-47182
+ created: 2024-10-08T10:59:53.97116-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3166.yaml b/data/reports/GO-2024-3166.yaml
new file mode 100644
index 00000000..da0c1210
--- /dev/null
+++ b/data/reports/GO-2024-3166.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-3166
+modules:
+ - module: github.com/theupdateframework/go-tuf
+ vulnerable_at: 0.7.0
+ - module: github.com/theupdateframework/go-tuf/v2
+ versions:
+ - fixed: 2.0.1
+ vulnerable_at: 2.0.0
+summary: Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf
+cves:
+ - CVE-2024-47534
+ghsas:
+ - GHSA-4f8r-qqr9-fq8j
+references:
+ - advisory: https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47534
+ - fix: https://github.com/theupdateframework/go-tuf/commit/f36420caba9edbfdfd64f95a9554c0836d9cf819
+ - web: https://github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go#L565-L580
+ - web: https://github.com/theupdateframework/tuf-conformance/pull/115
+source:
+ id: GHSA-4f8r-qqr9-fq8j
+ created: 2024-10-08T10:58:11.67149-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3167.yaml b/data/reports/GO-2024-3167.yaml
new file mode 100644
index 00000000..36f6aaf5
--- /dev/null
+++ b/data/reports/GO-2024-3167.yaml
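Review bot: In GO-2024-3166 the unversioned module `github.com/theupdateframework/go-tuf` carries only `vulnerable_at: 0.7.0` and no `versions`, so it is reported as affected at every version with no fix, while the `fix` commit and the `metadata/metadata.go` reference both appear to belong to the v2 client. If the v0 client does not share the delegation-lookup code this over-reports; if it does, the report should say there is no fix on that module path. A line under `notes:` stating which case applies would save the next reviewer the same check.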
@@ -0,0 +1,24 @@
+id: GO-2024-3167
+modules:
+ - module: github.com/golang-fips/openssl
+ vulnerable_at: 0.0.0-20230605154532-724e32b0f4b8
+ - module: github.com/golang-fips/openssl/v2
+ unsupported_versions:
+ - last_affected: 2.0.3
+ vulnerable_at: 2.0.3
+summary: Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl
+cves:
+ - CVE-2024-9355
+ghsas:
+ - GHSA-3h3x-2hwv-hr52
+references:
+ - advisory: https://github.com/advisories/GHSA-3h3x-2hwv-hr52
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9355
+ - web: https://access.redhat.com/errata/RHSA-2024:7502
+ - web: https://access.redhat.com/errata/RHSA-2024:7550
+ - web: https://access.redhat.com/security/cve/CVE-2024-9355
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2315719
+source:
+ id: GHSA-3h3x-2hwv-hr52
+ created: 2024-10-08T10:58:05.90723-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3168.yaml b/data/reports/GO-2024-3168.yaml
new file mode 100644
index 00000000..8ce110f6
--- /dev/null
+++ b/data/reports/GO-2024-3168.yaml
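Review bot: For `github.com/golang-fips/openssl/v2` the only version information is `last_affected: 2.0.3` under `unsupported_versions`, and the unversioned module has no range at all, so both module paths presumably end up reported as affected at every version with no fix, even though the RHSA errata references suggest a patched build exists downstream. If upstream tags a fixed release the entry should move to `versions:` with a `fixed:` event; until then a `notes:` line recording that no upstream fixed tag was found would make the open-ended range deliberate rather than accidental.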
@@ -0,0 +1,27 @@
+id: GO-2024-3168
+modules:
+ - module: github.com/grafana/alloy
+ versions:
+ - fixed: 1.3.4
+ - introduced: 1.4.0-rc.0
+ - fixed: 1.4.1
+ vulnerable_at: 1.4.0
+summary: Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/alloy
+cves:
+ - CVE-2024-8975
+ghsas:
+ - GHSA-chqx-36rm-rf8h
+references:
+ - advisory: https://github.com/advisories/GHSA-chqx-36rm-rf8h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8975
+ - fix: https://github.com/grafana/alloy/commit/88e779887690954c009503598a3f4bf563cb6596
+ - fix: https://github.com/grafana/alloy/commit/f14249012fd970d3fd73604e6fff9b6c7990a9bb
+ - web: https://github.com/grafana/alloy/releases/tag/v1.3.4
+ - web: https://github.com/grafana/alloy/releases/tag/v1.4.0
+ - web: https://github.com/grafana/alloy/releases/tag/v1.4.1
+ - web: https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996
+ - web: https://grafana.com/security/security-advisories/cve-2024-8975
+source:
+ id: GHSA-chqx-36rm-rf8h
+ created: 2024-10-08T10:57:59.230434-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3169.yaml b/data/reports/GO-2024-3169.yaml
new file mode 100644
index 00000000..c1d22d10
--- /dev/null
+++ b/data/reports/GO-2024-3169.yaml
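Review bot: The flaw is Windows-only (an unquoted search path, per the summary), but the report scopes nothing by platform, so consumers will presumably flag Linux and macOS builds of `github.com/grafana/alloy` as well. If the report format's per-package `goos` field applies here, listing the affected package with `goos: [windows]` would narrow the match; GO-2024-3170 has the same gap for `github.com/grafana/agent`. The `versions` list itself (`fixed: 1.3.4`, `introduced: 1.4.0-rc.0`, `fixed: 1.4.1`) is consistent with `vulnerable_at: 1.4.0`.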
@@ -0,0 +1,32 @@
+id: GO-2024-3169
+modules:
+ - module: github.com/containers/buildah
+ unsupported_versions:
+ - last_affected: 1.37.3
+ vulnerable_at: 1.37.4
+ - module: github.com/containers/podman
+ vulnerable_at: 1.9.3
+ - module: github.com/containers/podman/v2
+ vulnerable_at: 2.2.1
+ - module: github.com/containers/podman/v3
+ vulnerable_at: 3.4.7
+ - module: github.com/containers/podman/v4
+ vulnerable_at: 4.9.5
+ - module: github.com/containers/podman/v5
+ unsupported_versions:
+ - last_affected: 5.2.3
+ vulnerable_at: 5.2.4
+summary: Improper Input Validation in Buildah and Podman in github.com/containers/buildah
+cves:
+ - CVE-2024-9407
+ghsas:
+ - GHSA-fhqq-8f65-5xfc
+references:
+ - advisory: https://github.com/advisories/GHSA-fhqq-8f65-5xfc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9407
+ - web: https://access.redhat.com/security/cve/CVE-2024-9407
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2315887
+source:
+ id: GHSA-fhqq-8f65-5xfc
+ created: 2024-10-08T10:57:52.867555-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3170.yaml b/data/reports/GO-2024-3170.yaml
new file mode 100644
index 00000000..9661f0ec
--- /dev/null
+++ b/data/reports/GO-2024-3170.yaml
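Review bot: `vulnerable_at: 1.37.4` for `github.com/containers/buildah` is above its own `last_affected: 1.37.3`, and `github.com/containers/podman/v5` has the same contradiction (`vulnerable_at: 5.2.4` against `last_affected: 5.2.3`), so each module names as vulnerable a version its own range says is past the last affected one. Since those ranges sit under `unsupported_versions` they are presumably dropped on export, which leaves both modules open-ended, but `vulnerable_at` should still be a version the advisory covers. The four older podman module paths (`podman`, `/v2`, `/v3`, `/v4`) carry no range at all and so are reported as affected at every version with no fix; a `notes:` line saying whether that is intended would help.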
@@ -0,0 +1,25 @@
+id: GO-2024-3170
+modules:
+ - module: github.com/grafana/agent
+ versions:
+ - fixed: 0.43.3
+ vulnerable_at: 0.43.2
+summary: |-
+ Grafana Agent (Flow mode) on Windows has Unquoted Search Path or Element
+ vulnerability in github.com/grafana/agent
+cves:
+ - CVE-2024-8996
+ghsas:
+ - GHSA-m5gv-m5f9-wgv4
+references:
+ - advisory: https://github.com/advisories/GHSA-m5gv-m5f9-wgv4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8996
+ - fix: https://github.com/grafana/agent/commit/91bab2c05906938d3f8e1e3c61a863f037985299
+ - web: https://github.com/grafana/agent/releases/tag/v0.43.2
+ - web: https://github.com/grafana/agent/releases/tag/v0.43.3
+ - web: https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996
+ - web: https://grafana.com/security/security-advisories/cve-2024-8996
+source:
+ id: GHSA-m5gv-m5f9-wgv4
+ created: 2024-10-08T10:57:47.066929-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3172.yaml b/data/reports/GO-2024-3172.yaml
new file mode 100644
index 00000000..9402991d
--- /dev/null
+++ b/data/reports/GO-2024-3172.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3172
+modules:
+ - module: github.com/portainer/portainer
+ non_go_versions:
+ - fixed: 2.20.2
+ vulnerable_at: 0.10.1
+summary: Portainer improperly uses an encryption algorithm in the AesEncrypt function in github.com/portainer/portainer
+cves:
+ - CVE-2024-33662
+ghsas:
+ - GHSA-9mjw-79r6-c9m8
+references:
+ - advisory: https://github.com/advisories/GHSA-9mjw-79r6-c9m8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-33662
+ - report: https://github.com/portainer/portainer/issues/11737
+ - web: https://github.com/portainer/portainer/compare/2.20.1...2.20.2
+ - web: https://github.com/search?q=repo%3Aportainer%2Fportainer+EE-6764&type=pullrequests
+ - web: https://www.portainer.io
+source:
+ id: GHSA-9mjw-79r6-c9m8
+ created: 2024-10-08T10:56:56.076983-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3173.yaml b/data/reports/GO-2024-3173.yaml
new file mode 100644
index 00000000..33a58561
--- /dev/null
+++ b/data/reports/GO-2024-3173.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3173
+modules:
+ - module: github.com/juju/juju
+ versions:
+ - fixed: 0.0.0-20240826044107-ecd7e2d0e986
+summary: JUJU_CONTEXT_ID is a predictable authentication secret in github.com/juju/juju
+cves:
+ - CVE-2024-7558
+ghsas:
+ - GHSA-mh98-763h-m9v4
+references:
+ - advisory: https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-7558
+ - fix: https://github.com/juju/juju/commit/ecd7e2d0e9867576b9da04871e22232f06fa0cc7
+notes:
+ - fix: 'github.com/juju/juju: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-mh98-763h-m9v4
+ created: 2024-10-08T10:56:11.849364-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3174.yaml b/data/reports/GO-2024-3174.yaml
new file mode 100644
index 00000000..fdbf7af9
--- /dev/null
+++ b/data/reports/GO-2024-3174.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3174
+modules:
+ - module: github.com/juju/juju
+ versions:
+ - fixed: 0.0.0-20240820065804-2f2ec128ef5a
+summary: Vulnerable juju hook tool abstract UNIX domain socket in github.com/juju/juju
+cves:
+ - CVE-2024-8037
+ghsas:
+ - GHSA-8v4w-f4r9-7h6x
+references:
+ - advisory: https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8037
+ - fix: https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206
+ - web: https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222
+ - web: https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4
+notes:
+ - fix: 'github.com/juju/juju: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-8v4w-f4r9-7h6x
+ created: 2024-10-08T10:55:15.039767-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3175.yaml b/data/reports/GO-2024-3175.yaml
new file mode 100644
index 00000000..6085c6e1
--- /dev/null
+++ b/data/reports/GO-2024-3175.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3175
+modules:
+ - module: github.com/juju/juju
+ non_go_versions:
+ - fixed: 0.0.0-20240829052008-43f0fc59790d
+ vulnerable_at: 0.0.0-20241008120523-919931217918
+summary: Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju
+cves:
+ - CVE-2024-8038
+ghsas:
+ - GHSA-xwgj-vpm9-q2rq
+references:
+ - advisory: https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8038
+ - fix: https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b
+ - web: https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125
+source:
+ id: GHSA-xwgj-vpm9-q2rq
+ created: 2024-10-08T10:54:30.860927-04:00
+review_status: UNREVIEWED
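Review bot: In GO-2024-3175, `vulnerable_at: 0.0.0-20241008120523-919931217918` is a pseudo-version dated 2024-10-08, which sorts after the `fixed: 0.0.0-20240829052008-43f0fc59790d` pseudo-version on the line above it, so the version recorded as vulnerable is one the report's own range treats as fixed. That can only be right if the two pseudo-versions come from different branches; if the 2024-10-08 commit descends from the fix, `vulnerable_at` should be a pre-fix pseudo-version, as GO-2024-3181 does with `vulnerable_at: 0.0.0-20230706090440-d8cb2d561419`. GO-2024-3173 and GO-2024-3174 avoid the problem by omitting `vulnerable_at` and saying so under `notes:`, which is the safer choice here too.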
diff --git a/data/reports/GO-2024-3179.yaml b/data/reports/GO-2024-3179.yaml
new file mode 100644
index 00000000..d1f2022d
--- /dev/null
+++ b/data/reports/GO-2024-3179.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3179
+modules:
+ - module: github.com/pomerium/pomerium
+ versions:
+ - fixed: 0.27.1
+ vulnerable_at: 0.27.0
+summary: |-
+ Pomerium service account access token may grant unintended access to databroker
+ API in github.com/pomerium/pomerium
+cves:
+ - CVE-2024-47616
+ghsas:
+ - GHSA-r7rh-jww5-5fjr
+references:
+ - advisory: https://github.com/pomerium/pomerium/security/advisories/GHSA-r7rh-jww5-5fjr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47616
+ - fix: https://github.com/pomerium/pomerium/commit/e018cf0fc0979d2abe25ff705db019feb7523444
+ - web: https://github.com/pomerium/pomerium/releases/tag/v0.27.1
+source:
+ id: GHSA-r7rh-jww5-5fjr
+ created: 2024-10-08T10:54:22.040469-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3181.yaml b/data/reports/GO-2024-3181.yaml
new file mode 100644
index 00000000..3b2e62f1
--- /dev/null
+++ b/data/reports/GO-2024-3181.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3181
+modules:
+ - module: github.com/ubuntu/authd
+ non_go_versions:
+ - fixed: 0.0.0-20240930103526-63e527496b01
+ vulnerable_at: 0.0.0-20230706090440-d8cb2d561419
+summary: PAM module may allow accessing with the credentials of another user in github.com/ubuntu/authd
+cves:
+ - CVE-2024-9313
+ghsas:
+ - GHSA-x5q3-c8rm-w787
+references:
+ - advisory: https://github.com/ubuntu/authd/security/advisories/GHSA-x5q3-c8rm-w787
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9313
+ - advisory: https://www.cve.org/CVERecord?id=CVE-2024-9313
+ - fix: https://github.com/ubuntu/authd/commit/63e527496b013bed46904c1c58be593c13ebdce5
+source:
+ id: GHSA-x5q3-c8rm-w787
+ created: 2024-10-08T10:54:15.521922-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3182.yaml b/data/reports/GO-2024-3182.yaml
new file mode 100644
index 00000000..7aae3b1c
--- /dev/null
+++ b/data/reports/GO-2024-3182.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-3182
+modules:
+ - module: github.com/opentofu/opentofu
+ versions:
+ - introduced: 1.8.0
+ - fixed: 1.8.3
+ vulnerable_at: 1.8.2
+summary: |-
+ OpenTofu potential leaking of secret variable values when using static
+ evaluation in v1.8 in github.com/opentofu/opentofu
+ghsas:
+ - GHSA-wpr2-j6gr-pjw9
+references:
+ - advisory: https://github.com/opentofu/opentofu/security/advisories/GHSA-wpr2-j6gr-pjw9
+source:
+ id: GHSA-wpr2-j6gr-pjw9
+ created: 2024-10-08T10:54:13.414193-04:00
+review_status: UNREVIEWED