data/reports: regenerate 8 reports

- data/reports/GO-2024-2993.yaml - data/reports/GO-2024-2997.yaml - data/reports/GO-2024-3033.yaml - data/reports/GO-2024-3039.yaml - data/reports/GO-2024-2921.yaml - data/reports/GO-2024-2982.yaml - data/reports/GO-2024-3066.yaml - data/reports/GO-2024-3070.yaml Updates #2993 Updates #2997 Updates #3033 Updates #3039 Updates #2921 Updates #2982 Updates #3066 Updates #3070 Change-Id: I5a682ceba4983a42b0d7783535488c5ecf049f25 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606360 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com>
golang · Aug 19, 2024 · 9fd9786 · 9fd9786
1 parent 4c06ac4
commit 9fd9786
Show file tree

Hide file tree

Showing 15 changed files with 147 additions and 39 deletions.
diff --git a/data/osv/GO-2024-2982.json b/data/osv/GO-2024-2982.json
@@ -20,7 +20,7 @@
           "type": "SEMVER",
           "events": [
             {
-              "introduced": "1.16.0-rc1"
+              "introduced": "1.10.0"
             },
             {
               "fixed": "1.16.3"

diff --git a/data/osv/GO-2024-2993.json b/data/osv/GO-2024-2993.json
@@ -8,7 +8,7 @@
     "GHSA-hc5w-gxxr-w8x8"
   ],
   "summary": "Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver",
-  "details": "Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver",
+  "details": "Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/bishopfox/sliver before v1.6.0.",
   "affected": [
     {
       "package": {
@@ -25,7 +25,21 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "1.6.0"
+              }
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
@@ -45,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BishopFox/sliver/commit/d8ff64222dc69d931197d0bbae3fba11dbe17533"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/BishopFox/sliver/issues/65"

diff --git a/data/osv/GO-2024-2997.json b/data/osv/GO-2024-2997.json
@@ -7,7 +7,7 @@
     "CVE-2024-21583"
   ],
   "summary": "CVE-2024-21583 in github.com/gitpod-io/gitpod",
-  "details": "CVE-2024-21583 in github.com/gitpod-io/gitpod",
+  "details": "CVE-2024-21583 in github.com/gitpod-io/gitpod.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/gitpod-io/gitpod before v0.1.5-main-gha.27122.",
   "affected": [
     {
       "package": {
@@ -24,6 +24,71 @@
           ]
         }
       ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "0.1.5-main-gha.27122"
+              }
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/gitpod-io/gitpod/components/server/go",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/gitpod-io/gitpod/components/ws-proxy",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/gitpod-io/gitpod/install/installer",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
       "ecosystem_specific": {}
     }
   ],

diff --git a/data/osv/GO-2024-3033.json b/data/osv/GO-2024-3033.json
@@ -41,10 +41,6 @@
       "type": "REPORT",
       "url": "https://github.com/mickael-kerjean/filestash/issues/710"
     },
-    {
-      "type": "WEB",
-      "url": "https://gist.github.com/nyxfqq/c367f2ca9448810924dcf0f1af30b441"
-    },
     {
       "type": "WEB",
       "url": "https://github.com/mickael-kerjean/filestash/blob/master/server/plugin/plg_backend_ftp/index.go#L108"

diff --git a/data/osv/GO-2024-3039.json b/data/osv/GO-2024-3039.json
@@ -36,6 +36,10 @@
       "type": "ADVISORY",
       "url": "https://github.com/kubean-io/kubean/security/advisories/GHSA-3wfj-3x8q-hrpg"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41820"
+    },
     {
       "type": "FIX",
       "url": "https://github.com/kubean-io/kubean/commit/167e97329e4a27ba2f456d2846d39af20e1af7ef"

diff --git a/data/osv/GO-2024-3066.json b/data/osv/GO-2024-3066.json
@@ -36,6 +36,10 @@
       "type": "ADVISORY",
       "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42368"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a"

diff --git a/data/osv/GO-2024-3070.json b/data/osv/GO-2024-3070.json
@@ -4,10 +4,11 @@
   "modified": "0001-01-01T00:00:00Z",
   "published": "0001-01-01T00:00:00Z",
   "aliases": [
-    "CVE-2024-32231"
+    "CVE-2024-32231",
+    "GHSA-75jf-52jg-qqh4"
   ],
-  "summary": "CVE-2024-32231 in github.com/stashapp/stash",
-  "details": "CVE-2024-32231 in github.com/stashapp/stash",
+  "summary": "SQL injection in github.com/stashapp/stash",
+  "details": "SQL injection in github.com/stashapp/stash",
   "affected": [
     {
       "package": {
@@ -20,6 +21,9 @@
           "events": [
             {
               "introduced": "0"
+            },
+            {
+              "fixed": "0.26.0"
             }
           ]
         }
@@ -30,19 +34,19 @@
   "references": [
     {
       "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32231"
+      "url": "https://github.com/advisories/GHSA-75jf-52jg-qqh4"
     },
     {
-      "type": "FIX",
-      "url": "https://github.com/stashapp/stash/pull/4865"
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32231"
     },
     {
-      "type": "WEB",
-      "url": "https://github.com/stashapp"
+      "type": "FIX",
+      "url": "https://github.com/stashapp/stash/commit/89553864f5fa92beaa37a12e489064b1358d9880"
     },
     {
-      "type": "WEB",
-      "url": "https://github.com/stashapp/stash"
+      "type": "FIX",
+      "url": "https://github.com/stashapp/stash/pull/4865"
     }
   ],
   "database_specific": {

diff --git a/data/reports/GO-2024-2921.yaml b/data/reports/GO-2024-2921.yaml
@@ -16,8 +16,6 @@ cves:
     - CVE-2024-5798
 ghsas:
     - GHSA-32cj-5wx4-gq8p
-unknown_aliases:
-    - BIT-vault-2024-5798
 references:
     - advisory: https://github.com/advisories/GHSA-32cj-5wx4-gq8p
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-5798
@@ -26,5 +24,5 @@ notes:
     - manually removed 'introduced: 1.16.0-rc1' to fix overlapping versions
 source:
     id: GHSA-32cj-5wx4-gq8p
-    created: 2024-07-01T13:30:14.94375-04:00
+    created: 2024-08-16T16:52:23.203667-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2982.yaml b/data/reports/GO-2024-2982.yaml
@@ -2,7 +2,7 @@ id: GO-2024-2982
 modules:
     - module: github.com/hashicorp/vault
       versions:
-        - introduced: 1.16.0-rc1
+        - introduced: 1.10.0
         - fixed: 1.16.3
         - introduced: 1.17.0-rc1
         - fixed: 1.17.2
@@ -20,7 +20,9 @@ references:
     - advisory: https://github.com/advisories/GHSA-2qmw-pvf7-4mw6
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6468
     - web: https://discuss.hashicorp.com/t/hcsec-2024-14-vault-vulnerable-to-denial-of-service-when-setting-a-proxy-protocol-behavior/68518
+notes:
+    - manually removed 'introduced: 1.16.0-rc1' to fix overlapping versions
 source:
     id: GHSA-2qmw-pvf7-4mw6
-    created: 2024-07-12T16:33:28.734714977Z
+    created: 2024-08-16T16:55:26.033129-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2993.yaml b/data/reports/GO-2024-2993.yaml
@@ -3,8 +3,8 @@ modules:
     - module: github.com/bishopfox/sliver
       versions:
         - introduced: 1.5.40
-      unsupported_versions:
-        - last_affected: 1.6.0-dev
+      non_go_versions:
+        - fixed: 1.6.0
       vulnerable_at: 1.5.42
 summary: Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver
 cves:
@@ -16,10 +16,11 @@ references:
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41111
     - web: https://github.com/BishopFox/sliver/commit/0deaee625d14c6f05f63c86e5c3b7ae623a1138f
     - web: https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57
+    - web: https://github.com/BishopFox/sliver/commit/d8ff64222dc69d931197d0bbae3fba11dbe17533
     - web: https://github.com/BishopFox/sliver/issues/65
     - web: https://github.com/BishopFox/sliver/pull/1281
     - web: https://sliver.sh/docs?name=Multi-player+Mode
 source:
     id: GHSA-hc5w-gxxr-w8x8
-    created: 2024-07-19T12:19:31.469236-04:00
+    created: 2024-08-16T16:55:45.510461-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2997.yaml b/data/reports/GO-2024-2997.yaml
@@ -1,10 +1,21 @@
 id: GO-2024-2997
 modules:
     - module: github.com/gitpod-io/gitpod
+      non_go_versions:
+        - fixed: 0.1.5-main-gha.27122
+      vulnerable_at: 0.10.0
+    - module: github.com/gitpod-io/gitpod/components/server/go
       unsupported_versions:
-        - cve_version_range: affected from 0 before 0.1.5-main-gha.27122
         - cve_version_range: affected from 0 before main-gha.27122
-      vulnerable_at: 0.10.0
+      vulnerable_at: 0.0.0-20240816160918-43bcbc7f8f04
+    - module: github.com/gitpod-io/gitpod/components/ws-proxy
+      unsupported_versions:
+        - cve_version_range: affected from 0 before main-gha.27122
+      vulnerable_at: 0.0.0-20240816160918-43bcbc7f8f04
+    - module: github.com/gitpod-io/gitpod/install/installer
+      unsupported_versions:
+        - cve_version_range: affected from 0 before main-gha.27122
+      vulnerable_at: 0.0.0-20240816160918-43bcbc7f8f04
 summary: CVE-2024-21583 in github.com/gitpod-io/gitpod
 cves:
     - CVE-2024-21583
@@ -23,5 +34,5 @@ references:
     - web: https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079
 source:
     id: CVE-2024-21583
-    created: 2024-07-19T12:19:11.388693-04:00
+    created: 2024-08-16T16:57:56.243289-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3033.yaml b/data/reports/GO-2024-3033.yaml
@@ -15,9 +15,8 @@ references:
     - advisory: https://github.com/advisories/GHSA-4jmm-c6jw-g796
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41255
     - report: https://github.com/mickael-kerjean/filestash/issues/710
-    - web: https://gist.github.com/nyxfqq/c367f2ca9448810924dcf0f1af30b441
     - web: https://github.com/mickael-kerjean/filestash/blob/master/server/plugin/plg_backend_ftp/index.go#L108
 source:
     id: GHSA-4jmm-c6jw-g796
-    created: 2024-08-05T17:04:22.707645-04:00
+    created: 2024-08-16T17:01:15.988287-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3039.yaml b/data/reports/GO-2024-3039.yaml
@@ -11,9 +11,10 @@ ghsas:
     - GHSA-3wfj-3x8q-hrpg
 references:
     - advisory: https://github.com/kubean-io/kubean/security/advisories/GHSA-3wfj-3x8q-hrpg
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41820
     - fix: https://github.com/kubean-io/kubean/commit/167e97329e4a27ba2f456d2846d39af20e1af7ef
     - report: https://github.com/kubean-io/kubean/issues/1326
 source:
     id: GHSA-3wfj-3x8q-hrpg
-    created: 2024-08-05T17:03:57.263844-04:00
+    created: 2024-08-16T17:01:33.338359-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3066.yaml b/data/reports/GO-2024-3066.yaml
@@ -12,9 +12,10 @@ ghsas:
     - GHSA-rfxf-mf63-cpqv
 references:
     - advisory: https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-42368
     - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a
     - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516
 source:
     id: GHSA-rfxf-mf63-cpqv
-    created: 2024-08-13T16:01:13.116826-04:00
+    created: 2024-08-16T17:05:12.903718-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3070.yaml b/data/reports/GO-2024-3070.yaml
@@ -1,16 +1,20 @@
 id: GO-2024-3070
 modules:
     - module: github.com/stashapp/stash
-      vulnerable_at: 0.26.2
-summary: CVE-2024-32231 in github.com/stashapp/stash
+      versions:
+        - fixed: 0.26.0
+      vulnerable_at: 0.25.1
+summary: SQL injection in github.com/stashapp/stash
 cves:
     - CVE-2024-32231
+ghsas:
+    - GHSA-75jf-52jg-qqh4
 references:
+    - advisory: https://github.com/advisories/GHSA-75jf-52jg-qqh4
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32231
+    - fix: https://github.com/stashapp/stash/commit/89553864f5fa92beaa37a12e489064b1358d9880
     - fix: https://github.com/stashapp/stash/pull/4865
-    - web: https://github.com/stashapp
-    - web: https://github.com/stashapp/stash
 source:
-    id: CVE-2024-32231
-    created: 2024-08-16T11:20:42.574239-04:00
+    id: GHSA-75jf-52jg-qqh4
+    created: 2024-08-16T17:05:15.978263-04:00
 review_status: UNREVIEWED