From 9fd978636534561e3f3c27ba7c37184308084245 Mon Sep 17 00:00:00 2001
From: Tatiana Bradley
Date: Fri, 16 Aug 2024 17:08:45 -0400
Subject: [PATCH] data/reports: regenerate 8 reports

- data/reports/GO-2024-2993.yaml
- data/reports/GO-2024-2997.yaml
- data/reports/GO-2024-3033.yaml
- data/reports/GO-2024-3039.yaml
- data/reports/GO-2024-2921.yaml
- data/reports/GO-2024-2982.yaml
- data/reports/GO-2024-3066.yaml
- data/reports/GO-2024-3070.yaml

Updates golang/vulndb#2993
Updates golang/vulndb#2997
Updates golang/vulndb#3033
Updates golang/vulndb#3039
Updates golang/vulndb#2921
Updates golang/vulndb#2982
Updates golang/vulndb#3066
Updates golang/vulndb#3070

Change-Id: I5a682ceba4983a42b0d7783535488c5ecf049f25
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606360
LUCI-TryBot-Result: Go LUCI
Auto-Submit: Tatiana Bradley
Reviewed-by: Damien Neil
---
 data/osv/GO-2024-2982.json | 2 +-
 data/osv/GO-2024-2993.json | 22 ++++++++++-
 data/osv/GO-2024-2997.json | 67 +++++++++++++++++++++++++++++++++-
 data/osv/GO-2024-3033.json | 4 --
 data/osv/GO-2024-3039.json | 4 ++
 data/osv/GO-2024-3066.json | 4 ++
 data/osv/GO-2024-3070.json | 24 +++++++-----
 data/reports/GO-2024-2921.yaml | 4 +-
 data/reports/GO-2024-2982.yaml | 6 ++-
 data/reports/GO-2024-2993.yaml | 7 ++--
 data/reports/GO-2024-2997.yaml | 17 +++++++--
 data/reports/GO-2024-3033.yaml | 3 +-
 data/reports/GO-2024-3039.yaml | 3 +-
 data/reports/GO-2024-3066.yaml | 3 +-
 data/reports/GO-2024-3070.yaml | 16 +++++---
 15 files changed, 147 insertions(+), 39 deletions(-)
diff --git a/data/osv/GO-2024-2982.json b/data/osv/GO-2024-2982.json
index 6f96081a..ebcd8525 100644
--- a/data/osv/GO-2024-2982.json
+++ b/data/osv/GO-2024-2982.json
@@ -20,7 +20,7 @@
 "type": "SEMVER",
 "events": [
 {
- "introduced": "1.16.0-rc1"
+ "introduced": "1.10.0"
 },
 {
 "fixed": "1.16.3"
diff --git a/data/osv/GO-2024-2993.json b/data/osv/GO-2024-2993.json
index acd7a697..bd09e5d8 100644
--- a/data/osv/GO-2024-2993.json
+++ b/data/osv/GO-2024-2993.json
@@ -8,7 +8,7 @@
 "GHSA-hc5w-gxxr-w8x8"
 ],
 "summary": "Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver",
- "details": "Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver",
+ "details": "Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/bishopfox/sliver before v1.6.0.",
 "affected": [
 {
 "package": {
@@ -25,7 +25,21 @@
 ]
 }
 ],
- "ecosystem_specific": {}
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.6.0"
+ }
+ ]
+ }
+ ]
+ }
 }
 ],
 "references": [
@@ -45,6 +59,10 @@
 "type": "WEB",
 "url": "https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/BishopFox/sliver/commit/d8ff64222dc69d931197d0bbae3fba11dbe17533"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/BishopFox/sliver/issues/65"
diff --git a/data/osv/GO-2024-2997.json b/data/osv/GO-2024-2997.json
index de472fd1..b33a6cf3 100644
--- a/data/osv/GO-2024-2997.json
+++ b/data/osv/GO-2024-2997.json
@@ -7,7 +7,7 @@
 "CVE-2024-21583"
 ],
 "summary": "CVE-2024-21583 in github.com/gitpod-io/gitpod",
- "details": "CVE-2024-21583 in github.com/gitpod-io/gitpod",
+ "details": "CVE-2024-21583 in github.com/gitpod-io/gitpod.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/gitpod-io/gitpod before v0.1.5-main-gha.27122.",
 "affected": [
 {
 "package": {
@@ -24,6 +24,71 @@
 ]
 }
 ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.1.5-main-gha.27122"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/gitpod-io/gitpod/components/server/go",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/gitpod-io/gitpod/components/ws-proxy",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/gitpod-io/gitpod/install/installer",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
 "ecosystem_specific": {}
 }
 ],
diff --git a/data/osv/GO-2024-3033.json b/data/osv/GO-2024-3033.json
index f181b13c..7cfb985f 100644
--- a/data/osv/GO-2024-3033.json
+++ b/data/osv/GO-2024-3033.json
@@ -41,10 +41,6 @@
 "type": "REPORT",
 "url": "https://github.com/mickael-kerjean/filestash/issues/710"
 },
- {
- "type": "WEB",
- "url": "https://gist.github.com/nyxfqq/c367f2ca9448810924dcf0f1af30b441"
- },
 {
 "type": "WEB",
 "url": "https://github.com/mickael-kerjean/filestash/blob/master/server/plugin/plg_backend_ftp/index.go#L108"
diff --git a/data/osv/GO-2024-3039.json b/data/osv/GO-2024-3039.json
index b32183bf..8c036eb6 100644
--- a/data/osv/GO-2024-3039.json
+++ b/data/osv/GO-2024-3039.json
@@ -36,6 +36,10 @@
 "type": "ADVISORY",
 "url": "https://github.com/kubean-io/kubean/security/advisories/GHSA-3wfj-3x8q-hrpg"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41820"
+ },
 {
 "type": "FIX",
 "url": "https://github.com/kubean-io/kubean/commit/167e97329e4a27ba2f456d2846d39af20e1af7ef"
diff --git a/data/osv/GO-2024-3066.json b/data/osv/GO-2024-3066.json
index a92007c9..8491f1f0 100644
--- a/data/osv/GO-2024-3066.json
+++ b/data/osv/GO-2024-3066.json
@@ -36,6 +36,10 @@
 "type": "ADVISORY",
 "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42368"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a"
diff --git a/data/osv/GO-2024-3070.json b/data/osv/GO-2024-3070.json
index 3265c610..70256e62 100644
--- a/data/osv/GO-2024-3070.json
+++ b/data/osv/GO-2024-3070.json
@@ -4,10 +4,11 @@
 "modified": "0001-01-01T00:00:00Z",
 "published": "0001-01-01T00:00:00Z",
 "aliases": [
- "CVE-2024-32231"
+ "CVE-2024-32231",
+ "GHSA-75jf-52jg-qqh4"
 ],
- "summary": "CVE-2024-32231 in github.com/stashapp/stash",
- "details": "CVE-2024-32231 in github.com/stashapp/stash",
+ "summary": "SQL injection in github.com/stashapp/stash",
+ "details": "SQL injection in github.com/stashapp/stash",
 "affected": [
 {
 "package": {
@@ -20,6 +21,9 @@
 "events": [
 {
 "introduced": "0"
+ },
+ {
+ "fixed": "0.26.0"
 }
 ]
 }
@@ -30,19 +34,19 @@
 "references": [
 {
 "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32231"
+ "url": "https://github.com/advisories/GHSA-75jf-52jg-qqh4"
 },
 {
- "type": "FIX",
- "url": "https://github.com/stashapp/stash/pull/4865"
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32231"
 },
 {
- "type": "WEB",
- "url": "https://github.com/stashapp"
+ "type": "FIX",
+ "url": "https://github.com/stashapp/stash/commit/89553864f5fa92beaa37a12e489064b1358d9880"
 },
 {
- "type": "WEB",
- "url": "https://github.com/stashapp/stash"
+ "type": "FIX",
+ "url": "https://github.com/stashapp/stash/pull/4865"
 }
 ],
 "database_specific": {
diff --git a/data/reports/GO-2024-2921.yaml b/data/reports/GO-2024-2921.yaml
index 5d8edde9..1660a505 100644
--- a/data/reports/GO-2024-2921.yaml
+++ b/data/reports/GO-2024-2921.yaml
@@ -16,8 +16,6 @@ cves:
 - CVE-2024-5798
 ghsas:
 - GHSA-32cj-5wx4-gq8p
-unknown_aliases:
- - BIT-vault-2024-5798
 references:
 - advisory: https://github.com/advisories/GHSA-32cj-5wx4-gq8p
 - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-5798
@@ -26,5 +24,5 @@ notes:
 - manually removed 'introduced: 1.16.0-rc1' to fix overlapping versions
 source:
 id: GHSA-32cj-5wx4-gq8p
- created: 2024-07-01T13:30:14.94375-04:00
+ created: 2024-08-16T16:52:23.203667-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2982.yaml b/data/reports/GO-2024-2982.yaml
index 49fea40d..479aae9f 100644
--- a/data/reports/GO-2024-2982.yaml
+++ b/data/reports/GO-2024-2982.yaml
@@ -2,7 +2,7 @@ id: GO-2024-2982
 modules:
 - module: github.com/hashicorp/vault
 versions:
- - introduced: 1.16.0-rc1
+ - introduced: 1.10.0
 - fixed: 1.16.3
 - introduced: 1.17.0-rc1
 - fixed: 1.17.2
@@ -20,7 +20,9 @@ references:
 - advisory: https://github.com/advisories/GHSA-2qmw-pvf7-4mw6
 - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6468
 - web: https://discuss.hashicorp.com/t/hcsec-2024-14-vault-vulnerable-to-denial-of-service-when-setting-a-proxy-protocol-behavior/68518
+notes:
+ - manually removed 'introduced: 1.16.0-rc1' to fix overlapping versions
 source:
 id: GHSA-2qmw-pvf7-4mw6
- created: 2024-07-12T16:33:28.734714977Z
+ created: 2024-08-16T16:55:26.033129-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2993.yaml b/data/reports/GO-2024-2993.yaml
index 7bb582f8..dbbd7b40 100644
--- a/data/reports/GO-2024-2993.yaml
+++ b/data/reports/GO-2024-2993.yaml
@@ -3,8 +3,8 @@ modules:
 - module: github.com/bishopfox/sliver
 versions:
 - introduced: 1.5.40
- unsupported_versions:
- - last_affected: 1.6.0-dev
+ non_go_versions:
+ - fixed: 1.6.0
 vulnerable_at: 1.5.42
 summary: Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver
 cves:
@@ -16,10 +16,11 @@ references:
 - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41111
 - web: https://github.com/BishopFox/sliver/commit/0deaee625d14c6f05f63c86e5c3b7ae623a1138f
 - web: https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57
+ - web: https://github.com/BishopFox/sliver/commit/d8ff64222dc69d931197d0bbae3fba11dbe17533
 - web: https://github.com/BishopFox/sliver/issues/65
 - web: https://github.com/BishopFox/sliver/pull/1281
 - web: https://sliver.sh/docs?name=Multi-player+Mode
 source:
 id: GHSA-hc5w-gxxr-w8x8
- created: 2024-07-19T12:19:31.469236-04:00
+ created: 2024-08-16T16:55:45.510461-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2997.yaml b/data/reports/GO-2024-2997.yaml
index 40b940c2..649263e2 100644
--- a/data/reports/GO-2024-2997.yaml
+++ b/data/reports/GO-2024-2997.yaml
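Review bot: The `notes:` entry added to GO-2024-2982.yaml says `manually removed 'introduced: 1.16.0-rc1' to fix overlapping versions`, but the preceding hunk of the same file does not remove that entry, it replaces it with `introduced: 1.10.0`, and the wording looks copied from the existing GO-2024-2921.yaml note. The new 1.10.0 lower bound is what the regenerated data/osv/GO-2024-2982.json now publishes to scanners, so the note should record where that bound comes from rather than describe a deletion. Something like `- manually replaced 'introduced: 1.16.0-rc1' with 'introduced: 1.10.0' (per <SOURCE-OF-RANGE placeholder>) to fix overlapping versions` would let the eventual reviewer verify it without re-deriving it from the advisory.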
@@ -1,10 +1,21 @@
 id: GO-2024-2997
 modules:
 - module: github.com/gitpod-io/gitpod
+ non_go_versions:
+ - fixed: 0.1.5-main-gha.27122
+ vulnerable_at: 0.10.0
+ - module: github.com/gitpod-io/gitpod/components/server/go
 unsupported_versions:
- - cve_version_range: affected from 0 before 0.1.5-main-gha.27122
 - cve_version_range: affected from 0 before main-gha.27122
- vulnerable_at: 0.10.0
+ vulnerable_at: 0.0.0-20240816160918-43bcbc7f8f04
+ - module: github.com/gitpod-io/gitpod/components/ws-proxy
+ unsupported_versions:
+ - cve_version_range: affected from 0 before main-gha.27122
+ vulnerable_at: 0.0.0-20240816160918-43bcbc7f8f04
+ - module: github.com/gitpod-io/gitpod/install/installer
+ unsupported_versions:
+ - cve_version_range: affected from 0 before main-gha.27122
+ vulnerable_at: 0.0.0-20240816160918-43bcbc7f8f04
 summary: CVE-2024-21583 in github.com/gitpod-io/gitpod
 cves:
 - CVE-2024-21583
@@ -23,5 +34,5 @@ references:
 - web: https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079
 source:
 id: CVE-2024-21583
- created: 2024-07-19T12:19:11.388693-04:00
+ created: 2024-08-16T16:57:56.243289-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3033.yaml b/data/reports/GO-2024-3033.yaml
index ed907b04..6d924c55 100644
--- a/data/reports/GO-2024-3033.yaml
+++ b/data/reports/GO-2024-3033.yaml
@@ -15,9 +15,8 @@ references:
 - advisory: https://github.com/advisories/GHSA-4jmm-c6jw-g796
 - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41255
 - report: https://github.com/mickael-kerjean/filestash/issues/710
- - web: https://gist.github.com/nyxfqq/c367f2ca9448810924dcf0f1af30b441
 - web: https://github.com/mickael-kerjean/filestash/blob/master/server/plugin/plg_backend_ftp/index.go#L108
 source:
 id: GHSA-4jmm-c6jw-g796
- created: 2024-08-05T17:04:22.707645-04:00
+ created: 2024-08-16T17:01:15.988287-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3039.yaml b/data/reports/GO-2024-3039.yaml
index 8df4f1bc..7c10f674 100644
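Review bot: The three submodules added to GO-2024-2997.yaml (`components/server/go`, `components/ws-proxy`, `install/installer`) carry only an `unsupported_versions` entry and a `vulnerable_at` pseudo-version from the day of regeneration, so the regenerated data/osv/GO-2024-2997.json in this patch emits each of them with `introduced: "0"`, no `fixed` event and an empty `ecosystem_specific`, while the `details` text names only the parent module's `before v0.1.5-main-gha.27122` bound. As written, every version of those three import paths, including anything released after the fix, will be reported as vulnerable with no hint to the user that the range is open only because the advisory's versions could not be mapped. If the advisory's bound applies to those paths as well, giving each of them the same `non_go_versions:` / `- fixed: 0.1.5-main-gha.27122` entry the parent module gets in this hunk would at least carry the bound into their custom range and into `details`; if it does not, a `notes:` entry saying why the ranges are left open would help the eventual reviewer. I cannot tell from the patch alone which of the two applies.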
--- a/data/reports/GO-2024-3039.yaml
+++ b/data/reports/GO-2024-3039.yaml
@@ -11,9 +11,10 @@ ghsas:
 - GHSA-3wfj-3x8q-hrpg
 references:
 - advisory: https://github.com/kubean-io/kubean/security/advisories/GHSA-3wfj-3x8q-hrpg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41820
 - fix: https://github.com/kubean-io/kubean/commit/167e97329e4a27ba2f456d2846d39af20e1af7ef
 - report: https://github.com/kubean-io/kubean/issues/1326
 source:
 id: GHSA-3wfj-3x8q-hrpg
- created: 2024-08-05T17:03:57.263844-04:00
+ created: 2024-08-16T17:01:33.338359-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3066.yaml b/data/reports/GO-2024-3066.yaml
index 43abc55f..c144a449 100644
--- a/data/reports/GO-2024-3066.yaml
+++ b/data/reports/GO-2024-3066.yaml
@@ -12,9 +12,10 @@ ghsas:
 - GHSA-rfxf-mf63-cpqv
 references:
 - advisory: https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-42368
 - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a
 - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516
 source:
 id: GHSA-rfxf-mf63-cpqv
- created: 2024-08-13T16:01:13.116826-04:00
+ created: 2024-08-16T17:05:12.903718-04:00
 review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3070.yaml b/data/reports/GO-2024-3070.yaml
index 68459728..ea644825 100644
--- a/data/reports/GO-2024-3070.yaml
+++ b/data/reports/GO-2024-3070.yaml
@@ -1,16 +1,20 @@
 id: GO-2024-3070
 modules:
 - module: github.com/stashapp/stash
- vulnerable_at: 0.26.2
-summary: CVE-2024-32231 in github.com/stashapp/stash
+ versions:
+ - fixed: 0.26.0
+ vulnerable_at: 0.25.1
+summary: SQL injection in github.com/stashapp/stash
 cves:
 - CVE-2024-32231
+ghsas:
+ - GHSA-75jf-52jg-qqh4
 references:
+ - advisory: https://github.com/advisories/GHSA-75jf-52jg-qqh4
 - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32231
+ - fix: https://github.com/stashapp/stash/commit/89553864f5fa92beaa37a12e489064b1358d9880
 - fix: https://github.com/stashapp/stash/pull/4865
- - web: https://github.com/stashapp
- - web: https://github.com/stashapp/stash
 source:
- id: CVE-2024-32231
- created: 2024-08-16T11:20:42.574239-04:00
+ id: GHSA-75jf-52jg-qqh4
+ created: 2024-08-16T17:05:15.978263-04:00
 review_status: UNREVIEWED