From a9db2a706583dd860299e1bca4c983407d0a4a84 Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley <tatianabradley@google.com> Date: Tue, 20 Aug 2024 12:49:35 -0400 Subject: [PATCH] data/reports: unexclude 20 reports (7) - data/reports/GO-2023-1862.yaml - data/reports/GO-2023-1863.yaml - data/reports/GO-2023-1864.yaml - data/reports/GO-2023-1865.yaml - data/reports/GO-2023-1866.yaml - data/reports/GO-2023-1871.yaml - data/reports/GO-2023-1879.yaml - data/reports/GO-2023-1887.yaml - data/reports/GO-2023-1888.yaml - data/reports/GO-2023-1891.yaml - data/reports/GO-2023-1892.yaml - data/reports/GO-2023-1894.yaml - data/reports/GO-2023-1895.yaml - data/reports/GO-2023-1896.yaml - data/reports/GO-2023-1897.yaml - data/reports/GO-2023-1898.yaml - data/reports/GO-2023-1899.yaml - data/reports/GO-2023-1900.yaml - data/reports/GO-2023-1901.yaml - data/reports/GO-2023-1911.yaml Updates golang/vulndb#1862 Updates golang/vulndb#1863 Updates golang/vulndb#1864 Updates golang/vulndb#1865 Updates golang/vulndb#1866 Updates golang/vulndb#1871 Updates golang/vulndb#1879 Updates golang/vulndb#1887 Updates golang/vulndb#1888 Updates golang/vulndb#1891 Updates golang/vulndb#1892 Updates golang/vulndb#1894 Updates golang/vulndb#1895 Updates golang/vulndb#1896 Updates golang/vulndb#1897 Updates golang/vulndb#1898 Updates golang/vulndb#1899 Updates golang/vulndb#1900 Updates golang/vulndb#1901 Updates golang/vulndb#1911 Change-Id: Iffcbe8e6325ef654a17298cd4c7072192626ad21 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606787 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> --- data/excluded/GO-2023-1862.yaml | 8 --- data/excluded/GO-2023-1863.yaml | 6 -- data/excluded/GO-2023-1864.yaml | 8 --- data/excluded/GO-2023-1865.yaml | 8 --- data/excluded/GO-2023-1866.yaml | 9 --- data/excluded/GO-2023-1871.yaml | 8 --- data/excluded/GO-2023-1879.yaml | 8 --- data/excluded/GO-2023-1887.yaml | 8 --- 
data/excluded/GO-2023-1888.yaml | 8 --- data/excluded/GO-2023-1891.yaml | 8 --- data/excluded/GO-2023-1892.yaml | 8 --- data/excluded/GO-2023-1894.yaml | 8 --- data/excluded/GO-2023-1895.yaml | 8 --- data/excluded/GO-2023-1896.yaml | 8 --- data/excluded/GO-2023-1897.yaml | 8 --- data/excluded/GO-2023-1898.yaml | 8 --- data/excluded/GO-2023-1899.yaml | 8 --- data/excluded/GO-2023-1900.yaml | 8 --- data/excluded/GO-2023-1901.yaml | 8 --- data/excluded/GO-2023-1911.yaml | 8 --- data/osv/GO-2023-1862.json | 52 ++++++++++++++++ data/osv/GO-2023-1863.json | 84 ++++++++++++++++++++++++++ data/osv/GO-2023-1864.json | 102 ++++++++++++++++++++++++++++++++ data/osv/GO-2023-1865.json | 56 ++++++++++++++++++ data/osv/GO-2023-1866.json | 81 +++++++++++++++++++++++++ data/osv/GO-2023-1871.json | 56 ++++++++++++++++++ data/osv/GO-2023-1879.json | 52 ++++++++++++++++ data/osv/GO-2023-1887.json | 52 ++++++++++++++++ data/osv/GO-2023-1888.json | 52 ++++++++++++++++ data/osv/GO-2023-1891.json | 98 ++++++++++++++++++++++++++++++ data/osv/GO-2023-1892.json | 98 ++++++++++++++++++++++++++++++ data/osv/GO-2023-1894.json | 60 +++++++++++++++++++ data/osv/GO-2023-1895.json | 60 +++++++++++++++++++ data/osv/GO-2023-1896.json | 60 +++++++++++++++++++ data/osv/GO-2023-1897.json | 64 ++++++++++++++++++++ data/osv/GO-2023-1898.json | 52 ++++++++++++++++ data/osv/GO-2023-1899.json | 58 ++++++++++++++++++ data/osv/GO-2023-1900.json | 64 ++++++++++++++++++++ data/osv/GO-2023-1901.json | 53 +++++++++++++++++ data/osv/GO-2023-1911.json | 60 +++++++++++++++++++ data/reports/GO-2023-1862.yaml | 21 +++++++ data/reports/GO-2023-1863.yaml | 28 +++++++++ data/reports/GO-2023-1864.yaml | 34 +++++++++++ data/reports/GO-2023-1865.yaml | 21 +++++++ data/reports/GO-2023-1866.yaml | 31 ++++++++++ data/reports/GO-2023-1871.yaml | 22 +++++++ data/reports/GO-2023-1879.yaml | 22 +++++++ data/reports/GO-2023-1887.yaml | 20 +++++++ data/reports/GO-2023-1888.yaml | 20 +++++++ data/reports/GO-2023-1891.yaml | 33 
+++++++++++ data/reports/GO-2023-1892.yaml | 33 +++++++++++ data/reports/GO-2023-1894.yaml | 22 +++++++ data/reports/GO-2023-1895.yaml | 23 +++++++ data/reports/GO-2023-1896.yaml | 23 +++++++ data/reports/GO-2023-1897.yaml | 24 ++++++++ data/reports/GO-2023-1898.yaml | 23 +++++++ data/reports/GO-2023-1899.yaml | 23 +++++++ data/reports/GO-2023-1900.yaml | 26 ++++++++ data/reports/GO-2023-1901.yaml | 23 +++++++ data/reports/GO-2023-1911.yaml | 22 +++++++ 60 files changed, 1808 insertions(+), 159 deletions(-) delete mode 100644 data/excluded/GO-2023-1862.yaml delete mode 100644 data/excluded/GO-2023-1863.yaml delete mode 100644 data/excluded/GO-2023-1864.yaml delete mode 100644 data/excluded/GO-2023-1865.yaml delete mode 100644 data/excluded/GO-2023-1866.yaml delete mode 100644 data/excluded/GO-2023-1871.yaml delete mode 100644 data/excluded/GO-2023-1879.yaml delete mode 100644 data/excluded/GO-2023-1887.yaml delete mode 100644 data/excluded/GO-2023-1888.yaml delete mode 100644 data/excluded/GO-2023-1891.yaml delete mode 100644 data/excluded/GO-2023-1892.yaml delete mode 100644 data/excluded/GO-2023-1894.yaml delete mode 100644 data/excluded/GO-2023-1895.yaml delete mode 100644 data/excluded/GO-2023-1896.yaml delete mode 100644 data/excluded/GO-2023-1897.yaml delete mode 100644 data/excluded/GO-2023-1898.yaml delete mode 100644 data/excluded/GO-2023-1899.yaml delete mode 100644 data/excluded/GO-2023-1900.yaml delete mode 100644 data/excluded/GO-2023-1901.yaml delete mode 100644 data/excluded/GO-2023-1911.yaml create mode 100644 data/osv/GO-2023-1862.json create mode 100644 data/osv/GO-2023-1863.json create mode 100644 data/osv/GO-2023-1864.json create mode 100644 data/osv/GO-2023-1865.json create mode 100644 data/osv/GO-2023-1866.json create mode 100644 data/osv/GO-2023-1871.json create mode 100644 data/osv/GO-2023-1879.json create mode 100644 data/osv/GO-2023-1887.json create mode 100644 data/osv/GO-2023-1888.json create mode 100644 data/osv/GO-2023-1891.json create 
mode 100644 data/osv/GO-2023-1892.json
create mode 100644 data/osv/GO-2023-1894.json
create mode 100644 data/osv/GO-2023-1895.json
create mode 100644 data/osv/GO-2023-1896.json
create mode 100644 data/osv/GO-2023-1897.json
create mode 100644 data/osv/GO-2023-1898.json
create mode 100644 data/osv/GO-2023-1899.json
create mode 100644 data/osv/GO-2023-1900.json
create mode 100644 data/osv/GO-2023-1901.json
create mode 100644 data/osv/GO-2023-1911.json
create mode 100644 data/reports/GO-2023-1862.yaml
create mode 100644 data/reports/GO-2023-1863.yaml
create mode 100644 data/reports/GO-2023-1864.yaml
create mode 100644 data/reports/GO-2023-1865.yaml
create mode 100644 data/reports/GO-2023-1866.yaml
create mode 100644 data/reports/GO-2023-1871.yaml
create mode 100644 data/reports/GO-2023-1879.yaml
create mode 100644 data/reports/GO-2023-1887.yaml
create mode 100644 data/reports/GO-2023-1888.yaml
create mode 100644 data/reports/GO-2023-1891.yaml
create mode 100644 data/reports/GO-2023-1892.yaml
create mode 100644 data/reports/GO-2023-1894.yaml
create mode 100644 data/reports/GO-2023-1895.yaml
create mode 100644 data/reports/GO-2023-1896.yaml
create mode 100644 data/reports/GO-2023-1897.yaml
create mode 100644 data/reports/GO-2023-1898.yaml
create mode 100644 data/reports/GO-2023-1899.yaml
create mode 100644 data/reports/GO-2023-1900.yaml
create mode 100644 data/reports/GO-2023-1901.yaml
create mode 100644 data/reports/GO-2023-1911.yaml
diff --git a/data/excluded/GO-2023-1862.yaml b/data/excluded/GO-2023-1862.yaml
deleted file mode 100644
index 7590ca46..00000000
--- a/data/excluded/GO-2023-1862.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1862
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cilium/cilium
-cves:
- - CVE-2023-34242
-ghsas:
- - GHSA-r7wr-4w5q-55m6
diff --git a/data/excluded/GO-2023-1863.yaml b/data/excluded/GO-2023-1863.yaml
deleted file mode 100644
index a189a6f7..00000000
--- a/data/excluded/GO-2023-1863.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2023-1863
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/rudderlabs/rudder-server
-cves:
- - CVE-2023-30625
diff --git a/data/excluded/GO-2023-1864.yaml b/data/excluded/GO-2023-1864.yaml
deleted file mode 100644
index e87da072..00000000
--- a/data/excluded/GO-2023-1864.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1864
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: k8s.io/kubernetes
-cves:
- - CVE-2023-2431
-ghsas:
- - GHSA-xc8m-28vv-4pjc
diff --git a/data/excluded/GO-2023-1865.yaml b/data/excluded/GO-2023-1865.yaml
deleted file mode 100644
index 31a99a6f..00000000
--- a/data/excluded/GO-2023-1865.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1865
-excluded: NOT_IMPORTABLE
-modules:
- - module: code.vegaprotocol.io/vega
-cves:
- - CVE-2023-35163
-ghsas:
- - GHSA-8rc9-vxjh-qjf2
diff --git a/data/excluded/GO-2023-1866.yaml b/data/excluded/GO-2023-1866.yaml
deleted file mode 100644
index 24b5f2fc..00000000
--- a/data/excluded/GO-2023-1866.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-id: GO-2023-1866
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/bishopfox/sliver
-cves:
- - CVE-2023-34758
- - CVE-2023-35170
-ghsas:
- - GHSA-8jxm-xp43-qh3q
diff --git a/data/excluded/GO-2023-1871.yaml b/data/excluded/GO-2023-1871.yaml
deleted file mode 100644
index 325ffff6..00000000
--- a/data/excluded/GO-2023-1871.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1871
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/authzed/spicedb
-cves:
- - CVE-2023-35930
-ghsas:
- - GHSA-m54h-5x5f-5m6r
diff --git a/data/excluded/GO-2023-1879.yaml b/data/excluded/GO-2023-1879.yaml
deleted file mode 100644
index 4907f050..00000000
--- a/data/excluded/GO-2023-1879.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1879
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/temporalio/temporal
-cves:
- - CVE-2023-3485
-ghsas:
- - GHSA-gm2g-2xr9-pxxj
diff --git a/data/excluded/GO-2023-1887.yaml b/data/excluded/GO-2023-1887.yaml
deleted file mode 100644
index 65781f84..00000000
--- a/data/excluded/GO-2023-1887.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1887
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/1Panel-dev/1Panel
-cves:
- - CVE-2023-36457
-ghsas:
- - GHSA-q2mx-gpjf-3h8x
diff --git a/data/excluded/GO-2023-1888.yaml b/data/excluded/GO-2023-1888.yaml
deleted file mode 100644
index 76ccc747..00000000
--- a/data/excluded/GO-2023-1888.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1888
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/1Panel-dev/1Panel
-cves:
- - CVE-2023-36458
-ghsas:
- - GHSA-7x2c-fgx6-xf9h
diff --git a/data/excluded/GO-2023-1891.yaml b/data/excluded/GO-2023-1891.yaml
deleted file mode 100644
index ea10f2da..00000000
--- a/data/excluded/GO-2023-1891.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1891
-excluded: NOT_IMPORTABLE
-modules:
- - module: k8s.io/kubernetes
-cves:
- - CVE-2023-2727
-ghsas:
- - GHSA-qc2g-gmh6-95p4
diff --git a/data/excluded/GO-2023-1892.yaml b/data/excluded/GO-2023-1892.yaml
deleted file mode 100644
index f065125b..00000000
--- a/data/excluded/GO-2023-1892.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1892
-excluded: NOT_IMPORTABLE
-modules:
- - module: k8s.io/kubernetes
-cves:
- - CVE-2023-2728
-ghsas:
- - GHSA-cgcv-5272-97pr
diff --git a/data/excluded/GO-2023-1894.yaml b/data/excluded/GO-2023-1894.yaml
deleted file mode 100644
index aa2afc95..00000000
--- a/data/excluded/GO-2023-1894.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1894
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: code.gitea.io/gitea
-cves:
- - CVE-2023-3515
-ghsas:
- - GHSA-cf6v-9j57-v6r6
diff --git a/data/excluded/GO-2023-1895.yaml b/data/excluded/GO-2023-1895.yaml
deleted file mode 100644
index 92142a20..00000000
--- a/data/excluded/GO-2023-1895.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1895
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/zinclabs/zinc
-cves:
- - CVE-2022-32171
-ghsas:
- - GHSA-4fgv-8448-gf82
diff --git a/data/excluded/GO-2023-1896.yaml b/data/excluded/GO-2023-1896.yaml
deleted file mode 100644
index 78b921c0..00000000
--- a/data/excluded/GO-2023-1896.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1896
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/zinclabs/zinc
-cves:
- - CVE-2022-32172
-ghsas:
- - GHSA-7j6x-42mm-p7jm
diff --git a/data/excluded/GO-2023-1897.yaml b/data/excluded/GO-2023-1897.yaml
deleted file mode 100644
index 27274843..00000000
--- a/data/excluded/GO-2023-1897.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1897
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/hashicorp/vault
-cves:
- - CVE-2022-41316
-ghsas:
- - GHSA-9mh8-9j64-443f
diff --git a/data/excluded/GO-2023-1898.yaml b/data/excluded/GO-2023-1898.yaml
deleted file mode 100644
index 1071426f..00000000
--- a/data/excluded/GO-2023-1898.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1898
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/boundary
-cves:
- - CVE-2023-0690
-ghsas:
- - GHSA-9vrm-v9xv-x3xr
diff --git a/data/excluded/GO-2023-1899.yaml b/data/excluded/GO-2023-1899.yaml
deleted file mode 100644
index f8486c83..00000000
--- a/data/excluded/GO-2023-1899.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1899
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/nomad
-cves:
- - CVE-2023-1296
-ghsas:
- - GHSA-hhvx-8755-4cvw
diff --git a/data/excluded/GO-2023-1900.yaml b/data/excluded/GO-2023-1900.yaml
deleted file mode 100644
index ef7fb3b9..00000000
--- a/data/excluded/GO-2023-1900.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1900
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/hashicorp/vault
-cves:
- - CVE-2023-24999
-ghsas:
- - GHSA-wmg5-g953-qqfw
diff --git a/data/excluded/GO-2023-1901.yaml b/data/excluded/GO-2023-1901.yaml
deleted file mode 100644
index 8893caf2..00000000
--- a/data/excluded/GO-2023-1901.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1901
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/tektoncd/pipeline
-cves:
- - CVE-2023-37264
-ghsas:
- - GHSA-w2h3-vvvq-3m53
diff --git a/data/excluded/GO-2023-1911.yaml b/data/excluded/GO-2023-1911.yaml
deleted file mode 100644
index d6d93e77..00000000
--- a/data/excluded/GO-2023-1911.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1911
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/liamg/gitjacker
-cves:
- - CVE-2021-29417
-ghsas:
- - GHSA-4j5x-f394-xx79
diff --git a/data/osv/GO-2023-1862.json b/data/osv/GO-2023-1862.json
new file mode 100644
index 00000000..5e8728fc
--- /dev/null
+++ b/data/osv/GO-2023-1862.json
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1862", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-34242", + "GHSA-r7wr-4w5q-55m6" + ], + "summary": "Cilium vulnerable to information leakage via incorrect ReferenceGrant handling in github.com/cilium/cilium", + "details": "Cilium vulnerable to information leakage via incorrect ReferenceGrant handling in github.com/cilium/cilium", + "affected": [ + { + "package": { + "name": "github.com/cilium/cilium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.13.0" + }, + { + "fixed": "1.13.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cilium/cilium/security/advisories/GHSA-r7wr-4w5q-55m6" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34242" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.13.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1862", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1863.json b/data/osv/GO-2023-1863.json new file mode 100644 index 00000000..8a4c4e25 --- /dev/null +++ b/data/osv/GO-2023-1863.json 
@@ -0,0 +1,84 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1863", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-30625", + "GHSA-3jmm-f6jj-rcc3" + ], + "summary": "rudder-server is vulnerable to SQL injection in github.com/rudderlabs/rudder-server", + "details": "rudder-server is vulnerable to SQL injection in github.com/rudderlabs/rudder-server", + "affected": [ + { + "package": { + "name": "github.com/rudderlabs/rudder-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.0-rc.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-3jmm-f6jj-rcc3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30625" + }, + { + "type": "ADVISORY", + "url": "https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server" + }, + { + "type": "FIX", + "url": "https://github.com/rudderlabs/rudder-server/commit/0d061ff2d8c16845179d215bf8012afceba12a30" + }, + { + "type": "FIX", + "url": "https://github.com/rudderlabs/rudder-server/commit/2f956b7eb3d5eb2de3e79d7df2c87405af25071e" + }, + { + "type": "FIX", + "url": "https://github.com/rudderlabs/rudder-server/commit/9c009d9775abc99e72fc470f4c4c8e8f1775e82a" + }, + { + "type": "FIX", + "url": "https://github.com/rudderlabs/rudder-server/pull/2652" + }, + { + "type": "FIX", + "url": "https://github.com/rudderlabs/rudder-server/pull/2663" + }, + { + "type": "FIX", + "url": "https://github.com/rudderlabs/rudder-server/pull/2664" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/173837/Rudder-Server-SQL-Injection-Remote-Code-Execution.html" + }, + { + "type": "WEB", + "url": "https://securitylab.github.com/advisories" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1863", + "review_status": "UNREVIEWED" + } +} \ No 
newline at end of file diff --git a/data/osv/GO-2023-1864.json b/data/osv/GO-2023-1864.json new file mode 100644 index 00000000..f446036d --- /dev/null +++ b/data/osv/GO-2023-1864.json 
@@ -0,0 +1,102 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1864", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-2431", + "GHSA-xc8m-28vv-4pjc" + ], + "summary": "Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes", + "details": "Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.14" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.10" + }, + { + "introduced": "1.26.0" + }, + { + "fixed": "1.26.5" + }, + { + "introduced": "1.27.0" + }, + { + "fixed": "1.27.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-xc8m-28vv-4pjc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2431" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/118690" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/117020" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/117116" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/117117" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/117118" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/117147" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43HDSKBKPSW53OW647B5ETHRWFFNHSRQ" + }, + { + "type": "WEB", + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBX4RL4UOC7JHWWYB2AJCKSUM7EG5Y5G" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1864", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1865.json b/data/osv/GO-2023-1865.json new file mode 100644 index 00000000..92120c6a --- /dev/null +++ b/data/osv/GO-2023-1865.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1865", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-35163", + "GHSA-8rc9-vxjh-qjf2" + ], + "summary": "Vega's validators able to submit duplicate transactions in code.vegaprotocol.io/vega", + "details": "Vega's validators able to submit duplicate transactions in code.vegaprotocol.io/vega", + "affected": [ + { + "package": { + "name": "code.vegaprotocol.io/vega", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.71.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35163" + }, + { + "type": "WEB", + "url": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68" + }, + { + "type": "WEB", + "url": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1865", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1866.json b/data/osv/GO-2023-1866.json new file mode 100644 index 00000000..5e25ddb2 --- /dev/null +++ b/data/osv/GO-2023-1866.json 
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1866", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-34758", + "CVE-2023-35170", + "GHSA-8jxm-xp43-qh3q" + ], + "summary": "Silver vulnerable to MitM attack against implants due to a cryptography vulnerability in github.com/bishopfox/sliver", + "details": "Silver vulnerable to MitM attack against implants due to a cryptography vulnerability in github.com/bishopfox/sliver", + "affected": [ + { + "package": { + "name": "github.com/bishopfox/sliver", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.5.0" + }, + { + "fixed": "1.5.40" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-8jxm-xp43-qh3q" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8jxm-xp43-qh3q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34758" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35170" + }, + { + "type": "WEB", + "url": "https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go" + }, + { + "type": "WEB", + "url": "https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go" + }, + { + "type": "WEB", + "url": "https://github.com/BishopFox/sliver/commit/2d1ea6192cac2ff9d6450b2d96043fdbf8561516" + }, + { + "type": "WEB", + "url": "https://github.com/BishopFox/sliver/releases/tag/v1.5.40" + }, + { + "type": "WEB", + "url": "https://github.com/tangent65536/Slivjacker" + }, + { + "type": "WEB", + "url": "https://www.chtsecurity.com/news/04f41dcc-1851-463c-93bc-551323ad8091" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1866", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2023-1871.json b/data/osv/GO-2023-1871.json new file mode 100644 index 00000000..b380009b --- /dev/null +++ b/data/osv/GO-2023-1871.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1871", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-35930", + "GHSA-m54h-5x5f-5m6r" + ], + "summary": "SpiceDB's LookupResources may return partial results in github.com/authzed/spicedb", + "details": "SpiceDB's LookupResources may return partial results in github.com/authzed/spicedb", + "affected": [ + { + "package": { + "name": "github.com/authzed/spicedb", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.22.0" + }, + { + "fixed": "1.22.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35930" + }, + { + "type": "FIX", + "url": "https://github.com/authzed/spicedb/pull/1397" + }, + { + "type": "WEB", + "url": "https://github.com/authzed/spicedb/releases/tag/v1.22.2" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1871", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1879.json b/data/osv/GO-2023-1879.json new file mode 100644 index 00000000..f372e328 --- /dev/null +++ b/data/osv/GO-2023-1879.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1879", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-3485", + "GHSA-gm2g-2xr9-pxxj" + ], + "summary": "Temporal Server vulnerable to Incorrect Authorization and Insecure Default Initialization of Resource in go.temporal.io/server", + "details": "Temporal Server vulnerable to Incorrect Authorization and Insecure Default Initialization of Resource in go.temporal.io/server", + "affected": [ + { + "package": { + "name": "go.temporal.io/server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-gm2g-2xr9-pxxj" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3485" + }, + { + "type": "WEB", + "url": "https://github.com/temporalio/temporal/releases/tag/v1.20.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1879", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1887.json b/data/osv/GO-2023-1887.json new file mode 100644 index 00000000..c2ba983e --- /dev/null +++ b/data/osv/GO-2023-1887.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1887", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-36457", + "GHSA-q2mx-gpjf-3h8x" + ], + "summary": "1Panel vulnerable to command injection when adding container repositories in github.com/1Panel-dev/1Panel", + "details": "1Panel vulnerable to command injection when adding container repositories in github.com/1Panel-dev/1Panel", + "affected": [ + { + "package": { + "name": "github.com/1Panel-dev/1Panel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-q2mx-gpjf-3h8x" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36457" + }, + { + "type": "WEB", + "url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.3.6" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1887", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1888.json b/data/osv/GO-2023-1888.json new file mode 100644 index 00000000..beaff6f0 --- /dev/null +++ b/data/osv/GO-2023-1888.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1888", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-36458", + "GHSA-7x2c-fgx6-xf9h" + ], + "summary": "1Panel vulnerable to command injection when entering the container terminal in github.com/1Panel-dev/1Panel", + "details": "1Panel vulnerable to command injection when entering the container terminal in github.com/1Panel-dev/1Panel", + "affected": [ + { + "package": { + "name": "github.com/1Panel-dev/1Panel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7x2c-fgx6-xf9h" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36458" + }, + { + "type": "WEB", + "url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.3.6" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1888", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1891.json b/data/osv/GO-2023-1891.json new file mode 100644 index 00000000..f2ecbfab --- /dev/null +++ b/data/osv/GO-2023-1891.json 
@@ -0,0 +1,98 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1891", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-2727", + "GHSA-qc2g-gmh6-95p4" + ], + "summary": "kube-apiserver vulnerable to policy bypass in k8s.io/kubernetes", + "details": "kube-apiserver vulnerable to policy bypass in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.15" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.11" + }, + { + "introduced": "1.26.0" + }, + { + "fixed": "1.26.6" + }, + { + "introduced": "1.27.0" + }, + { + "fixed": "1.27.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-qc2g-gmh6-95p4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2727" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/07/06/2" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/118640" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118356" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118471" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118473" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118474" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118512" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1891", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2023-1892.json b/data/osv/GO-2023-1892.json new file mode 100644 index 00000000..e000ebbe --- /dev/null +++ b/data/osv/GO-2023-1892.json 
@@ -0,0 +1,98 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1892", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-2728", + "GHSA-cgcv-5272-97pr" + ], + "summary": "Kubernetes mountable secrets policy bypass in k8s.io/kubernetes", + "details": "Kubernetes mountable secrets policy bypass in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.15" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.11" + }, + { + "introduced": "1.26.0" + }, + { + "fixed": "1.26.6" + }, + { + "introduced": "1.27.0" + }, + { + "fixed": "1.27.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-cgcv-5272-97pr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2728" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/07/06/3" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/118640" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118356" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118471" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118473" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118474" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118512" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1892", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2023-1894.json b/data/osv/GO-2023-1894.json new file mode 100644 index 00000000..02906db1 --- /dev/null +++ b/data/osv/GO-2023-1894.json @@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1894", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-3515", + "GHSA-cf6v-9j57-v6r6" + ], + "summary": "code.gitea.io/gitea Open Redirect vulnerability", + "details": "code.gitea.io/gitea Open Redirect vulnerability", + "affected": [ + { + "package": { + "name": "code.gitea.io/gitea", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-cf6v-9j57-v6r6" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3515" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/commit/9aaaf980f0ba15611f30568bd67bce3ec12954e2" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/e335cd18-bc4d-4585-adb7-426c817ed053" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202312-13" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1894", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1895.json b/data/osv/GO-2023-1895.json new file mode 100644 index 00000000..f2741add --- /dev/null +++ b/data/osv/GO-2023-1895.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1895", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-32171", + "GHSA-4fgv-8448-gf82" + ], + "summary": "Zinc Cross-site Scripting vulnerability in github.com/zinclabs/zinc", + "details": "Zinc Cross-site Scripting vulnerability in github.com/zinclabs/zinc", + "affected": [ + { + "package": { + "name": "github.com/zinclabs/zinc", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1.9" + }, + { + "fixed": "0.3.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-4fgv-8448-gf82" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32171" + }, + { + "type": "FIX", + "url": "https://github.com/zinclabs/zinc/commit/3376c248bade163430f9347742428f0a82cd322d" + }, + { + "type": "WEB", + "url": "https://github.com/zincsearch/zincsearch/commit/3376c248bade163430f9347742428f0a82cd322d" + }, + { + "type": "WEB", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-32171" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1895", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1896.json b/data/osv/GO-2023-1896.json new file mode 100644 index 00000000..f0590c1e --- /dev/null +++ b/data/osv/GO-2023-1896.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1896", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-32172", + "GHSA-7j6x-42mm-p7jm" + ], + "summary": "Zinc Cross-site Scripting vulnerability in github.com/zinclabs/zinc", + "details": "Zinc Cross-site Scripting vulnerability in github.com/zinclabs/zinc", + "affected": [ + { + "package": { + "name": "github.com/zinclabs/zinc", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1.9" + }, + { + "fixed": "0.3.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-7j6x-42mm-p7jm" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32172" + }, + { + "type": "FIX", + "url": "https://github.com/zinclabs/zinc/commit/3376c248bade163430f9347742428f0a82cd322d" + }, + { + "type": "WEB", + "url": "https://github.com/zincsearch/zincsearch/commit/3376c248bade163430f9347742428f0a82cd322d" + }, + { + "type": "WEB", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-32172" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1896", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1897.json b/data/osv/GO-2023-1897.json new file mode 100644 index 00000000..ed01989d --- /dev/null +++ b/data/osv/GO-2023-1897.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1897", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-41316", + "GHSA-9mh8-9j64-443f" + ], + "summary": "HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault", + "details": "HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.10" + }, + { + "introduced": "1.10.0" + }, + { + "fixed": "1.10.7" + }, + { + "introduced": "1.11.0" + }, + { + "fixed": "1.11.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9mh8-9j64-443f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41316" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1897", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1898.json b/data/osv/GO-2023-1898.json new file mode 100644 index 00000000..3108b280 --- /dev/null +++ b/data/osv/GO-2023-1898.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1898", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-0690", + "GHSA-9vrm-v9xv-x3xr" + ], + "summary": "HashiCorp Boundary Workers Store Rotated Credentials in Plaintext Even When Key Management Service Configured in github.com/hashicorp/boundary", + "details": "HashiCorp Boundary Workers Store Rotated Credentials in Plaintext Even When Key Management Service Configured in github.com/hashicorp/boundary", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/boundary", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.10.0" + }, + { + "fixed": "0.12.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9vrm-v9xv-x3xr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0690" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1898", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1899.json b/data/osv/GO-2023-1899.json new file mode 100644 index 00000000..6754580b --- /dev/null +++ b/data/osv/GO-2023-1899.json 
@@ -0,0 +1,58 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1899", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-1296", + "GHSA-hhvx-8755-4cvw" + ], + "summary": "Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables in github.com/hashicorp/nomad", + "details": "Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables in github.com/hashicorp/nomad", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/nomad", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.4.0" + }, + { + "fixed": "1.4.6" + }, + { + "introduced": "1.5.0" + }, + { + "fixed": "1.5.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-hhvx-8755-4cvw" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1296" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2023-09-nomad-acls-can-not-deny-access-to-workloads-own-variables/51390" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1899", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1900.json b/data/osv/GO-2023-1900.json new file mode 100644 index 00000000..b035242e --- /dev/null +++ b/data/osv/GO-2023-1900.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1900", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-24999", + "GHSA-wmg5-g953-qqfw" + ], + "summary": "Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault", + "details": "Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.11" + }, + { + "introduced": "1.11.0" + }, + { + "fixed": "1.11.8" + }, + { + "introduced": "1.12.0" + }, + { + "fixed": "1.12.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-wmg5-g953-qqfw" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24999" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1900", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1901.json b/data/osv/GO-2023-1901.json new file mode 100644 index 00000000..4be51702 --- /dev/null +++ b/data/osv/GO-2023-1901.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1901", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-37264", + "GHSA-w2h3-vvvq-3m53" + ], + "summary": "Pipelines do not validate child UIDs in github.com/tektoncd/pipeline", + "details": "Pipelines do not validate child UIDs in github.com/tektoncd/pipeline", + "affected": [ + { + "package": { + "name": "github.com/tektoncd/pipeline", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.35.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-w2h3-vvvq-3m53" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37264" + }, + { + "type": "WEB", + "url": "https://github.com/tektoncd/pipeline/blob/2d38f5fa840291395178422d34b36b1bc739e2a2/pkg/reconciler/pipelinerun/pipelinerun.go#L1358-L1372" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1#ChildStatusReference" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1901", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1911.json b/data/osv/GO-2023-1911.json new file mode 100644 index 00000000..f6a13be5 --- /dev/null +++ b/data/osv/GO-2023-1911.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1911", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-29417", + "GHSA-4j5x-f394-xx79" + ], + "summary": "gitjacker arbitrary code execution in github.com/liamg/gitjacker", + "details": "gitjacker arbitrary code execution in github.com/liamg/gitjacker", + "affected": [ + { + "package": { + "name": "github.com/liamg/gitjacker", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.1.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-4j5x-f394-xx79" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29417" + }, + { + "type": "WEB", + "url": "https://github.com/liamg/gitjacker/compare/v0.0.3...v0.1.0" + }, + { + "type": "WEB", + "url": "https://github.com/liamg/gitjacker/releases/tag/v0.1.0" + }, + { + "type": "WEB", + "url": "https://vuln.ryotak.me/advisories/5" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1911", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2023-1862.yaml b/data/reports/GO-2023-1862.yaml new file mode 100644 index 00000000..a0659df6 --- /dev/null +++ b/data/reports/GO-2023-1862.yaml 
@@ -0,0 +1,21 @@ +id: GO-2023-1862 +modules: + - module: github.com/cilium/cilium + versions: + - introduced: 1.13.0 + - fixed: 1.13.4 + vulnerable_at: 1.13.3 +summary: Cilium vulnerable to information leakage via incorrect ReferenceGrant handling in github.com/cilium/cilium +cves: + - CVE-2023-34242 +ghsas: + - GHSA-r7wr-4w5q-55m6 +references: + - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-r7wr-4w5q-55m6 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-34242 + - web: https://github.com/cilium/cilium/releases/tag/v1.13.4 +source: + id: GHSA-r7wr-4w5q-55m6 + created: 2024-08-20T11:49:04.375091-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2023-1863.yaml b/data/reports/GO-2023-1863.yaml new file mode 100644 index 00000000..5430095a --- /dev/null +++ b/data/reports/GO-2023-1863.yaml 
@@ -0,0 +1,28 @@ +id: GO-2023-1863 +modules: + - module: github.com/rudderlabs/rudder-server + versions: + - fixed: 1.3.0-rc.1 + vulnerable_at: 1.2.5 +summary: rudder-server is vulnerable to SQL injection in github.com/rudderlabs/rudder-server +cves: + - CVE-2023-30625 +ghsas: + - GHSA-3jmm-f6jj-rcc3 +references: + - advisory: https://github.com/advisories/GHSA-3jmm-f6jj-rcc3 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-30625 + - advisory: https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server + - fix: https://github.com/rudderlabs/rudder-server/commit/0d061ff2d8c16845179d215bf8012afceba12a30 + - fix: https://github.com/rudderlabs/rudder-server/commit/2f956b7eb3d5eb2de3e79d7df2c87405af25071e + - fix: https://github.com/rudderlabs/rudder-server/commit/9c009d9775abc99e72fc470f4c4c8e8f1775e82a + - fix: https://github.com/rudderlabs/rudder-server/pull/2652 + - fix: https://github.com/rudderlabs/rudder-server/pull/2663 + - fix: https://github.com/rudderlabs/rudder-server/pull/2664 + - web: http://packetstormsecurity.com/files/173837/Rudder-Server-SQL-Injection-Remote-Code-Execution.html + - web: https://securitylab.github.com/advisories +source: + id: GHSA-3jmm-f6jj-rcc3 + created: 2024-08-20T11:49:07.641086-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2023-1864.yaml b/data/reports/GO-2023-1864.yaml new file mode 100644 index 00000000..350b7dd3 --- /dev/null +++ b/data/reports/GO-2023-1864.yaml 
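Review bot: The reference `web: https://securitylab.github.com/advisories` is the GitHub Security Lab listing page, not an advisory for this issue, and the specific `GHSL-2022-097_rudder-server` advisory is already listed three lines above it; drop the generic entry. The only fixed version is the pre-release `1.3.0-rc.1`, which orders correctly under Go semver but is worth confirming against the three `fix:` commits, since the report does not let a reader check that the first stable 1.3.0 also carries them. The packetstorm reference title describes the issue as SQL injection leading to remote code execution while the summary only says SQL injection; if the GHSL advisory supports that escalation, the summary should say so.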
@@ -0,0 +1,34 @@ +id: GO-2023-1864 +modules: + - module: k8s.io/kubernetes + versions: + - fixed: 1.24.14 + - introduced: 1.25.0 + - fixed: 1.25.10 + - introduced: 1.26.0 + - fixed: 1.26.5 + - introduced: 1.27.0 + - fixed: 1.27.2 + vulnerable_at: 1.27.1 +summary: Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes +cves: + - CVE-2023-2431 +ghsas: + - GHSA-xc8m-28vv-4pjc +references: + - advisory: https://github.com/advisories/GHSA-xc8m-28vv-4pjc + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-2431 + - web: https://github.com/kubernetes/kubernetes/issues/118690 + - web: https://github.com/kubernetes/kubernetes/pull/117020 + - web: https://github.com/kubernetes/kubernetes/pull/117116 + - web: https://github.com/kubernetes/kubernetes/pull/117117 + - web: https://github.com/kubernetes/kubernetes/pull/117118 + - web: https://github.com/kubernetes/kubernetes/pull/117147 + - web: https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10 + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43HDSKBKPSW53OW647B5ETHRWFFNHSRQ + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBX4RL4UOC7JHWWYB2AJCKSUM7EG5Y5G +source: + id: GHSA-xc8m-28vv-4pjc + created: 2024-08-20T11:49:15.50631-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2023-1865.yaml b/data/reports/GO-2023-1865.yaml new file mode 100644 index 00000000..3f36a5f4 --- /dev/null +++ b/data/reports/GO-2023-1865.yaml 
@@ -0,0 +1,21 @@ +id: GO-2023-1865 +modules: + - module: code.vegaprotocol.io/vega + versions: + - fixed: 0.71.6 + vulnerable_at: 0.71.5 +summary: Vega's validators able to submit duplicate transactions in code.vegaprotocol.io/vega +cves: + - CVE-2023-35163 +ghsas: + - GHSA-8rc9-vxjh-qjf2 +references: + - advisory: https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-35163 + - web: https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68 + - web: https://github.com/vegaprotocol/vega/releases/tag/v0.71.6 +source: + id: GHSA-8rc9-vxjh-qjf2 + created: 2024-08-20T11:49:25.971228-04:00 +review_status: UNREVIEWED +unexcluded: NOT_IMPORTABLE diff --git a/data/reports/GO-2023-1866.yaml b/data/reports/GO-2023-1866.yaml new file mode 100644 index 00000000..4172ec80 --- /dev/null +++ b/data/reports/GO-2023-1866.yaml 
@@ -0,0 +1,31 @@ +id: GO-2023-1866 +modules: + - module: github.com/bishopfox/sliver + versions: + - introduced: 1.5.0 + - fixed: 1.5.40 + vulnerable_at: 1.5.39 +summary: |- + Silver vulnerable to MitM attack against implants due to a cryptography + vulnerability in github.com/bishopfox/sliver +cves: + - CVE-2023-34758 + - CVE-2023-35170 +ghsas: + - GHSA-8jxm-xp43-qh3q +references: + - advisory: https://github.com/BishopFox/sliver/security/advisories/GHSA-8jxm-xp43-qh3q + - advisory: https://github.com/advisories/GHSA-8jxm-xp43-qh3q + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-34758 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-35170 + - web: https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go + - web: https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go + - web: https://github.com/BishopFox/sliver/commit/2d1ea6192cac2ff9d6450b2d96043fdbf8561516 + - web: https://github.com/BishopFox/sliver/releases/tag/v1.5.40 + - web: https://github.com/tangent65536/Slivjacker + - web: https://www.chtsecurity.com/news/04f41dcc-1851-463c-93bc-551323ad8091 +source: + id: GHSA-8jxm-xp43-qh3q + created: 2024-08-20T11:49:30.556879-04:00 +review_status: UNREVIEWED +unexcluded: NOT_IMPORTABLE diff --git a/data/reports/GO-2023-1871.yaml b/data/reports/GO-2023-1871.yaml new file mode 100644 index 00000000..b33867db --- /dev/null +++ b/data/reports/GO-2023-1871.yaml 
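Review bot: The summary misspells the project name as "Silver" on the first line of the block scalar; the module is `github.com/bishopfox/sliver` and every reference spells it "Sliver", so the line should read `Sliver vulnerable to MitM attack against implants due to a cryptography`. Two CVEs (CVE-2023-34758 and CVE-2023-35170) are folded into one report under a single GHSA, which is presumably intentional, but a one-line `description:` stating that both identifiers cover the same key-exchange defect would stop a later triager from splitting them. The `github.com/tangent65536/Slivjacker` link appears to be a proof-of-concept against this issue rather than a fix or advisory; keeping it as `web:` is right, it should not be promoted to `fix:`.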
@@ -0,0 +1,22 @@ +id: GO-2023-1871 +modules: + - module: github.com/authzed/spicedb + versions: + - introduced: 1.22.0 + - fixed: 1.22.2 + vulnerable_at: 1.22.1 +summary: SpiceDB's LookupResources may return partial results in github.com/authzed/spicedb +cves: + - CVE-2023-35930 +ghsas: + - GHSA-m54h-5x5f-5m6r +references: + - advisory: https://github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6r + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-35930 + - fix: https://github.com/authzed/spicedb/pull/1397 + - web: https://github.com/authzed/spicedb/releases/tag/v1.22.2 +source: + id: GHSA-m54h-5x5f-5m6r + created: 2024-08-20T11:49:43.551816-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2023-1879.yaml b/data/reports/GO-2023-1879.yaml new file mode 100644 index 00000000..aea13a9c --- /dev/null +++ b/data/reports/GO-2023-1879.yaml @@ -0,0 +1,22 @@ +id: GO-2023-1879 +modules: + - module: go.temporal.io/server + versions: + - fixed: 1.20.0 + vulnerable_at: 1.19.1 +summary: |- + Temporal Server vulnerable to Incorrect Authorization and Insecure Default + Initialization of Resource in go.temporal.io/server +cves: + - CVE-2023-3485 +ghsas: + - GHSA-gm2g-2xr9-pxxj +references: + - advisory: https://github.com/advisories/GHSA-gm2g-2xr9-pxxj + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-3485 + - web: https://github.com/temporalio/temporal/releases/tag/v1.20.0 +source: + id: GHSA-gm2g-2xr9-pxxj + created: 2024-08-20T11:50:07.315396-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2023-1887.yaml b/data/reports/GO-2023-1887.yaml new file mode 100644 index 00000000..531224de --- /dev/null +++ b/data/reports/GO-2023-1887.yaml 
@@ -0,0 +1,20 @@ +id: GO-2023-1887 +modules: + - module: github.com/1Panel-dev/1Panel + versions: + - fixed: 1.3.6 + vulnerable_at: 1.3.5 +summary: 1Panel vulnerable to command injection when adding container repositories in github.com/1Panel-dev/1Panel +cves: + - CVE-2023-36457 +ghsas: + - GHSA-q2mx-gpjf-3h8x +references: + - advisory: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-q2mx-gpjf-3h8x + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-36457 + - web: https://github.com/1Panel-dev/1Panel/releases/tag/v1.3.6 +source: + id: GHSA-q2mx-gpjf-3h8x + created: 2024-08-20T11:50:20.850072-04:00 +review_status: UNREVIEWED +unexcluded: NOT_IMPORTABLE diff --git a/data/reports/GO-2023-1888.yaml b/data/reports/GO-2023-1888.yaml new file mode 100644 index 00000000..95e60f3d --- /dev/null +++ b/data/reports/GO-2023-1888.yaml @@ -0,0 +1,20 @@ +id: GO-2023-1888 +modules: + - module: github.com/1Panel-dev/1Panel + versions: + - fixed: 1.3.6 + vulnerable_at: 1.3.5 +summary: 1Panel vulnerable to command injection when entering the container terminal in github.com/1Panel-dev/1Panel +cves: + - CVE-2023-36458 +ghsas: + - GHSA-7x2c-fgx6-xf9h +references: + - advisory: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7x2c-fgx6-xf9h + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-36458 + - web: https://github.com/1Panel-dev/1Panel/releases/tag/v1.3.6 +source: + id: GHSA-7x2c-fgx6-xf9h + created: 2024-08-20T11:50:24.573307-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2023-1891.yaml b/data/reports/GO-2023-1891.yaml new file mode 100644 index 00000000..8c8079dc --- /dev/null +++ b/data/reports/GO-2023-1891.yaml 
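Review bot: GO-2023-1887 and GO-2023-1888 describe the same module `github.com/1Panel-dev/1Panel` at the same versions (`fixed: 1.3.6`, `vulnerable_at: 1.3.5`), yet this report carries `unexcluded: EFFECTIVELY_PRIVATE` while GO-2023-1887 immediately above carries `unexcluded: NOT_IMPORTABLE`. These values presumably mirror the original exclusion records, but a module cannot be both, and whoever later reviews these reports should start from one consistent reason. Both reports are command injections with no `description:`, so the generated OSV `details` will only repeat the summary; a sentence from each GHSA on where the injected input enters (the repository URL field, the terminal parameters) would make the pair distinguishable to consumers.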
@@ -0,0 +1,33 @@ +id: GO-2023-1891 +modules: + - module: k8s.io/kubernetes + versions: + - fixed: 1.24.15 + - introduced: 1.25.0 + - fixed: 1.25.11 + - introduced: 1.26.0 + - fixed: 1.26.6 + - introduced: 1.27.0 + - fixed: 1.27.3 + vulnerable_at: 1.27.2 +summary: kube-apiserver vulnerable to policy bypass in k8s.io/kubernetes +cves: + - CVE-2023-2727 +ghsas: + - GHSA-qc2g-gmh6-95p4 +references: + - advisory: https://github.com/advisories/GHSA-qc2g-gmh6-95p4 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-2727 + - web: http://www.openwall.com/lists/oss-security/2023/07/06/2 + - web: https://github.com/kubernetes/kubernetes/issues/118640 + - web: https://github.com/kubernetes/kubernetes/pull/118356 + - web: https://github.com/kubernetes/kubernetes/pull/118471 + - web: https://github.com/kubernetes/kubernetes/pull/118473 + - web: https://github.com/kubernetes/kubernetes/pull/118474 + - web: https://github.com/kubernetes/kubernetes/pull/118512 + - web: https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8 +source: + id: GHSA-qc2g-gmh6-95p4 + created: 2024-08-20T11:50:27.307179-04:00 +review_status: UNREVIEWED +unexcluded: NOT_IMPORTABLE diff --git a/data/reports/GO-2023-1892.yaml b/data/reports/GO-2023-1892.yaml new file mode 100644 index 00000000..ecf61380 --- /dev/null +++ b/data/reports/GO-2023-1892.yaml 
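Review bot: The same `unexcluded` inconsistency appears for `k8s.io/kubernetes`: this report and GO-2023-1892 are marked `NOT_IMPORTABLE` while GO-2023-1864 for the same module is `EFFECTIVELY_PRIVATE`; the module should carry one reason. The five `kubernetes/kubernetes` pull requests (118356 and the 118471–118512 series) are listed as `web:` although they look like the fix and its release-branch cherry-picks; if so they belong under `fix:` so the OSV output tags them `FIX` rather than `WEB`. The summary "kube-apiserver vulnerable to policy bypass" does not say which admission policy is bypassed, and GO-2023-1892 is another "policy bypass" with identical versions and an identical reference list, so pulling the one-line description from the GHSA into the summary or a `description:` is what would let a reader tell the two apart.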
@@ -0,0 +1,33 @@ +id: GO-2023-1892 +modules: + - module: k8s.io/kubernetes + versions: + - fixed: 1.24.15 + - introduced: 1.25.0 + - fixed: 1.25.11 + - introduced: 1.26.0 + - fixed: 1.26.6 + - introduced: 1.27.0 + - fixed: 1.27.3 + vulnerable_at: 1.27.2 +summary: Kubernetes mountable secrets policy bypass in k8s.io/kubernetes +cves: + - CVE-2023-2728 +ghsas: + - GHSA-cgcv-5272-97pr +references: + - advisory: https://github.com/advisories/GHSA-cgcv-5272-97pr + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-2728 + - web: http://www.openwall.com/lists/oss-security/2023/07/06/3 + - web: https://github.com/kubernetes/kubernetes/issues/118640 + - web: https://github.com/kubernetes/kubernetes/pull/118356 + - web: https://github.com/kubernetes/kubernetes/pull/118471 + - web: https://github.com/kubernetes/kubernetes/pull/118473 + - web: https://github.com/kubernetes/kubernetes/pull/118474 + - web: https://github.com/kubernetes/kubernetes/pull/118512 + - web: https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8 +source: + id: GHSA-cgcv-5272-97pr + created: 2024-08-20T11:50:36.829643-04:00 +review_status: UNREVIEWED +unexcluded: NOT_IMPORTABLE diff --git a/data/reports/GO-2023-1894.yaml b/data/reports/GO-2023-1894.yaml new file mode 100644 index 00000000..d1fbd2a7 --- /dev/null +++ b/data/reports/GO-2023-1894.yaml 
@@ -0,0 +1,22 @@ +id: GO-2023-1894 +modules: + - module: code.gitea.io/gitea + versions: + - fixed: 1.19.4 + vulnerable_at: 1.19.3 +summary: code.gitea.io/gitea Open Redirect vulnerability +cves: + - CVE-2023-3515 +ghsas: + - GHSA-cf6v-9j57-v6r6 +references: + - advisory: https://github.com/advisories/GHSA-cf6v-9j57-v6r6 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-3515 + - web: https://github.com/go-gitea/gitea/commit/9aaaf980f0ba15611f30568bd67bce3ec12954e2 + - web: https://huntr.dev/bounties/e335cd18-bc4d-4585-adb7-426c817ed053 + - web: https://security.gentoo.org/glsa/202312-13 +source: + id: GHSA-cf6v-9j57-v6r6 + created: 2024-08-20T11:50:48.12686-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2023-1895.yaml b/data/reports/GO-2023-1895.yaml new file mode 100644 index 00000000..52384597 --- /dev/null +++ b/data/reports/GO-2023-1895.yaml @@ -0,0 +1,23 @@ +id: GO-2023-1895 +modules: + - module: github.com/zinclabs/zinc + versions: + - introduced: 0.1.9 + - fixed: 0.3.2 + vulnerable_at: 0.3.1 +summary: Zinc Cross-site Scripting vulnerability in github.com/zinclabs/zinc +cves: + - CVE-2022-32171 +ghsas: + - GHSA-4fgv-8448-gf82 +references: + - advisory: https://github.com/advisories/GHSA-4fgv-8448-gf82 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-32171 + - fix: https://github.com/zinclabs/zinc/commit/3376c248bade163430f9347742428f0a82cd322d + - web: https://github.com/zincsearch/zincsearch/commit/3376c248bade163430f9347742428f0a82cd322d + - web: https://www.mend.io/vulnerability-database/CVE-2022-32171 +source: + id: GHSA-4fgv-8448-gf82 + created: 2024-08-20T11:50:52.707061-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2023-1896.yaml b/data/reports/GO-2023-1896.yaml new file mode 100644 index 00000000..8b1b4720 --- /dev/null +++ b/data/reports/GO-2023-1896.yaml 
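Review bot: The gitea commit `9aaaf980f0ba15611f30568bd67bce3ec12954e2` is listed as `web:` even though it is the only code reference in the report; if it is the change that shipped in 1.19.4 it should be `fix:` so the OSV record carries a `FIX` reference that can be checked against the range. The summary "Open Redirect vulnerability" names no entry point; the huntr report linked here should identify the affected route, and a `description:` line naming it would tell operators whether the redirect is reachable in their deployment.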
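Review bot: This report and GO-2023-1896 (next hunk) are indistinguishable: same module, same range 0.1.9–0.3.2, same `fix:` commit `3376c248…`, same summary "Zinc Cross-site Scripting vulnerability". Two CVEs were assigned, so the advisories presumably describe two different injection points; each report needs a summary or `description:` naming its own sink, or, if the advisories really describe one defect, one report should absorb the other's CVE as an alias the way GO-2023-1866 does. The `zincsearch/zincsearch` commit is the same SHA as the `zinclabs/zinc` fix, apparently served from the renamed repository, so listing it a second time as `web:` adds nothing.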
@@ -0,0 +1,23 @@ +id: GO-2023-1896 +modules: + - module: github.com/zinclabs/zinc + versions: + - introduced: 0.1.9 + - fixed: 0.3.2 + vulnerable_at: 0.3.1 +summary: Zinc Cross-site Scripting vulnerability in github.com/zinclabs/zinc +cves: + - CVE-2022-32172 +ghsas: + - GHSA-7j6x-42mm-p7jm +references: + - advisory: https://github.com/advisories/GHSA-7j6x-42mm-p7jm + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-32172 + - fix: https://github.com/zinclabs/zinc/commit/3376c248bade163430f9347742428f0a82cd322d + - web: https://github.com/zincsearch/zincsearch/commit/3376c248bade163430f9347742428f0a82cd322d + - web: https://www.mend.io/vulnerability-database/CVE-2022-32172 +source: + id: GHSA-7j6x-42mm-p7jm + created: 2024-08-20T11:50:56.596276-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2023-1897.yaml b/data/reports/GO-2023-1897.yaml new file mode 100644 index 00000000..e0baa2f3 --- /dev/null +++ b/data/reports/GO-2023-1897.yaml @@ -0,0 +1,24 @@ +id: GO-2023-1897 +modules: + - module: github.com/hashicorp/vault + versions: + - fixed: 1.9.10 + - introduced: 1.10.0 + - fixed: 1.10.7 + - introduced: 1.11.0 + - fixed: 1.11.4 + vulnerable_at: 1.11.3 +summary: HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault +cves: + - CVE-2022-41316 +ghsas: + - GHSA-9mh8-9j64-443f +references: + - advisory: https://github.com/advisories/GHSA-9mh8-9j64-443f + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-41316 + - web: https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483 +source: + id: GHSA-9mh8-9j64-443f + created: 2024-08-20T11:50:59.867143-04:00 +review_status: UNREVIEWED +unexcluded: NOT_IMPORTABLE diff --git a/data/reports/GO-2023-1898.yaml b/data/reports/GO-2023-1898.yaml new file mode 100644 index 00000000..9491d012 --- /dev/null +++ b/data/reports/GO-2023-1898.yaml 
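Review bot: The summary "HashiCorp Vault's revocation list not respected" does not say which component ignores it; the linked HCSEC-2022-24 title is more precise, the TLS certificate auth method only loaded the CRL after the first request, so the summary should read `summary: Vault's TLS cert auth method does not apply the CRL until after the first request in github.com/hashicorp/vault`. That scope matters for triage, since presumably only deployments using the cert auth method with a CRL configured are exposed, and only in the window before the first request; a `description:` sentence stating it would be worth adding. The fixed versions (1.9.10, 1.10.7, 1.11.4) line up with three release branches, but no `fix:` commit is referenced, so the fix cannot be checked from the report itself.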
@@ -0,0 +1,23 @@ +id: GO-2023-1898 +modules: + - module: github.com/hashicorp/boundary + versions: + - introduced: 0.10.0 + - fixed: 0.12.0 + vulnerable_at: 0.11.2 +summary: |- + HashiCorp Boundary Workers Store Rotated Credentials in Plaintext Even When Key + Management Service Configured in github.com/hashicorp/boundary +cves: + - CVE-2023-0690 +ghsas: + - GHSA-9vrm-v9xv-x3xr +references: + - advisory: https://github.com/advisories/GHSA-9vrm-v9xv-x3xr + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-0690 + - web: https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907 +source: + id: GHSA-9vrm-v9xv-x3xr + created: 2024-08-20T11:51:03.555065-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2023-1899.yaml b/data/reports/GO-2023-1899.yaml new file mode 100644 index 00000000..a0effbe1 --- /dev/null +++ b/data/reports/GO-2023-1899.yaml @@ -0,0 +1,23 @@ +id: GO-2023-1899 +modules: + - module: github.com/hashicorp/nomad + versions: + - introduced: 1.4.0 + - fixed: 1.4.6 + - introduced: 1.5.0 + - fixed: 1.5.1 + vulnerable_at: 1.5.0 +summary: Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables in github.com/hashicorp/nomad +cves: + - CVE-2023-1296 +ghsas: + - GHSA-hhvx-8755-4cvw +references: + - advisory: https://github.com/advisories/GHSA-hhvx-8755-4cvw + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-1296 + - web: https://discuss.hashicorp.com/t/hcsec-2023-09-nomad-acls-can-not-deny-access-to-workloads-own-variables/51390 +source: + id: GHSA-hhvx-8755-4cvw + created: 2024-08-20T11:51:06.530403-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2023-1900.yaml b/data/reports/GO-2023-1900.yaml new file mode 100644 index 00000000..e259b1b7 --- /dev/null +++ b/data/reports/GO-2023-1900.yaml 
@@ -0,0 +1,26 @@
+id: GO-2023-1900
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - fixed: 1.10.11
+ - introduced: 1.11.0
+ - fixed: 1.11.8
+ - introduced: 1.12.0
+ - fixed: 1.12.4
+ vulnerable_at: 1.12.3
+summary: |-
+ Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a
+ Destroy Operation in github.com/hashicorp/vault
+cves:
+ - CVE-2023-24999
+ghsas:
+ - GHSA-wmg5-g953-qqfw
+references:
+ - advisory: https://github.com/advisories/GHSA-wmg5-g953-qqfw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-24999
+ - web: https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305
+source:
+ id: GHSA-wmg5-g953-qqfw
+ created: 2024-08-20T11:51:09.559247-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2023-1901.yaml b/data/reports/GO-2023-1901.yaml
new file mode 100644
index 00000000..929f0c06
--- /dev/null
+++ b/data/reports/GO-2023-1901.yaml
@@ -0,0 +1,23 @@
+id: GO-2023-1901
+modules:
+ - module: github.com/tektoncd/pipeline
+ versions:
+ - introduced: 0.35.0
+ unsupported_versions:
+ - last_affected: 0.52.0
+ vulnerable_at: 0.62.1
+summary: Pipelines do not validate child UIDs in github.com/tektoncd/pipeline
+cves:
+ - CVE-2023-37264
+ghsas:
+ - GHSA-w2h3-vvvq-3m53
+references:
+ - advisory: https://github.com/tektoncd/pipeline/security/advisories/GHSA-w2h3-vvvq-3m53
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-37264
+ - web: https://github.com/tektoncd/pipeline/blob/2d38f5fa840291395178422d34b36b1bc739e2a2/pkg/reconciler/pipelinerun/pipelinerun.go#L1358-L1372
+ - web: https://pkg.go.dev/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1#ChildStatusReference
+source:
+ id: GHSA-w2h3-vvvq-3m53
+ created: 2024-08-20T11:51:13.001039-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
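Review bot: In the GO-2023-1901 hunk the `versions` range has only `introduced: 0.35.0` and no `fixed:` entry, while `last_affected: 0.52.0` sits under `unsupported_versions` and `vulnerable_at` is 0.62.1, a release above that last-affected value; as written the affected range is open-ended and presumably every release from 0.35.0 onward, including current ones, will be flagged. If the upstream advisory states that 0.52.0 is genuinely the last affected release, the report should carry a `fixed:` bound instead; if no fix has shipped, a short comment above `unsupported_versions` saying so, e.g. `# no fixed version known; last_affected kept for reference only`, would stop the next reviewer from reading the 0.52.0/0.62.1 pair as a mistake. This is the only one of the four hunks on this line where the range and `vulnerable_at` disagree.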
diff --git a/data/reports/GO-2023-1911.yaml b/data/reports/GO-2023-1911.yaml
new file mode 100644
index 00000000..643b80ef
--- /dev/null
+++ b/data/reports/GO-2023-1911.yaml
@@ -0,0 +1,22 @@
+id: GO-2023-1911
+modules:
+ - module: github.com/liamg/gitjacker
+ versions:
+ - fixed: 0.1.0
+ vulnerable_at: 0.0.3
+summary: gitjacker arbitrary code execution in github.com/liamg/gitjacker
+cves:
+ - CVE-2021-29417
+ghsas:
+ - GHSA-4j5x-f394-xx79
+references:
+ - advisory: https://github.com/advisories/GHSA-4j5x-f394-xx79
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-29417
+ - web: https://github.com/liamg/gitjacker/compare/v0.0.3...v0.1.0
+ - web: https://github.com/liamg/gitjacker/releases/tag/v0.1.0
+ - web: https://vuln.ryotak.me/advisories/5
+source:
+ id: GHSA-4j5x-f394-xx79
+ created: 2024-08-20T11:51:33.170972-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
