diff --git a/data/osv/GO-2024-3057.json b/data/osv/GO-2024-3057.json new file mode 100644 index 00000000..f8ad1cb0 --- /dev/null +++ b/data/osv/GO-2024-3057.json @@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3057", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-41260", + "GHSA-9v35-4xcr-w9ph" + ], + "summary": "NetBird uses a static initialization vector (IV) in github.com/netbirdio/netbird", + "details": "NetBird uses a static initialization vector (IV) in github.com/netbirdio/netbird", + "affected": [ + { + "package": { + "name": "github.com/netbirdio/netbird", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9v35-4xcr-w9ph" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41260" + }, + { + "type": "REPORT", + "url": "https://github.com/netbirdio/netbird/issues/2246" + }, + { + "type": "WEB", + "url": "https://gist.github.com/nyxfqq/92232108ac153e95d538bb17fc5ad636" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3057", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3059.json b/data/osv/GO-2024-3059.json new file mode 100644 index 00000000..263cc31d --- /dev/null +++ b/data/osv/GO-2024-3059.json 
@@ -0,0 +1,51 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3059", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-m3rh-cvr5-x6q4" + ], + "summary": "CosmWasm wasmd has large address count in ValidateBasic in github.com/CosmWasm/wasmd", + "details": "CosmWasm wasmd has large address count in ValidateBasic in github.com/CosmWasm/wasmd", + "affected": [ + { + "package": { + "name": "github.com/CosmWasm/wasmd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.52.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/CosmWasm/wasmd/security/advisories/GHSA-m3rh-cvr5-x6q4" + }, + { + "type": "FIX", + "url": "https://github.com/CosmWasm/wasmd/commit/76c0c061c9cb6b142163883e46c26d99384dc443" + }, + { + "type": "WEB", + "url": "https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-003.md" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3059", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3061.json b/data/osv/GO-2024-3061.json new file mode 100644 index 00000000..ad4d3d97 --- /dev/null +++ b/data/osv/GO-2024-3061.json 
@@ -0,0 +1,45 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3061", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-42473", + "GHSA-3f6g-m4hr-59h8" + ], + "summary": "OpenFGA Authorization Bypass in github.com/openfga/openfga", + "details": "OpenFGA Authorization Bypass in github.com/openfga/openfga", + "affected": [ + { + "package": { + "name": "github.com/openfga/openfga", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.5.7" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/openfga/openfga/security/advisories/GHSA-3f6g-m4hr-59h8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42473" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3061", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3063.json b/data/osv/GO-2024-3063.json new file mode 100644 index 00000000..a7b06e67 --- /dev/null +++ b/data/osv/GO-2024-3063.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3063", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-42480", + "GHSA-6r4j-4rjc-8vw5" + ], + "summary": "RBAC Roles for `etcd` created by Kamaji are not disjunct in github.com/clastix/kamaji", + "details": "RBAC Roles for `etcd` created by Kamaji are not disjunct in github.com/clastix/kamaji", + "affected": [ + { + "package": { + "name": "github.com/clastix/kamaji", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/clastix/kamaji/security/advisories/GHSA-6r4j-4rjc-8vw5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42480" + }, + { + "type": "FIX", + "url": "https://github.com/clastix/kamaji/commit/1731e8c2ed5148b125ecfbdf091ee177bd44f3db" + }, + { + "type": "WEB", + "url": "https://github.com/clastix/kamaji/blob/8cdc6191242f80d120c46b166e2102d27568225a/internal/datastore/etcd.go#L19-L24" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3063", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3064.json b/data/osv/GO-2024-3064.json new file mode 100644 index 00000000..d62b4ac9 --- /dev/null +++ b/data/osv/GO-2024-3064.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3064", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-41890", + "GHSA-gvpv-r32v-9737" + ], + "summary": "Apache Answer: The link to reset the user's password will remain valid after sending a new link in github.com/apache/incubator-answer", + "details": "Apache Answer: The link to reset the user's password will remain valid after sending a new link in github.com/apache/incubator-answer", + "affected": [ + { + "package": { + "name": "github.com/apache/incubator-answer", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-gvpv-r32v-9737" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41890" + }, + { + "type": "FIX", + "url": "https://github.com/apache/incubator-answer/commit/2820efc454f5808974dce0aa99aac106be3f727b" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/j7c080xj31x8rvz1pyk2h47rdd9pwbv9" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3064", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3065.json b/data/osv/GO-2024-3065.json new file mode 100644 index 00000000..167f8ec6 --- /dev/null +++ b/data/osv/GO-2024-3065.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3065", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-41888", + "GHSA-v3x9-wrq5-868j" + ], + "summary": "Apache Answer: The link for resetting user password is not Single-Use in github.com/apache/incubator-answer", + "details": "Apache Answer: The link for resetting user password is not Single-Use in github.com/apache/incubator-answer", + "affected": [ + { + "package": { + "name": "github.com/apache/incubator-answer", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-v3x9-wrq5-868j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41888" + }, + { + "type": "FIX", + "url": "https://github.com/apache/incubator-answer/commit/2820efc454f5808974dce0aa99aac106be3f727b" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3065", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3066.json b/data/osv/GO-2024-3066.json new file mode 100644 index 00000000..a92007c9 --- /dev/null +++ b/data/osv/GO-2024-3066.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3066", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-42368", + "GHSA-rfxf-mf63-cpqv" + ], + "summary": "open-telemetry has an Observable Timing Discrepancy in github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension", + "details": "open-telemetry has an Observable Timing Discrepancy in github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension", + "affected": [ + { + "package": { + "name": "github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.80.0" + }, + { + "fixed": "0.107.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv" + }, + { + "type": "WEB", + "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a" + }, + { + "type": "WEB", + "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3066", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2024-3057.yaml b/data/reports/GO-2024-3057.yaml new file mode 100644 index 00000000..a9c83568 --- /dev/null +++ b/data/reports/GO-2024-3057.yaml 
@@ -0,0 +1,20 @@
+id: GO-2024-3057
+modules:
+ - module: github.com/netbirdio/netbird
+ unsupported_versions:
+ - last_affected: 0.28.7
+ vulnerable_at: 0.28.7
+summary: NetBird uses a static initialization vector (IV) in github.com/netbirdio/netbird
+cves:
+ - CVE-2024-41260
+ghsas:
+ - GHSA-9v35-4xcr-w9ph
+references:
+ - advisory: https://github.com/advisories/GHSA-9v35-4xcr-w9ph
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41260
+ - report: https://github.com/netbirdio/netbird/issues/2246
+ - web: https://gist.github.com/nyxfqq/92232108ac153e95d538bb17fc5ad636
+source:
+ id: GHSA-9v35-4xcr-w9ph
+ created: 2024-08-13T16:01:38.012502-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3059.yaml b/data/reports/GO-2024-3059.yaml
new file mode 100644
index 00000000..a02f44f4
--- /dev/null
+++ b/data/reports/GO-2024-3059.yaml
@@ -0,0 +1,17 @@
+id: GO-2024-3059
+modules:
+ - module: github.com/CosmWasm/wasmd
+ versions:
+ - fixed: 0.52.0
+ vulnerable_at: 0.51.0
+summary: CosmWasm wasmd has large address count in ValidateBasic in github.com/CosmWasm/wasmd
+ghsas:
+ - GHSA-m3rh-cvr5-x6q4
+references:
+ - advisory: https://github.com/CosmWasm/wasmd/security/advisories/GHSA-m3rh-cvr5-x6q4
+ - fix: https://github.com/CosmWasm/wasmd/commit/76c0c061c9cb6b142163883e46c26d99384dc443
+ - web: https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-003.md
+source:
+ id: GHSA-m3rh-cvr5-x6q4
+ created: 2024-08-13T16:01:32.501447-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3061.yaml b/data/reports/GO-2024-3061.yaml
new file mode 100644
index 00000000..8251e875
--- /dev/null
+++ b/data/reports/GO-2024-3061.yaml
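Review bot: The module entry for GO-2024-3057 carries only `unsupported_versions: - last_affected: 0.28.7` and no `versions:` range, and the matching OSV record in this commit ends up with `introduced: "0"` and no `fixed` event, so a scanner reading it will report every release of github.com/netbirdio/netbird as affected, including any later release that replaces the static IV. GO-2024-3061 (openfga, `introduced: 1.5.7` with no `fixed`) and GO-2024-3063 (kamaji) have the same shape, and GO-2024-3063 already lists a `fix:` commit, which suggests a fixed release can be identified there. Once upstream confirms a fixed release, record it as `versions: - fixed: <FIXED_VERSION>` and regenerate the OSV file; until then the open-ended range is the conservative choice, but it should be tracked so the records do not stay open-ended after a fix ships.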
@@ -0,0 +1,20 @@
+id: GO-2024-3061
+modules:
+ - module: github.com/openfga/openfga
+ versions:
+ - introduced: 1.5.7
+ unsupported_versions:
+ - last_affected: 1.5.8
+ vulnerable_at: 1.5.8
+summary: OpenFGA Authorization Bypass in github.com/openfga/openfga
+cves:
+ - CVE-2024-42473
+ghsas:
+ - GHSA-3f6g-m4hr-59h8
+references:
+ - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-3f6g-m4hr-59h8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-42473
+source:
+ id: GHSA-3f6g-m4hr-59h8
+ created: 2024-08-13T16:01:28.756929-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3063.yaml b/data/reports/GO-2024-3063.yaml
new file mode 100644
index 00000000..beaeeb41
--- /dev/null
+++ b/data/reports/GO-2024-3063.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3063
+modules:
+ - module: github.com/clastix/kamaji
+ unsupported_versions:
+ - last_affected: 1.0.0
+ vulnerable_at: 1.0.0
+summary: RBAC Roles for `etcd` created by Kamaji are not disjunct in github.com/clastix/kamaji
+cves:
+ - CVE-2024-42480
+ghsas:
+ - GHSA-6r4j-4rjc-8vw5
+references:
+ - advisory: https://github.com/clastix/kamaji/security/advisories/GHSA-6r4j-4rjc-8vw5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-42480
+ - fix: https://github.com/clastix/kamaji/commit/1731e8c2ed5148b125ecfbdf091ee177bd44f3db
+ - web: https://github.com/clastix/kamaji/blob/8cdc6191242f80d120c46b166e2102d27568225a/internal/datastore/etcd.go#L19-L24
+source:
+ id: GHSA-6r4j-4rjc-8vw5
+ created: 2024-08-13T16:01:25.444213-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3064.yaml b/data/reports/GO-2024-3064.yaml
new file mode 100644
index 00000000..e91b77ee
--- /dev/null
+++ b/data/reports/GO-2024-3064.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3064
+modules:
+ - module: github.com/apache/incubator-answer
+ versions:
+ - fixed: 1.3.6
+ vulnerable_at: 1.3.6-RC1
+summary: |-
+ Apache Answer: The link to reset the user's password will remain valid after
+ sending a new link in github.com/apache/incubator-answer
+cves:
+ - CVE-2024-41890
+ghsas:
+ - GHSA-gvpv-r32v-9737
+references:
+ - advisory: https://github.com/advisories/GHSA-gvpv-r32v-9737
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41890
+ - fix: https://github.com/apache/incubator-answer/commit/2820efc454f5808974dce0aa99aac106be3f727b
+ - web: https://lists.apache.org/thread/j7c080xj31x8rvz1pyk2h47rdd9pwbv9
+source:
+ id: GHSA-gvpv-r32v-9737
+ created: 2024-08-13T16:01:21.6681-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3065.yaml b/data/reports/GO-2024-3065.yaml
new file mode 100644
index 00000000..4557feef
--- /dev/null
+++ b/data/reports/GO-2024-3065.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3065
+modules:
+ - module: github.com/apache/incubator-answer
+ versions:
+ - fixed: 1.3.6
+ vulnerable_at: 1.3.6-RC1
+summary: 'Apache Answer: The link for resetting user password is not Single-Use in github.com/apache/incubator-answer'
+cves:
+ - CVE-2024-41888
+ghsas:
+ - GHSA-v3x9-wrq5-868j
+references:
+ - advisory: https://github.com/advisories/GHSA-v3x9-wrq5-868j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41888
+ - fix: https://github.com/apache/incubator-answer/commit/2820efc454f5808974dce0aa99aac106be3f727b
+ - web: https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4
+source:
+ id: GHSA-v3x9-wrq5-868j
+ created: 2024-08-13T16:01:16.810392-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3066.yaml b/data/reports/GO-2024-3066.yaml
new file mode 100644
index 00000000..43abc55f
--- /dev/null
+++ b/data/reports/GO-2024-3066.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3066
+modules:
+ - module: github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension
+ versions:
+ - introduced: 0.80.0
+ - fixed: 0.107.0
+ vulnerable_at: 0.106.1
+summary: open-telemetry has an Observable Timing Discrepancy in github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension
+cves:
+ - CVE-2024-42368
+ghsas:
+ - GHSA-rfxf-mf63-cpqv
+references:
+ - advisory: https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv
+ - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a
+ - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516
+source:
+ id: GHSA-rfxf-mf63-cpqv
+ created: 2024-08-13T16:01:13.116826-04:00
+review_status: UNREVIEWED
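Review bot: The upstream commit and pull request under `references` are both typed `web:`, so the generated OSV record exposes no `FIX` reference even though the module declares `fixed: 0.107.0`. If commit c9bd3eff0bb357d9c812a0d8defd3b09db95699a is the change that shipped in 0.107.0, it should read `- fix: https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a` so that patch-tracking tools can find it. The summary also repeats the weakness class without saying what is exposed; given the module path, the timing difference is presumably in the bearer-token check, and a summary that names it would make triage easier, but confirm that against the advisory before rewording.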