diff --git a/data/excluded/GO-2022-0985.yaml b/data/excluded/GO-2022-0985.yaml
deleted file mode 100644
index 1f4011c1e..000000000
--- a/data/excluded/GO-2022-0985.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-id: GO-2022-0985
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/moby/moby
-cves:
- - CVE-2022-36109
-ghsas:
- - GHSA-rc4r-wh2q-q6c4
-related:
- - CVE-2022-2989
- - CVE-2022-2990
- - CVE-2022-2995
- - CVE-2023-25173
- - GHSA-4wjj-jwc9-2x96
- - GHSA-fjm8-m7m6-2fjp
- - GHSA-hmfx-3pcx-653p
- - GHSA-phjr-8j92-w5v7
diff --git a/data/excluded/GO-2022-0986.yaml b/data/excluded/GO-2022-0986.yaml
deleted file mode 100644
index b815626a5..000000000
--- a/data/excluded/GO-2022-0986.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0986
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/gravitl/netmaker
-cves:
- - CVE-2022-36110
-ghsas:
- - GHSA-ggf6-638m-vqmg
diff --git a/data/excluded/GO-2022-0987.yaml b/data/excluded/GO-2022-0987.yaml
deleted file mode 100644
index a2f3d1041..000000000
--- a/data/excluded/GO-2022-0987.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0987
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/gophish/gophish
-cves:
- - CVE-2022-25295
-ghsas:
- - GHSA-hvw3-p9px-gpc9
diff --git a/data/excluded/GO-2022-0989.yaml b/data/excluded/GO-2022-0989.yaml
deleted file mode 100644
index 976a48945..000000000
--- a/data/excluded/GO-2022-0989.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0989
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/matrix-org/dendrite
-cves:
- - CVE-2022-39200
-ghsas:
- - GHSA-pfw4-xjgm-267c
diff --git a/data/excluded/GO-2022-0995.yaml b/data/excluded/GO-2022-0995.yaml
deleted file mode 100644
index 009b42350..000000000
--- a/data/excluded/GO-2022-0995.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0995
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/siderolabs/talos
-cves:
- - CVE-2022-36103
-ghsas:
- - GHSA-7hgc-php5-77qq
diff --git a/data/excluded/GO-2022-1000.yaml b/data/excluded/GO-2022-1000.yaml
deleted file mode 100644
index cba9e1621..000000000
--- a/data/excluded/GO-2022-1000.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-id: GO-2022-1000
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: kubevirt.io/kubevirt
-ghsas:
- - GHSA-qv98-3369-g364
-related:
- - CVE-2022-1798
- - GHSA-cvx8-ppmc-78hm
diff --git a/data/excluded/GO-2022-1006.yaml b/data/excluded/GO-2022-1006.yaml
deleted file mode 100644
index a6a214c2d..000000000
--- a/data/excluded/GO-2022-1006.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-1006
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/casdoor/casdoor
-cves:
- - CVE-2022-38638
-ghsas:
- - GHSA-9vm3-r8gq-cr6x
diff --git a/data/excluded/GO-2022-1014.yaml b/data/excluded/GO-2022-1014.yaml
deleted file mode 100644
index 78d18670d..000000000
--- a/data/excluded/GO-2022-1014.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-id: GO-2022-1014
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cri-o/cri-o
-cves:
- - CVE-2022-2995
-ghsas:
- - GHSA-phjr-8j92-w5v7
-related:
- - CVE-2022-2989
- - CVE-2022-2990
- - CVE-2022-36109
- - CVE-2023-25173
- - GHSA-4wjj-jwc9-2x96
- - GHSA-fjm8-m7m6-2fjp
- - GHSA-hmfx-3pcx-653p
- - GHSA-rc4r-wh2q-q6c4
diff --git a/data/excluded/GO-2022-1015.yaml b/data/excluded/GO-2022-1015.yaml
deleted file mode 100644
index b47ae6511..000000000
--- a/data/excluded/GO-2022-1015.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-1015
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/drakkan/sftpgo
-cves:
- - CVE-2022-39220
-ghsas:
- - GHSA-cf7g-cm7q-rq7f
diff --git a/data/excluded/GO-2022-1019.yaml b/data/excluded/GO-2022-1019.yaml
deleted file mode 100644
index 0f58d2b1a..000000000
--- a/data/excluded/GO-2022-1019.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2022-1019
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/treeverse/lakefs
-ghsas:
- - GHSA-28q9-9c3g-v3f9
diff --git a/data/excluded/GO-2022-1021.yaml b/data/excluded/GO-2022-1021.yaml
deleted file mode 100644
index f305904cc..000000000
--- a/data/excluded/GO-2022-1021.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-1021
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/vault
-cves:
- - CVE-2022-40186
-ghsas:
- - GHSA-7cgv-v83v-rr87
diff --git a/data/excluded/GO-2022-1023.yaml b/data/excluded/GO-2022-1023.yaml
deleted file mode 100644
index 4cbf86794..000000000
--- a/data/excluded/GO-2022-1023.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-1023
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/brokercap/Bifrost
-cves:
- - CVE-2022-39219
-ghsas:
- - GHSA-p6fh-xc6r-g5hw
diff --git a/data/excluded/GO-2022-1029.yaml b/data/excluded/GO-2022-1029.yaml
deleted file mode 100644
index 87f16411b..000000000
--- a/data/excluded/GO-2022-1029.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-1029
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/consul
-cves:
- - CVE-2022-40716
-ghsas:
- - GHSA-m69r-9g56-7mv8
diff --git a/data/excluded/GO-2022-1032.yaml b/data/excluded/GO-2022-1032.yaml
deleted file mode 100644
index 88cd563bc..000000000
--- a/data/excluded/GO-2022-1032.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-1032
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cloudflare/goflow
-cves:
- - CVE-2022-2529
-ghsas:
- - GHSA-9rpw-2h95-666c
diff --git a/data/excluded/GO-2022-1033.yaml b/data/excluded/GO-2022-1033.yaml
deleted file mode 100644
index 29af4523e..000000000
--- a/data/excluded/GO-2022-1033.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-1033
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/dapr/dashboard
-cves:
- - CVE-2022-38817
-ghsas:
- - GHSA-2w6m-q946-399r
diff --git a/data/excluded/GO-2022-1060.yaml b/data/excluded/GO-2022-1060.yaml
deleted file mode 100644
index 757d211e7..000000000
--- a/data/excluded/GO-2022-1060.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-1060
-excluded: NOT_IMPORTABLE
-modules:
- - module: gogs.io/gogs
-cves:
- - CVE-2022-32174
-ghsas:
- - GHSA-mcjj-2fvq-mc3r
diff --git a/data/excluded/GO-2022-1062.yaml b/data/excluded/GO-2022-1062.yaml
deleted file mode 100644
index 980e8bc02..000000000
--- a/data/excluded/GO-2022-1062.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-1062
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/nomad
-cves:
- - CVE-2022-41606
-ghsas:
- - GHSA-7v3g-4878-5qrf
diff --git a/data/excluded/GO-2022-1065.yaml b/data/excluded/GO-2022-1065.yaml
deleted file mode 100644
index 32171f038..000000000
--- a/data/excluded/GO-2022-1065.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-1065
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/go-gitea/gitea
-cves:
- - CVE-2022-42968
-ghsas:
- - GHSA-w8xw-7crf-h23x
diff --git a/data/excluded/GO-2022-1066.yaml b/data/excluded/GO-2022-1066.yaml
deleted file mode 100644
index baa2b9fdb..000000000
--- a/data/excluded/GO-2022-1066.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2022-1066
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cheqd/cheqd-node
-ghsas:
- - GHSA-j92c-mmf7-j5x5
diff --git a/data/excluded/GO-2022-1067.yaml b/data/excluded/GO-2022-1067.yaml
deleted file mode 100644
index e6c9250fb..000000000
--- a/data/excluded/GO-2022-1067.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-1067
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/brokercap/Bifrost
-cves:
- - CVE-2022-39267
-ghsas:
- - GHSA-mxrx-fg8p-5p5j
diff --git a/data/osv/GO-2022-0985.json b/data/osv/GO-2022-0985.json
new file mode 100644
index 000000000..22ec63bf2
--- /dev/null
+++ b/data/osv/GO-2022-0985.json
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0985", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36109", + "GHSA-rc4r-wh2q-q6c4" + ], + "summary": "Docker supplementary group permissions not set up properly, allowing attackers to bypass primary group restrictions in github.com/docker/docker", + "details": "Docker supplementary group permissions not set up properly, allowing attackers to bypass primary group restrictions in github.com/docker/docker", + "affected": [ + { + "package": { + "name": "github.com/docker/docker", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "20.10.18+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36109" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/releases/tag/v20.10.18" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0985", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0986.json b/data/osv/GO-2022-0986.json new file mode 100644 index 000000000..076f01493 --- /dev/null +++ b/data/osv/GO-2022-0986.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0986", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36110", + "GHSA-ggf6-638m-vqmg" + ], + "summary": "Netmaker vulnerable to Insufficient Granularity of Access Control in github.com/gravitl/netmaker", + "details": "Netmaker vulnerable to Insufficient Granularity of Access Control in github.com/gravitl/netmaker", + "affected": [ + { + "package": { + "name": "github.com/gravitl/netmaker", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.15.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36110" + }, + { + "type": "WEB", + "url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0986", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0987.json b/data/osv/GO-2022-0987.json new file mode 100644 index 000000000..d20bd1066 --- /dev/null +++ b/data/osv/GO-2022-0987.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0987", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-25295", + "GHSA-hvw3-p9px-gpc9" + ], + "summary": "Gophish before 0.12.0 vulnerable to Open Redirect in github.com/gophish/gophish", + "details": "Gophish before 0.12.0 vulnerable to Open Redirect in github.com/gophish/gophish", + "affected": [ + { + "package": { + "name": "github.com/gophish/gophish", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-hvw3-p9px-gpc9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25295" + }, + { + "type": "FIX", + "url": "https://github.com/gophish/gophish/commit/2a452bda89ffdb85f929fa78290bce1f456881dc" + }, + { + "type": "FIX", + "url": "https://github.com/gophish/gophish/pull/2262" + }, + { + "type": "WEB", + "url": "https://github.com/gophish/gophish/releases/tag/v0.12.0" + }, + { + "type": "WEB", + "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOPHISHGOPHISH-2404177" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0987", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0989.json b/data/osv/GO-2022-0989.json new file mode 100644 index 000000000..711c711f5 --- /dev/null +++ b/data/osv/GO-2022-0989.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0989", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-39200", + "GHSA-pfw4-xjgm-267c" + ], + "summary": "Dendrite signature checks not applied to some retrieved missing events in github.com/matrix-org/dendrite", + "details": "Dendrite signature checks not applied to some retrieved missing events in github.com/matrix-org/dendrite", + "affected": [ + { + "package": { + "name": "github.com/matrix-org/dendrite", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.9.8" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39200" + }, + { + "type": "FIX", + "url": "https://github.com/matrix-org/dendrite/commit/2792d0490f3771488bad346981b8c26479a872c3" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0989", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0995.json b/data/osv/GO-2022-0995.json new file mode 100644 index 000000000..b59b8e85a --- /dev/null +++ b/data/osv/GO-2022-0995.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0995", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36103", + "GHSA-7hgc-php5-77qq" + ], + "summary": "Talos worker join token can be used to get elevated access level to the Talos API in github.com/talos-systems/talos", + "details": "Talos worker join token can be used to get elevated access level to the Talos API in github.com/talos-systems/talos", + "affected": [ + { + "package": { + "name": "github.com/talos-systems/talos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/siderolabs/talos/security/advisories/GHSA-7hgc-php5-77qq" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36103" + }, + { + "type": "WEB", + "url": "https://github.com/siderolabs/talos/commit/9eaf33f3f274e746ca1b442c0a1a0dae0cec088f" + }, + { + "type": "WEB", + "url": "https://github.com/siderolabs/talos/releases/tag/v1.2.2" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0995", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1000.json b/data/osv/GO-2022-1000.json new file mode 100644 index 000000000..ce493af9d --- /dev/null +++ b/data/osv/GO-2022-1000.json 
@@ -0,0 +1,55 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1000", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-qv98-3369-g364" + ], + "summary": "KubeVirt vulnerable to arbitrary file read on host in kubevirt.io/kubevirt", + "details": "KubeVirt vulnerable to arbitrary file read on host in kubevirt.io/kubevirt", + "affected": [ + { + "package": { + "name": "kubevirt.io/kubevirt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.20.0" + }, + { + "fixed": "0.55.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364" + }, + { + "type": "WEB", + "url": "https://github.com/google/security-research/security/advisories/GHSA-cvx8-ppmc-78hm" + }, + { + "type": "WEB", + "url": "https://github.com/kubevirt/kubevirt/pull/8198" + }, + { + "type": "WEB", + "url": "https://github.com/kubevirt/kubevirt/pull/8268" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1000", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1006.json b/data/osv/GO-2022-1006.json new file mode 100644 index 000000000..deb878c1f --- /dev/null +++ b/data/osv/GO-2022-1006.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1006", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-38638", + "GHSA-9vm3-r8gq-cr6x" + ], + "summary": "Casdoor arbitrary file write vulnerability in github.com/casdoor/casdoor", + "details": "Casdoor arbitrary file write vulnerability in github.com/casdoor/casdoor", + "affected": [ + { + "package": { + "name": "github.com/casdoor/casdoor", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.103.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9vm3-r8gq-cr6x" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38638" + }, + { + "type": "FIX", + "url": "https://github.com/casdoor/casdoor/commit/411d76798d73446fff4a0244f0475f1ea8bf42dc" + }, + { + "type": "REPORT", + "url": "https://github.com/casdoor/casdoor/issues/1035" + }, + { + "type": "REPORT", + "url": "https://github.com/casdoor/casdoor/issues/1063" + }, + { + "type": "WEB", + "url": "https://github.com/casdoor/casdoor/releases/tag/v1.103.1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1006", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1014.json b/data/osv/GO-2022-1014.json new file mode 100644 index 000000000..b90f092ff --- /dev/null +++ b/data/osv/GO-2022-1014.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1014", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-2995", + "GHSA-phjr-8j92-w5v7" + ], + "summary": "CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure in github.com/cri-o/cri-o", + "details": "CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure in github.com/cri-o/cri-o", + "affected": [ + { + "package": { + "name": "github.com/cri-o/cri-o", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2995" + }, + { + "type": "FIX", + "url": "https://github.com/cri-o/cri-o/commit/db3b399a8d7dabf7f073db73894bee98311d7909" + }, + { + "type": "FIX", + "url": "https://github.com/cri-o/cri-o/pull/6159" + }, + { + "type": "WEB", + "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1014", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1015.json b/data/osv/GO-2022-1015.json new file mode 100644 index 000000000..2f5ad6ed4 --- /dev/null +++ b/data/osv/GO-2022-1015.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1015", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-39220", + "GHSA-cf7g-cm7q-rq7f" + ], + "summary": "SFTPGo WebClient vulnerable to Cross-site Scripting in github.com/drakkan/sftpgo", + "details": "SFTPGo WebClient vulnerable to Cross-site Scripting in github.com/drakkan/sftpgo", + "affected": [ + { + "package": { + "name": "github.com/drakkan/sftpgo", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/drakkan/sftpgo/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.3.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-cf7g-cm7q-rq7f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39220" + }, + { + "type": "FIX", + "url": "https://github.com/drakkan/sftpgo/commit/cbef217cfa92478ee8e00ba1a5fb074f8a8aeee0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1015", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1019.json b/data/osv/GO-2022-1019.json new file mode 100644 index 000000000..1ffdaa09c --- /dev/null +++ b/data/osv/GO-2022-1019.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1019", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-28q9-9c3g-v3f9" + ], + "summary": "lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs", + "details": "lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs", + "affected": [ + { + "package": { + "name": "github.com/treeverse/lakefs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.82.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/treeverse/lakeFS/security/advisories/GHSA-28q9-9c3g-v3f9" + }, + { + "type": "WEB", + "url": "https://github.com/treeverse/lakeFS/commit/81182bf9c0cf57f3cec3c893cf739b2069305e37" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1019", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1021.json b/data/osv/GO-2022-1021.json new file mode 100644 index 000000000..f67130ef2 --- /dev/null +++ b/data/osv/GO-2022-1021.json 
@@ -0,0 +1,76 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1021", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-40186", + "GHSA-7cgv-v83v-rr87" + ], + "summary": "HashiCorp Vault vulnerable to incorrect metadata access in github.com/hashicorp/vault", + "details": "HashiCorp Vault vulnerable to incorrect metadata access in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.8.0" + }, + { + "fixed": "1.9.9" + }, + { + "introduced": "1.10.0" + }, + { + "fixed": "1.10.6" + }, + { + "introduced": "1.11.0" + }, + { + "fixed": "1.11.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-7cgv-v83v-rr87" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40186" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20221111-0008" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1021", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1023.json b/data/osv/GO-2022-1023.json new file mode 100644 index 000000000..0d2fb9b3b --- /dev/null +++ b/data/osv/GO-2022-1023.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1023", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-39219", + "GHSA-p6fh-xc6r-g5hw" + ], + "summary": "Brokercap Bifrost subject to authentication bypass when using HTTP basic authentication in github.com/brokercap/Bifrost", + "details": "Brokercap Bifrost subject to authentication bypass when using HTTP basic authentication in github.com/brokercap/Bifrost", + "affected": [ + { + "package": { + "name": "github.com/brokercap/Bifrost", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.7-release" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-p6fh-xc6r-g5hw" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39219" + }, + { + "type": "REPORT", + "url": "https://github.com/brokercap/Bifrost/issues/200" + }, + { + "type": "WEB", + "url": "https://github.com/brokercap/Bifrost/releases/tag/v1.8.7-release" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1023", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1029.json b/data/osv/GO-2022-1029.json new file mode 100644 index 000000000..fdc9922f1 --- /dev/null +++ b/data/osv/GO-2022-1029.json 
@@ -0,0 +1,84 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1029", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-40716", + "GHSA-m69r-9g56-7mv8" + ], + "summary": "HashiCorp Consul vulnerable to authorization bypass in github.com/hashicorp/consul", + "details": "HashiCorp Consul vulnerable to authorization bypass in github.com/hashicorp/consul", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/consul", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.9" + }, + { + "introduced": "1.12.0" + }, + { + "fixed": "1.12.5" + }, + { + "introduced": "1.13.0" + }, + { + "fixed": "1.13.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-m69r-9g56-7mv8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40716" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/consul/pull/14579" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1029", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2022-1032.json b/data/osv/GO-2022-1032.json new file mode 100644 index 000000000..3fabc0bfb --- /dev/null +++ b/data/osv/GO-2022-1032.json @@ -0,0 +1,77 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1032", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-2529", + "GHSA-9rpw-2h95-666c" + ], + "summary": "Cloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling package in github.com/cloudflare/goflow", + "details": "Cloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling package in github.com/cloudflare/goflow", + "affected": [ + { + "package": { + "name": "github.com/cloudflare/goflow", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/cloudflare/goflow/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.4.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2529" + }, + { + "type": "FIX", + "url": "https://github.com/cloudflare/goflow/commit/2b94619a6204443e3ca1769f4e459f9f57039c51" + }, + { + "type": "FIX", + "url": "https://github.com/cloudflare/goflow/commit/c829ccd2c0aafdc9b886b20bf6f28095607f4998" + }, + { + "type": "WEB", + "url": "https://github.com/cloudflare/goflow/releases/tag/v3.4.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1032", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1033.json b/data/osv/GO-2022-1033.json new file mode 100644 index 000000000..9bff17bba --- /dev/null +++ b/data/osv/GO-2022-1033.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1033", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-38817", + "GHSA-2w6m-q946-399r" + ], + "summary": "Dapr Dashboard vulnerable to Incorrect Access Control in github.com/dapr/dashboard", + "details": "Dapr Dashboard vulnerable to Incorrect Access Control in github.com/dapr/dashboard", + "affected": [ + { + "package": { + "name": "github.com/dapr/dashboard", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2w6m-q946-399r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38817" + }, + { + "type": "REPORT", + "url": "https://github.com/dapr/dashboard/issues/222" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1033", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1060.json b/data/osv/GO-2022-1060.json new file mode 100644 index 000000000..3f926f967 --- /dev/null +++ b/data/osv/GO-2022-1060.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1060", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-32174", + "GHSA-mcjj-2fvq-mc3r" + ], + "summary": "Gogs vulnerable to Cross-site Scripting in gogs.io/gogs", + "details": "Gogs vulnerable to Cross-site Scripting in gogs.io/gogs", + "affected": [ + { + "package": { + "name": "gogs.io/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.6.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mcjj-2fvq-mc3r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32174" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/blob/v0.12.10/public/js/gogs.js#L263" + }, + { + "type": "WEB", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-32174" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1060", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1062.json b/data/osv/GO-2022-1062.json new file mode 100644 index 000000000..0e517d1e3 --- /dev/null +++ b/data/osv/GO-2022-1062.json 
@@ -0,0 +1,62 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1062", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-41606", + "GHSA-7v3g-4878-5qrf" + ], + "summary": "Nomad Panics On Job Submission With Bad Artifact Stanza Source URL in github.com/hashicorp/nomad", + "details": "Nomad Panics On Job Submission With Bad Artifact Stanza Source URL in github.com/hashicorp/nomad", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/nomad", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.13" + }, + { + "introduced": "1.3.0" + }, + { + "fixed": "1.3.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-7v3g-4878-5qrf" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41606" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2022-22-nomad-panics-on-job-submission-with-bad-artifact-stanza-source-url/45420" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1062", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1065.json b/data/osv/GO-2022-1065.json new file mode 100644 index 000000000..821c8b4fe --- /dev/null +++ b/data/osv/GO-2022-1065.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1065", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-42968", + "GHSA-w8xw-7crf-h23x" + ], + "summary": "Gitea vulnerable to Argument Injection in code.gitea.io/gitea", + "details": "Gitea vulnerable to Argument Injection in code.gitea.io/gitea", + "affected": [ + { + "package": { + "name": "code.gitea.io/gitea", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-w8xw-7crf-h23x" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42968" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/pull/21463" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/releases/tag/v1.17.3" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202210-14" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1065", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1066.json b/data/osv/GO-2022-1066.json new file mode 100644 index 000000000..bd8e156e3 --- /dev/null +++ b/data/osv/GO-2022-1066.json 
@@ -0,0 +1,51 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1066", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-j92c-mmf7-j5x5" + ], + "summary": "Potential inter-blockchain communication (IBC) protocol compromise via \"Dragonberry\" vulnerability in cheqd in github.com/cheqd/cheqd-node", + "details": "Potential inter-blockchain communication (IBC) protocol compromise via \"Dragonberry\" vulnerability in cheqd in github.com/cheqd/cheqd-node", + "affected": [ + { + "package": { + "name": "github.com/cheqd/cheqd-node", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.6.9" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cheqd/cheqd-node/security/advisories/GHSA-j92c-mmf7-j5x5" + }, + { + "type": "WEB", + "url": "https://forum.cosmos.network/t/ibc-security-advisory-dragonberry/7702/1" + }, + { + "type": "WEB", + "url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.9" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1066", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-1067.json b/data/osv/GO-2022-1067.json new file mode 100644 index 000000000..8cca9dda8 --- /dev/null +++ b/data/osv/GO-2022-1067.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-1067", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-39267", + "GHSA-mxrx-fg8p-5p5j" + ], + "summary": "Bifrost vulnerable to authentication check flaw that leads to authentication bypass in github.com/brokercap/Bifrost", + "details": "Bifrost vulnerable to authentication check flaw that leads to authentication bypass in github.com/brokercap/Bifrost", + "affected": [ + { + "package": { + "name": "github.com/brokercap/Bifrost", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.7-release" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39267" + }, + { + "type": "FIX", + "url": "https://github.com/brokercap/Bifrost/commit/63da5c8eb7eb21639ea7ac199fe10b5e07b03a8a" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1067", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2022-0985.yaml b/data/reports/GO-2022-0985.yaml new file mode 100644 index 000000000..58e6a1277 --- /dev/null +++ b/data/reports/GO-2022-0985.yaml 
@@ -0,0 +1,25 @@
+id: GO-2022-0985
+modules:
+ - module: github.com/docker/docker
+ versions:
+ - fixed: 20.10.18+incompatible
+ vulnerable_at: 20.10.17+incompatible
+summary: |-
+ Docker supplementary group permissions not set up properly, allowing attackers
+ to bypass primary group restrictions in github.com/docker/docker
+cves:
+ - CVE-2022-36109
+ghsas:
+ - GHSA-rc4r-wh2q-q6c4
+references:
+ - advisory: https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-36109
+ - web: https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32
+ - web: https://github.com/moby/moby/releases/tag/v20.10.18
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ
+source:
+ id: GHSA-rc4r-wh2q-q6c4
+ created: 2024-08-20T14:44:57.127362-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0986.yaml b/data/reports/GO-2022-0986.yaml
new file mode 100644
index 000000000..c70234b03
--- /dev/null
+++ b/data/reports/GO-2022-0986.yaml
@@ -0,0 +1,20 @@
+id: GO-2022-0986
+modules:
+ - module: github.com/gravitl/netmaker
+ versions:
+ - fixed: 0.15.1
+ vulnerable_at: 0.15.0
+summary: Netmaker vulnerable to Insufficient Granularity of Access Control in github.com/gravitl/netmaker
+cves:
+ - CVE-2022-36110
+ghsas:
+ - GHSA-ggf6-638m-vqmg
+references:
+ - advisory: https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-36110
+ - web: https://github.com/gravitl/netmaker/releases/tag/v0.15.1
+source:
+ id: GHSA-ggf6-638m-vqmg
+ created: 2024-08-20T14:45:07.403759-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0987.yaml b/data/reports/GO-2022-0987.yaml
new file mode 100644
index 000000000..f45fa0a18
--- /dev/null
+++ b/data/reports/GO-2022-0987.yaml
@@ -0,0 +1,23 @@
+id: GO-2022-0987
+modules:
+ - module: github.com/gophish/gophish
+ versions:
+ - fixed: 0.12.0
+ vulnerable_at: 0.11.0
+summary: Gophish before 0.12.0 vulnerable to Open Redirect in github.com/gophish/gophish
+cves:
+ - CVE-2022-25295
+ghsas:
+ - GHSA-hvw3-p9px-gpc9
+references:
+ - advisory: https://github.com/advisories/GHSA-hvw3-p9px-gpc9
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-25295
+ - fix: https://github.com/gophish/gophish/commit/2a452bda89ffdb85f929fa78290bce1f456881dc
+ - fix: https://github.com/gophish/gophish/pull/2262
+ - web: https://github.com/gophish/gophish/releases/tag/v0.12.0
+ - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOPHISHGOPHISH-2404177
+source:
+ id: GHSA-hvw3-p9px-gpc9
+ created: 2024-08-20T14:45:11.381625-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0989.yaml b/data/reports/GO-2022-0989.yaml
new file mode 100644
index 000000000..cc792fe46
--- /dev/null
+++ b/data/reports/GO-2022-0989.yaml
@@ -0,0 +1,20 @@
+id: GO-2022-0989
+modules:
+ - module: github.com/matrix-org/dendrite
+ versions:
+ - fixed: 0.9.8
+ vulnerable_at: 0.9.7
+summary: Dendrite signature checks not applied to some retrieved missing events in github.com/matrix-org/dendrite
+cves:
+ - CVE-2022-39200
+ghsas:
+ - GHSA-pfw4-xjgm-267c
+references:
+ - advisory: https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39200
+ - fix: https://github.com/matrix-org/dendrite/commit/2792d0490f3771488bad346981b8c26479a872c3
+source:
+ id: GHSA-pfw4-xjgm-267c
+ created: 2024-08-20T14:45:17.279207-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0995.yaml b/data/reports/GO-2022-0995.yaml
new file mode 100644
index 000000000..b620c02b0
--- /dev/null
+++ b/data/reports/GO-2022-0995.yaml
@@ -0,0 +1,23 @@
+id: GO-2022-0995
+modules:
+ - module: github.com/talos-systems/talos
+ versions:
+ - fixed: 1.2.2
+ vulnerable_at: 1.2.1
+summary: |-
+ Talos worker join token can be used to get elevated access level to the Talos
+ API in github.com/talos-systems/talos
+cves:
+ - CVE-2022-36103
+ghsas:
+ - GHSA-7hgc-php5-77qq
+references:
+ - advisory: https://github.com/siderolabs/talos/security/advisories/GHSA-7hgc-php5-77qq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-36103
+ - web: https://github.com/siderolabs/talos/commit/9eaf33f3f274e746ca1b442c0a1a0dae0cec088f
+ - web: https://github.com/siderolabs/talos/releases/tag/v1.2.2
+source:
+ id: GHSA-7hgc-php5-77qq
+ created: 2024-08-20T14:45:21.082481-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1000.yaml b/data/reports/GO-2022-1000.yaml
new file mode 100644
index 000000000..448eac5f2
--- /dev/null
+++ b/data/reports/GO-2022-1000.yaml
@@ -0,0 +1,20 @@
+id: GO-2022-1000
+modules:
+ - module: kubevirt.io/kubevirt
+ versions:
+ - introduced: 0.20.0
+ - fixed: 0.55.1
+ vulnerable_at: 0.55.0
+summary: KubeVirt vulnerable to arbitrary file read on host in kubevirt.io/kubevirt
+ghsas:
+ - GHSA-qv98-3369-g364
+references:
+ - advisory: https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364
+ - web: https://github.com/google/security-research/security/advisories/GHSA-cvx8-ppmc-78hm
+ - web: https://github.com/kubevirt/kubevirt/pull/8198
+ - web: https://github.com/kubevirt/kubevirt/pull/8268
+source:
+ id: GHSA-qv98-3369-g364
+ created: 2024-08-20T14:45:28.107913-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1006.yaml b/data/reports/GO-2022-1006.yaml
new file mode 100644
index 000000000..5e3e7b6a0
--- /dev/null
+++ b/data/reports/GO-2022-1006.yaml
@@ -0,0 +1,23 @@
+id: GO-2022-1006
+modules:
+ - module: github.com/casdoor/casdoor
+ versions:
+ - fixed: 1.103.1
+ vulnerable_at: 1.103.0
+summary: Casdoor arbitrary file write vulnerability in github.com/casdoor/casdoor
+cves:
+ - CVE-2022-38638
+ghsas:
+ - GHSA-9vm3-r8gq-cr6x
+references:
+ - advisory: https://github.com/advisories/GHSA-9vm3-r8gq-cr6x
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-38638
+ - fix: https://github.com/casdoor/casdoor/commit/411d76798d73446fff4a0244f0475f1ea8bf42dc
+ - report: https://github.com/casdoor/casdoor/issues/1035
+ - report: https://github.com/casdoor/casdoor/issues/1063
+ - web: https://github.com/casdoor/casdoor/releases/tag/v1.103.1
+source:
+ id: GHSA-9vm3-r8gq-cr6x
+ created: 2024-08-20T14:45:31.309472-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1014.yaml b/data/reports/GO-2022-1014.yaml
new file mode 100644
index 000000000..044fcfb17
--- /dev/null
+++ b/data/reports/GO-2022-1014.yaml
@@ -0,0 +1,24 @@
+id: GO-2022-1014
+modules:
+ - module: github.com/cri-o/cri-o
+ versions:
+ - fixed: 1.25.0
+ vulnerable_at: 1.24.6
+summary: |-
+ CRI-O incorrect handling of supplementary groups may lead to sensitive
+ information disclosure in github.com/cri-o/cri-o
+cves:
+ - CVE-2022-2995
+ghsas:
+ - GHSA-phjr-8j92-w5v7
+references:
+ - advisory: https://github.com/advisories/GHSA-phjr-8j92-w5v7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-2995
+ - fix: https://github.com/cri-o/cri-o/commit/db3b399a8d7dabf7f073db73894bee98311d7909
+ - fix: https://github.com/cri-o/cri-o/pull/6159
+ - web: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation
+source:
+ id: GHSA-phjr-8j92-w5v7
+ created: 2024-08-20T14:46:14.810052-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1015.yaml b/data/reports/GO-2022-1015.yaml
new file mode 100644
index 000000000..078ebd87d
--- /dev/null
+++ b/data/reports/GO-2022-1015.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-1015
+modules:
+ - module: github.com/drakkan/sftpgo
+ vulnerable_at: 1.2.2
+ - module: github.com/drakkan/sftpgo/v2
+ versions:
+ - fixed: 2.3.5
+ vulnerable_at: 2.3.4
+summary: SFTPGo WebClient vulnerable to Cross-site Scripting in github.com/drakkan/sftpgo
+cves:
+ - CVE-2022-39220
+ghsas:
+ - GHSA-cf7g-cm7q-rq7f
+references:
+ - advisory: https://github.com/drakkan/sftpgo/security/advisories/GHSA-cf7g-cm7q-rq7f
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39220
+ - fix: https://github.com/drakkan/sftpgo/commit/cbef217cfa92478ee8e00ba1a5fb074f8a8aeee0
+source:
+ id: GHSA-cf7g-cm7q-rq7f
+ created: 2024-08-20T14:46:20.246292-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1019.yaml b/data/reports/GO-2022-1019.yaml
new file mode 100644
index 000000000..ecfd01964
--- /dev/null
+++ b/data/reports/GO-2022-1019.yaml
@@ -0,0 +1,19 @@
+id: GO-2022-1019
+modules:
+ - module: github.com/treeverse/lakefs
+ versions:
+ - fixed: 0.82.0
+ vulnerable_at: 0.80.2
+summary: |-
+ lakeFS vulnerable to authenticated users deleting files they are not authorized
+ to delete in github.com/treeverse/lakefs
+ghsas:
+ - GHSA-28q9-9c3g-v3f9
+references:
+ - advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-28q9-9c3g-v3f9
+ - web: https://github.com/treeverse/lakeFS/commit/81182bf9c0cf57f3cec3c893cf739b2069305e37
+source:
+ id: GHSA-28q9-9c3g-v3f9
+ created: 2024-08-20T14:46:48.759595-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1021.yaml b/data/reports/GO-2022-1021.yaml
new file mode 100644
index 000000000..3520ab46f
--- /dev/null
+++ b/data/reports/GO-2022-1021.yaml
@@ -0,0 +1,28 @@
+id: GO-2022-1021
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 1.8.0
+ - fixed: 1.9.9
+ - introduced: 1.10.0
+ - fixed: 1.10.6
+ - introduced: 1.11.0
+ - fixed: 1.11.3
+ vulnerable_at: 1.11.2
+summary: HashiCorp Vault vulnerable to incorrect metadata access in github.com/hashicorp/vault
+cves:
+ - CVE-2022-40186
+ghsas:
+ - GHSA-7cgv-v83v-rr87
+references:
+ - advisory: https://github.com/advisories/GHSA-7cgv-v83v-rr87
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-40186
+ - web: https://discuss.hashicorp.com
+ - web: https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550
+ - web: https://github.com/hashicorp/vault
+ - web: https://security.netapp.com/advisory/ntap-20221111-0008
+source:
+ id: GHSA-7cgv-v83v-rr87
+ created: 2024-08-20T14:47:07.13343-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1023.yaml b/data/reports/GO-2022-1023.yaml
new file mode 100644
index 000000000..74278a368
--- /dev/null
+++ b/data/reports/GO-2022-1023.yaml
@@ -0,0 +1,23 @@
+id: GO-2022-1023
+modules:
+ - module: github.com/brokercap/Bifrost
+ versions:
+ - fixed: 1.8.7-release
+ vulnerable_at: 1.8.6-release
+summary: |-
+ Brokercap Bifrost subject to authentication bypass when using HTTP basic
+ authentication in github.com/brokercap/Bifrost
+cves:
+ - CVE-2022-39219
+ghsas:
+ - GHSA-p6fh-xc6r-g5hw
+references:
+ - advisory: https://github.com/brokercap/Bifrost/security/advisories/GHSA-p6fh-xc6r-g5hw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39219
+ - report: https://github.com/brokercap/Bifrost/issues/200
+ - web: https://github.com/brokercap/Bifrost/releases/tag/v1.8.7-release
+source:
+ id: GHSA-p6fh-xc6r-g5hw
+ created: 2024-08-20T14:47:14.762059-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1029.yaml b/data/reports/GO-2022-1029.yaml
new file mode 100644
index 000000000..ef77b5292
--- /dev/null
+++ b/data/reports/GO-2022-1029.yaml
@@ -0,0 +1,29 @@
+id: GO-2022-1029
+modules:
+ - module: github.com/hashicorp/consul
+ versions:
+ - fixed: 1.11.9
+ - introduced: 1.12.0
+ - fixed: 1.12.5
+ - introduced: 1.13.0
+ - fixed: 1.13.2
+ vulnerable_at: 1.13.1
+summary: HashiCorp Consul vulnerable to authorization bypass in github.com/hashicorp/consul
+cves:
+ - CVE-2022-40716
+ghsas:
+ - GHSA-m69r-9g56-7mv8
+references:
+ - advisory: https://github.com/advisories/GHSA-m69r-9g56-7mv8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-40716
+ - fix: https://github.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b
+ - fix: https://github.com/hashicorp/consul/pull/14579
+ - web: https://discuss.hashicorp.com
+ - web: https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI
+source:
+ id: GHSA-m69r-9g56-7mv8
+ created: 2024-08-20T14:47:49.133088-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1032.yaml b/data/reports/GO-2022-1032.yaml
new file mode 100644
index 000000000..e4a64ee71
--- /dev/null
+++ b/data/reports/GO-2022-1032.yaml
@@ -0,0 +1,26 @@
+id: GO-2022-1032
+modules:
+ - module: github.com/cloudflare/goflow
+ vulnerable_at: 2.1.0+incompatible
+ - module: github.com/cloudflare/goflow/v3
+ versions:
+ - fixed: 3.4.4
+ vulnerable_at: 3.4.3
+summary: |-
+ Cloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling
+ package in github.com/cloudflare/goflow
+cves:
+ - CVE-2022-2529
+ghsas:
+ - GHSA-9rpw-2h95-666c
+references:
+ - advisory: https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-2529
+ - fix: https://github.com/cloudflare/goflow/commit/2b94619a6204443e3ca1769f4e459f9f57039c51
+ - fix: https://github.com/cloudflare/goflow/commit/c829ccd2c0aafdc9b886b20bf6f28095607f4998
+ - web: https://github.com/cloudflare/goflow/releases/tag/v3.4.4
+source:
+ id: GHSA-9rpw-2h95-666c
+ created: 2024-08-20T14:48:01.457144-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1033.yaml b/data/reports/GO-2022-1033.yaml
new file mode 100644
index 000000000..e59e1f13f
--- /dev/null
+++ b/data/reports/GO-2022-1033.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-1033
+modules:
+ - module: github.com/dapr/dashboard
+ versions:
+ - introduced: 0.1.0
+ unsupported_versions:
+ - last_affected: 0.10.0
+ vulnerable_at: 0.14.0
+summary: Dapr Dashboard vulnerable to Incorrect Access Control in github.com/dapr/dashboard
+cves:
+ - CVE-2022-38817
+ghsas:
+ - GHSA-2w6m-q946-399r
+references:
+ - advisory: https://github.com/advisories/GHSA-2w6m-q946-399r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-38817
+ - report: https://github.com/dapr/dashboard/issues/222
+source:
+ id: GHSA-2w6m-q946-399r
+ created: 2024-08-20T14:48:07.947461-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1060.yaml b/data/reports/GO-2022-1060.yaml
new file mode 100644
index 000000000..accde91a6
--- /dev/null
+++ b/data/reports/GO-2022-1060.yaml
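Review bot: In the GO-2022-1033 report, `vulnerable_at: 0.14.0` is higher than the `last_affected: 0.10.0` recorded under `unsupported_versions`, and the range itself carries only `introduced: 0.1.0` with no `fixed`. The OSV entry added in this same commit (data/osv/GO-2022-1033.json) accordingly has a single `introduced` event, so every release from 0.1.0 onward is reported as affected. The report does not say whether releases after 0.10.0 were confirmed vulnerable or are covered only because no fixed version is known, which is what someone triaging a scanner hit on a current release needs. I would record that next to the range, for example `# no fixed version known; last_affected 0.10.0 is not applied to the published range`, once checked against the advisory. The GO-2022-1060 report for gogs.io/gogs has the same shape (`last_affected: 0.12.10`, `vulnerable_at: 0.13.0`).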
@@ -0,0 +1,23 @@
+id: GO-2022-1060
+modules:
+ - module: gogs.io/gogs
+ versions:
+ - introduced: 0.6.5
+ unsupported_versions:
+ - last_affected: 0.12.10
+ vulnerable_at: 0.13.0
+summary: Gogs vulnerable to Cross-site Scripting in gogs.io/gogs
+cves:
+ - CVE-2022-32174
+ghsas:
+ - GHSA-mcjj-2fvq-mc3r
+references:
+ - advisory: https://github.com/advisories/GHSA-mcjj-2fvq-mc3r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-32174
+ - web: https://github.com/gogs/gogs/blob/v0.12.10/public/js/gogs.js#L263
+ - web: https://www.mend.io/vulnerability-database/CVE-2022-32174
+source:
+ id: GHSA-mcjj-2fvq-mc3r
+ created: 2024-08-20T14:49:14.091264-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-1062.yaml b/data/reports/GO-2022-1062.yaml
new file mode 100644
index 000000000..3e9dc23ef
--- /dev/null
+++ b/data/reports/GO-2022-1062.yaml
@@ -0,0 +1,23 @@
+id: GO-2022-1062
+modules:
+ - module: github.com/hashicorp/nomad
+ versions:
+ - fixed: 1.2.13
+ - introduced: 1.3.0
+ - fixed: 1.3.6
+ vulnerable_at: 1.3.5
+summary: Nomad Panics On Job Submission With Bad Artifact Stanza Source URL in github.com/hashicorp/nomad
+cves:
+ - CVE-2022-41606
+ghsas:
+ - GHSA-7v3g-4878-5qrf
+references:
+ - advisory: https://github.com/advisories/GHSA-7v3g-4878-5qrf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-41606
+ - web: https://discuss.hashicorp.com
+ - web: https://discuss.hashicorp.com/t/hcsec-2022-22-nomad-panics-on-job-submission-with-bad-artifact-stanza-source-url/45420
+source:
+ id: GHSA-7v3g-4878-5qrf
+ created: 2024-08-20T14:49:26.16813-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1065.yaml b/data/reports/GO-2022-1065.yaml
new file mode 100644
index 000000000..f974a6eef
--- /dev/null
+++ b/data/reports/GO-2022-1065.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-1065
+modules:
+ - module: code.gitea.io/gitea
+ versions:
+ - fixed: 1.17.3
+ vulnerable_at: 1.17.2
+summary: Gitea vulnerable to Argument Injection in code.gitea.io/gitea
+cves:
+ - CVE-2022-42968
+ghsas:
+ - GHSA-w8xw-7crf-h23x
+references:
+ - advisory: https://github.com/advisories/GHSA-w8xw-7crf-h23x
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-42968
+ - web: https://github.com/go-gitea/gitea/pull/21463
+ - web: https://github.com/go-gitea/gitea/releases/tag/v1.17.3
+ - web: https://security.gentoo.org/glsa/202210-14
+source:
+ id: GHSA-w8xw-7crf-h23x
+ created: 2024-08-20T14:49:29.710202-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1066.yaml b/data/reports/GO-2022-1066.yaml
new file mode 100644
index 000000000..c37196550
--- /dev/null
+++ b/data/reports/GO-2022-1066.yaml
@@ -0,0 +1,20 @@
+id: GO-2022-1066
+modules:
+ - module: github.com/cheqd/cheqd-node
+ versions:
+ - fixed: 0.6.9
+ vulnerable_at: 0.6.8
+summary: |-
+ Potential inter-blockchain communication (IBC) protocol compromise via
+ "Dragonberry" vulnerability in cheqd in github.com/cheqd/cheqd-node
+ghsas:
+ - GHSA-j92c-mmf7-j5x5
+references:
+ - advisory: https://github.com/cheqd/cheqd-node/security/advisories/GHSA-j92c-mmf7-j5x5
+ - web: https://forum.cosmos.network/t/ibc-security-advisory-dragonberry/7702/1
+ - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.9
+source:
+ id: GHSA-j92c-mmf7-j5x5
+ created: 2024-08-20T14:49:34.431692-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-1067.yaml b/data/reports/GO-2022-1067.yaml
new file mode 100644
index 000000000..3c5258342
--- /dev/null
+++ b/data/reports/GO-2022-1067.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-1067
+modules:
+ - module: github.com/brokercap/Bifrost
+ versions:
+ - fixed: 1.8.7-release
+ vulnerable_at: 1.8.6-release
+summary: |-
+ Bifrost vulnerable to authentication check flaw that leads to authentication
+ bypass in github.com/brokercap/Bifrost
+cves:
+ - CVE-2022-39267
+ghsas:
+ - GHSA-mxrx-fg8p-5p5j
+references:
+ - advisory: https://github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39267
+ - fix: https://github.com/brokercap/Bifrost/commit/63da5c8eb7eb21639ea7ac199fe10b5e07b03a8a
+source:
+ id: GHSA-mxrx-fg8p-5p5j
+ created: 2024-08-20T14:49:36.853901-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE