From 34d5974714279ca2a5cfa29c8c8af2df4a5f4113 Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley Date: Tue, 20 Aug 2024 12:49:26 -0400 Subject: [PATCH] data/reports: unexclude 20 reports (6) - data/reports/GO-2023-1785.yaml - data/reports/GO-2023-1793.yaml - data/reports/GO-2023-1795.yaml - data/reports/GO-2023-1800.yaml - data/reports/GO-2023-1801.yaml - data/reports/GO-2023-1803.yaml - data/reports/GO-2023-1804.yaml - data/reports/GO-2023-1806.yaml - data/reports/GO-2023-1808.yaml - data/reports/GO-2023-1809.yaml - data/reports/GO-2023-1819.yaml - data/reports/GO-2023-1827.yaml - data/reports/GO-2023-1828.yaml - data/reports/GO-2023-1829.yaml - data/reports/GO-2023-1831.yaml - data/reports/GO-2023-1849.yaml - data/reports/GO-2023-1850.yaml - data/reports/GO-2023-1851.yaml - data/reports/GO-2023-1852.yaml - data/reports/GO-2023-1853.yaml Updates golang/vulndb#1785 Updates golang/vulndb#1793 Updates golang/vulndb#1795 Updates golang/vulndb#1800 Updates golang/vulndb#1801 Updates golang/vulndb#1803 Updates golang/vulndb#1804 Updates golang/vulndb#1806 Updates golang/vulndb#1808 Updates golang/vulndb#1809 Updates golang/vulndb#1819 Updates golang/vulndb#1827 Updates golang/vulndb#1828 Updates golang/vulndb#1829 Updates golang/vulndb#1831 Updates golang/vulndb#1849 Updates golang/vulndb#1850 Updates golang/vulndb#1851 Updates golang/vulndb#1852 Updates golang/vulndb#1853 Change-Id: Ib6fb15714358b0a9d7644d6ed43de25bdbd8434b Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606786 LUCI-TryBot-Result: Go LUCI Auto-Submit: Tatiana Bradley Reviewed-by: Damien Neil --- data/excluded/GO-2023-1785.yaml | 8 --- data/excluded/GO-2023-1793.yaml | 8 --- data/excluded/GO-2023-1795.yaml | 8 --- data/excluded/GO-2023-1800.yaml | 8 --- data/excluded/GO-2023-1801.yaml | 8 --- data/excluded/GO-2023-1803.yaml | 8 --- data/excluded/GO-2023-1804.yaml | 6 -- data/excluded/GO-2023-1806.yaml | 8 --- data/excluded/GO-2023-1808.yaml | 8 --- data/excluded/GO-2023-1809.yaml | 8 --- data/excluded/GO-2023-1819.yaml | 8 --- data/excluded/GO-2023-1827.yaml | 8 --- 
data/excluded/GO-2023-1828.yaml | 8 --- data/excluded/GO-2023-1829.yaml | 8 --- data/excluded/GO-2023-1831.yaml | 8 --- data/excluded/GO-2023-1849.yaml | 8 --- data/excluded/GO-2023-1850.yaml | 8 --- data/excluded/GO-2023-1851.yaml | 8 --- data/excluded/GO-2023-1852.yaml | 8 --- data/excluded/GO-2023-1853.yaml | 8 --- data/osv/GO-2023-1785.json | 72 ++++++++++++++++++++++ data/osv/GO-2023-1793.json | 64 +++++++++++++++++++ data/osv/GO-2023-1795.json | 52 ++++++++++++++++ data/osv/GO-2023-1800.json | 106 ++++++++++++++++++++++++++++++++ data/osv/GO-2023-1801.json | 56 +++++++++++++++++ data/osv/GO-2023-1803.json | 56 +++++++++++++++++ data/osv/GO-2023-1804.json | 51 +++++++++++++++ data/osv/GO-2023-1806.json | 52 ++++++++++++++++ data/osv/GO-2023-1808.json | 81 ++++++++++++++++++++++++ data/osv/GO-2023-1809.json | 81 ++++++++++++++++++++++++ data/osv/GO-2023-1819.json | 52 ++++++++++++++++ data/osv/GO-2023-1827.json | 58 +++++++++++++++++ data/osv/GO-2023-1828.json | 52 ++++++++++++++++ data/osv/GO-2023-1829.json | 56 +++++++++++++++++ data/osv/GO-2023-1831.json | 52 ++++++++++++++++ data/osv/GO-2023-1849.json | 64 +++++++++++++++++++ data/osv/GO-2023-1850.json | 60 ++++++++++++++++++ data/osv/GO-2023-1851.json | 72 ++++++++++++++++++++++ data/osv/GO-2023-1852.json | 60 ++++++++++++++++++ data/osv/GO-2023-1853.json | 56 +++++++++++++++++ data/reports/GO-2023-1785.yaml | 26 ++++++++ data/reports/GO-2023-1793.yaml | 23 +++++++ data/reports/GO-2023-1795.yaml | 20 ++++++ data/reports/GO-2023-1800.yaml | 36 +++++++++++ data/reports/GO-2023-1801.yaml | 22 +++++++ data/reports/GO-2023-1803.yaml | 23 +++++++ data/reports/GO-2023-1804.yaml | 18 ++++++ data/reports/GO-2023-1806.yaml | 20 ++++++ data/reports/GO-2023-1808.yaml | 25 ++++++++ data/reports/GO-2023-1809.yaml | 25 ++++++++ data/reports/GO-2023-1819.yaml | 20 ++++++ data/reports/GO-2023-1827.yaml | 22 +++++++ data/reports/GO-2023-1828.yaml | 23 +++++++ data/reports/GO-2023-1829.yaml | 21 +++++++ 
data/reports/GO-2023-1831.yaml | 22 +++++++ data/reports/GO-2023-1849.yaml | 24 ++++++++ data/reports/GO-2023-1850.yaml | 23 +++++++ data/reports/GO-2023-1851.yaml | 26 ++++++++ data/reports/GO-2023-1852.yaml | 23 +++++++ data/reports/GO-2023-1853.yaml | 21 +++++++ 60 files changed, 1716 insertions(+), 158 deletions(-) delete mode 100644 data/excluded/GO-2023-1785.yaml delete mode 100644 data/excluded/GO-2023-1793.yaml delete mode 100644 data/excluded/GO-2023-1795.yaml delete mode 100644 data/excluded/GO-2023-1800.yaml delete mode 100644 data/excluded/GO-2023-1801.yaml delete mode 100644 data/excluded/GO-2023-1803.yaml delete mode 100644 data/excluded/GO-2023-1804.yaml delete mode 100644 data/excluded/GO-2023-1806.yaml delete mode 100644 data/excluded/GO-2023-1808.yaml delete mode 100644 data/excluded/GO-2023-1809.yaml delete mode 100644 data/excluded/GO-2023-1819.yaml delete mode 100644 data/excluded/GO-2023-1827.yaml delete mode 100644 data/excluded/GO-2023-1828.yaml delete mode 100644 data/excluded/GO-2023-1829.yaml delete mode 100644 data/excluded/GO-2023-1831.yaml delete mode 100644 data/excluded/GO-2023-1849.yaml delete mode 100644 data/excluded/GO-2023-1850.yaml delete mode 100644 data/excluded/GO-2023-1851.yaml delete mode 100644 data/excluded/GO-2023-1852.yaml delete mode 100644 data/excluded/GO-2023-1853.yaml create mode 100644 data/osv/GO-2023-1785.json create mode 100644 data/osv/GO-2023-1793.json create mode 100644 data/osv/GO-2023-1795.json create mode 100644 data/osv/GO-2023-1800.json create mode 100644 data/osv/GO-2023-1801.json create mode 100644 data/osv/GO-2023-1803.json create mode 100644 data/osv/GO-2023-1804.json create mode 100644 data/osv/GO-2023-1806.json create mode 100644 data/osv/GO-2023-1808.json create mode 100644 data/osv/GO-2023-1809.json create mode 100644 data/osv/GO-2023-1819.json create mode 100644 data/osv/GO-2023-1827.json create mode 100644 data/osv/GO-2023-1828.json create mode 100644 data/osv/GO-2023-1829.json create mode 
100644 data/osv/GO-2023-1831.json create mode 100644 data/osv/GO-2023-1849.json create mode 100644 data/osv/GO-2023-1850.json create mode 100644 data/osv/GO-2023-1851.json create mode 100644 data/osv/GO-2023-1852.json create mode 100644 data/osv/GO-2023-1853.json create mode 100644 data/reports/GO-2023-1785.yaml create mode 100644 data/reports/GO-2023-1793.yaml create mode 100644 data/reports/GO-2023-1795.yaml create mode 100644 data/reports/GO-2023-1800.yaml create mode 100644 data/reports/GO-2023-1801.yaml create mode 100644 data/reports/GO-2023-1803.yaml create mode 100644 data/reports/GO-2023-1804.yaml create mode 100644 data/reports/GO-2023-1806.yaml create mode 100644 data/reports/GO-2023-1808.yaml create mode 100644 data/reports/GO-2023-1809.yaml create mode 100644 data/reports/GO-2023-1819.yaml create mode 100644 data/reports/GO-2023-1827.yaml create mode 100644 data/reports/GO-2023-1828.yaml create mode 100644 data/reports/GO-2023-1829.yaml create mode 100644 data/reports/GO-2023-1831.yaml create mode 100644 data/reports/GO-2023-1849.yaml create mode 100644 data/reports/GO-2023-1850.yaml create mode 100644 data/reports/GO-2023-1851.yaml create mode 100644 data/reports/GO-2023-1852.yaml create mode 100644 data/reports/GO-2023-1853.yaml
diff --git a/data/excluded/GO-2023-1785.yaml b/data/excluded/GO-2023-1785.yaml
deleted file mode 100644
index d30261a2..00000000
--- a/data/excluded/GO-2023-1785.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1785
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cilium/cilium
-cves:
- - CVE-2023-30851
-ghsas:
- - GHSA-2h44-x2wx-49f4
diff --git a/data/excluded/GO-2023-1793.yaml b/data/excluded/GO-2023-1793.yaml
deleted file mode 100644
index 37a35463..00000000
--- a/data/excluded/GO-2023-1793.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1793
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: sigs.k8s.io/secrets-store-csi-driver
-cves:
- - CVE-2023-2878
-ghsas:
- - GHSA-g82w-58jf-gcxx
diff --git a/data/excluded/GO-2023-1795.yaml b/data/excluded/GO-2023-1795.yaml
deleted file mode 100644
index da59e7cf..00000000
--- a/data/excluded/GO-2023-1795.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1795
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/sigstore/rekor
-cves:
- - CVE-2023-33199
-ghsas:
- - GHSA-frqx-jfcm-6jjr
diff --git a/data/excluded/GO-2023-1800.yaml b/data/excluded/GO-2023-1800.yaml
deleted file mode 100644
index a701fd0a..00000000
--- a/data/excluded/GO-2023-1800.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1800
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/pomerium/pomerium
-cves:
- - CVE-2023-33189
-ghsas:
- - GHSA-pvrc-wvj2-f59p
diff --git a/data/excluded/GO-2023-1801.yaml b/data/excluded/GO-2023-1801.yaml
deleted file mode 100644
index 3a699978..00000000
--- a/data/excluded/GO-2023-1801.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1801
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/kyverno/kyverno
-cves:
- - CVE-2023-33191
-ghsas:
- - GHSA-33hq-f2mf-jm3c
diff --git a/data/excluded/GO-2023-1803.yaml b/data/excluded/GO-2023-1803.yaml
deleted file mode 100644
index dc05d02e..00000000
--- a/data/excluded/GO-2023-1803.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1803
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/lima-vm/lima
-cves:
- - CVE-2023-32684
-ghsas:
- - GHSA-f7qw-jj9c-rpq9
diff --git a/data/excluded/GO-2023-1804.yaml b/data/excluded/GO-2023-1804.yaml
deleted file mode 100644
index 8df104a1..00000000
--- a/data/excluded/GO-2023-1804.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2023-1804
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/kyverno/kyverno
-ghsas:
- - GHSA-hgv6-w7r3-w4qw
diff --git a/data/excluded/GO-2023-1806.yaml b/data/excluded/GO-2023-1806.yaml
deleted file mode 100644
index 71877b75..00000000
--- a/data/excluded/GO-2023-1806.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1806
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/multiversx/mx-chain-go
-cves:
- - CVE-2023-33964
-ghsas:
- - GHSA-7xpv-4pm9-xch2
diff --git a/data/excluded/GO-2023-1808.yaml b/data/excluded/GO-2023-1808.yaml
deleted file mode 100644
index 10ead243..00000000
--- a/data/excluded/GO-2023-1808.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1808
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/pydio/cells
-cves:
- - CVE-2023-2978
-ghsas:
- - GHSA-mv7x-27pc-8c96
diff --git a/data/excluded/GO-2023-1809.yaml b/data/excluded/GO-2023-1809.yaml
deleted file mode 100644
index 99614f40..00000000
--- a/data/excluded/GO-2023-1809.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1809
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/pydio/cells
-cves:
- - CVE-2023-2981
-ghsas:
- - GHSA-wmfc-g86p-fjvr
diff --git a/data/excluded/GO-2023-1819.yaml b/data/excluded/GO-2023-1819.yaml
deleted file mode 100644
index d1387895..00000000
--- a/data/excluded/GO-2023-1819.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1819
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/kyverno/kyverno
-cves:
- - CVE-2023-34091
-ghsas:
- - GHSA-hq4m-4948-64cc
diff --git a/data/excluded/GO-2023-1827.yaml b/data/excluded/GO-2023-1827.yaml
deleted file mode 100644
index aa9a69a9..00000000
--- a/data/excluded/GO-2023-1827.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1827
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/consul
-cves:
- - CVE-2023-1297
-ghsas:
- - GHSA-c57c-7hrj-6q6v
diff --git a/data/excluded/GO-2023-1828.yaml b/data/excluded/GO-2023-1828.yaml
deleted file mode 100644
index 7cde44e9..00000000
--- a/data/excluded/GO-2023-1828.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1828
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/consul
-cves:
- - CVE-2023-2816
-ghsas:
- - GHSA-rqjq-ww83-wv5c
diff --git a/data/excluded/GO-2023-1829.yaml b/data/excluded/GO-2023-1829.yaml
deleted file mode 100644
index 2a406e3e..00000000
--- a/data/excluded/GO-2023-1829.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1829
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/notaryproject/notation
-cves:
- - CVE-2023-33957
-ghsas:
- - GHSA-9m3v-v4r5-ppx7
diff --git a/data/excluded/GO-2023-1831.yaml b/data/excluded/GO-2023-1831.yaml
deleted file mode 100644
index 3f0b9487..00000000
--- a/data/excluded/GO-2023-1831.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1831
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/notaryproject/notation
-cves:
- - CVE-2023-33958
-ghsas:
- - GHSA-rvrx-rrwh-r9p6
diff --git a/data/excluded/GO-2023-1849.yaml b/data/excluded/GO-2023-1849.yaml
deleted file mode 100644
index 95266060..00000000
--- a/data/excluded/GO-2023-1849.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1849
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/hashicorp/vault
-cves:
- - CVE-2023-2121
-ghsas:
- - GHSA-gq98-53rq-qr5h
diff --git a/data/excluded/GO-2023-1850.yaml b/data/excluded/GO-2023-1850.yaml
deleted file mode 100644
index f030fd9c..00000000
--- a/data/excluded/GO-2023-1850.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1850
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/consul
-cves:
- - CVE-2018-19653
-ghsas:
- - GHSA-4qvx-qq5w-695p
diff --git a/data/excluded/GO-2023-1851.yaml b/data/excluded/GO-2023-1851.yaml
deleted file mode 100644
index 0b156b70..00000000
--- a/data/excluded/GO-2023-1851.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1851
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/consul
-cves:
- - CVE-2020-25864
-ghsas:
- - GHSA-8xmx-h8rq-h94j
diff --git a/data/excluded/GO-2023-1852.yaml b/data/excluded/GO-2023-1852.yaml
deleted file mode 100644
index 29255fc4..00000000
--- a/data/excluded/GO-2023-1852.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1852
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/consul/acl
-cves:
- - CVE-2019-12291
-ghsas:
- - GHSA-h65h-v7fw-4p38
diff --git a/data/excluded/GO-2023-1853.yaml b/data/excluded/GO-2023-1853.yaml
deleted file mode 100644
index 0fe24bbb..00000000
--- a/data/excluded/GO-2023-1853.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1853
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/consul
-cves:
- - CVE-2019-9764
-ghsas:
- - GHSA-q7fx-wm2p-qfj8
diff --git a/data/osv/GO-2023-1785.json b/data/osv/GO-2023-1785.json
new file mode 100644
index 00000000..7a0d5502
--- /dev/null
+++ b/data/osv/GO-2023-1785.json
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1785", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-30851", + "GHSA-2h44-x2wx-49f4" + ], + "summary": "Potential HTTP policy bypass when using header rules in Cilium in github.com/cilium/cilium", + "details": "Potential HTTP policy bypass when using header rules in Cilium in github.com/cilium/cilium", + "affected": [ + { + "package": { + "name": "github.com/cilium/cilium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.16" + }, + { + "introduced": "1.12.0" + }, + { + "fixed": "1.12.9" + }, + { + "introduced": "1.13.0" + }, + { + "fixed": "1.13.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30851" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.11.16" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.12.9" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.13.2" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1785", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1793.json b/data/osv/GO-2023-1793.json new file mode 100644 index 00000000..468440dc --- /dev/null +++ b/data/osv/GO-2023-1793.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1793", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-2878", + "GHSA-g82w-58jf-gcxx" + ], + "summary": "secrets-store-csi-driver discloses service account tokens in logs in sigs.k8s.io/secrets-store-csi-driver", + "details": "secrets-store-csi-driver discloses service account tokens in logs in sigs.k8s.io/secrets-store-csi-driver", + "affected": [ + { + "package": { + "name": "sigs.k8s.io/secrets-store-csi-driver", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/security/advisories/GHSA-g82w-58jf-gcxx" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2878" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/releases/tag/v1.3.3" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/118419" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-announce/c/5K8ghQHBDdQ/m/Udee6YUgAAAJ" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20230814-0003" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1793", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1795.json b/data/osv/GO-2023-1795.json new file mode 100644 index 00000000..b5ac8a1f --- /dev/null +++ b/data/osv/GO-2023-1795.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1795", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-33199", + "GHSA-frqx-jfcm-6jjr" + ], + "summary": "malformed proposed intoto entries can cause a panic in github.com/sigstore/rekor", + "details": "malformed proposed intoto entries can cause a panic in github.com/sigstore/rekor", + "affected": [ + { + "package": { + "name": "github.com/sigstore/rekor", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/sigstore/rekor/security/advisories/GHSA-frqx-jfcm-6jjr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33199" + }, + { + "type": "FIX", + "url": "https://github.com/sigstore/rekor/commit/140c5add105179e5ffd9e3e114fd1b6b93aebbd4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1795", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1800.json b/data/osv/GO-2023-1800.json new file mode 100644 index 00000000..34f99b35 --- /dev/null +++ b/data/osv/GO-2023-1800.json 
@@ -0,0 +1,106 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1800", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-33189", + "GHSA-pvrc-wvj2-f59p" + ], + "summary": "Pomerium vulnerable to Incorrect Authorization with specially crafted requests in github.com/pomerium/pomerium", + "details": "Pomerium vulnerable to Incorrect Authorization with specially crafted requests in github.com/pomerium/pomerium", + "affected": [ + { + "package": { + "name": "github.com/pomerium/pomerium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.17.4" + }, + { + "introduced": "0.18.0" + }, + { + "fixed": "0.18.1" + }, + { + "introduced": "0.19.0" + }, + { + "fixed": "0.19.2" + }, + { + "introduced": "0.20.0" + }, + { + "fixed": "0.20.1" + }, + { + "introduced": "0.21.0" + }, + { + "fixed": "0.21.4" + }, + { + "introduced": "0.22.0" + }, + { + "fixed": "0.22.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33189" + }, + { + "type": "FIX", + "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb" + }, + { + "type": "WEB", + "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4" + }, + { + "type": "WEB", + "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1" + }, + { + "type": "WEB", + "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2" + }, + { + "type": "WEB", + "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1" + }, + { + "type": "WEB", + "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4" + }, + { + "type": "WEB", + "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2" + } + ], + "database_specific": { + 
"url": "https://pkg.go.dev/vuln/GO-2023-1800", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1801.json b/data/osv/GO-2023-1801.json new file mode 100644 index 00000000..7e88bf24 --- /dev/null +++ b/data/osv/GO-2023-1801.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1801", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-33191", + "GHSA-33hq-f2mf-jm3c" + ], + "summary": "kyverno seccomp control can be circumvented in github.com/kyverno/kyverno", + "details": "kyverno seccomp control can be circumvented in github.com/kyverno/kyverno", + "affected": [ + { + "package": { + "name": "github.com/kyverno/kyverno", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.9.2" + }, + { + "fixed": "1.9.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-33hq-f2mf-jm3c" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33191" + }, + { + "type": "FIX", + "url": "https://github.com/kyverno/kyverno/pull/7263" + }, + { + "type": "WEB", + "url": "https://github.com/kyverno/kyverno/releases/tag/v1.9.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1801", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1803.json b/data/osv/GO-2023-1803.json new file mode 100644 index 00000000..67d15290 --- /dev/null +++ b/data/osv/GO-2023-1803.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1803", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-32684", + "GHSA-f7qw-jj9c-rpq9" + ], + "summary": "In Lima, a malicious disk image could read a single file on the host filesystem as a qcow2/vmdk backing file in github.com/lima-vm/lima", + "details": "In Lima, a malicious disk image could read a single file on the host filesystem as a qcow2/vmdk backing file in github.com/lima-vm/lima", + "affected": [ + { + "package": { + "name": "github.com/lima-vm/lima", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.16.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/lima-vm/lima/security/advisories/GHSA-f7qw-jj9c-rpq9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32684" + }, + { + "type": "FIX", + "url": "https://github.com/lima-vm/lima/commit/01dbd4d9cabe692afa4517be3995771f0ebb38a5" + }, + { + "type": "WEB", + "url": "https://github.com/lima-vm/lima/releases/tag/v0.16.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1803", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1804.json b/data/osv/GO-2023-1804.json new file mode 100644 index 00000000..998b1581 --- /dev/null +++ b/data/osv/GO-2023-1804.json 
@@ -0,0 +1,51 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1804", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-hgv6-w7r3-w4qw" + ], + "summary": "Kyverno vulnerable due to usage of insecure cipher in github.com/kyverno/kyverno", + "details": "Kyverno vulnerable due to usage of insecure cipher in github.com/kyverno/kyverno", + "affected": [ + { + "package": { + "name": "github.com/kyverno/kyverno", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hgv6-w7r3-w4qw" + }, + { + "type": "FIX", + "url": "https://github.com/kyverno/kyverno/pull/7308" + }, + { + "type": "WEB", + "url": "https://github.com/kyverno/kyverno/releases/tag/v1.9.5" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1804", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1806.json b/data/osv/GO-2023-1806.json new file mode 100644 index 00000000..a00b78af --- /dev/null +++ b/data/osv/GO-2023-1806.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1806", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-33964", + "GHSA-7xpv-4pm9-xch2" + ], + "summary": "mx-chain-go does not treat invalid transaction with wrong username correctly in github.com/multiversx/mx-chain-go", + "details": "mx-chain-go does not treat invalid transaction with wrong username correctly in github.com/multiversx/mx-chain-go", + "affected": [ + { + "package": { + "name": "github.com/multiversx/mx-chain-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.16" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-7xpv-4pm9-xch2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33964" + }, + { + "type": "FIX", + "url": "https://github.com/multiversx/mx-chain-go/commit/97295471465f4b5f79e51b32f8b7111f8d921606" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1806", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1808.json b/data/osv/GO-2023-1808.json new file mode 100644 index 00000000..90eea408 --- /dev/null +++ b/data/osv/GO-2023-1808.json 
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1808", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-2978", + "GHSA-mv7x-27pc-8c96" + ], + "summary": "Go package pydio/cells vulnerable to authorization bypass in github.com/pydio/cells", + "details": "Go package pydio/cells vulnerable to authorization bypass in github.com/pydio/cells", + "affected": [ + { + "package": { + "name": "github.com/pydio/cells", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/pydio/cells/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.2.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mv7x-27pc-8c96" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2978" + }, + { + "type": "WEB", + "url": "https://popalltheshells.medium.com/multiple-cves-affecting-pydio-cells-4-2-0-321e7e4712be" + }, + { + "type": "WEB", + "url": "https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.230210" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.230210" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1808", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1809.json b/data/osv/GO-2023-1809.json new file mode 100644 index 00000000..53d14f40 --- /dev/null +++ b/data/osv/GO-2023-1809.json 
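Review bot: The first `affected` entry in this file, for `github.com/pydio/cells`, carries a single `"introduced": "0"` event with no `"fixed"` event, so every version of the unversioned module path is reported as vulnerable with no remediation, while only the `github.com/pydio/cells/v4` entry is bounded by `"fixed": "4.2.1"`. That is the correct encoding only if the pre-v4 module path was genuinely never fixed; otherwise consumers of this OSV record will see a permanent, unfixable finding on every pre-v4 version. This JSON is presumably generated from `data/reports/GO-2023-1808.yaml`, which is part of this commit but outside the visible chunk, so the range should be confirmed there rather than edited here. GO-2023-1809, the next hunk, has the same shape for the same module pair and should be checked together with this one.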
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1809", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-2981", + "GHSA-wmfc-g86p-fjvr" + ], + "summary": "go package pydio cells vulnerable to cross-site scripting in github.com/pydio/cells", + "details": "go package pydio cells vulnerable to cross-site scripting in github.com/pydio/cells", + "affected": [ + { + "package": { + "name": "github.com/pydio/cells", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/pydio/cells/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.2.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-wmfc-g86p-fjvr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2981" + }, + { + "type": "WEB", + "url": "https://popalltheshells.medium.com/multiple-cves-affecting-pydio-cells-4-2-0-321e7e4712be" + }, + { + "type": "WEB", + "url": "https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.230213" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.230213" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1809", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1819.json b/data/osv/GO-2023-1819.json new file mode 100644 index 00000000..b8680de0 --- /dev/null +++ b/data/osv/GO-2023-1819.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1819", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-34091", + "GHSA-hq4m-4948-64cc" + ], + "summary": "Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno", + "details": "Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno", + "affected": [ + { + "package": { + "name": "github.com/kyverno/kyverno", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34091" + }, + { + "type": "WEB", + "url": "https://github.com/kyverno/kyverno/releases/tag/v1.10.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1819", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1827.json b/data/osv/GO-2023-1827.json new file mode 100644 index 00000000..7b6e2057 --- /dev/null +++ b/data/osv/GO-2023-1827.json 
@@ -0,0 +1,58 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1827", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-1297", + "GHSA-c57c-7hrj-6q6v" + ], + "summary": "Hashicorp Consul vulnerable to denial of service in github.com/hashicorp/consul", + "details": "Hashicorp Consul vulnerable to denial of service in github.com/hashicorp/consul", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/consul", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.14.5" + }, + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-c57c-7hrj-6q6v" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1297" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1827", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1828.json b/data/osv/GO-2023-1828.json new file mode 100644 index 00000000..27a4c9ea --- /dev/null +++ b/data/osv/GO-2023-1828.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1828", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-2816", + "GHSA-rqjq-ww83-wv5c" + ], + "summary": "Hashicorp Consul allows user with service:write permissions to patch remote proxy instances in github.com/hashicorp/consul", + "details": "Hashicorp Consul allows user with service:write permissions to patch remote proxy instances in github.com/hashicorp/consul", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/consul", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-rqjq-ww83-wv5c" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2816" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1828", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1829.json b/data/osv/GO-2023-1829.json new file mode 100644 index 00000000..23159197 --- /dev/null +++ b/data/osv/GO-2023-1829.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1829", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-33957", + "GHSA-9m3v-v4r5-ppx7" + ], + "summary": "Notation vulnerable to denial of service from high number of artifact signatures in github.com/notaryproject/notation", + "details": "Notation vulnerable to denial of service from high number of artifact signatures in github.com/notaryproject/notation", + "affected": [ + { + "package": { + "name": "github.com/notaryproject/notation", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0-rc.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33957" + }, + { + "type": "FIX", + "url": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24" + }, + { + "type": "WEB", + "url": "https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1829", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1831.json b/data/osv/GO-2023-1831.json new file mode 100644 index 00000000..07921213 --- /dev/null +++ b/data/osv/GO-2023-1831.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1831", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-33958", + "GHSA-rvrx-rrwh-r9p6" + ], + "summary": "Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack in github.com/notaryproject/notation", + "details": "Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack in github.com/notaryproject/notation", + "affected": [ + { + "package": { + "name": "github.com/notaryproject/notation", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0-rc.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33958" + }, + { + "type": "WEB", + "url": "https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1831", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1849.json b/data/osv/GO-2023-1849.json new file mode 100644 index 00000000..840119a9 --- /dev/null +++ b/data/osv/GO-2023-1849.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1849", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-2121", + "GHSA-gq98-53rq-qr5h" + ], + "summary": "Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault", + "details": "Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.11" + }, + { + "introduced": "1.12.0" + }, + { + "fixed": "1.12.7" + }, + { + "introduced": "1.13.0" + }, + { + "fixed": "1.13.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-gq98-53rq-qr5h" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2121" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1849", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1850.json b/data/osv/GO-2023-1850.json new file mode 100644 index 00000000..30296cb7 --- /dev/null +++ b/data/osv/GO-2023-1850.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1850", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-19653", + "GHSA-4qvx-qq5w-695p" + ], + "summary": "HashiCorp Consul can use cleartext agent-to-agent RPC communication in github.com/hashicorp/consul", + "details": "HashiCorp Consul can use cleartext agent-to-agent RPC communication in github.com/hashicorp/consul", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/consul", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.5.1" + }, + { + "fixed": "1.4.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-4qvx-qq5w-695p" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19653" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/consul/commit/b64e8b262f80397eab4f39c6ae7e14683cb9f55c" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/consul/pull/5069" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!topic/consul-tool/7TCw06oio0I" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1850", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1851.json b/data/osv/GO-2023-1851.json new file mode 100644 index 00000000..7238271e --- /dev/null +++ b/data/osv/GO-2023-1851.json 
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1851", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-25864", + "GHSA-8xmx-h8rq-h94j" + ], + "summary": "HashiCorp Consul Cross-site Scripting vulnerability in github.com/hashicorp/consul", + "details": "HashiCorp Consul Cross-site Scripting vulnerability in github.com/hashicorp/consul", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/consul", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.7.14" + }, + { + "introduced": "1.8.0" + }, + { + "fixed": "1.8.10" + }, + { + "introduced": "1.9.0" + }, + { + "fixed": "1.9.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8xmx-h8rq-h94j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25864" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-09" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/consul" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1851", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1852.json b/data/osv/GO-2023-1852.json new file mode 100644 index 00000000..7c68d442 --- /dev/null +++ b/data/osv/GO-2023-1852.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1852", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-12291", + "GHSA-h65h-v7fw-4p38" + ], + "summary": "HashiCorp Consul Incorrect Access Control vulnerability in github.com/hashicorp/consul", + "details": "HashiCorp Consul Incorrect Access Control vulnerability in github.com/hashicorp/consul", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/consul", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.4.0" + }, + { + "fixed": "1.5.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-h65h-v7fw-4p38" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12291" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/consul/commit/36ebca1fd0129278487c6570449bc8cc03987890" + }, + { + "type": "REPORT", + "url": "https://github.com/hashicorp/consul/issues/5888" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/consul" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1852", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1853.json b/data/osv/GO-2023-1853.json new file mode 100644 index 00000000..4c19ddfd --- /dev/null +++ b/data/osv/GO-2023-1853.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1853", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-9764", + "GHSA-q7fx-wm2p-qfj8" + ], + "summary": "HashiCorp Consul vulnerable to Origin Validation Error in github.com/hashicorp/consul", + "details": "HashiCorp Consul vulnerable to Origin Validation Error in github.com/hashicorp/consul", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/consul", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-q7fx-wm2p-qfj8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9764" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/consul/commit/7e11dd82aa8dae505b7307adcb68c9d3194b3b40" + }, + { + "type": "REPORT", + "url": "https://github.com/hashicorp/consul/issues/5519" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1853", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2023-1785.yaml b/data/reports/GO-2023-1785.yaml new file mode 100644 index 00000000..a883f354 --- /dev/null +++ b/data/reports/GO-2023-1785.yaml 
@@ -0,0 +1,26 @@
+id: GO-2023-1785
+modules:
+ - module: github.com/cilium/cilium
+ versions:
+ - fixed: 1.11.16
+ - introduced: 1.12.0
+ - fixed: 1.12.9
+ - introduced: 1.13.0
+ - fixed: 1.13.2
+ vulnerable_at: 1.13.1
+summary: Potential HTTP policy bypass when using header rules in Cilium in github.com/cilium/cilium
+cves:
+ - CVE-2023-30851
+ghsas:
+ - GHSA-2h44-x2wx-49f4
+references:
+ - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-30851
+ - web: https://github.com/cilium/cilium/releases/tag/v1.11.16
+ - web: https://github.com/cilium/cilium/releases/tag/v1.12.9
+ - web: https://github.com/cilium/cilium/releases/tag/v1.13.2
+source:
+ id: GHSA-2h44-x2wx-49f4
+ created: 2024-08-20T11:44:35.135175-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1793.yaml b/data/reports/GO-2023-1793.yaml
new file mode 100644
index 00000000..c04ce527
--- /dev/null
+++ b/data/reports/GO-2023-1793.yaml
@@ -0,0 +1,23 @@
+id: GO-2023-1793
+modules:
+ - module: sigs.k8s.io/secrets-store-csi-driver
+ versions:
+ - fixed: 1.3.3
+ vulnerable_at: 1.3.2
+summary: secrets-store-csi-driver discloses service account tokens in logs in sigs.k8s.io/secrets-store-csi-driver
+cves:
+ - CVE-2023-2878
+ghsas:
+ - GHSA-g82w-58jf-gcxx
+references:
+ - advisory: https://github.com/kubernetes-sigs/secrets-store-csi-driver/security/advisories/GHSA-g82w-58jf-gcxx
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-2878
+ - web: https://github.com/kubernetes-sigs/secrets-store-csi-driver/releases/tag/v1.3.3
+ - web: https://github.com/kubernetes/kubernetes/issues/118419
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/5K8ghQHBDdQ/m/Udee6YUgAAAJ
+ - web: https://security.netapp.com/advisory/ntap-20230814-0003
+source:
+ id: GHSA-g82w-58jf-gcxx
+ created: 2024-08-20T11:44:50.069883-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1795.yaml b/data/reports/GO-2023-1795.yaml
new file mode 100644
index 00000000..3ff1673f
--- /dev/null
+++ b/data/reports/GO-2023-1795.yaml
@@ -0,0 +1,20 @@
+id: GO-2023-1795
+modules:
+ - module: github.com/sigstore/rekor
+ versions:
+ - fixed: 1.2.0
+ vulnerable_at: 1.1.1
+summary: malformed proposed intoto entries can cause a panic in github.com/sigstore/rekor
+cves:
+ - CVE-2023-33199
+ghsas:
+ - GHSA-frqx-jfcm-6jjr
+references:
+ - advisory: https://github.com/sigstore/rekor/security/advisories/GHSA-frqx-jfcm-6jjr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-33199
+ - fix: https://github.com/sigstore/rekor/commit/140c5add105179e5ffd9e3e114fd1b6b93aebbd4
+source:
+ id: GHSA-frqx-jfcm-6jjr
+ created: 2024-08-20T11:44:54.895733-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1800.yaml b/data/reports/GO-2023-1800.yaml
new file mode 100644
index 00000000..d562f5ca
--- /dev/null
+++ b/data/reports/GO-2023-1800.yaml
@@ -0,0 +1,36 @@
+id: GO-2023-1800
+modules:
+ - module: github.com/pomerium/pomerium
+ versions:
+ - fixed: 0.17.4
+ - introduced: 0.18.0
+ - fixed: 0.18.1
+ - introduced: 0.19.0
+ - fixed: 0.19.2
+ - introduced: 0.20.0
+ - fixed: 0.20.1
+ - introduced: 0.21.0
+ - fixed: 0.21.4
+ - introduced: 0.22.0
+ - fixed: 0.22.2
+ vulnerable_at: 0.22.1
+summary: Pomerium vulnerable to Incorrect Authorization with specially crafted requests in github.com/pomerium/pomerium
+cves:
+ - CVE-2023-33189
+ghsas:
+ - GHSA-pvrc-wvj2-f59p
+references:
+ - advisory: https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-33189
+ - fix: https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb
+ - web: https://github.com/pomerium/pomerium/releases/tag/v0.17.4
+ - web: https://github.com/pomerium/pomerium/releases/tag/v0.18.1
+ - web: https://github.com/pomerium/pomerium/releases/tag/v0.19.2
+ - web: https://github.com/pomerium/pomerium/releases/tag/v0.20.1
+ - web: https://github.com/pomerium/pomerium/releases/tag/v0.21.4
+ - web: https://github.com/pomerium/pomerium/releases/tag/v0.22.2
+source:
+ id: GHSA-pvrc-wvj2-f59p
+ created: 2024-08-20T11:44:58.157026-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1801.yaml b/data/reports/GO-2023-1801.yaml
new file mode 100644
index 00000000..29143ed5
--- /dev/null
+++ b/data/reports/GO-2023-1801.yaml
@@ -0,0 +1,22 @@
+id: GO-2023-1801
+modules:
+ - module: github.com/kyverno/kyverno
+ versions:
+ - introduced: 1.9.2
+ - fixed: 1.9.4
+ vulnerable_at: 1.9.3
+summary: kyverno seccomp control can be circumvented in github.com/kyverno/kyverno
+cves:
+ - CVE-2023-33191
+ghsas:
+ - GHSA-33hq-f2mf-jm3c
+references:
+ - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-33hq-f2mf-jm3c
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-33191
+ - fix: https://github.com/kyverno/kyverno/pull/7263
+ - web: https://github.com/kyverno/kyverno/releases/tag/v1.9.4
+source:
+ id: GHSA-33hq-f2mf-jm3c
+ created: 2024-08-20T11:45:04.563413-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1803.yaml b/data/reports/GO-2023-1803.yaml
new file mode 100644
index 00000000..6e29fe8b
--- /dev/null
+++ b/data/reports/GO-2023-1803.yaml
@@ -0,0 +1,23 @@
+id: GO-2023-1803
+modules:
+ - module: github.com/lima-vm/lima
+ versions:
+ - fixed: 0.16.0
+ vulnerable_at: 0.15.1
+summary: |-
+ In Lima, a malicious disk image could read a single file on the host filesystem
+ as a qcow2/vmdk backing file in github.com/lima-vm/lima
+cves:
+ - CVE-2023-32684
+ghsas:
+ - GHSA-f7qw-jj9c-rpq9
+references:
+ - advisory: https://github.com/lima-vm/lima/security/advisories/GHSA-f7qw-jj9c-rpq9
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-32684
+ - fix: https://github.com/lima-vm/lima/commit/01dbd4d9cabe692afa4517be3995771f0ebb38a5
+ - web: https://github.com/lima-vm/lima/releases/tag/v0.16.0
+source:
+ id: GHSA-f7qw-jj9c-rpq9
+ created: 2024-08-20T11:45:10.547247-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1804.yaml b/data/reports/GO-2023-1804.yaml
new file mode 100644
index 00000000..a1151b99
--- /dev/null
+++ b/data/reports/GO-2023-1804.yaml
@@ -0,0 +1,18 @@
+id: GO-2023-1804
+modules:
+ - module: github.com/kyverno/kyverno
+ versions:
+ - fixed: 1.9.5
+ vulnerable_at: 1.9.4
+summary: Kyverno vulnerable due to usage of insecure cipher in github.com/kyverno/kyverno
+ghsas:
+ - GHSA-hgv6-w7r3-w4qw
+references:
+ - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-hgv6-w7r3-w4qw
+ - fix: https://github.com/kyverno/kyverno/pull/7308
+ - web: https://github.com/kyverno/kyverno/releases/tag/v1.9.5
+source:
+ id: GHSA-hgv6-w7r3-w4qw
+ created: 2024-08-20T11:45:14.537311-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1806.yaml b/data/reports/GO-2023-1806.yaml
new file mode 100644
index 00000000..bb140ac5
--- /dev/null
+++ b/data/reports/GO-2023-1806.yaml
@@ -0,0 +1,20 @@
+id: GO-2023-1806
+modules:
+ - module: github.com/multiversx/mx-chain-go
+ versions:
+ - fixed: 1.4.16
+ vulnerable_at: 1.4.15
+summary: mx-chain-go does not treat invalid transaction with wrong username correctly in github.com/multiversx/mx-chain-go
+cves:
+ - CVE-2023-33964
+ghsas:
+ - GHSA-7xpv-4pm9-xch2
+references:
+ - advisory: https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-7xpv-4pm9-xch2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-33964
+ - fix: https://github.com/multiversx/mx-chain-go/commit/97295471465f4b5f79e51b32f8b7111f8d921606
+source:
+ id: GHSA-7xpv-4pm9-xch2
+ created: 2024-08-20T11:45:21.553083-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1808.yaml b/data/reports/GO-2023-1808.yaml
new file mode 100644
index 00000000..a36d96b4
--- /dev/null
+++ b/data/reports/GO-2023-1808.yaml
@@ -0,0 +1,25 @@
+id: GO-2023-1808
+modules:
+ - module: github.com/pydio/cells
+ vulnerable_at: 3.0.9+incompatible
+ - module: github.com/pydio/cells/v4
+ versions:
+ - fixed: 4.2.1
+ vulnerable_at: 4.2.1-rc1
+summary: Go package pydio/cells vulnerable to authorization bypass in github.com/pydio/cells
+cves:
+ - CVE-2023-2978
+ghsas:
+ - GHSA-mv7x-27pc-8c96
+references:
+ - advisory: https://github.com/advisories/GHSA-mv7x-27pc-8c96
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-2978
+ - web: https://popalltheshells.medium.com/multiple-cves-affecting-pydio-cells-4-2-0-321e7e4712be
+ - web: https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421
+ - web: https://vuldb.com/?ctiid.230210
+ - web: https://vuldb.com/?id.230210
+source:
+ id: GHSA-mv7x-27pc-8c96
+ created: 2024-08-20T11:45:35.608509-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1809.yaml b/data/reports/GO-2023-1809.yaml
new file mode 100644
index 00000000..35bd3867
--- /dev/null
+++ b/data/reports/GO-2023-1809.yaml
@@ -0,0 +1,25 @@
+id: GO-2023-1809
+modules:
+ - module: github.com/pydio/cells
+ vulnerable_at: 3.0.9+incompatible
+ - module: github.com/pydio/cells/v4
+ versions:
+ - fixed: 4.2.1
+ vulnerable_at: 4.2.1-rc1
+summary: go package pydio cells vulnerable to cross-site scripting in github.com/pydio/cells
+cves:
+ - CVE-2023-2981
+ghsas:
+ - GHSA-wmfc-g86p-fjvr
+references:
+ - advisory: https://github.com/advisories/GHSA-wmfc-g86p-fjvr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-2981
+ - web: https://popalltheshells.medium.com/multiple-cves-affecting-pydio-cells-4-2-0-321e7e4712be
+ - web: https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421
+ - web: https://vuldb.com/?ctiid.230213
+ - web: https://vuldb.com/?id.230213
+source:
+ id: GHSA-wmfc-g86p-fjvr
+ created: 2024-08-20T11:46:12.227471-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
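Review bot: The first module entry, `- module: github.com/pydio/cells` with `vulnerable_at: 3.0.9+incompatible` and no `versions`, declares every version of the pre-v4 module path vulnerable with no fix, so anyone on the v3 line will be flagged indefinitely; that is the right shape only if the v3 line never received a backport, which nothing in the report establishes. The references are aggregator and third-party pages (GHSA mirror, NVD, a Medium post, two vuldb entries) plus a vendor release page, and there is no `fix:` commit, so the 4.2.1 boundary for `github.com/pydio/cells/v4` cannot be checked against the code. Before this moves past UNREVIEWED I would add the fixing commit as a `fix:` reference and either confirm the v3 line is unfixed or add a `fixed:` entry for it. GO-2023-1809 on this same line has the identical module layout and reference set and needs the same check.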
diff --git a/data/reports/GO-2023-1819.yaml b/data/reports/GO-2023-1819.yaml
new file mode 100644
index 00000000..792a620f
--- /dev/null
+++ b/data/reports/GO-2023-1819.yaml
@@ -0,0 +1,20 @@
+id: GO-2023-1819
+modules:
+ - module: github.com/kyverno/kyverno
+ versions:
+ - fixed: 1.10.0
+ vulnerable_at: 1.10.0-rc.1
+summary: Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno
+cves:
+ - CVE-2023-34091
+ghsas:
+ - GHSA-hq4m-4948-64cc
+references:
+ - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-34091
+ - web: https://github.com/kyverno/kyverno/releases/tag/v1.10.0
+source:
+ id: GHSA-hq4m-4948-64cc
+ created: 2024-08-20T11:46:46.895117-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1827.yaml b/data/reports/GO-2023-1827.yaml
new file mode 100644
index 00000000..d6c41bb6
--- /dev/null
+++ b/data/reports/GO-2023-1827.yaml
@@ -0,0 +1,22 @@
+id: GO-2023-1827
+modules:
+ - module: github.com/hashicorp/consul
+ versions:
+ - fixed: 1.14.5
+ - introduced: 1.15.0
+ - fixed: 1.15.3
+ vulnerable_at: 1.15.2
+summary: Hashicorp Consul vulnerable to denial of service in github.com/hashicorp/consul
+cves:
+ - CVE-2023-1297
+ghsas:
+ - GHSA-c57c-7hrj-6q6v
+references:
+ - advisory: https://github.com/advisories/GHSA-c57c-7hrj-6q6v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-1297
+ - web: https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515
+source:
+ id: GHSA-c57c-7hrj-6q6v
+ created: 2024-08-20T11:46:56.037705-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1828.yaml b/data/reports/GO-2023-1828.yaml
new file mode 100644
index 00000000..fba93371
--- /dev/null
+++ b/data/reports/GO-2023-1828.yaml
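Review bot: In GO-2023-1827 the first range for `github.com/hashicorp/consul` has only `- fixed: 1.14.5` with no `introduced`, so every release back to v0 is reported as affected, yet the only vendor reference (the HCSEC-2023-15 discussion link) is titled around cluster peering, a feature that older Consul releases presumably do not have; if so, the open lower bound over-reports. I would confirm the first affected version from the vendor advisory and, if peering is the prerequisite, add `- introduced: <first release with peering>` ahead of `- fixed: 1.14.5` rather than leave the range open-ended. The summary also says only "denial of service"; a one-line `description` naming the mechanism from the advisory (cluster peering) would let users judge exposure without following the link.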
@@ -0,0 +1,23 @@
+id: GO-2023-1828
+modules:
+ - module: github.com/hashicorp/consul
+ versions:
+ - introduced: 1.15.0
+ - fixed: 1.15.3
+ vulnerable_at: 1.15.2
+summary: |-
+ Hashicorp Consul allows user with service:write permissions to patch remote
+ proxy instances in github.com/hashicorp/consul
+cves:
+ - CVE-2023-2816
+ghsas:
+ - GHSA-rqjq-ww83-wv5c
+references:
+ - advisory: https://github.com/advisories/GHSA-rqjq-ww83-wv5c
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-2816
+ - web: https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525
+source:
+ id: GHSA-rqjq-ww83-wv5c
+ created: 2024-08-20T11:46:59.371377-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1829.yaml b/data/reports/GO-2023-1829.yaml
new file mode 100644
index 00000000..ea194b03
--- /dev/null
+++ b/data/reports/GO-2023-1829.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1829
+modules:
+ - module: github.com/notaryproject/notation
+ versions:
+ - fixed: 1.0.0-rc.6
+ vulnerable_at: 1.0.0-rc.5
+summary: Notation vulnerable to denial of service from high number of artifact signatures in github.com/notaryproject/notation
+cves:
+ - CVE-2023-33957
+ghsas:
+ - GHSA-9m3v-v4r5-ppx7
+references:
+ - advisory: https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-33957
+ - fix: https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24
+ - web: https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6
+source:
+ id: GHSA-9m3v-v4r5-ppx7
+ created: 2024-08-20T11:47:02.312148-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1831.yaml b/data/reports/GO-2023-1831.yaml
new file mode 100644
index 00000000..335927ef
--- /dev/null
+++ b/data/reports/GO-2023-1831.yaml
@@ -0,0 +1,22 @@
+id: GO-2023-1831
+modules:
+ - module: github.com/notaryproject/notation
+ versions:
+ - fixed: 1.0.0-rc.6
+ vulnerable_at: 1.0.0-rc.5
+summary: |-
+ Notation's default `maxSignatureAttempts` in `notation verify` enables an
+ endless data attack in github.com/notaryproject/notation
+cves:
+ - CVE-2023-33958
+ghsas:
+ - GHSA-rvrx-rrwh-r9p6
+references:
+ - advisory: https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-33958
+ - web: https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6
+source:
+ id: GHSA-rvrx-rrwh-r9p6
+ created: 2024-08-20T11:47:06.188815-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1849.yaml b/data/reports/GO-2023-1849.yaml
new file mode 100644
index 00000000..5efaf6aa
--- /dev/null
+++ b/data/reports/GO-2023-1849.yaml
@@ -0,0 +1,24 @@
+id: GO-2023-1849
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - fixed: 1.11.11
+ - introduced: 1.12.0
+ - fixed: 1.12.7
+ - introduced: 1.13.0
+ - fixed: 1.13.3
+ vulnerable_at: 1.13.2
+summary: Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault
+cves:
+ - CVE-2023-2121
+ghsas:
+ - GHSA-gq98-53rq-qr5h
+references:
+ - advisory: https://github.com/advisories/GHSA-gq98-53rq-qr5h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-2121
+ - web: https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814
+source:
+ id: GHSA-gq98-53rq-qr5h
+ created: 2024-08-20T11:47:23.785505-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2023-1850.yaml b/data/reports/GO-2023-1850.yaml
new file mode 100644
index 00000000..6750a939
--- /dev/null
+++ b/data/reports/GO-2023-1850.yaml
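Review bot: GO-2023-1849 is the one report in this batch marked `unexcluded: NOT_IMPORTABLE` rather than `EFFECTIVELY_PRIVATE`, and its only vendor reference (the HCSEC-2023-17 link) is titled as an HTML-injection issue in Vault's KV diff viewer, which suggests the vulnerable code is the web UI rather than Go code reachable by importing github.com/hashicorp/vault. As written, a govulncheck user who imports the module will get a module-level finding for a bug they presumably cannot reach from Go, and nothing in the report tells them so. I would add a short `description` stating that the issue is in the Vault web UI and that Go importers are not believed to be affected, confirmed against the advisory before the report is marked reviewed.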
@@ -0,0 +1,23 @@
+id: GO-2023-1850
+modules:
+ - module: github.com/hashicorp/consul
+ versions:
+ - introduced: 0.5.1
+ - fixed: 1.4.1
+ vulnerable_at: 1.4.0
+summary: HashiCorp Consul can use cleartext agent-to-agent RPC communication in github.com/hashicorp/consul
+cves:
+ - CVE-2018-19653
+ghsas:
+ - GHSA-4qvx-qq5w-695p
+references:
+ - advisory: https://github.com/advisories/GHSA-4qvx-qq5w-695p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2018-19653
+ - fix: https://github.com/hashicorp/consul/commit/b64e8b262f80397eab4f39c6ae7e14683cb9f55c
+ - fix: https://github.com/hashicorp/consul/pull/5069
+ - web: https://groups.google.com/forum/#!topic/consul-tool/7TCw06oio0I
+source:
+ id: GHSA-4qvx-qq5w-695p
+ created: 2024-08-20T11:47:27.065196-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1851.yaml b/data/reports/GO-2023-1851.yaml
new file mode 100644
index 00000000..7cb0affe
--- /dev/null
+++ b/data/reports/GO-2023-1851.yaml
@@ -0,0 +1,26 @@
+id: GO-2023-1851
+modules:
+ - module: github.com/hashicorp/consul
+ versions:
+ - fixed: 1.7.14
+ - introduced: 1.8.0
+ - fixed: 1.8.10
+ - introduced: 1.9.0
+ - fixed: 1.9.5
+ vulnerable_at: 1.9.4
+summary: HashiCorp Consul Cross-site Scripting vulnerability in github.com/hashicorp/consul
+cves:
+ - CVE-2020-25864
+ghsas:
+ - GHSA-8xmx-h8rq-h94j
+references:
+ - advisory: https://github.com/advisories/GHSA-8xmx-h8rq-h94j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-25864
+ - web: https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368
+ - web: https://security.gentoo.org/glsa/202208-09
+ - web: https://www.hashicorp.com/blog/category/consul
+source:
+ id: GHSA-8xmx-h8rq-h94j
+ created: 2024-08-20T11:47:31.956758-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1852.yaml b/data/reports/GO-2023-1852.yaml
new file mode 100644
index 00000000..f6b93c4f
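Review bot: In GO-2023-1851 the last reference, `- web: https://www.hashicorp.com/blog/category/consul`, is a blog category index rather than a page about this issue, so it gives a reader nothing to verify the version range against and its content will drift as new posts are published; the HCSEC-2021-07 discussion link and the Gentoo GLSA already carry the advisory content. I would drop the category link, or replace it with the specific commit or release that fixed CVE-2020-25864 as a `fix:` reference, since this report currently has no fix reference at all. GO-2023-1852 on the next line carries the same category link next to a proper `fix:` commit and could drop it for the same reason.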
--- /dev/null
+++ b/data/reports/GO-2023-1852.yaml
@@ -0,0 +1,23 @@
+id: GO-2023-1852
+modules:
+ - module: github.com/hashicorp/consul
+ versions:
+ - introduced: 1.4.0
+ - fixed: 1.5.1
+ vulnerable_at: 1.5.0
+summary: HashiCorp Consul Incorrect Access Control vulnerability in github.com/hashicorp/consul
+cves:
+ - CVE-2019-12291
+ghsas:
+ - GHSA-h65h-v7fw-4p38
+references:
+ - advisory: https://github.com/advisories/GHSA-h65h-v7fw-4p38
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-12291
+ - fix: https://github.com/hashicorp/consul/commit/36ebca1fd0129278487c6570449bc8cc03987890
+ - report: https://github.com/hashicorp/consul/issues/5888
+ - web: https://www.hashicorp.com/blog/category/consul
+source:
+ id: GHSA-h65h-v7fw-4p38
+ created: 2024-08-20T11:47:44.57167-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1853.yaml b/data/reports/GO-2023-1853.yaml
new file mode 100644
index 00000000..690b81c5
--- /dev/null
+++ b/data/reports/GO-2023-1853.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1853
+modules:
+ - module: github.com/hashicorp/consul
+ versions:
+ - fixed: 1.4.4
+ vulnerable_at: 1.4.3
+summary: HashiCorp Consul vulnerable to Origin Validation Error in github.com/hashicorp/consul
+cves:
+ - CVE-2019-9764
+ghsas:
+ - GHSA-q7fx-wm2p-qfj8
+references:
+ - advisory: https://github.com/advisories/GHSA-q7fx-wm2p-qfj8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-9764
+ - fix: https://github.com/hashicorp/consul/commit/7e11dd82aa8dae505b7307adcb68c9d3194b3b40
+ - report: https://github.com/hashicorp/consul/issues/5519
+source:
+ id: GHSA-q7fx-wm2p-qfj8
+ created: 2024-08-20T11:47:48.522611-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE