From 8ed6db9e9907ecc5f1efb6ec03ded56ac4299287 Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley
Date: Tue, 4 Jun 2024 16:39:30 -0400
Subject: [PATCH] data/reports: add 44 unreviewed reports

- data/reports/GO-2024-2576.yaml
- data/reports/GO-2024-2695.yaml
- data/reports/GO-2024-2737.yaml
- data/reports/GO-2024-2795.yaml
- data/reports/GO-2024-2799.yaml
- data/reports/GO-2024-2715.yaml
- data/reports/GO-2024-2798.yaml
- data/reports/GO-2024-2793.yaml
- data/reports/GO-2024-2705.yaml
- data/reports/GO-2024-2808.yaml
- data/reports/GO-2024-2875.yaml
- data/reports/GO-2024-2635.yaml
- data/reports/GO-2024-2707.yaml
- data/reports/GO-2024-2797.yaml
- data/reports/GO-2024-2726.yaml
- data/reports/GO-2024-2650.yaml
- data/reports/GO-2024-2698.yaml
- data/reports/GO-2024-2760.yaml
- data/reports/GO-2024-2788.yaml
- data/reports/GO-2024-2629.yaml
- data/reports/GO-2024-2771.yaml
- data/reports/GO-2024-2794.yaml
- data/reports/GO-2024-2637.yaml
- data/reports/GO-2024-2734.yaml
- data/reports/GO-2024-2764.yaml
- data/reports/GO-2024-2762.yaml
- data/reports/GO-2024-2566.yaml
- data/reports/GO-2024-2789.yaml
- data/reports/GO-2024-2664.yaml
- data/reports/GO-2024-2688.yaml
- data/reports/GO-2024-2697.yaml
- data/reports/GO-2024-2719.yaml
- data/reports/GO-2024-2718.yaml
- data/reports/GO-2024-2468.yaml
- data/reports/GO-2024-2717.yaml
- data/reports/GO-2024-2761.yaml
- data/reports/GO-2024-2796.yaml
- data/reports/GO-2024-2706.yaml
- data/reports/GO-2024-2722.yaml
- data/reports/GO-2024-2665.yaml
- data/reports/GO-2024-2750.yaml
- data/reports/GO-2024-2809.yaml
- data/reports/GO-2024-2696.yaml
- data/reports/GO-2024-2732.yaml
Fixes golang/vulndb#2576
Fixes golang/vulndb#2695
Fixes golang/vulndb#2737
Fixes golang/vulndb#2795
Fixes golang/vulndb#2799
Fixes golang/vulndb#2715
Fixes golang/vulndb#2798
Fixes golang/vulndb#2793
Fixes golang/vulndb#2705
Fixes golang/vulndb#2808
Fixes golang/vulndb#2875
Fixes golang/vulndb#2635
Fixes golang/vulndb#2707
Fixes golang/vulndb#2797
Fixes golang/vulndb#2726
Fixes golang/vulndb#2650
Fixes golang/vulndb#2698
Fixes golang/vulndb#2760
Fixes golang/vulndb#2788
Fixes golang/vulndb#2629
Fixes golang/vulndb#2771
Fixes golang/vulndb#2794
Fixes golang/vulndb#2637
Fixes golang/vulndb#2734
Fixes golang/vulndb#2764
Fixes golang/vulndb#2762
Fixes golang/vulndb#2566
Fixes golang/vulndb#2789
Fixes golang/vulndb#2664
Fixes golang/vulndb#2688
Fixes golang/vulndb#2697
Fixes golang/vulndb#2719
Fixes golang/vulndb#2718
Fixes golang/vulndb#2468
Fixes golang/vulndb#2717
Fixes golang/vulndb#2761
Fixes golang/vulndb#2796
Fixes golang/vulndb#2706
Fixes golang/vulndb#2722
Fixes golang/vulndb#2665
Fixes golang/vulndb#2750
Fixes golang/vulndb#2809
Fixes golang/vulndb#2696
Fixes golang/vulndb#2732
Change-Id: I8f664cb56ccc1fbce1437179178f78fa3825a1c5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590278
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Damien Neil
---
data/osv/GO-2024-2468.json | 65 +++++++++++
data/osv/GO-2024-2566.json | 49 ++++++++
data/osv/GO-2024-2576.json | 61 ++++++++++
data/osv/GO-2024-2629.json | 49 ++++++++
data/osv/GO-2024-2635.json | 49 ++++++++
data/osv/GO-2024-2637.json | 53 +++++++++
data/osv/GO-2024-2650.json | 47 ++++++++
data/osv/GO-2024-2664.json | 73 ++++++++++++
data/osv/GO-2024-2665.json | 73 ++++++++++++
data/osv/GO-2024-2688.json | 53 +++++++++
data/osv/GO-2024-2695.json | 65 +++++++++++
data/osv/GO-2024-2696.json | 49 ++++++++
data/osv/GO-2024-2697.json | 49 ++++++++
data/osv/GO-2024-2698.json | 53 +++++++++
data/osv/GO-2024-2705.json | 49 ++++++++
data/osv/GO-2024-2706.json | 65 +++++++++++
data/osv/GO-2024-2707.json | 49 ++++++++
data/osv/GO-2024-2715.json | 197 +++++++++++++++++++++++++++++++++
data/osv/GO-2024-2717.json | 53 +++++++++
data/osv/GO-2024-2718.json | 81 ++++++++++++++
data/osv/GO-2024-2719.json | 81 ++++++++++++++
data/osv/GO-2024-2722.json | 101 +++++++++++++++++
data/osv/GO-2024-2726.json | 71 ++++++++++++
data/osv/GO-2024-2732.json | 40 +++++++
data/osv/GO-2024-2734.json | 49 ++++++++
data/osv/GO-2024-2737.json | 52 +++++++++
data/osv/GO-2024-2750.json | 102 +++++++++++++++++
data/osv/GO-2024-2760.json | 49 ++++++++
data/osv/GO-2024-2761.json | 53 +++++++++
data/osv/GO-2024-2762.json | 52 +++++++++
data/osv/GO-2024-2764.json | 68 ++++++++++++
data/osv/GO-2024-2771.json | 49 ++++++++
data/osv/GO-2024-2788.json | 49 ++++++++
data/osv/GO-2024-2789.json | 81 ++++++++++++++
data/osv/GO-2024-2793.json | 66 +++++++++++
data/osv/GO-2024-2794.json | 76 +++++++++++++
data/osv/GO-2024-2795.json | 86 ++++++++++++++
data/osv/GO-2024-2796.json | 80 +++++++++++++
data/osv/GO-2024-2797.json | 86 ++++++++++++++
data/osv/GO-2024-2798.json | 86 ++++++++++++++
data/osv/GO-2024-2799.json | 44 ++++++++
data/osv/GO-2024-2808.json | 48 ++++++++
data/osv/GO-2024-2809.json | 56 ++++++++++
data/osv/GO-2024-2875.json | 48 ++++++++
data/reports/GO-2024-2468.yaml | 23 ++++
data/reports/GO-2024-2566.yaml | 23 ++++
data/reports/GO-2024-2576.yaml | 22 ++++
data/reports/GO-2024-2629.yaml | 32 ++++++
data/reports/GO-2024-2635.yaml | 21 ++++
data/reports/GO-2024-2637.yaml | 22 ++++
data/reports/GO-2024-2650.yaml | 16 +++
data/reports/GO-2024-2664.yaml | 37 +++++++
data/reports/GO-2024-2665.yaml | 39 +++++++
data/reports/GO-2024-2688.yaml | 21 ++++
data/reports/GO-2024-2695.yaml | 30 +++++
data/reports/GO-2024-2696.yaml | 26 +++++
data/reports/GO-2024-2697.yaml | 30 +++++
data/reports/GO-2024-2698.yaml | 25 +++++
data/reports/GO-2024-2705.yaml | 20 ++++
data/reports/GO-2024-2706.yaml | 30 +++++
data/reports/GO-2024-2707.yaml | 19 ++++
data/reports/GO-2024-2715.yaml | 64 +++++++++++
data/reports/GO-2024-2717.yaml | 20 ++++
data/reports/GO-2024-2718.yaml | 29 +++++
data/reports/GO-2024-2719.yaml | 29 +++++
data/reports/GO-2024-2722.yaml | 31 ++++++
data/reports/GO-2024-2726.yaml | 22 ++++
data/reports/GO-2024-2732.yaml | 15 +++
data/reports/GO-2024-2734.yaml | 21 ++++
data/reports/GO-2024-2737.yaml | 20 ++++
data/reports/GO-2024-2750.yaml | 31 ++++++
data/reports/GO-2024-2760.yaml | 25 +++++
data/reports/GO-2024-2761.yaml | 21 ++++
data/reports/GO-2024-2762.yaml | 20 ++++
data/reports/GO-2024-2764.yaml | 26 +++++
data/reports/GO-2024-2771.yaml | 22 ++++
data/reports/GO-2024-2788.yaml | 19 ++++
data/reports/GO-2024-2789.yaml | 28 +++++
data/reports/GO-2024-2793.yaml | 24 ++++
data/reports/GO-2024-2794.yaml | 27 +++++
data/reports/GO-2024-2795.yaml | 30 +++++
data/reports/GO-2024-2796.yaml | 28 +++++
data/reports/GO-2024-2797.yaml | 30 +++++
data/reports/GO-2024-2798.yaml | 30 +++++
data/reports/GO-2024-2799.yaml | 17 +++
data/reports/GO-2024-2808.yaml | 18 +++
data/reports/GO-2024-2809.yaml | 17 +++
data/reports/GO-2024-2875.yaml | 18 +++
88 files changed, 3973 insertions(+)
create mode 100644 data/osv/GO-2024-2468.json
create mode 100644 data/osv/GO-2024-2566.json
create mode 100644 data/osv/GO-2024-2576.json
create mode 100644 data/osv/GO-2024-2629.json
create mode 100644 data/osv/GO-2024-2635.json
create mode 100644 data/osv/GO-2024-2637.json
create mode 100644 data/osv/GO-2024-2650.json
create mode 100644 data/osv/GO-2024-2664.json
create mode 100644 data/osv/GO-2024-2665.json
create mode 100644 data/osv/GO-2024-2688.json
create mode 100644 data/osv/GO-2024-2695.json
create mode 100644 data/osv/GO-2024-2696.json
create mode 100644 data/osv/GO-2024-2697.json
create mode 100644 data/osv/GO-2024-2698.json
create mode 100644 data/osv/GO-2024-2705.json
create mode 100644 data/osv/GO-2024-2706.json
create mode 100644 data/osv/GO-2024-2707.json
create mode 100644 data/osv/GO-2024-2715.json
create mode 100644 data/osv/GO-2024-2717.json
create mode 100644 data/osv/GO-2024-2718.json
create mode 100644 data/osv/GO-2024-2719.json
create mode 100644 data/osv/GO-2024-2722.json
create mode 100644 data/osv/GO-2024-2726.json
create mode 100644 data/osv/GO-2024-2732.json
create mode 100644 data/osv/GO-2024-2734.json
create mode 100644 data/osv/GO-2024-2737.json
create mode 100644 data/osv/GO-2024-2750.json
create mode 100644 data/osv/GO-2024-2760.json
create mode 100644 data/osv/GO-2024-2761.json
create mode 100644 data/osv/GO-2024-2762.json
create mode 100644 data/osv/GO-2024-2764.json
create mode 100644 data/osv/GO-2024-2771.json
create mode 100644 data/osv/GO-2024-2788.json
create mode 100644 data/osv/GO-2024-2789.json
create mode 100644 data/osv/GO-2024-2793.json
create mode 100644 data/osv/GO-2024-2794.json
create mode 100644 data/osv/GO-2024-2795.json
create mode 100644 data/osv/GO-2024-2796.json
create mode 100644 data/osv/GO-2024-2797.json
create mode 100644 data/osv/GO-2024-2798.json
create mode 100644 data/osv/GO-2024-2799.json
create mode 100644 data/osv/GO-2024-2808.json
create mode 100644 data/osv/GO-2024-2809.json
create mode 100644 data/osv/GO-2024-2875.json
create mode 100644 data/reports/GO-2024-2468.yaml
create mode 100644 data/reports/GO-2024-2566.yaml
create mode 100644 data/reports/GO-2024-2576.yaml
create mode 100644 data/reports/GO-2024-2629.yaml
create mode 100644 data/reports/GO-2024-2635.yaml
create mode 100644 data/reports/GO-2024-2637.yaml
create mode 100644 data/reports/GO-2024-2650.yaml
create mode 100644 data/reports/GO-2024-2664.yaml
create mode 100644 data/reports/GO-2024-2665.yaml
create mode 100644 data/reports/GO-2024-2688.yaml
create mode 100644 data/reports/GO-2024-2695.yaml
create mode 100644 data/reports/GO-2024-2696.yaml
create mode 100644 data/reports/GO-2024-2697.yaml
create mode 100644 data/reports/GO-2024-2698.yaml
create mode 100644 data/reports/GO-2024-2705.yaml
create mode 100644 data/reports/GO-2024-2706.yaml
create mode 100644 data/reports/GO-2024-2707.yaml
create mode 100644 data/reports/GO-2024-2715.yaml
create mode 100644 data/reports/GO-2024-2717.yaml
create mode 100644 data/reports/GO-2024-2718.yaml
create mode 100644 data/reports/GO-2024-2719.yaml
create mode 100644 data/reports/GO-2024-2722.yaml
create mode 100644 data/reports/GO-2024-2726.yaml
create mode 100644 data/reports/GO-2024-2732.yaml
create mode 100644 data/reports/GO-2024-2734.yaml
create mode 100644 data/reports/GO-2024-2737.yaml
create mode 100644 data/reports/GO-2024-2750.yaml
create mode 100644 data/reports/GO-2024-2760.yaml
create mode 100644 data/reports/GO-2024-2761.yaml
create mode 100644 data/reports/GO-2024-2762.yaml
create mode 100644 data/reports/GO-2024-2764.yaml
create mode 100644 data/reports/GO-2024-2771.yaml
create mode 100644 data/reports/GO-2024-2788.yaml
create mode 100644 data/reports/GO-2024-2789.yaml
create mode 100644 data/reports/GO-2024-2793.yaml
create mode 100644 data/reports/GO-2024-2794.yaml
create mode 100644 data/reports/GO-2024-2795.yaml
create mode 100644 data/reports/GO-2024-2796.yaml
create mode 100644 data/reports/GO-2024-2797.yaml
create mode 100644 data/reports/GO-2024-2798.yaml
create mode 100644 data/reports/GO-2024-2799.yaml
create mode 100644 data/reports/GO-2024-2808.yaml
create mode 100644 data/reports/GO-2024-2809.yaml
create mode 100644 data/reports/GO-2024-2875.yaml
diff --git a/data/osv/GO-2024-2468.json b/data/osv/GO-2024-2468.json
new file mode 100644
index 00000000..54e341ca
--- /dev/null
+++ b/data/osv/GO-2024-2468.json
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2468", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-3328", + "GHSA-cjqf-877p-7m3f" + ], + "summary": "snapd Race Condition vulnerability in github.com/snapcore/snapd", + "details": "snapd Race Condition vulnerability in github.com/snapcore/snapd", + "affected": [ + { + "package": { + "name": "github.com/snapcore/snapd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-cjqf-877p-7m3f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3328" + }, + { + "type": "FIX", + "url": "https://github.com/snapcore/snapd/commit/21ebc51f00b8a1417888faa2e83a372fd29d0f5e" + }, + { + "type": "FIX", + "url": "https://github.com/snapcore/snapd/commit/6226cdc57052f4b7057d92f2e549aa169e35cd2d" + }, + { + "type": "FIX", + "url": "https://github.com/snapcore/snapd/pull/12380" + }, + { + "type": "WEB", + "url": "https://ubuntu.com/security/notices/USN-5753-1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2468", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2566.json b/data/osv/GO-2024-2566.json new file mode 100644 index 00000000..61a6e3ab --- /dev/null +++ b/data/osv/GO-2024-2566.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2566", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-24776", + "GHSA-r833-w756-h5p2" + ], + "summary": "Mattermost fails to check the required permissions in github.com/mattermost/mattermost/server/v8", + "details": "Mattermost fails to check the required permissions in github.com/mattermost/mattermost/server/v8", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-r833-w756-h5p2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24776" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2566", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2576.json b/data/osv/GO-2024-2576.json new file mode 100644 index 00000000..db598feb --- /dev/null +++ b/data/osv/GO-2024-2576.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2576", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-1485", + "GHSA-84xv-jfrm-h4gm" + ], + "summary": "registry-support: decompress can delete files outside scope via relative paths in github.com/devfile/registry-support/registry-library", + "details": "registry-support: decompress can delete files outside scope via relative paths in github.com/devfile/registry-support/registry-library", + "affected": [ + { + "package": { + "name": "github.com/devfile/registry-support/registry-library", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-84xv-jfrm-h4gm" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1485" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-1485" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264106" + }, + { + "type": "WEB", + "url": "https://github.com/devfile/registry-support/commit/0e44b9ca6d03fac4fc3f77d37656d56dc5defe0d" + }, + { + "type": "WEB", + "url": "https://github.com/devfile/registry-support/pull/197" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2576", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2629.json b/data/osv/GO-2024-2629.json new file mode 100644 index 00000000..f6e420ab --- /dev/null +++ b/data/osv/GO-2024-2629.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2629", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-1442", + "GHSA-5mxf-42f5-j782" + ], + "summary": "Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana", + "details": "Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-5mxf-42f5-j782" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1442" + }, + { + "type": "WEB", + "url": "https://grafana.com/security/security-advisories/cve-2024-1442" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2629", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2635.json b/data/osv/GO-2024-2635.json new file mode 100644 index 00000000..e6ddbaf5 --- /dev/null +++ b/data/osv/GO-2024-2635.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2635", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-1952", + "GHSA-r4fm-g65h-cr54" + ], + "summary": "Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost/server/v8", + "details": "Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost/server/v8", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-r4fm-g65h-cr54" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1952" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2635", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2637.json b/data/osv/GO-2024-2637.json new file mode 100644 index 00000000..c8a59f93 --- /dev/null +++ b/data/osv/GO-2024-2637.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2637", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-28197", + "GHSA-mq4x-r2w3-j7mr" + ], + "summary": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel", + "details": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel", + "affected": [ + { + "package": { + "name": "github.com/zitadel/zitadel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28197" + }, + { + "type": "FIX", + "url": "https://github.com/zitadel/zitadel/commit/d4c553b75a214e41299af010ef4b26174a0f802c" + }, + { + "type": "FIX", + "url": "https://github.com/zitadel/zitadel/commit/e82cb51eb819c6cdba8123c9c34c5739b46b29eb" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2637", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2650.json b/data/osv/GO-2024-2650.json new file mode 100644 index 00000000..625dc54d --- /dev/null +++ b/data/osv/GO-2024-2650.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2650", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-v8mx-hp2q-gw85" + ], + "summary": "Golang SDK for Vela Insecure Variable Substitution in github.com/go-vela/sdk-go", + "details": "Golang SDK for Vela Insecure Variable Substitution in github.com/go-vela/sdk-go", + "affected": [ + { + "package": { + "name": "github.com/go-vela/sdk-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.23.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/go-vela/sdk-go/security/advisories/GHSA-v8mx-hp2q-gw85" + }, + { + "type": "FIX", + "url": "https://github.com/go-vela/sdk-go/commit/e3a34719badf37928e60f4402abe51f8b50055e1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2650", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2664.json b/data/osv/GO-2024-2664.json new file mode 100644 index 00000000..80a229f1 --- /dev/null +++ b/data/osv/GO-2024-2664.json 
@@ -0,0 +1,73 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2664", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-29892", + "GHSA-gp8g-f42f-95q2" + ], + "summary": "ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel", + "details": "ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel", + "affected": [ + { + "package": { + "name": "github.com/zitadel/zitadel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29892" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2664", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2665.json b/data/osv/GO-2024-2665.json new file mode 100644 index 00000000..7ea13680 --- /dev/null +++ b/data/osv/GO-2024-2665.json 
@@ -0,0 +1,73 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2665", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-29891", + "GHSA-hr5w-cwwq-2v4m" + ], + "summary": "ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel", + "details": "ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel", + "affected": [ + { + "package": { + "name": "github.com/zitadel/zitadel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29891" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2665", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2688.json b/data/osv/GO-2024-2688.json new file mode 100644 index 00000000..b2fef551 --- /dev/null +++ b/data/osv/GO-2024-2688.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2688", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-31420", + "GHSA-vjhf-6xfr-5p9g" + ], + "summary": "KubeVirt NULL pointer dereference flaw in kubevirt.io/kubevirt", + "details": "KubeVirt NULL pointer dereference flaw in kubevirt.io/kubevirt", + "affected": [ + { + "package": { + "name": "kubevirt.io/kubevirt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-vjhf-6xfr-5p9g" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31420" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-31420" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272951" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2688", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2695.json b/data/osv/GO-2024-2695.json new file mode 100644 index 00000000..42d0911f --- /dev/null +++ b/data/osv/GO-2024-2695.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2695", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-28949", + "GHSA-mcw6-3256-64gg" + ], + "summary": "Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost/server/v8", + "details": "Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost/server/v8", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mcw6-3256-64gg" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28949" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/11a21f4da352a472a09de3b8e125514750a6619a" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/362b7d29d35c00fe80721d3d47442a4f3168eb2b" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/5632d6b4ff6d019a21bb8ddd037d4a931cd85ae2" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/88f9285173dc4cb35fa19a8b8604e098a567f704" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2695", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2696.json b/data/osv/GO-2024-2696.json new file mode 100644 index 00000000..e3ecc7a3 --- /dev/null +++ b/data/osv/GO-2024-2696.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2696", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-2447", + "GHSA-wp43-vprh-c3w5" + ], + "summary": "Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost/server/v8", + "details": "Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost/server/v8", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-wp43-vprh-c3w5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2447" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2696", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2697.json b/data/osv/GO-2024-2697.json new file mode 100644 index 00000000..ab102807 --- /dev/null +++ b/data/osv/GO-2024-2697.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2697", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-1313", + "GHSA-67rv-qpw2-6qrr" + ], + "summary": "Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana", + "details": "Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-67rv-qpw2-6qrr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1313" + }, + { + "type": "WEB", + "url": "https://grafana.com/security/security-advisories/cve-2024-1313" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2697", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2698.json b/data/osv/GO-2024-2698.json new file mode 100644 index 00000000..332f1cd9 --- /dev/null +++ b/data/osv/GO-2024-2698.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2698", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-0406", + "GHSA-rhh4-rh7c-7r5v" + ], + "summary": "Archiver Path Traversal vulnerability in github.com/mholt/archiver/v3", + "details": "Archiver Path Traversal vulnerability in github.com/mholt/archiver/v3", + "affected": [ + { + "package": { + "name": "github.com/mholt/archiver/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-rhh4-rh7c-7r5v" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0406" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-0406" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2698", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2705.json b/data/osv/GO-2024-2705.json new file mode 100644 index 00000000..98744f8b --- /dev/null +++ b/data/osv/GO-2024-2705.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2705", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-3135", + "GHSA-jhvf-7c85-3c9g" + ], + "summary": "LocalAI cross-site request forgery vulnerability in github.com/go-skynet/LocalAI", + "details": "LocalAI cross-site request forgery vulnerability in github.com/go-skynet/LocalAI", + "affected": [ + { + "package": { + "name": "github.com/go-skynet/LocalAI", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-jhvf-7c85-3c9g" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3135" + }, + { + "type": "WEB", + "url": "https://huntr.com/bounties/7afdc4d3-4b68-45ea-96d0-cf9ed3712ae8" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2705", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2706.json b/data/osv/GO-2024-2706.json new file mode 100644 index 00000000..9730477f --- /dev/null +++ b/data/osv/GO-2024-2706.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2706", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-29221", + "GHSA-w67v-ph4x-f48q" + ], + "summary": "Mattermost Server Improper Access Control in github.com/mattermost/mattermost/server/v8", + "details": "Mattermost Server Improper Access Control in github.com/mattermost/mattermost/server/v8", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-w67v-ph4x-f48q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29221" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/0dc03fbc6e3c9afb14137e72ab3fa6f5a0125b9c" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/5cce9fed7363386afebd81a58fb5fab7d2729c8f" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/a5784f34ba6592c6454b8742f24af9d06279e347" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/dd3fe2991a70a41790d6bef5d31afc5957525f3c" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2706", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2707.json b/data/osv/GO-2024-2707.json new file mode 100644 index 00000000..984faa18 --- /dev/null +++ b/data/osv/GO-2024-2707.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2707", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-21848", + "GHSA-xp9j-8p68-9q93" + ], + "summary": "Mattermost Server Improper Access Control in github.com/mattermost/mattermost/server/v8", + "details": "Mattermost Server Improper Access Control in github.com/mattermost/mattermost/server/v8", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-xp9j-8p68-9q93" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21848" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2707", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2715.json b/data/osv/GO-2024-2715.json new file mode 100644 index 00000000..ad1fe31c --- /dev/null +++ b/data/osv/GO-2024-2715.json 
@@ -0,0 +1,197 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2715", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-32644", + "GHSA-3fp5-2xwh-fxm6" + ], + "summary": "Evmos transaction execution not accounting for all state transition after interaction with precompiles in github.com/evmos/evmos/v16", + "details": "Evmos transaction execution not accounting for all state transition after interaction with precompiles in github.com/evmos/evmos/v16", + "affected": [ + { + "package": { + "name": "github.com/evmos/evmos/v16", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/evmos/evmos/v7", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/tharsis/evmos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/tharsis/evmos/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/tharsis/evmos/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + 
"package": { + "name": "github.com/tharsis/evmos/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/tharsis/evmos/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/evmos/evmos/security/advisories/GHSA-3fp5-2xwh-fxm6" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32644" + }, + { + "type": "WEB", + "url": "https://github.com/evmos/evmos/blob/b196a522ba4951890b40992e9f97aa610f8b5f9c/x/evm/statedb/state_object.go#L53-L68" + }, + { + "type": "WEB", + "url": "https://github.com/evmos/evmos/blob/b196a522ba4951890b40992e9f97aa610f8b5f9c/x/evm/statedb/statedb.go#L33-L55" + }, + { + "type": "WEB", + "url": "https://github.com/evmos/evmos/blob/b196a522ba4951890b40992e9f97aa610f8b5f9c/x/evm/statedb/statedb.go#L460-L465" + }, + { + "type": "WEB", + "url": "https://github.com/evmos/evmos/commit/08982b5ee726b97bc50eaf58d1914829648b6a5f" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2715", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2717.json b/data/osv/GO-2024-2717.json new file mode 100644 index 00000000..fabe14f9 --- /dev/null +++ b/data/osv/GO-2024-2717.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2717", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-2029", + "GHSA-wx43-g55g-2jf4" + ], + "summary": "LocalAI Command Injection in audioToWav in github.com/go-skynet/LocalAI", + "details": "LocalAI Command Injection in audioToWav in github.com/go-skynet/LocalAI", + "affected": [ + { + "package": { + "name": "github.com/go-skynet/LocalAI", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-wx43-g55g-2jf4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2029" + }, + { + "type": "WEB", + "url": "https://github.com/mudler/localai/commit/31a4c9c9d3abc58de2bdc5305419181c8b33eb1c" + }, + { + "type": "WEB", + "url": "https://huntr.com/bounties/e092528a-ce3b-4e66-9b98-3f56d6b276b0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2717", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2718.json b/data/osv/GO-2024-2718.json new file mode 100644 index 00000000..8b5c1243 --- /dev/null +++ b/data/osv/GO-2024-2718.json 
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2718", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-29902", + "GHSA-88jx-383q-w4qc" + ], + "summary": "Cosign malicious attachments can cause system-wide denial of service in github.com/sigstore/cosign", + "details": "Cosign malicious attachments can cause system-wide denial of service in github.com/sigstore/cosign", + "affected": [ + { + "package": { + "name": "github.com/sigstore/cosign", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/sigstore/cosign/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29902" + }, + { + "type": "FIX", + "url": "https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e" + }, + { + "type": "WEB", + "url": "https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40" + }, + { + "type": "WEB", + "url": "https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239" + }, + { + "type": "WEB", + "url": "https://github.com/sigstore/cosign/releases/tag/v2.2.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2718", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2719.json b/data/osv/GO-2024-2719.json new file mode 100644 index 00000000..41ac368d --- /dev/null +++ b/data/osv/GO-2024-2719.json 
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2719", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-29903", + "GHSA-95pr-fxf5-86gv" + ], + "summary": "Cosign malicious artifacts can cause machine-wide DoS in github.com/sigstore/cosign", + "details": "Cosign malicious artifacts can cause machine-wide DoS in github.com/sigstore/cosign", + "affected": [ + { + "package": { + "name": "github.com/sigstore/cosign", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/sigstore/cosign/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29903" + }, + { + "type": "FIX", + "url": "https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e" + }, + { + "type": "WEB", + "url": "https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go#L948-L955" + }, + { + "type": "WEB", + "url": "https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70" + }, + { + "type": "WEB", + "url": "https://github.com/sigstore/cosign/releases/tag/v2.2.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2719", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2722.json b/data/osv/GO-2024-2722.json new file mode 100644 index 00000000..ad111595 --- /dev/null +++ b/data/osv/GO-2024-2722.json 
@@ -0,0 +1,101 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2722", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-28869", + "GHSA-4vwx-54mw-vqfw" + ], + "summary": "Traefik vulnerable to denial of service with Content-length header in github.com/traefik/traefik", + "details": "Traefik vulnerable to denial of service with Content-length header in github.com/traefik/traefik", + "affected": [ + { + "package": { + "name": "github.com/traefik/traefik", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.11.2" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "3.0.0-beta3" + }, + { + "fixed": "3.0.0-rc5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28869" + }, + { + "type": "FIX", + "url": "https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9c6" + }, + { + "type": "WEB", + "url": "https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v2.11.2" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2722", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-2726.json b/data/osv/GO-2024-2726.json new file mode 100644 index 00000000..b9475352 --- /dev/null +++ b/data/osv/GO-2024-2726.json @@ -0,0 +1,71 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2726", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-7f4j-64p6-5h5v" + ], + "summary": "Traefik affected by HTTP/2 CONTINUATION flood in net/http in github.com/traefik/traefik/v2", + "details": "Traefik affected by HTTP/2 CONTINUATION flood in net/http in github.com/traefik/traefik/v2", + "affected": [ + { + "package": { + "name": "github.com/traefik/traefik/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.11.2" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "3.0.0-rc1" + }, + { + "fixed": "3.0.0-rc5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/traefik/traefik/security/advisories/GHSA-7f4j-64p6-5h5v" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v2.11.2" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2726", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2732.json b/data/osv/GO-2024-2732.json new file mode 100644 index 00000000..cc13c1b1 --- /dev/null +++ b/data/osv/GO-2024-2732.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2732", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-v6rw-hhgg-wc4x" + ], + "summary": "Evmos vulnerable to DOS and transaction fee expropiation through Authz exploit in github.com/evmos/evmos/v11", + "details": "Evmos vulnerable to DOS and transaction fee expropiation through Authz exploit in github.com/evmos/evmos/v11", + "affected": [ + { + "package": { + "name": "github.com/evmos/evmos/v11", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/evmos/evmos/security/advisories/GHSA-v6rw-hhgg-wc4x" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2732", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2734.json b/data/osv/GO-2024-2734.json new file mode 100644 index 00000000..be4eb4d0 --- /dev/null +++ b/data/osv/GO-2024-2734.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2734", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-30257", + "GHSA-6m9h-2pr2-9j8f" + ], + "summary": "1Panel's password verification is suspected to have a timing attack vulnerability in github.com/1Panel-dev/1Panel", + "details": "1Panel's password verification is suspected to have a timing attack vulnerability in github.com/1Panel-dev/1Panel", + "affected": [ + { + "package": { + "name": "github.com/1Panel-dev/1Panel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-6m9h-2pr2-9j8f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30257" + }, + { + "type": "WEB", + "url": "https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2734", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2737.json b/data/osv/GO-2024-2737.json new file mode 100644 index 00000000..fafa0198 --- /dev/null +++ b/data/osv/GO-2024-2737.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2737", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-32473", + "GHSA-x84c-p2g9-rqv9" + ], + "summary": "IPv6 enabled on IPv4-only network interfaces in github.com/docker/docker", + "details": "IPv6 enabled on IPv4-only network interfaces in github.com/docker/docker", + "affected": [ + { + "package": { + "name": "github.com/docker/docker", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "26.0.0+incompatible" + }, + { + "fixed": "26.0.2+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32473" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2737", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2750.json b/data/osv/GO-2024-2750.json new file mode 100644 index 00000000..7f73ef91 --- /dev/null +++ b/data/osv/GO-2024-2750.json 
@@ -0,0 +1,102 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2750", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-8567", + "GHSA-2v35-wj4r-rcmv" + ], + "summary": "Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure", + "details": "Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure", + "affected": [ + { + "package": { + "name": "github.com/Azure/secrets-store-csi-driver-provider-azure", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.2.0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/hashicorp/vault-csi-provider", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2v35-wj4r-rcmv" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8567" + }, + { + "type": "FIX", + "url": "https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/298" + }, + { + "type": "FIX", + "url": "https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/pull/74" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/secrets-store-csi-driver-provider-vault/pull/50" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384" + }, + { + "type": "WEB", + "url": 
"https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2750", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2760.json b/data/osv/GO-2024-2760.json new file mode 100644 index 00000000..78d4af77 --- /dev/null +++ b/data/osv/GO-2024-2760.json @@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2760", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-36775", + "GHSA-28g7-896h-695v" + ], + "summary": "Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher", + "details": "Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher", + "affected": [ + { + "package": { + "name": "github.com/rancher/rancher", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/rancher/rancher/security/advisories/GHSA-28g7-896h-695v" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36775" + }, + { + "type": "WEB", + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1189120" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2760", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2761.json b/data/osv/GO-2024-2761.json new file mode 100644 index 00000000..0f28f7d9 --- /dev/null +++ b/data/osv/GO-2024-2761.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2761", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-11881", + "GHSA-2p4g-jrmx-r34m" + ], + "summary": "Rancher Login Parameter Can Be Edited in github.com/rancher/rancher", + "details": "Rancher Login Parameter Can Be Edited in github.com/rancher/rancher", + "affected": [ + { + "package": { + "name": "github.com/rancher/rancher", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2p4g-jrmx-r34m" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11881" + }, + { + "type": "REPORT", + "url": "https://github.com/rancher/rancher/issues/20216" + }, + { + "type": "WEB", + "url": "https://github.com/MauroEldritch/VanCleef" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2761", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2762.json b/data/osv/GO-2024-2762.json new file mode 100644 index 00000000..b78f2fcb --- /dev/null +++ b/data/osv/GO-2024-2762.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2762", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-12303", + "GHSA-53pj-67m4-9w98" + ], + "summary": "Rancher code injection via fluentd config commands in github.com/rancher/rancher", + "details": "Rancher code injection via fluentd config commands in github.com/rancher/rancher", + "affected": [ + { + "package": { + "name": "github.com/rancher/rancher", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.0.0+incompatible" + }, + { + "fixed": "2.2.4+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-53pj-67m4-9w98" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12303" + }, + { + "type": "WEB", + "url": "https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2762", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2764.json b/data/osv/GO-2024-2764.json new file mode 100644 index 00000000..df646402 --- /dev/null +++ b/data/osv/GO-2024-2764.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2764", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2019-6287", + "GHSA-6r7x-4q7g-h83j" + ], + "summary": "Rancher Project Members Have Continued Access to Namespaces After Being Removed From Them in github.com/rancher/rancher", + "details": "Rancher Project Members Have Continued Access to Namespaces After Being Removed From Them in github.com/rancher/rancher", + "affected": [ + { + "package": { + "name": "github.com/rancher/rancher", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.0.0+incompatible" + }, + { + "fixed": "2.1.6+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-6r7x-4q7g-h83j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6287" + }, + { + "type": "REPORT", + "url": "https://github.com/rancher/rancher/issues/17244" + }, + { + "type": "REPORT", + "url": "https://github.com/rancher/rancher/issues/17724" + }, + { + "type": "WEB", + "url": "https://forums.rancher.com/t/rancher-release-v2-1-6/13148" + }, + { + "type": "WEB", + "url": "https://forums.rancher.com/t/rancher-security-announcement-cve-2018-20321-and-cve-2019-6287/13149" + }, + { + "type": "WEB", + "url": "https://rancher.com/blog/2019/2019-01-29-explaining-security-vulnerabilities-addressed-in-rancher-v2-1-6-and-v2-0-11" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2764", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2771.json b/data/osv/GO-2024-2771.json new file mode 100644 index 00000000..5a04ca84 --- /dev/null +++ b/data/osv/GO-2024-2771.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2771", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-36776", + "GHSA-gvh9-xgrq-r8hw" + ], + "summary": "Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher", + "details": "Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher", + "affected": [ + { + "package": { + "name": "github.com/rancher/rancher", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-gvh9-xgrq-r8hw" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36776" + }, + { + "type": "WEB", + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1189413" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2771", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2788.json b/data/osv/GO-2024-2788.json new file mode 100644 index 00000000..749011b1 --- /dev/null +++ b/data/osv/GO-2024-2788.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2788", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-32868", + "GHSA-7j7j-66cv-m239" + ], + "summary": "ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel", + "details": "ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel", + "affected": [ + { + "package": { + "name": "github.com/zitadel/zitadel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32868" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2788", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2789.json b/data/osv/GO-2024-2789.json new file mode 100644 index 00000000..25b1e365 --- /dev/null +++ b/data/osv/GO-2024-2789.json 
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2789", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-1139", + "GHSA-x5m7-63c6-fx79" + ], + "summary": "Cluster Monitoring Operator contains a credentials leak in github.com/openshift/cluster-monitoring-operator", + "details": "Cluster Monitoring Operator contains a credentials leak in github.com/openshift/cluster-monitoring-operator", + "affected": [ + { + "package": { + "name": "github.com/openshift/cluster-monitoring-operator", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-x5m7-63c6-fx79" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1139" + }, + { + "type": "FIX", + "url": "https://github.com/openshift/cluster-monitoring-operator/commit/1cfbe9ffafe1e43f8f87a451b72fddf5d76fa4e3" + }, + { + "type": "FIX", + "url": "https://github.com/openshift/cluster-monitoring-operator/pull/1747" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:1887" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:1891" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:2047" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:2782" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-1139" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262158" + }, + { + "type": "WEB", + "url": "https://github.com/openshift/cluster-monitoring-operator/blob/d45a3335c2bbada0948adef9fcba55c4e14fa1d7/pkg/manifests/manifests.go#L3135" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2789", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-2793.json b/data/osv/GO-2024-2793.json new file mode 100644 index 00000000..418413b4 --- /dev/null +++ b/data/osv/GO-2024-2793.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2793", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-4195", + "GHSA-5fh7-7mw7-mmx5" + ], + "summary": "Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server", + "details": "Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "8.1.0+incompatible" + }, + { + "fixed": "8.1.12+incompatible" + }, + { + "introduced": "9.5.0+incompatible" + }, + { + "fixed": "9.5.3+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-5fh7-7mw7-mmx5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4195" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/1e3497e0595bb4f9908c94dd9d4685d48556b7e8" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/f0872dd4e4ba34f061aa6982a71c7c29532aac2e" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2793", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2794.json b/data/osv/GO-2024-2794.json new file mode 100644 index 00000000..5711b080 --- /dev/null +++ b/data/osv/GO-2024-2794.json 
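Review bot: The Mattermost report in this hunk, and the GO-2024-2794 through GO-2024-2798 hunks below, use the module path `github.com/mattermost/mattermost-server` with `+incompatible` versions, while the YAML reports later in this commit (GO-2024-2566, GO-2024-2635, GO-2024-2695, GO-2024-2696) file the same product under `github.com/mattermost/mattermost/server/v8` with `non_go_versions`. The fix commits referenced here live in github.com/mattermost/mattermost, so the `mattermost-server` path looks like an artifact of the alias import rather than a module that actually ships 8.1.12 or 9.5.3; if so, govulncheck users on the v8 module will not be matched by these entries. The two conventions should be reconciled to a single module path when these are reviewed.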
@@ -0,0 +1,76 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2794", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-4198", + "GHSA-5qx9-9ffj-5r8f" + ], + "summary": "Mattermost fails to fully validate role changes in github.com/mattermost/mattermost-server", + "details": "Mattermost fails to fully validate role changes in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "8.1.0+incompatible" + }, + { + "fixed": "8.1.12+incompatible" + }, + { + "introduced": "9.5.0+incompatible" + }, + { + "fixed": "9.5.3+incompatible" + }, + { + "introduced": "9.6.0-rc1+incompatible" + }, + { + "fixed": "9.6.1+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-5qx9-9ffj-5r8f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4198" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/3d6d8a7c1f7105558fe266a1b379859a4dba4e9b" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/408ce4a82bb55ce27801f7044d9b3b49e82c47ed" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/fba5b8e348feada9b21290369c3598ccd5c04424" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2794", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2795.json b/data/osv/GO-2024-2795.json new file mode 100644 index 00000000..9f1663f8 --- /dev/null +++ b/data/osv/GO-2024-2795.json 
@@ -0,0 +1,86 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2795", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-4182", + "GHSA-8f99-g2pj-x8w3" + ], + "summary": "Mattermost crashes web clients via a malformed custom status in github.com/mattermost/mattermost-server", + "details": "Mattermost crashes web clients via a malformed custom status in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "8.1.0+incompatible" + }, + { + "fixed": "8.1.12+incompatible" + }, + { + "introduced": "9.4.0+incompatible" + }, + { + "fixed": "9.4.5+incompatible" + }, + { + "introduced": "9.5.0+incompatible" + }, + { + "fixed": "9.5.3+incompatible" + }, + { + "introduced": "9.6.0-rc1+incompatible" + }, + { + "fixed": "9.6.1+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8f99-g2pj-x8w3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4182" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/41333a0babf565453d89287549bec1e546e75ce7" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/6cbab0f7ece104681f73dd12c75d9f22d567125e" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/a99dadd80c57d376185ca06f8f70919a6f135bc6" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/f84f8ed65f6a5faba974426424b684635455a527" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2795", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-2796.json b/data/osv/GO-2024-2796.json new file mode 100644 index 00000000..5c4e6229 --- /dev/null +++ b/data/osv/GO-2024-2796.json 
@@ -0,0 +1,80 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2796", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-22091", + "GHSA-p2wq-4ggp-45f3" + ], + "summary": "Mattermost fails to limit the size of a request path in github.com/mattermost/mattermost-server", + "details": "Mattermost fails to limit the size of a request path in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "8.1.0+incompatible" + }, + { + "fixed": "8.1.12+incompatible" + }, + { + "introduced": "9.5.0+incompatible" + }, + { + "fixed": "9.5.3+incompatible" + }, + { + "introduced": "9.6.0-rc1+incompatible" + }, + { + "fixed": "9.6.1+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-p2wq-4ggp-45f3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22091" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/13049d8b16b195f98246dff4812b5f64c1e5a627" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/49e7c477246e31c7a0bd85c1043599121755b260" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/54478f2ccbc6c4f110706966adfe0db2c16a566c" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/f6d320017549ec66efb5fdd4bc10b66ab36abb70" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2796", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2797.json b/data/osv/GO-2024-2797.json new file mode 100644 index 00000000..a810be01 --- /dev/null 
+++ b/data/osv/GO-2024-2797.json @@ -0,0 +1,86 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2797", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-32046", + "GHSA-vx97-8q8q-qgq5" + ], + "summary": "Mattermost's detailed error messages reveal the full file path in github.com/mattermost/mattermost-server", + "details": "Mattermost's detailed error messages reveal the full file path in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "8.1.0+incompatible" + }, + { + "fixed": "8.1.12+incompatible" + }, + { + "introduced": "9.4.0+incompatible" + }, + { + "fixed": "9.4.5+incompatible" + }, + { + "introduced": "9.5.0+incompatible" + }, + { + "fixed": "9.5.3+incompatible" + }, + { + "introduced": "9.6.0-rc1+incompatible" + }, + { + "fixed": "9.6.1+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-vx97-8q8q-qgq5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32046" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/2a48b5b3428cae494452125401e4f72780543ac8" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/93738756ff79777c6e340c8de63a7b4b0f881d27" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/aa222c66b799c12e32eeb8eae6f555bf6140375b" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/c84c25b20c8b8726a2f126ae9370a72498096172" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2797", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-2798.json b/data/osv/GO-2024-2798.json new file mode 100644 index 00000000..fb1ac5ce --- /dev/null +++ b/data/osv/GO-2024-2798.json 
@@ -0,0 +1,86 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2798", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-4183", + "GHSA-wj37-mpq9-xrcm" + ], + "summary": "Mattermost fails to limit the number of active sessions in github.com/mattermost/mattermost-server", + "details": "Mattermost fails to limit the number of active sessions in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "8.1.0+incompatible" + }, + { + "fixed": "8.1.12+incompatible" + }, + { + "introduced": "9.4.0+incompatible" + }, + { + "fixed": "9.4.5+incompatible" + }, + { + "introduced": "9.5.0+incompatible" + }, + { + "fixed": "9.5.3+incompatible" + }, + { + "introduced": "9.6.0-rc1+incompatible" + }, + { + "fixed": "9.6.1+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-wj37-mpq9-xrcm" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4183" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/86920d641760552c5aafa5e1d14c93bd30039bc4" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/9d81eee979aee93374bff8ba6714d805e12ffb03" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/b45c3dac4c160992a1ce757ade968e8f5ec506c1" + }, + { + "type": "WEB", + "url": "https://github.com/mattermost/mattermost/commit/bc699e6789cf3ba1544235087897699aaa639e7d" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2798", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-2799.json b/data/osv/GO-2024-2799.json new file mode 100644 index 00000000..eeeb72f0 --- /dev/null +++ b/data/osv/GO-2024-2799.json @@ -0,0 +1,44 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2799", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-32883" + ], + "summary": "MCUboot Injection attack of unprotected TLV values in github.com/mcu-tools/mcuboot", + "details": "MCUboot Injection attack of unprotected TLV values in github.com/mcu-tools/mcuboot", + "affected": [ + { + "package": { + "name": "github.com/mcu-tools/mcuboot", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32883" + }, + { + "type": "WEB", + "url": "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2799", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2808.json b/data/osv/GO-2024-2808.json new file mode 100644 index 00000000..623807de --- /dev/null +++ b/data/osv/GO-2024-2808.json 
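Review bot: `github.com/mcu-tools/mcuboot` is recorded here as a package in ecosystem `Go`, and the same pattern recurs for `github.com/firebase/firebase-tools` (GO-2024-2808) and `github.com/requarks/wiki` (GO-2024-2875) below; as far as I can tell none of these repositories is primarily a Go module, so these entries are likely mis-attributed ecosystem imports that will match nothing in govulncheck and should be checked for a real Go module path or withdrawn. Separately in this hunk, the GHSA id that appears only in the WEB reference URL (`GHSA-m59c-q9gq-rh2j`) is missing from `aliases`, which prevents deduplication against that advisory.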
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2808", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-4128" + ], + "summary": "CSRF in firebase-tools emulator suite in github.com/firebase/firebase-tools", + "details": "CSRF in firebase-tools emulator suite in github.com/firebase/firebase-tools", + "affected": [ + { + "package": { + "name": "github.com/firebase/firebase-tools", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4128" + }, + { + "type": "FIX", + "url": "https://github.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0" + }, + { + "type": "FIX", + "url": "https://github.com/firebase/firebase-tools/pull/6944" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2808", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2809.json b/data/osv/GO-2024-2809.json new file mode 100644 index 00000000..47b48606 --- /dev/null +++ b/data/osv/GO-2024-2809.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2809", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-32359" + ], + "summary": "CVE-2024-32359 in github.com/carina-io/carina", + "details": "CVE-2024-32359 in github.com/carina-io/carina", + "affected": [ + { + "package": { + "name": "github.com/carina-io/carina", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32359" + }, + { + "type": "WEB", + "url": "http://carina.com" + }, + { + "type": "WEB", + "url": "https://gist.github.com/HouqiyuA/568d9857dab4ddba6b8b6a791e90f906" + }, + { + "type": "WEB", + "url": "https://github.com/HouqiyuA/k8s-rbac-poc" + }, + { + "type": "WEB", + "url": "https://github.com/carina-io/carina" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2809", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2875.json b/data/osv/GO-2024-2875.json new file mode 100644 index 00000000..5f90d198 --- /dev/null +++ b/data/osv/GO-2024-2875.json 
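Review bot: The `summary` and `details` for GO-2024-2809 are just the CVE id repeated (`CVE-2024-32359 in github.com/carina-io/carina`), which tells a govulncheck user nothing about the weakness or its impact; they should be replaced with a one-line description of the issue once the report is reviewed. The `http://carina.com` reference is a plain-HTTP URL to a domain that does not obviously belong to the carina-io project; it was presumably inherited from the upstream CVE record and is worth verifying or dropping. The range also has only `"introduced": "0"`, so it will flag every version until a fixed or last-affected version is established.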
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2875", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-34710" + ], + "summary": "Wiki.js Stored XSS through Client Side Template Injection in github.com/requarks/wiki", + "details": "Wiki.js Stored XSS through Client Side Template Injection in github.com/requarks/wiki", + "affected": [ + { + "package": { + "name": "github.com/requarks/wiki", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34710" + }, + { + "type": "FIX", + "url": "https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac" + }, + { + "type": "WEB", + "url": "https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2875", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2024-2468.yaml b/data/reports/GO-2024-2468.yaml new file mode 100644 index 00000000..339d19ce --- /dev/null +++ b/data/reports/GO-2024-2468.yaml 
@@ -0,0 +1,23 @@
+id: GO-2024-2468
+modules:
+ - module: github.com/snapcore/snapd
+ non_go_versions:
+ - fixed: 2.57.6
+ vulnerable_at: 0.0.0-20240604014309-05c117cc187f
+summary: snapd Race Condition vulnerability in github.com/snapcore/snapd
+cves:
+ - CVE-2022-3328
+ghsas:
+ - GHSA-cjqf-877p-7m3f
+references:
+ - advisory: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328
+ - advisory: https://github.com/advisories/GHSA-cjqf-877p-7m3f
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-3328
+ - fix: https://github.com/snapcore/snapd/commit/21ebc51f00b8a1417888faa2e83a372fd29d0f5e
+ - fix: https://github.com/snapcore/snapd/commit/6226cdc57052f4b7057d92f2e549aa169e35cd2d
+ - fix: https://github.com/snapcore/snapd/pull/12380
+ - web: https://ubuntu.com/security/notices/USN-5753-1
+source:
+ id: GHSA-cjqf-877p-7m3f
+ created: 2024-06-04T15:37:54.887928-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2566.yaml b/data/reports/GO-2024-2566.yaml
new file mode 100644
index 00000000..79a7caf1
--- /dev/null
+++ b/data/reports/GO-2024-2566.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2566
+modules:
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.8
+ - introduced: 9.0.0
+ fixed: 9.3.0
+ vulnerable_at: 8.0.0-20240604182354-aa5b8bf54904
+summary: Mattermost fails to check the required permissions in github.com/mattermost/mattermost/server/v8
+cves:
+ - CVE-2024-24776
+ghsas:
+ - GHSA-r833-w756-h5p2
+unknown_aliases:
+ - BIT-mattermost-2024-24776
+references:
+ - advisory: https://github.com/advisories/GHSA-r833-w756-h5p2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-24776
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-r833-w756-h5p2
+ created: 2024-06-04T15:37:50.838664-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2576.yaml b/data/reports/GO-2024-2576.yaml
new file mode 100644
index 00000000..2dacee13
--- /dev/null
+++ b/data/reports/GO-2024-2576.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2576
+modules:
+ - module: github.com/devfile/registry-support/registry-library
+ non_go_versions:
+ - fixed: 0.0.0-20240206
+ vulnerable_at: 0.0.0-20240530183941-9de6fb93aed6
+summary: 'registry-support: decompress can delete files outside scope via relative paths in github.com/devfile/registry-support/registry-library'
+cves:
+ - CVE-2024-1485
+ghsas:
+ - GHSA-84xv-jfrm-h4gm
+references:
+ - advisory: https://github.com/advisories/GHSA-84xv-jfrm-h4gm
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1485
+ - web: https://access.redhat.com/security/cve/CVE-2024-1485
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2264106
+ - web: https://github.com/devfile/registry-support/commit/0e44b9ca6d03fac4fc3f77d37656d56dc5defe0d
+ - web: https://github.com/devfile/registry-support/pull/197
+source:
+ id: GHSA-84xv-jfrm-h4gm
+ created: 2024-06-04T15:37:44.246541-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2629.yaml b/data/reports/GO-2024-2629.yaml
new file mode 100644
index 00000000..596e6e9b
--- /dev/null
+++ b/data/reports/GO-2024-2629.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-2629
+modules:
+ - module: github.com/grafana/grafana
+ non_go_versions:
+ - introduced: 8.5.0
+ fixed: 9.5.7
+ - introduced: 10.0.0
+ fixed: 10.0.12
+ - introduced: 10.1.0
+ fixed: 10.1.8
+ - introduced: 10.2.0
+ fixed: 10.2.5
+ - introduced: 10.3.0
+ fixed: 10.3.4
+ vulnerable_at: 5.4.5+incompatible
+summary: |-
+ Grafana's users with permissions to create a data source can CRUD all data
+ sources in github.com/grafana/grafana
+cves:
+ - CVE-2024-1442
+ghsas:
+ - GHSA-5mxf-42f5-j782
+unknown_aliases:
+ - BIT-grafana-2024-1442
+references:
+ - advisory: https://github.com/advisories/GHSA-5mxf-42f5-j782
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1442
+ - web: https://grafana.com/security/security-advisories/cve-2024-1442
+source:
+ id: GHSA-5mxf-42f5-j782
+ created: 2024-06-04T15:37:37.122896-04:00
+review_status: UNREVIEWED
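Review bot: `vulnerable_at: 5.4.5+incompatible` in GO-2024-2629 is below the lowest `introduced: 8.5.0` in `non_go_versions`, so the version the tooling records as vulnerable lies outside every affected range the report states. The same mismatch appears in the GO-2024-2697 hunk below (introduced 9.5.0 onward, vulnerable_at 5.4.5+incompatible). This presumably happens because github.com/grafana/grafana has no resolvable Go module versions past v5, but the contradiction should be noted in the report or the versions reconciled before review.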
diff --git a/data/reports/GO-2024-2635.yaml b/data/reports/GO-2024-2635.yaml
new file mode 100644
index 00000000..fdb53cfe
--- /dev/null
+++ b/data/reports/GO-2024-2635.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2635
+modules:
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.9
+ - introduced: 9.0.0
+ fixed: 9.4.0
+ vulnerable_at: 8.0.0-20240604182354-aa5b8bf54904
+summary: Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost/server/v8
+cves:
+ - CVE-2024-1952
+ghsas:
+ - GHSA-r4fm-g65h-cr54
+references:
+ - advisory: https://github.com/advisories/GHSA-r4fm-g65h-cr54
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1952
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-r4fm-g65h-cr54
+ created: 2024-06-04T15:37:32.558224-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2637.yaml b/data/reports/GO-2024-2637.yaml
new file mode 100644
index 00000000..012756bf
--- /dev/null
+++ b/data/reports/GO-2024-2637.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2637
+modules:
+ - module: github.com/zitadel/zitadel
+ non_go_versions:
+ - fixed: 2.44.3
+ - introduced: 2.45.0
+ fixed: 2.45.1
+ vulnerable_at: 1.87.5
+summary: Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel
+cves:
+ - CVE-2024-28197
+ghsas:
+ - GHSA-mq4x-r2w3-j7mr
+references:
+ - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-28197
+ - fix: https://github.com/zitadel/zitadel/commit/d4c553b75a214e41299af010ef4b26174a0f802c
+ - fix: https://github.com/zitadel/zitadel/commit/e82cb51eb819c6cdba8123c9c34c5739b46b29eb
+source:
+ id: GHSA-mq4x-r2w3-j7mr
+ created: 2024-06-04T15:37:28.977324-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2650.yaml b/data/reports/GO-2024-2650.yaml
new file mode 100644
index 00000000..8135fe9b
--- /dev/null
+++ b/data/reports/GO-2024-2650.yaml
@@ -0,0 +1,16 @@
+id: GO-2024-2650
+modules:
+ - module: github.com/go-vela/sdk-go
+ versions:
+ - fixed: 0.23.2
+ vulnerable_at: 0.23.1
+summary: Golang SDK for Vela Insecure Variable Substitution in github.com/go-vela/sdk-go
+ghsas:
+ - GHSA-v8mx-hp2q-gw85
+references:
+ - advisory: https://github.com/go-vela/sdk-go/security/advisories/GHSA-v8mx-hp2q-gw85
+ - fix: https://github.com/go-vela/sdk-go/commit/e3a34719badf37928e60f4402abe51f8b50055e1
+source:
+ id: GHSA-v8mx-hp2q-gw85
+ created: 2024-06-04T15:37:27.356345-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2664.yaml b/data/reports/GO-2024-2664.yaml
new file mode 100644
index 00000000..5fe65f78
--- /dev/null
+++ b/data/reports/GO-2024-2664.yaml
@@ -0,0 +1,37 @@
+id: GO-2024-2664
+modules:
+ - module: github.com/zitadel/zitadel
+ non_go_versions:
+ - fixed: 2.42.17
+ - introduced: 2.43.0
+ fixed: 2.43.11
+ - introduced: 2.44.0
+ fixed: 2.44.7
+ - introduced: 2.45.0
+ fixed: 2.45.5
+ - introduced: 2.46.0
+ fixed: 2.46.5
+ - introduced: 2.47.0
+ fixed: 2.47.8
+ - introduced: 2.48.0
+ fixed: 2.48.3
+ vulnerable_at: 1.87.5
+summary: ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel
+cves:
+ - CVE-2024-29892
+ghsas:
+ - GHSA-gp8g-f42f-95q2
+references:
+ - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29892
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.42.17
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.43.11
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.44.7
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.45.5
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.46.5
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.47.8
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.48.3
+source:
+ id: GHSA-gp8g-f42f-95q2
+ created: 2024-06-04T15:37:24.2634-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2665.yaml b/data/reports/GO-2024-2665.yaml
new file mode 100644
index 00000000..5b666e65
--- /dev/null
+++ b/data/reports/GO-2024-2665.yaml
@@ -0,0 +1,39 @@
+id: GO-2024-2665
+modules:
+ - module: github.com/zitadel/zitadel
+ non_go_versions:
+ - fixed: 2.42.17
+ - introduced: 2.43.0
+ fixed: 2.43.11
+ - introduced: 2.44.0
+ fixed: 2.44.7
+ - introduced: 2.45.0
+ fixed: 2.45.5
+ - introduced: 2.46.0
+ fixed: 2.46.5
+ - introduced: 2.47.0
+ fixed: 2.47.8
+ - introduced: 2.48.0
+ fixed: 2.48.3
+ vulnerable_at: 1.87.5
+summary: |-
+ ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored
+ XSS + CSP Bypass in github.com/zitadel/zitadel
+cves:
+ - CVE-2024-29891
+ghsas:
+ - GHSA-hr5w-cwwq-2v4m
+references:
+ - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29891
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.42.17
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.43.11
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.44.7
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.45.5
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.46.5
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.47.8
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.48.3
+source:
+ id: GHSA-hr5w-cwwq-2v4m
+ created: 2024-06-04T15:37:16.762486-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2688.yaml b/data/reports/GO-2024-2688.yaml
new file mode 100644
index 00000000..1983dafb
--- /dev/null
+++ b/data/reports/GO-2024-2688.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2688
+modules:
+ - module: kubevirt.io/kubevirt
+ unsupported_versions:
+ - version: 1.2.0
+ type: last_affected
+ vulnerable_at: 1.2.1
+summary: KubeVirt NULL pointer dereference flaw in kubevirt.io/kubevirt
+cves:
+ - CVE-2024-31420
+ghsas:
+ - GHSA-vjhf-6xfr-5p9g
+references:
+ - advisory: https://github.com/advisories/GHSA-vjhf-6xfr-5p9g
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-31420
+ - web: https://access.redhat.com/security/cve/CVE-2024-31420
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2272951
+source:
+ id: GHSA-vjhf-6xfr-5p9g
+ created: 2024-06-04T15:36:43.938217-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2695.yaml b/data/reports/GO-2024-2695.yaml
new file mode 100644
index 00000000..fb5a654d
--- /dev/null
+++ b/data/reports/GO-2024-2695.yaml
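Review bot: `vulnerable_at: 1.2.1` in GO-2024-2688 is newer than the `last_affected: 1.2.0` entry in `unsupported_versions`, so the report names as vulnerable a version it otherwise treats as past the affected range. Either the last_affected value should move to 1.2.1 (or later) or vulnerable_at should be 1.2.0; the Red Hat and NVD references should settle which, and the fix should be made before the report is marked reviewed.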
@@ -0,0 +1,30 @@
+id: GO-2024-2695
+modules:
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - introduced: 8.1.0
+ fixed: 8.1.11
+ - introduced: 9.3.0
+ fixed: 9.3.3
+ - introduced: 9.4.0
+ fixed: 9.4.4
+ - introduced: 9.5.0
+ fixed: 9.5.2
+ vulnerable_at: 8.0.0-20240604182354-aa5b8bf54904
+summary: Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost/server/v8
+cves:
+ - CVE-2024-28949
+ghsas:
+ - GHSA-mcw6-3256-64gg
+references:
+ - advisory: https://github.com/advisories/GHSA-mcw6-3256-64gg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-28949
+ - web: https://github.com/mattermost/mattermost/commit/11a21f4da352a472a09de3b8e125514750a6619a
+ - web: https://github.com/mattermost/mattermost/commit/362b7d29d35c00fe80721d3d47442a4f3168eb2b
+ - web: https://github.com/mattermost/mattermost/commit/5632d6b4ff6d019a21bb8ddd037d4a931cd85ae2
+ - web: https://github.com/mattermost/mattermost/commit/88f9285173dc4cb35fa19a8b8604e098a567f704
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-mcw6-3256-64gg
+ created: 2024-06-04T15:36:36.807487-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2696.yaml b/data/reports/GO-2024-2696.yaml
new file mode 100644
index 00000000..f72ad063
--- /dev/null
+++ b/data/reports/GO-2024-2696.yaml
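Review bot: `vulnerable_at: 8.0.0-20240604182354-aa5b8bf54904` in GO-2024-2695 is a pseudo-version that sorts before 8.0.0 under semver, and therefore before the first `introduced: 8.1.0` in `non_go_versions`; the GO-2024-2696 hunk below uses the same value against the same `introduced: 8.1.0`. If the non-Go versions are meant to be compared with Go module versions at all, this vulnerable_at lies outside every stated affected range and is probably just the newest pseudo-version the tooling could resolve. A vulnerable_at inside a stated range, or a comment in the report explaining why none exists, would remove the contradiction before review.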
@@ -0,0 +1,26 @@
+id: GO-2024-2696
+modules:
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - introduced: 8.1.0
+ fixed: 8.1.11
+ - introduced: 9.3.0
+ fixed: 9.3.3
+ - introduced: 9.4.0
+ fixed: 9.4.4
+ - introduced: 9.5.0
+ fixed: 9.5.2
+ vulnerable_at: 8.0.0-20240604182354-aa5b8bf54904
+summary: Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost/server/v8
+cves:
+ - CVE-2024-2447
+ghsas:
+ - GHSA-wp43-vprh-c3w5
+references:
+ - advisory: https://github.com/advisories/GHSA-wp43-vprh-c3w5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-2447
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-wp43-vprh-c3w5
+ created: 2024-06-04T15:36:33.196481-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2697.yaml b/data/reports/GO-2024-2697.yaml
new file mode 100644
index 00000000..d3d0f7fe
--- /dev/null
+++ b/data/reports/GO-2024-2697.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2697
+modules:
+ - module: github.com/grafana/grafana
+ non_go_versions:
+ - introduced: 9.5.0
+ fixed: 9.5.18
+ - introduced: 10.0.0
+ fixed: 10.0.13
+ - introduced: 10.1.0
+ fixed: 10.1.9
+ - introduced: 10.2.0
+ fixed: 10.2.6
+ - introduced: 10.3.0
+ fixed: 10.3.5
+ vulnerable_at: 5.4.5+incompatible
+summary: 'Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana'
+cves:
+ - CVE-2024-1313
+ghsas:
+ - GHSA-67rv-qpw2-6qrr
+unknown_aliases:
+ - BIT-grafana-2024-1313
+references:
+ - advisory: https://github.com/grafana/bugbounty/security/advisories/GHSA-67rv-qpw2-6qrr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1313
+ - web: https://grafana.com/security/security-advisories/cve-2024-1313
+source:
+ id: GHSA-67rv-qpw2-6qrr
+ created: 2024-06-04T15:31:16.41185-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2698.yaml b/data/reports/GO-2024-2698.yaml
new file mode 100644
index 00000000..74dfee63
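Review bot: In GO-2024-2697, `vulnerable_at: 5.4.5+incompatible` lies below every `introduced` value (9.5.0 and up), so the pinned version is outside all stated affected ranges, and those ranges are under `non_go_versions`, meaning no Go-resolvable version of github.com/grafana/grafana is marked affected or fixed. As written the report cannot tell a Go consumer whether the tagged versions they can actually import are affected; that should be settled on review before the ranges are trusted.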
--- /dev/null
+++ b/data/reports/GO-2024-2698.yaml
@@ -0,0 +1,25 @@
+id: GO-2024-2698
+modules:
+ - module: github.com/mholt/archiver/v3
+ non_go_versions:
+ - introduced: 3.0.0
+ unsupported_versions:
+ - version: 3.5.1
+ type: last_affected
+ - version: 3.5.1
+ type: last_affected
+ vulnerable_at: 3.5.1
+summary: Archiver Path Traversal vulnerability in github.com/mholt/archiver/v3
+cves:
+ - CVE-2024-0406
+ghsas:
+ - GHSA-rhh4-rh7c-7r5v
+references:
+ - advisory: https://github.com/advisories/GHSA-rhh4-rh7c-7r5v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-0406
+ - web: https://access.redhat.com/security/cve/CVE-2024-0406
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2257749
+source:
+ id: GHSA-rhh4-rh7c-7r5v
+ created: 2024-06-04T15:31:11.733743-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2705.yaml b/data/reports/GO-2024-2705.yaml
new file mode 100644
index 00000000..f9f4e4f9
--- /dev/null
+++ b/data/reports/GO-2024-2705.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2705
+modules:
+ - module: github.com/go-skynet/LocalAI
+ unsupported_versions:
+ - version: 2.7.0
+ type: last_affected
+ vulnerable_at: 1.40.0
+summary: LocalAI cross-site request forgery vulnerability in github.com/go-skynet/LocalAI
+cves:
+ - CVE-2024-3135
+ghsas:
+ - GHSA-jhvf-7c85-3c9g
+references:
+ - advisory: https://github.com/advisories/GHSA-jhvf-7c85-3c9g
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-3135
+ - web: https://huntr.com/bounties/7afdc4d3-4b68-45ea-96d0-cf9ed3712ae8
+source:
+ id: GHSA-jhvf-7c85-3c9g
+ created: 2024-06-04T15:31:08.697271-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2706.yaml b/data/reports/GO-2024-2706.yaml
new file mode 100644
index 00000000..9abcad5a
--- /dev/null
+++ b/data/reports/GO-2024-2706.yaml
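Review bot: In GO-2024-2698 the `unsupported_versions` list repeats the same entry twice (`- version: 3.5.1` / `type: last_affected` appears at both positions), so one of the two should be dropped. The report also combines `non_go_versions: - introduced: 3.0.0` with an unsupported last_affected marker and lists no fix reference, so as it stands every version of github.com/mholt/archiver/v3 from 3.0.0 onward is implied affected with no remediation; that needs confirming on review.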
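Review bot: In GO-2024-2705 the only affected marker, `- version: 2.7.0` / `type: last_affected`, is under `unsupported_versions` and there is no fixed version, while GO-2024-2717 records a fix at 2.10.0 for the same module under `non_go_versions`; both reports pin `vulnerable_at: 1.40.0`, which suggests the tagged Go versions of github.com/go-skynet/LocalAI stop well below the releases the advisories describe. On review it is worth confirming which module path the 2.x releases are published under so the range can be expressed as resolvable versions. The only non-advisory reference is the huntr bounty page; no fix commit is listed.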
@@ -0,0 +1,30 @@
+id: GO-2024-2706
+modules:
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - introduced: 8.1.0
+ fixed: 8.1.11
+ - introduced: 9.3.0
+ fixed: 9.3.3
+ - introduced: 9.4.0
+ fixed: 9.4.4
+ - introduced: 9.5.0
+ fixed: 9.5.2
+ vulnerable_at: 8.0.0-20240604182354-aa5b8bf54904
+summary: Mattermost Server Improper Access Control in github.com/mattermost/mattermost/server/v8
+cves:
+ - CVE-2024-29221
+ghsas:
+ - GHSA-w67v-ph4x-f48q
+references:
+ - advisory: https://github.com/advisories/GHSA-w67v-ph4x-f48q
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29221
+ - web: https://github.com/mattermost/mattermost/commit/0dc03fbc6e3c9afb14137e72ab3fa6f5a0125b9c
+ - web: https://github.com/mattermost/mattermost/commit/5cce9fed7363386afebd81a58fb5fab7d2729c8f
+ - web: https://github.com/mattermost/mattermost/commit/a5784f34ba6592c6454b8742f24af9d06279e347
+ - web: https://github.com/mattermost/mattermost/commit/dd3fe2991a70a41790d6bef5d31afc5957525f3c
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-w67v-ph4x-f48q
+ created: 2024-06-04T15:30:58.381022-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2707.yaml b/data/reports/GO-2024-2707.yaml
new file mode 100644
index 00000000..6ccecd0a
--- /dev/null
+++ b/data/reports/GO-2024-2707.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-2707
+modules:
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.11
+ vulnerable_at: 8.0.0-20240604182354-aa5b8bf54904
+summary: Mattermost Server Improper Access Control in github.com/mattermost/mattermost/server/v8
+cves:
+ - CVE-2024-21848
+ghsas:
+ - GHSA-xp9j-8p68-9q93
+references:
+ - advisory: https://github.com/advisories/GHSA-xp9j-8p68-9q93
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21848
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-xp9j-8p68-9q93
+ created: 2024-06-04T15:30:53.476926-04:00
+review_status: UNREVIEWED
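Review bot: In GO-2024-2707 the summary `Mattermost Server Improper Access Control in github.com/mattermost/mattermost/server/v8` is byte-identical to the summary of GO-2024-2706 in this same commit, so the two reports will be indistinguishable in listings even though they track different CVEs (CVE-2024-21848 here, CVE-2024-29221 there). The summary should say what this report's access-control issue actually is. The range here has only `- fixed: 8.1.11` with no `introduced`, which implies every earlier version is affected; confirm that against the advisory.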
diff --git a/data/reports/GO-2024-2715.yaml b/data/reports/GO-2024-2715.yaml
new file mode 100644
index 00000000..af7c79ed
--- /dev/null
+++ b/data/reports/GO-2024-2715.yaml
@@ -0,0 +1,64 @@
+id: GO-2024-2715
+modules:
+ - module: github.com/evmos/evmos/v16
+ non_go_versions:
+ - fixed: 17.0.0
+ vulnerable_at: 16.0.4
+ - module: github.com/evmos/evmos/v5
+ unsupported_versions:
+ - version: 5.0.0
+ type: last_affected
+ vulnerable_at: 5.0.1
+ - module: github.com/evmos/evmos/v6
+ unsupported_versions:
+ - version: 6.0.4
+ type: last_affected
+ vulnerable_at: 6.0.4
+ - module: github.com/evmos/evmos/v7
+ unsupported_versions:
+ - version: 7.0.0
+ type: last_affected
+ vulnerable_at: 7.0.0
+ - module: github.com/tharsis/evmos
+ unsupported_versions:
+ - version: 1.1.3
+ type: last_affected
+ vulnerable_at: 1.1.3
+ - module: github.com/tharsis/evmos/v2
+ unsupported_versions:
+ - version: 2.0.2
+ type: last_affected
+ vulnerable_at: 2.0.2
+ - module: github.com/tharsis/evmos/v3
+ unsupported_versions:
+ - version: 3.0.3
+ type: last_affected
+ vulnerable_at: 3.0.3
+ - module: github.com/tharsis/evmos/v4
+ unsupported_versions:
+ - version: 4.0.2
+ type: last_affected
+ vulnerable_at: 4.0.2
+ - module: github.com/tharsis/evmos/v5
+ unsupported_versions:
+ - version: 5.0.1
+ type: last_affected
+ vulnerable_at: 5.0.1
+summary: |-
+ Evmos transaction execution not accounting for all state transition after
+ interaction with precompiles in github.com/evmos/evmos/v16
+cves:
+ - CVE-2024-32644
+ghsas:
+ - GHSA-3fp5-2xwh-fxm6
+references:
+ - advisory: https://github.com/evmos/evmos/security/advisories/GHSA-3fp5-2xwh-fxm6
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32644
+ - web: https://github.com/evmos/evmos/blob/b196a522ba4951890b40992e9f97aa610f8b5f9c/x/evm/statedb/state_object.go#L53-L68
+ - web: https://github.com/evmos/evmos/blob/b196a522ba4951890b40992e9f97aa610f8b5f9c/x/evm/statedb/statedb.go#L33-L55
+ - web: https://github.com/evmos/evmos/blob/b196a522ba4951890b40992e9f97aa610f8b5f9c/x/evm/statedb/statedb.go#L460-L465
+ - web: https://github.com/evmos/evmos/commit/08982b5ee726b97bc50eaf58d1914829648b6a5f
+source:
+ id:
GHSA-3fp5-2xwh-fxm6
+ created: 2024-06-04T15:30:44.062102-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2717.yaml b/data/reports/GO-2024-2717.yaml
new file mode 100644
index 00000000..7aac2cdc
--- /dev/null
+++ b/data/reports/GO-2024-2717.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2717
+modules:
+ - module: github.com/go-skynet/LocalAI
+ non_go_versions:
+ - fixed: 2.10.0
+ vulnerable_at: 1.40.0
+summary: LocalAI Command Injection in audioToWav in github.com/go-skynet/LocalAI
+cves:
+ - CVE-2024-2029
+ghsas:
+ - GHSA-wx43-g55g-2jf4
+references:
+ - advisory: https://github.com/advisories/GHSA-wx43-g55g-2jf4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-2029
+ - web: https://github.com/mudler/localai/commit/31a4c9c9d3abc58de2bdc5305419181c8b33eb1c
+ - web: https://huntr.com/bounties/e092528a-ce3b-4e66-9b98-3f56d6b276b0
+source:
+ id: GHSA-wx43-g55g-2jf4
+ created: 2024-06-04T15:30:38.950992-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2718.yaml b/data/reports/GO-2024-2718.yaml
new file mode 100644
index 00000000..b11addd4
--- /dev/null
+++ b/data/reports/GO-2024-2718.yaml
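Review bot: In GO-2024-2715 the github.com/evmos/evmos/v5 entry pins `vulnerable_at: 5.0.1` while its only marker is `- version: 5.0.0` / `type: last_affected`, so the pinned version is above the stated affected range. Separately, the v16 entry records `- fixed: 17.0.0` under `non_go_versions`, which is expected since a v17 release would live at a different module path, but as written every github.com/evmos/evmos/v16 version is implied affected with no resolvable fix; on review the fixed module path should be named or the v16 entry should carry a last_affected marker like the other eight.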
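Review bot: In GO-2024-2717 the commit link `https://github.com/mudler/localai/commit/31a4c9c9d3abc58de2bdc5305419181c8b33eb1c` is typed `web`, yet it is the only code change referenced for a command-injection fix; if it is the fix it should be `- fix:` so tooling surfaces it. It also lives under github.com/mudler/localai while the module is recorded as github.com/go-skynet/LocalAI, so the repository appears to have moved; that likely explains why `fixed: 2.10.0` could only be recorded under `non_go_versions` against a `vulnerable_at: 1.40.0` that is presumably the highest version resolvable at the old path. Confirm the module path the fixed release is published under before review.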
@@ -0,0 +1,29 @@
+id: GO-2024-2718
+modules:
+ - module: github.com/sigstore/cosign
+ unsupported_versions:
+ - version: 2.2.3
+ type: last_affected
+ vulnerable_at: 1.13.6
+ - module: github.com/sigstore/cosign/v2
+ versions:
+ - fixed: 2.2.4
+ vulnerable_at: 2.2.3
+summary: Cosign malicious attachments can cause system-wide denial of service in github.com/sigstore/cosign
+cves:
+ - CVE-2024-29902
+ghsas:
+ - GHSA-88jx-383q-w4qc
+unknown_aliases:
+ - BIT-cosign-2024-29902
+references:
+ - advisory: https://github.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29902
+ - fix: https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
+ - web: https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40
+ - web: https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239
+ - web: https://github.com/sigstore/cosign/releases/tag/v2.2.4
+source:
+ id: GHSA-88jx-383q-w4qc
+ created: 2024-06-04T15:30:35.477807-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2719.yaml b/data/reports/GO-2024-2719.yaml
new file mode 100644
index 00000000..a631e230
--- /dev/null
+++ b/data/reports/GO-2024-2719.yaml
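Review bot: The first module entry, `github.com/sigstore/cosign`, records `- version: 2.2.3` / `type: last_affected`, but a 2.2.3 release cannot exist at the un-suffixed module path (major versions 2 and up live under `/v2`, which the second entry already covers with `fixed: 2.2.4`), so the v1 entry is a mis-attributed duplicate of the v2 range. Nothing on the page establishes that the 1.x line, pinned at `vulnerable_at: 1.13.6`, is affected at all; on review the v1 entry should be dropped or given a range that reflects the 1.x code. GO-2024-2719 has the identical v1 entry and the same issue.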
@@ -0,0 +1,29 @@
+id: GO-2024-2719
+modules:
+ - module: github.com/sigstore/cosign
+ unsupported_versions:
+ - version: 2.2.3
+ type: last_affected
+ vulnerable_at: 1.13.6
+ - module: github.com/sigstore/cosign/v2
+ versions:
+ - fixed: 2.2.4
+ vulnerable_at: 2.2.3
+summary: Cosign malicious artifacts can cause machine-wide DoS in github.com/sigstore/cosign
+cves:
+ - CVE-2024-29903
+ghsas:
+ - GHSA-95pr-fxf5-86gv
+unknown_aliases:
+ - BIT-cosign-2024-29903
+references:
+ - advisory: https://github.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29903
+ - fix: https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
+ - web: https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go#L948-L955
+ - web: https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70
+ - web: https://github.com/sigstore/cosign/releases/tag/v2.2.4
+source:
+ id: GHSA-95pr-fxf5-86gv
+ created: 2024-06-04T15:30:30.49846-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2722.yaml b/data/reports/GO-2024-2722.yaml
new file mode 100644
index 00000000..fc25ab61
--- /dev/null
+++ b/data/reports/GO-2024-2722.yaml
@@ -0,0 +1,31 @@
+id: GO-2024-2722
+modules:
+ - module: github.com/traefik/traefik
+ non_go_versions:
+ - fixed: 2.11.2
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.11.2
+ vulnerable_at: 2.11.1
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - introduced: 3.0.0-beta3
+ fixed: 3.0.0-rc5
+ vulnerable_at: 3.0.0-rc4
+summary: Traefik vulnerable to denial of service with Content-length header in github.com/traefik/traefik
+cves:
+ - CVE-2024-28869
+ghsas:
+ - GHSA-4vwx-54mw-vqfw
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-28869
+ - fix: https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9c6
+ - web: https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts
+ - web: https://github.com/traefik/traefik/releases/tag/v2.11.2
+ - web: https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
+source:
+ id: GHSA-4vwx-54mw-vqfw
+ created: 2024-06-04T15:30:27.097335-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2726.yaml b/data/reports/GO-2024-2726.yaml
new file mode 100644
index 00000000..56854849
--- /dev/null
+++ b/data/reports/GO-2024-2726.yaml
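Review bot: The un-suffixed `github.com/traefik/traefik` entry carries `- fixed: 2.11.2` under `non_go_versions`, a version that belongs to the `/v2` module path already listed beneath it with the same `fixed: 2.11.2`, so the v1 entry effectively marks all 1.x releases (pinned at `vulnerable_at: 1.7.34`) as affected with no resolvable fix. Nothing visible here shows the 1.7 line was assessed by the advisory; that should be confirmed or the entry removed on review.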
@@ -0,0 +1,22 @@
+id: GO-2024-2726
+modules:
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.11.2
+ vulnerable_at: 2.11.1
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - introduced: 3.0.0-rc1
+ fixed: 3.0.0-rc5
+ vulnerable_at: 3.0.0-rc4
+summary: Traefik affected by HTTP/2 CONTINUATION flood in net/http in github.com/traefik/traefik/v2
+ghsas:
+ - GHSA-7f4j-64p6-5h5v
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-7f4j-64p6-5h5v
+ - web: https://github.com/traefik/traefik/releases/tag/v2.11.2
+ - web: https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
+source:
+ id: GHSA-7f4j-64p6-5h5v
+ created: 2024-06-04T15:30:24.379964-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2732.yaml b/data/reports/GO-2024-2732.yaml
new file mode 100644
index 00000000..b013fb2a
--- /dev/null
+++ b/data/reports/GO-2024-2732.yaml
@@ -0,0 +1,15 @@
+id: GO-2024-2732
+modules:
+ - module: github.com/evmos/evmos/v11
+ non_go_versions:
+ - fixed: 12.0.0
+ vulnerable_at: 11.0.2
+summary: Evmos vulnerable to DOS and transaction fee expropiation through Authz exploit in github.com/evmos/evmos/v11
+ghsas:
+ - GHSA-v6rw-hhgg-wc4x
+references:
+ - advisory: https://github.com/evmos/evmos/security/advisories/GHSA-v6rw-hhgg-wc4x
+source:
+ id: GHSA-v6rw-hhgg-wc4x
+ created: 2024-06-04T15:30:15.000974-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2734.yaml b/data/reports/GO-2024-2734.yaml
new file mode 100644
index 00000000..e74b1765
--- /dev/null
+++ b/data/reports/GO-2024-2734.yaml
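Review bot: In GO-2024-2726 the summary names the flaw as an `HTTP/2 CONTINUATION flood in net/http`, i.e. a vulnerability in the Go standard library rather than in Traefik's own code, and the report carries no CVE of its own, only the downstream GHSA. Dependency-inherited issues of this kind are usually tracked on the upstream report rather than once per consumer; on review confirm whether this should be marked a duplicate of the existing net/http report or kept with `fixed` versions that only reflect a toolchain bump.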
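Review bot: In GO-2024-2732 `- fixed: 12.0.0` sits under `non_go_versions` because a v12 release of Evmos would be published at a different module path than github.com/evmos/evmos/v11, which leaves every v11 version implied affected with no fix that resolves; this is the same pattern as the v16 entry in GO-2024-2715. The summary also carries the advisory's spelling `expropiation`; the report summary can read `expropriation` on review without altering the cited advisory title. There is no CVE and only the single GHSA advisory reference.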
@@ -0,0 +1,21 @@
+id: GO-2024-2734
+modules:
+ - module: github.com/1Panel-dev/1Panel
+ non_go_versions:
+ - fixed: 1.10.3
+ vulnerable_at: 1.9.6
+summary: |-
+ 1Panel's password verification is suspected to have a timing attack
+ vulnerability in github.com/1Panel-dev/1Panel
+cves:
+ - CVE-2024-30257
+ghsas:
+ - GHSA-6m9h-2pr2-9j8f
+references:
+ - advisory: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-6m9h-2pr2-9j8f
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-30257
+ - web: https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26
+source:
+ id: GHSA-6m9h-2pr2-9j8f
+ created: 2024-06-04T15:30:09.964726-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2737.yaml b/data/reports/GO-2024-2737.yaml
new file mode 100644
index 00000000..c6ba5db7
--- /dev/null
+++ b/data/reports/GO-2024-2737.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2737
+modules:
+ - module: github.com/docker/docker
+ versions:
+ - introduced: 26.0.0+incompatible
+ fixed: 26.0.2+incompatible
+ vulnerable_at: 26.0.1+incompatible
+summary: IPv6 enabled on IPv4-only network interfaces in github.com/docker/docker
+cves:
+ - CVE-2024-32473
+ghsas:
+ - GHSA-x84c-p2g9-rqv9
+references:
+ - advisory: https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32473
+ - web: https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642
+source:
+ id: GHSA-x84c-p2g9-rqv9
+ created: 2024-06-04T15:30:04.899272-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2750.yaml b/data/reports/GO-2024-2750.yaml
new file mode 100644
index 00000000..270e029e
--- /dev/null
+++ b/data/reports/GO-2024-2750.yaml
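Review bot: In GO-2024-2734 the code reference `https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26` points at the `dev` branch, so the line and column anchor will silently drift to unrelated code as the branch moves; it should be pinned to a commit SHA, ideally the pre-fix revision, since the summary describes a timing side channel in password verification. The range `- fixed: 1.10.3` is under `non_go_versions` against `vulnerable_at: 1.9.6`, so confirm on review whether the 1.10.x line is importable at this module path.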
@@ -0,0 +1,31 @@
+id: GO-2024-2750
+modules:
+ - module: github.com/Azure/secrets-store-csi-driver-provider-azure
+ non_go_versions:
+ - fixed: 0.0.10
+ vulnerable_at: 1.5.2
+ - module: github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp
+ versions:
+ - fixed: 0.2.0
+ vulnerable_at: 0.1.0
+ - module: github.com/hashicorp/vault-csi-provider
+ non_go_versions:
+ - fixed: 0.0.6
+ vulnerable_at: 1.4.2
+summary: Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure
+cves:
+ - CVE-2020-8567
+ghsas:
+ - GHSA-2v35-wj4r-rcmv
+references:
+ - advisory: https://github.com/advisories/GHSA-2v35-wj4r-rcmv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-8567
+ - fix: https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/298
+ - fix: https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/pull/74
+ - web: https://github.com/hashicorp/secrets-store-csi-driver-provider-vault/pull/50
+ - web: https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384
+ - web: https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY
+source:
+ id: GHSA-2v35-wj4r-rcmv
+ created: 2024-06-04T15:29:24.764705-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2760.yaml b/data/reports/GO-2024-2760.yaml
new file mode 100644
index 00000000..7ab8a905
--- /dev/null
+++ b/data/reports/GO-2024-2760.yaml
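Review bot: Two of the three modules pin `vulnerable_at` above their recorded fix: github.com/Azure/secrets-store-csi-driver-provider-azure has `- fixed: 0.0.10` with `vulnerable_at: 1.5.2`, and github.com/hashicorp/vault-csi-provider has `- fixed: 0.0.6` with `vulnerable_at: 1.4.2`. Since both ranges are `non_go_versions`, the 0.0.x values presumably come from a pre-module version scheme (the CVE dates from 2020), and the pins imply current Go-resolvable releases are being marked vulnerable despite a years-old fix. The vault reference is also typed `web` and points at the older `secrets-store-csi-driver-provider-vault` repository name while the other two fixes are typed `fix`; on review map the fixes onto the modern version lines and type the vault PR consistently.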
@@ -0,0 +1,25 @@
+id: GO-2024-2760
+modules:
+ - module: github.com/rancher/rancher
+ non_go_versions:
+ - fixed: 2.4.18
+ - introduced: 2.5.0
+ fixed: 2.5.12
+ - introduced: 2.6.0
+ fixed: 2.6.3
+ vulnerable_at: 1.6.30
+summary: |-
+ Rancher's Failure to delete orphaned role bindings does not revoke project level
+ access from group based authentication in github.com/rancher/rancher
+cves:
+ - CVE-2021-36775
+ghsas:
+ - GHSA-28g7-896h-695v
+references:
+ - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-28g7-896h-695v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-36775
+ - web: https://bugzilla.suse.com/show_bug.cgi?id=1189120
+source:
+ id: GHSA-28g7-896h-695v
+ created: 2024-06-04T15:29:05.58925-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2761.yaml b/data/reports/GO-2024-2761.yaml
new file mode 100644
index 00000000..bd2ce6f6
--- /dev/null
+++ b/data/reports/GO-2024-2761.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2761
+modules:
+ - module: github.com/rancher/rancher
+ unsupported_versions:
+ - version: 2.1.4
+ type: last_affected
+ vulnerable_at: 1.6.30
+summary: Rancher Login Parameter Can Be Edited in github.com/rancher/rancher
+cves:
+ - CVE-2019-11881
+ghsas:
+ - GHSA-2p4g-jrmx-r34m
+references:
+ - advisory: https://github.com/advisories/GHSA-2p4g-jrmx-r34m
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-11881
+ - report: https://github.com/rancher/rancher/issues/20216
+ - web: https://github.com/MauroEldritch/VanCleef
+source:
+ id: GHSA-2p4g-jrmx-r34m
+ created: 2024-06-04T15:29:02.104941-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2762.yaml b/data/reports/GO-2024-2762.yaml
new file mode 100644
index 00000000..f039d535
--- /dev/null
+++ b/data/reports/GO-2024-2762.yaml
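Review bot: In GO-2024-2760 the first range under `non_go_versions` is `- fixed: 2.4.18` with no `introduced`, which implies everything before 2.4.18, including the pinned `vulnerable_at: 1.6.30`, is affected, although the summary describes a 2.x role-binding issue and nothing here shows the 1.x line was assessed. More broadly, the ranges are recorded as non-Go even though GO-2024-2762 and GO-2024-2764 in this same commit express Rancher 2.x ranges for the same module as `+incompatible` versions (e.g. `introduced: 2.0.0+incompatible`), so these could likely be written as resolvable versions too. GO-2024-2771 has the same non-Go encoding and additionally pins `vulnerable_at: 1.6.30` below its `introduced: 2.5.0`.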
@@ -0,0 +1,20 @@
+id: GO-2024-2762
+modules:
+ - module: github.com/rancher/rancher
+ versions:
+ - introduced: 2.0.0+incompatible
+ fixed: 2.2.4+incompatible
+ vulnerable_at: 2.2.4-rc9+incompatible
+summary: Rancher code injection via fluentd config commands in github.com/rancher/rancher
+cves:
+ - CVE-2019-12303
+ghsas:
+ - GHSA-53pj-67m4-9w98
+references:
+ - advisory: https://github.com/advisories/GHSA-53pj-67m4-9w98
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-12303
+ - web: https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466
+source:
+ id: GHSA-53pj-67m4-9w98
+ created: 2024-06-04T15:28:59.347324-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2764.yaml b/data/reports/GO-2024-2764.yaml
new file mode 100644
index 00000000..43cdd6d1
--- /dev/null
+++ b/data/reports/GO-2024-2764.yaml
@@ -0,0 +1,26 @@
+id: GO-2024-2764
+modules:
+ - module: github.com/rancher/rancher
+ versions:
+ - introduced: 2.0.0+incompatible
+ fixed: 2.1.6+incompatible
+ vulnerable_at: 2.1.6-rc5+incompatible
+summary: |-
+ Rancher Project Members Have Continued Access to Namespaces After Being Removed
+ From Them in github.com/rancher/rancher
+cves:
+ - CVE-2019-6287
+ghsas:
+ - GHSA-6r7x-4q7g-h83j
+references:
+ - advisory: https://github.com/advisories/GHSA-6r7x-4q7g-h83j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-6287
+ - report: https://github.com/rancher/rancher/issues/17244
+ - report: https://github.com/rancher/rancher/issues/17724
+ - web: https://forums.rancher.com/t/rancher-release-v2-1-6/13148
+ - web: https://forums.rancher.com/t/rancher-security-announcement-cve-2018-20321-and-cve-2019-6287/13149
+ - web: https://rancher.com/blog/2019/2019-01-29-explaining-security-vulnerabilities-addressed-in-rancher-v2-1-6-and-v2-0-11
+source:
+ id: GHSA-6r7x-4q7g-h83j
+ created: 2024-06-04T15:28:51.235603-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2771.yaml b/data/reports/GO-2024-2771.yaml
new file mode 100644
index 00000000..dabcdd0d
--- /dev/null
+++ b/data/reports/GO-2024-2771.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2771
+modules:
+ - module: github.com/rancher/rancher
+ non_go_versions:
+ - introduced: 2.5.0
+ fixed: 2.5.10
+ vulnerable_at: 1.6.30
+summary: |-
+ Rancher's Steve API Component Improper authorization check allows privilege
+ escalation in github.com/rancher/rancher
+cves:
+ - CVE-2021-36776
+ghsas:
+ - GHSA-gvh9-xgrq-r8hw
+references:
+ - advisory: https://github.com/advisories/GHSA-gvh9-xgrq-r8hw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-36776
+ - web: https://bugzilla.suse.com/show_bug.cgi?id=1189413
+source:
+ id: GHSA-gvh9-xgrq-r8hw
+ created: 2024-06-04T15:28:43.930948-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2788.yaml b/data/reports/GO-2024-2788.yaml
new file mode 100644
index 00000000..c5c1b02c
--- /dev/null
+++ b/data/reports/GO-2024-2788.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-2788
+modules:
+ - module: github.com/zitadel/zitadel
+ non_go_versions:
+ - fixed: 2.50.0
+ vulnerable_at: 1.87.5
+summary: ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel
+cves:
+ - CVE-2024-32868
+ghsas:
+ - GHSA-7j7j-66cv-m239
+references:
+ - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32868
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.50.0
+source:
+ id: GHSA-7j7j-66cv-m239
+ created: 2024-06-04T15:27:35.033721-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2789.yaml b/data/reports/GO-2024-2789.yaml
new file mode 100644
index 00000000..860c765d
--- /dev/null
+++ b/data/reports/GO-2024-2789.yaml
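Review bot: In GO-2024-2788 `- fixed: 2.50.0` is under `non_go_versions` while the pin is `vulnerable_at: 1.87.5` with no `introduced`, so the report marks every resolvable version of github.com/zitadel/zitadel as affected and names a fix that Go tooling cannot match against this module path. For a lockout bypass in an identity provider that is a meaningful gap; on review confirm how the 2.x releases are published (the release reference is `v2.50.0` at the same repository) and whether a Go-resolvable fixed version can be recorded.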
@@ -0,0 +1,28 @@
+id: GO-2024-2789
+modules:
+ - module: github.com/openshift/cluster-monitoring-operator
+ unsupported_versions:
+ - version: 0.1.1
+ type: last_affected
+ vulnerable_at: 3.11.0+incompatible
+summary: Cluster Monitoring Operator contains a credentials leak in github.com/openshift/cluster-monitoring-operator
+cves:
+ - CVE-2024-1139
+ghsas:
+ - GHSA-x5m7-63c6-fx79
+references:
+ - advisory: https://github.com/advisories/GHSA-x5m7-63c6-fx79
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1139
+ - fix: https://github.com/openshift/cluster-monitoring-operator/commit/1cfbe9ffafe1e43f8f87a451b72fddf5d76fa4e3
+ - fix: https://github.com/openshift/cluster-monitoring-operator/pull/1747
+ - web: https://access.redhat.com/errata/RHSA-2024:1887
+ - web: https://access.redhat.com/errata/RHSA-2024:1891
+ - web: https://access.redhat.com/errata/RHSA-2024:2047
+ - web: https://access.redhat.com/errata/RHSA-2024:2782
+ - web: https://access.redhat.com/security/cve/CVE-2024-1139
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2262158
+ - web: https://github.com/openshift/cluster-monitoring-operator/blob/d45a3335c2bbada0948adef9fcba55c4e14fa1d7/pkg/manifests/manifests.go#L3135
+source:
+ id: GHSA-x5m7-63c6-fx79
+ created: 2024-06-04T15:27:27.603431-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2793.yaml b/data/reports/GO-2024-2793.yaml
new file mode 100644
index 00000000..c9dc0bf2
--- /dev/null
+++ b/data/reports/GO-2024-2793.yaml
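Review bot: `vulnerable_at: 3.11.0+incompatible` is far above the only affected marker, `- version: 0.1.1` / `type: last_affected`, so the pin contradicts the range. Two `fix` references are present (the commit 1cfbe9ffafe1e43f8f87a451b72fddf5d76fa4e3 and pull 1747), so on review a proper `fixed` version should be derivable instead of an unsupported last_affected marker. The manifests.go code reference is already pinned to a SHA, which is good; only the version data needs reconciling.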
@@ -0,0 +1,24 @@
+id: GO-2024-2793
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 8.1.0+incompatible
+ fixed: 8.1.12+incompatible
+ - introduced: 9.5.0+incompatible
+ fixed: 9.5.3+incompatible
+ vulnerable_at: 9.5.3-rc3+incompatible
+summary: Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-4195
+ghsas:
+ - GHSA-5fh7-7mw7-mmx5
+references:
+ - advisory: https://github.com/advisories/GHSA-5fh7-7mw7-mmx5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-4195
+ - web: https://github.com/mattermost/mattermost/commit/1e3497e0595bb4f9908c94dd9d4685d48556b7e8
+ - web: https://github.com/mattermost/mattermost/commit/f0872dd4e4ba34f061aa6982a71c7c29532aac2e
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-5fh7-7mw7-mmx5
+ created: 2024-06-04T15:27:22.651742-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2794.yaml b/data/reports/GO-2024-2794.yaml
new file mode 100644
index 00000000..b6e7a835
--- /dev/null
+++ b/data/reports/GO-2024-2794.yaml
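Review bot: Both commit links (e.g. `https://github.com/mattermost/mattermost/commit/1e3497e0595bb4f9908c94dd9d4685d48556b7e8`) are typed `web`; if they are the fixing commits they should be `- fix:` so the fix is surfaced to consumers. GO-2024-2794 through GO-2024-2798 carry the same `web`-typed commit links. The version data itself is consistent here: `vulnerable_at: 9.5.3-rc3+incompatible` falls inside `introduced: 9.5.0+incompatible` / `fixed: 9.5.3+incompatible`.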
@@ -0,0 +1,27 @@
+id: GO-2024-2794
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 8.1.0+incompatible
+ fixed: 8.1.12+incompatible
+ - introduced: 9.5.0+incompatible
+ fixed: 9.5.3+incompatible
+ - introduced: 9.6.0-rc1+incompatible
+ fixed: 9.6.1+incompatible
+ vulnerable_at: 9.6.1-rc3+incompatible
+summary: Mattermost fails to fully validate role changes in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-4198
+ghsas:
+ - GHSA-5qx9-9ffj-5r8f
+references: 
+ - advisory: https://github.com/advisories/GHSA-5qx9-9ffj-5r8f
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-4198
+ - web: https://github.com/mattermost/mattermost/commit/3d6d8a7c1f7105558fe266a1b379859a4dba4e9b
+ - web: https://github.com/mattermost/mattermost/commit/408ce4a82bb55ce27801f7044d9b3b49e82c47ed
+ - web: https://github.com/mattermost/mattermost/commit/fba5b8e348feada9b21290369c3598ccd5c04424
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-5qx9-9ffj-5r8f
+ created: 2024-06-04T15:27:15.679327-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2795.yaml b/data/reports/GO-2024-2795.yaml
new file mode 100644
index 00000000..e92eb4d7
--- /dev/null
+++ b/data/reports/GO-2024-2795.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2795
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 8.1.0+incompatible
+ fixed: 8.1.12+incompatible
+ - introduced: 9.4.0+incompatible
+ fixed: 9.4.5+incompatible
+ - introduced: 9.5.0+incompatible
+ fixed: 9.5.3+incompatible
+ - introduced: 9.6.0-rc1+incompatible
+ fixed: 9.6.1+incompatible
+ vulnerable_at: 9.6.1-rc3+incompatible
+summary: Mattermost crashes web clients via a malformed custom status in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-4182
+ghsas:
+ - GHSA-8f99-g2pj-x8w3
+references:
+ - advisory: https://github.com/advisories/GHSA-8f99-g2pj-x8w3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-4182
+ - web: https://github.com/mattermost/mattermost/commit/41333a0babf565453d89287549bec1e546e75ce7
+ - web: https://github.com/mattermost/mattermost/commit/6cbab0f7ece104681f73dd12c75d9f22d567125e
+ - web: https://github.com/mattermost/mattermost/commit/a99dadd80c57d376185ca06f8f70919a6f135bc6
+ - web: https://github.com/mattermost/mattermost/commit/f84f8ed65f6a5faba974426424b684635455a527
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-8f99-g2pj-x8w3
+ created: 2024-06-04T15:27:08.837695-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2796.yaml b/data/reports/GO-2024-2796.yaml
new file mode 100644
index 00000000..1d03abd5
--- /dev/null
+++ b/data/reports/GO-2024-2796.yaml
@@ -0,0 +1,28 @@
+id: GO-2024-2796
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 8.1.0+incompatible
+ fixed: 8.1.12+incompatible
+ - introduced: 9.5.0+incompatible
+ fixed: 9.5.3+incompatible
+ - introduced: 9.6.0-rc1+incompatible
+ fixed: 9.6.1+incompatible
+ vulnerable_at: 9.6.1-rc3+incompatible
+summary: Mattermost fails to limit the size of a request path in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-22091
+ghsas:
+ - GHSA-p2wq-4ggp-45f3
+references:
+ - advisory: https://github.com/advisories/GHSA-p2wq-4ggp-45f3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-22091
+ - web: https://github.com/mattermost/mattermost/commit/13049d8b16b195f98246dff4812b5f64c1e5a627
+ - web: https://github.com/mattermost/mattermost/commit/49e7c477246e31c7a0bd85c1043599121755b260
+ - web: https://github.com/mattermost/mattermost/commit/54478f2ccbc6c4f110706966adfe0db2c16a566c
+ - web: https://github.com/mattermost/mattermost/commit/f6d320017549ec66efb5fdd4bc10b66ab36abb70
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-p2wq-4ggp-45f3
+ created: 2024-06-04T15:27:02.38708-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2797.yaml b/data/reports/GO-2024-2797.yaml
new file mode 100644
index 00000000..afa2f4a6
--- /dev/null
+++ b/data/reports/GO-2024-2797.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2797
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 8.1.0+incompatible
+ fixed: 8.1.12+incompatible
+ - introduced: 9.4.0+incompatible
+ fixed: 9.4.5+incompatible
+ - introduced: 9.5.0+incompatible
+ fixed: 9.5.3+incompatible
+ - introduced: 9.6.0-rc1+incompatible
+ fixed: 9.6.1+incompatible
+ vulnerable_at: 9.6.1-rc3+incompatible
+summary: Mattermost's detailed error messages reveal the full file path in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-32046
+ghsas:
+ - GHSA-vx97-8q8q-qgq5
+references:
+ - advisory: https://github.com/advisories/GHSA-vx97-8q8q-qgq5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32046
+ - web: https://github.com/mattermost/mattermost/commit/2a48b5b3428cae494452125401e4f72780543ac8
+ - web: https://github.com/mattermost/mattermost/commit/93738756ff79777c6e340c8de63a7b4b0f881d27
+ - web: https://github.com/mattermost/mattermost/commit/aa222c66b799c12e32eeb8eae6f555bf6140375b
+ - web: https://github.com/mattermost/mattermost/commit/c84c25b20c8b8726a2f126ae9370a72498096172
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-vx97-8q8q-qgq5
+ created: 2024-06-04T15:26:55.734035-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2798.yaml b/data/reports/GO-2024-2798.yaml
new file mode 100644
index 00000000..a859dc85
--- /dev/null
+++ b/data/reports/GO-2024-2798.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2798
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 8.1.0+incompatible
+ fixed: 8.1.12+incompatible
+ - introduced: 9.4.0+incompatible
+ fixed: 9.4.5+incompatible
+ - introduced: 9.5.0+incompatible
+ fixed: 9.5.3+incompatible
+ - introduced: 9.6.0-rc1+incompatible
+ fixed: 9.6.1+incompatible
+ vulnerable_at: 9.6.1-rc3+incompatible
+summary: Mattermost fails to limit the number of active sessions in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-4183
+ghsas:
+ - GHSA-wj37-mpq9-xrcm
+references:
+ - advisory: https://github.com/advisories/GHSA-wj37-mpq9-xrcm
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-4183
+ - web: https://github.com/mattermost/mattermost/commit/86920d641760552c5aafa5e1d14c93bd30039bc4
+ - web: https://github.com/mattermost/mattermost/commit/9d81eee979aee93374bff8ba6714d805e12ffb03
+ - web: https://github.com/mattermost/mattermost/commit/b45c3dac4c160992a1ce757ade968e8f5ec506c1
+ - web: https://github.com/mattermost/mattermost/commit/bc699e6789cf3ba1544235087897699aaa639e7d
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-wj37-mpq9-xrcm
+ created: 2024-06-04T15:26:28.930861-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2799.yaml b/data/reports/GO-2024-2799.yaml
new file mode 100644
index 00000000..334ab1fd
--- /dev/null
+++ b/data/reports/GO-2024-2799.yaml
@@ -0,0 +1,17 @@
+id: GO-2024-2799
+modules:
+ - module: github.com/mcu-tools/mcuboot
+ unsupported_versions:
+ - version: affected at <= 1.11.0
+ type: cve_version_range
+ vulnerable_at: 1.10.0
+summary: MCUboot Injection attack of unprotected TLV values in github.com/mcu-tools/mcuboot
+cves:
+ - CVE-2024-32883
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32883
+ - web: https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j
+source:
+ id: CVE-2024-32883
+ created: 2024-06-04T15:26:24.569-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2808.yaml b/data/reports/GO-2024-2808.yaml
new file mode 100644
index 00000000..6e2f5f0e
--- /dev/null
+++ b/data/reports/GO-2024-2808.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-2808
+modules:
+ - module: github.com/firebase/firebase-tools
+ unsupported_versions:
+ - version: 'affected from 0 to 13.6.0 (default: unaffected)'
+ type: cve_version_range
+ vulnerable_at: 13.10.2+incompatible
+summary: CSRF in firebase-tools emulator suite in github.com/firebase/firebase-tools
+cves:
+ - CVE-2024-4128
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-4128
+ - fix: https://github.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0
+ - fix: https://github.com/firebase/firebase-tools/pull/6944
+source:
+ id: CVE-2024-4128
+ created: 2024-06-04T15:26:12.991483-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2809.yaml b/data/reports/GO-2024-2809.yaml
new file mode 100644
index 00000000..d4874afb
--- /dev/null
+++ b/data/reports/GO-2024-2809.yaml
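Review bot: In GO-2024-2808 the `vulnerable_at: 13.10.2+incompatible` line names a version outside the affected range the report itself records (`affected from 0 to 13.6.0`), so the version the tooling will probe as vulnerable is one the CVE data describes as unaffected. GO-2024-2875 has the same mismatch (`affected at <= 2.5.302` against `vulnerable_at: 2.5.303+incompatible`). Until the range is converted into a proper `versions:` entry with `introduced:`/`fixed:` during triage, `vulnerable_at` should point at a version inside the stated affected range, for example `vulnerable_at: 13.6.0+incompatible` here, and a reviewer note in the file would make clear that the `cve_version_range` strings are placeholders rather than verified ranges.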
@@ -0,0 +1,17 @@
+id: GO-2024-2809
+modules:
+ - module: github.com/carina-io/carina
+ vulnerable_at: 0.13.0
+summary: CVE-2024-32359 in github.com/carina-io/carina
+cves:
+ - CVE-2024-32359
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32359
+ - web: http://carina.com
+ - web: https://gist.github.com/HouqiyuA/568d9857dab4ddba6b8b6a791e90f906
+ - web: https://github.com/HouqiyuA/k8s-rbac-poc
+ - web: https://github.com/carina-io/carina
+source:
+ id: CVE-2024-32359
+ created: 2024-06-04T15:26:08.181182-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2875.yaml b/data/reports/GO-2024-2875.yaml
new file mode 100644
index 00000000..84600400
--- /dev/null
+++ b/data/reports/GO-2024-2875.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-2875
+modules:
+ - module: github.com/requarks/wiki
+ unsupported_versions:
+ - version: affected at <= 2.5.302
+ type: cve_version_range
+ vulnerable_at: 2.5.303+incompatible
+summary: Wiki.js Stored XSS through Client Side Template Injection in github.com/requarks/wiki
+cves:
+ - CVE-2024-34710
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-34710
+ - fix: https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac
+ - web: https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf
+source:
+ id: CVE-2024-34710
+ created: 2024-06-04T15:25:57.702499-04:00
+review_status: UNREVIEWED
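Review bot: GO-2024-2809 carries no version information at all and its summary merely restates the CVE id (`summary: CVE-2024-32359 in github.com/carina-io/carina`), so a reader of the database cannot tell what class of issue this is or which releases it touches; the other reports in this patch at least record a `cve_version_range` entry. The `http://carina.com` reference is plain HTTP and, on its face, does not obviously belong to the carina-io project, so it should be confirmed against the NVD entry before it ships as an `advisory`-adjacent link. A one-line reviewer comment above `summary:` noting that the summary and the version range are still to be filled in from the advisory would keep this from being mistaken for a finished record.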
