diff --git a/data/osv/GO-2024-2731.json b/data/osv/GO-2024-2731.json
new file mode 100644
index 00000000..f2401004
--- /dev/null
+++ b/data/osv/GO-2024-2731.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2731",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-m99c-q26r-m7m7"
+ ],
+ "summary": "Evmos vulnerable to unauthorized account creation with vesting module in github.com/evmos/evmos/v13",
+ "details": "Evmos vulnerable to unauthorized account creation with vesting module in github.com/evmos/evmos/v13",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/evmos/evmos/v13",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/evmos/evmos/security/advisories/GHSA-m99c-q26r-m7m7"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2731",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2753.json b/data/osv/GO-2024-2753.json
new file mode 100644
index 00000000..07df4945
--- /dev/null
+++ b/data/osv/GO-2024-2753.json
@@ -0,0 +1,88 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2753",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2020-8557",
+ "GHSA-55qj-gj3x-jq9r"
+ ],
+ "summary": "Denial of service in Kubernetes in k8s.io/kubernetes",
+ "details": "Denial of service in Kubernetes in k8s.io/kubernetes",
+ "affected": [
+ {
+ "package": {
+ "name": "k8s.io/kubernetes",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.1.0"
+ },
+ {
+ "fixed": "1.16.13"
+ },
+ {
+ "introduced": "1.17.0"
+ },
+ {
+ "fixed": "1.17.9"
+ },
+ {
+ "introduced": "1.18.0"
+ },
+ {
+ "fixed": "1.18.6"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-55qj-gj3x-jq9r"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8557"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/commit/530f199b6e07cdaab32361e39709ac45f3fdc446"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/commit/68750fefd3df76b7b008ef7b18e8acd18d5c2f2e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/commit/7fd849cffa2f93061fbcb0a6ae4efd0539b1e981"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/issues/93032"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/92921"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20200821-0002"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2753",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2768.json b/data/osv/GO-2024-2768.json
new file mode 100644
index 00000000..01f5122c
--- /dev/null
+++ b/data/osv/GO-2024-2768.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2768",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-25318",
+ "GHSA-f9xf-jq4j-vqw4"
+ ],
+ "summary": "Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher",
+ "details": "Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/rancher/rancher",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-f9xf-jq4j-vqw4"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25318"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/rancher/rancher/issues/33590"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.suse.com/show_bug.cgi?id=1184913"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2768",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2778.json b/data/osv/GO-2024-2778.json
new file mode 100644
index 00000000..bde21606
--- /dev/null
+++ b/data/osv/GO-2024-2778.json
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2778",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-31999",
+ "GHSA-pvxj-25m6-7vqr"
+ ],
+ "summary": "Rancher Privilege escalation vulnerability via malicious \"Connection\" header in github.com/rancher/rancher",
+ "details": "Rancher Privilege escalation vulnerability via malicious \"Connection\" header in github.com/rancher/rancher",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/rancher/rancher",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-pvxj-25m6-7vqr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31999"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.suse.com/show_bug.cgi?id=1187084"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2778",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2780.json b/data/osv/GO-2024-2780.json
new file mode 100644
index 00000000..b56f41e4
--- /dev/null
+++ b/data/osv/GO-2024-2780.json
@@ -0,0 +1,74 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2780",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2019-11245",
+ "GHSA-r76g-g87f-vw8f"
+ ],
+ "summary": "Kubelet Incorrect Privilege Assignment in k8s.io/kubernetes",
+ "details": "Kubelet Incorrect Privilege Assignment in k8s.io/kubernetes",
+ "affected": [
+ {
+ "package": {
+ "name": "k8s.io/kubernetes",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.13.0"
+ },
+ {
+ "fixed": "1.13.7"
+ },
+ {
+ "introduced": "1.14.0"
+ },
+ {
+ "fixed": "1.14.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-r76g-g87f-vw8f"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11245"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1715726"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/issues/78308"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/76665"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/76665/commits/26e3c8674e66f0d10170d34f5445f0aed207387f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20190919-0003"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2780",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2784.json b/data/osv/GO-2024-2784.json
new file mode 100644
index 00000000..b534aab1
--- /dev/null
+++ b/data/osv/GO-2024-2784.json
@@ -0,0 +1,86 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2784",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2019-11202",
+ "GHSA-xh8x-j8h3-m5ph"
+ ],
+ "summary": "Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher",
+ "details": "Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/rancher/rancher",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/rancher/rancher",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.1.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/rancher/rancher",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.2.0+incompatible"
+ },
+ {
+ "fixed": "2.2.2+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-xh8x-j8h3-m5ph"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11202"
+ },
+ {
+ "type": "WEB",
+ "url": "https://forums.rancher.com/t/rancher-release-v2-2-2-addresses-rancher-cve-2019-11202-and-stability-issues/13977"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2784",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2801.json b/data/osv/GO-2024-2801.json
new file mode 100644
index 00000000..64b1822e
--- /dev/null
+++ b/data/osv/GO-2024-2801.json
@@ -0,0 +1,82 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2801",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-33522"
+ ],
+ "summary": "Privilege escalation in Calico CNI install binary in github.com/projectcalico/calico",
+ "details": "Privilege escalation in Calico CNI install binary in github.com/projectcalico/calico",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/projectcalico/calico",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.17.4+incompatible"
+ },
+ {
+ "introduced": "3.18.0+incompatible"
+ },
+ {
+ "fixed": "3.18.2+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33522"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/projectcalico/calico/pull/8447"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/projectcalico/calico/pull/8517"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/projectcalico/calico/issues/7981"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tigera.io/security-bulletins-tta-2024-001/"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Christopher Alonso (Github: @latortuga71)"
+ },
+ {
+ "name": "Anthony Tam"
+ },
+ {
+ "name": "Behnam Shobiri"
+ },
+ {
+ "name": "Pedro Coutinho"
+ },
+ {
+ "name": "Matt Dupre"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2801",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2815.json b/data/osv/GO-2024-2815.json
new file mode 100644
index 00000000..12ef9ed6
--- /dev/null
+++ b/data/osv/GO-2024-2815.json
@@ -0,0 +1,59 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2815",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-34068",
+ "GHSA-qq22-jj8x-4wwv"
+ ],
+ "related": [
+ "GHSA-6rg3-8h8x-5xfv"
+ ],
+ "summary": "Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull in github.com/pterodactyl/wings",
+ "details": "Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull in github.com/pterodactyl/wings",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/pterodactyl/wings",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.11.12"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-qq22-jj8x-4wwv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34068"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/pterodactyl/wings/commit/c152e36101aba45d8868a9a0eeb890995e8934b8"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2815",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2858.json b/data/osv/GO-2024-2858.json
new file mode 100644
index 00000000..d45627b4
--- /dev/null
+++ b/data/osv/GO-2024-2858.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2858",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-39201",
+ "GHSA-x744-mm8v-vpgr"
+ ],
+ "summary": "Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana",
+ "details": "Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/grafana/grafana",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "5.0.0-beta1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39201"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2858",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2731.yaml b/data/reports/GO-2024-2731.yaml
new file mode 100644
index 00000000..ed72b5fa
--- /dev/null
+++ b/data/reports/GO-2024-2731.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-2731
+modules:
+ - module: github.com/evmos/evmos/v13
+ unsupported_versions:
+ - version: 13.0.2
+ type: last_affected
+ vulnerable_at: 13.0.2
+summary: Evmos vulnerable to unauthorized account creation with vesting module in github.com/evmos/evmos/v13
+ghsas:
+ - GHSA-m99c-q26r-m7m7
+references:
+ - advisory: https://github.com/evmos/evmos/security/advisories/GHSA-m99c-q26r-m7m7
+notes:
+ - create failed to de-duplicate module info; this was done manually
+source:
+ id: GHSA-m99c-q26r-m7m7
+ created: 2024-06-07T11:18:32.691578-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2753.yaml b/data/reports/GO-2024-2753.yaml
new file mode 100644
index 00000000..d73949c4
--- /dev/null
+++ b/data/reports/GO-2024-2753.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2753
+modules:
+ - module: k8s.io/kubernetes
+ versions:
+ - introduced: 1.1.0
+ fixed: 1.16.13
+ - introduced: 1.17.0
+ fixed: 1.17.9
+ - introduced: 1.18.0
+ fixed: 1.18.6
+ vulnerable_at: 1.18.6-rc.0
+summary: Denial of service in Kubernetes in k8s.io/kubernetes
+cves:
+ - CVE-2020-8557
+ghsas:
+ - GHSA-55qj-gj3x-jq9r
+references:
+ - advisory: https://github.com/advisories/GHSA-55qj-gj3x-jq9r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-8557
+ - web: https://github.com/kubernetes/kubernetes/commit/530f199b6e07cdaab32361e39709ac45f3fdc446
+ - web: https://github.com/kubernetes/kubernetes/commit/68750fefd3df76b7b008ef7b18e8acd18d5c2f2e
+ - web: https://github.com/kubernetes/kubernetes/commit/7fd849cffa2f93061fbcb0a6ae4efd0539b1e981
+ - web: https://github.com/kubernetes/kubernetes/issues/93032
+ - web: https://github.com/kubernetes/kubernetes/pull/92921
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ
+ - web: https://security.netapp.com/advisory/ntap-20200821-0002
+source:
+ id: GHSA-55qj-gj3x-jq9r
+ created: 2024-06-07T11:23:44.913991-04:00
+review_status: UNREVIEWED
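Review bot: The only upper bound on the affected range in GO-2024-2731 is `last_affected: 13.0.2`, and it sits under `unsupported_versions`, which the generated OSV entry earlier in this diff does not carry, so the published range is `introduced: 0` with no `fixed` and every github.com/evmos/evmos/v13 version, including any later patched tag, is reported as vulnerable. The same pattern appears in GO-2024-2784 further down this diff, where the first two github.com/rancher/rancher entries are bounded only by `last_affected` values and therefore emit open-ended ranges that also cover the 2.2.2+incompatible and later releases the third entry marks as fixed. Since the `unsupported_versions` bucket indicates the report format has no way to express `last_affected`, the limitation should at least be stated in the notes, e.g. `- last_affected 13.0.2 cannot be expressed; all versions are reported as affected until a fixed version is confirmed`. If a fixed version exists for the v13 module path, recording it as `fixed` would close the range.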
diff --git a/data/reports/GO-2024-2768.yaml b/data/reports/GO-2024-2768.yaml
new file mode 100644
index 00000000..b2e4eb19
--- /dev/null
+++ b/data/reports/GO-2024-2768.yaml
@@ -0,0 +1,27 @@
+id: GO-2024-2768
+modules:
+ - module: github.com/rancher/rancher
+ versions:
+ - introduced: 2.0.0+incompatible
+ non_go_versions:
+ - fixed: 2.4.16
+ - introduced: 2.5.0
+ fixed: 2.5.9
+summary: |-
+ Rancher does not properly specify ApiGroup when creating Kubernetes RBAC
+ resources in github.com/rancher/rancher
+cves:
+ - CVE-2021-25318
+ghsas:
+ - GHSA-f9xf-jq4j-vqw4
+references:
+ - advisory: https://github.com/advisories/GHSA-f9xf-jq4j-vqw4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-25318
+ - report: https://github.com/rancher/rancher/issues/33590
+ - web: https://bugzilla.suse.com/show_bug.cgi?id=1184913
+notes:
+ - non_go_versions specified manually
+source:
+ id: GHSA-f9xf-jq4j-vqw4
+ created: 2024-06-06T16:14:13.300683-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2778.yaml b/data/reports/GO-2024-2778.yaml
new file mode 100644
index 00000000..fc2e199e
--- /dev/null
+++ b/data/reports/GO-2024-2778.yaml
@@ -0,0 +1,26 @@
+id: GO-2024-2778
+modules:
+ - module: github.com/rancher/rancher
+ versions:
+ - introduced: 2.0.0+incompatible
+ non_go_versions:
+ - fixed: 2.4.16
+ - introduced: 2.5.0
+ fixed: 2.5.9
+summary: |-
+ Rancher Privilege escalation vulnerability via malicious "Connection" header in
+ github.com/rancher/rancher
+cves:
+ - CVE-2021-31999
+ghsas:
+ - GHSA-pvxj-25m6-7vqr
+references:
+ - advisory: https://github.com/advisories/GHSA-pvxj-25m6-7vqr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-31999
+ - web: https://bugzilla.suse.com/show_bug.cgi?id=1187084
+notes:
+ - non_go_versions specified manually
+source:
+ id: GHSA-pvxj-25m6-7vqr
+ created: 2024-06-06T16:13:51.169334-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2780.yaml b/data/reports/GO-2024-2780.yaml
new file mode 100644
index 00000000..50cb08e1
--- /dev/null
+++ b/data/reports/GO-2024-2780.yaml
@@ -0,0 +1,26 @@
+id: GO-2024-2780
+modules:
+ - module: k8s.io/kubernetes
+ versions:
+ - introduced: 1.13.0
+ fixed: 1.13.7
+ - introduced: 1.14.0
+ fixed: 1.14.3
+ vulnerable_at: 1.14.3-beta.0
+summary: Kubelet Incorrect Privilege Assignment in k8s.io/kubernetes
+cves:
+ - CVE-2019-11245
+ghsas:
+ - GHSA-r76g-g87f-vw8f
+references:
+ - advisory: https://github.com/advisories/GHSA-r76g-g87f-vw8f
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-11245
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=1715726
+ - web: https://github.com/kubernetes/kubernetes/issues/78308
+ - web: https://github.com/kubernetes/kubernetes/pull/76665
+ - web: https://github.com/kubernetes/kubernetes/pull/76665/commits/26e3c8674e66f0d10170d34f5445f0aed207387f
+ - web: https://security.netapp.com/advisory/ntap-20190919-0003
+source:
+ id: GHSA-r76g-g87f-vw8f
+ created: 2024-06-07T11:26:55.945196-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2784.yaml b/data/reports/GO-2024-2784.yaml
new file mode 100644
index 00000000..a3a73d24
--- /dev/null
+++ b/data/reports/GO-2024-2784.yaml
@@ -0,0 +1,37 @@
+id: GO-2024-2784
+modules:
+ - module: github.com/rancher/rancher
+ versions:
+ - introduced: 2.0.0+incompatible
+ unsupported_versions:
+ - version: 2.0.13
+ type: last_affected
+ - module: github.com/rancher/rancher
+ versions:
+ - introduced: 2.1.0+incompatible
+ unsupported_versions:
+ - version: 2.1.8
+ type: last_affected
+ - module: github.com/rancher/rancher
+ versions:
+ - introduced: 2.2.0+incompatible
+ fixed: 2.2.2+incompatible
+ vulnerable_at: 2.2.2-rc9+incompatible
+summary: |-
+ Rancher Recreates Default User With Known Password Despite Deletion in
+ github.com/rancher/rancher
+cves:
+ - CVE-2019-11202
+ghsas:
+ - GHSA-xh8x-j8h3-m5ph
+references:
+ - advisory: https://github.com/advisories/GHSA-xh8x-j8h3-m5ph
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-11202
+ - web: https://forums.rancher.com/t/rancher-release-v2-2-2-addresses-rancher-cve-2019-11202-and-stability-issues/13977
+notes:
+ - manually removed vulnerable_at which could not be correctly computed
+ - fix: 'module merge error: could not merge versions of module github.com/rancher/rancher: introduced and fixed versions must alternate'
+source:
+ id: GHSA-xh8x-j8h3-m5ph
+ created: 2024-06-06T16:13:02.634565-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2801.yaml b/data/reports/GO-2024-2801.yaml
new file mode 100644
index 00000000..f75ecc6d
--- /dev/null
+++ b/data/reports/GO-2024-2801.yaml
@@ -0,0 +1,36 @@
+id: GO-2024-2801
+modules:
+ - module: github.com/projectcalico/calico
+ versions:
+ - fixed: 3.17.4+incompatible
+ - introduced: 3.18.0+incompatible
+ fixed: 3.18.2+incompatible
+ non_go_versions:
+ - introduced: 3.19.0-1.0
+ fixed: 3.19.0-2.0
+ unsupported_versions:
+ - version: 'unaffected at v3.28.0 (default: unaffected)'
+ type: cve_version_range
+summary: |-
+ Privilege escalation in Calico CNI install binary in
+ github.com/projectcalico/calico
+cves:
+ - CVE-2024-33522
+credits:
+ - 'Christopher Alonso (Github: @latortuga71)'
+ - Anthony Tam
+ - Behnam Shobiri
+ - Pedro Coutinho
+ - Matt Dupre
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-33522
+ - fix: https://github.com/projectcalico/calico/pull/8447
+ - fix: https://github.com/projectcalico/calico/pull/8517
+ - report: https://github.com/projectcalico/calico/issues/7981
+ - web: https://www.tigera.io/security-bulletins-tta-2024-001/
+notes:
+ - non_go_versions specified manually
+source:
+ id: CVE-2024-33522
+ created: 2024-06-06T16:12:54.919781-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2815.yaml b/data/reports/GO-2024-2815.yaml
new file mode 100644
index 00000000..a036c285
--- /dev/null
+++ b/data/reports/GO-2024-2815.yaml
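Review bot: The Go `versions` ranges for github.com/projectcalico/calico end at `fixed: 3.17.4+incompatible` and `fixed: 3.18.2+incompatible`, yet the same module entry records a `non_go_versions` fix at 3.19.0-2.0 and a CVE range of `unaffected at v3.28.0`, so as emitted every module tag from 3.18.2+incompatible upward is reported as not vulnerable. The fix references are two pull requests against this repository, which suggests the patched open-source tags may be far later than 3.18.2; if the CVE's 3.17.x/3.18.x numbers describe a differently versioned product line rather than this module's tags, the Go range is a false negative for the versions those PRs actually fixed. This is worth confirming against the Tigera bulletin before the report leaves UNREVIEWED status, and until then a note such as `- Go version ranges taken from the CVE record; confirm they correspond to github.com/projectcalico/calico tags` would flag the uncertainty for the next reviewer.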
@@ -0,0 +1,26 @@
+id: GO-2024-2815
+modules:
+ - module: github.com/pterodactyl/wings
+ versions:
+ - fixed: 1.11.12
+ vulnerable_at: 1.11.11
+summary: |-
+ Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file
+ pull in github.com/pterodactyl/wings
+cves:
+ - CVE-2024-34068
+ghsas:
+ - GHSA-qq22-jj8x-4wwv
+related:
+ - GHSA-6rg3-8h8x-5xfv
+references:
+ - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-qq22-jj8x-4wwv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-34068
+ - fix: https://github.com/pterodactyl/wings/commit/c152e36101aba45d8868a9a0eeb890995e8934b8
+ - web: https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv
+notes:
+ - manually moved GHSA-6rg3-8h8x-5xfv to related section
+source:
+ id: GHSA-qq22-jj8x-4wwv
+ created: 2024-06-06T16:12:49.051564-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2858.yaml b/data/reports/GO-2024-2858.yaml
new file mode 100644
index 00000000..00f3c17e
--- /dev/null
+++ b/data/reports/GO-2024-2858.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2858
+modules:
+ - module: github.com/grafana/grafana
+ versions:
+ - introduced: 5.0.0-beta1+incompatible
+ non_go_versions:
+ - fixed: 8.5.14
+ - introduced: 9.0.0
+ fixed: 9.1.8
+summary: |-
+ Grafana Data source and plugin proxy endpoints could leak the authentication
+ cookie to some destination plugins in github.com/grafana/grafana
+cves:
+ - CVE-2022-39201
+ghsas:
+ - GHSA-x744-mm8v-vpgr
+unknown_aliases:
+ - BIT-grafana-2022-39201
+references:
+ - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39201
+ - fix: https://github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57
+ - fix: https://github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9
+ - web: https://github.com/grafana/grafana/releases/tag/v9.1.8
+notes:
+ - non_go_versions specified manually
+source:
+ id: GHSA-x744-mm8v-vpgr
+ created: 2024-06-06T16:12:42.067791-04:00
+review_status: UNREVIEWED