data/reports: add 26 unreviewed reports

- data/reports/GO-2024-2804.yaml - data/reports/GO-2024-2811.yaml - data/reports/GO-2024-2816.yaml - data/reports/GO-2024-2817.yaml - data/reports/GO-2024-2843.yaml - data/reports/GO-2024-2844.yaml - data/reports/GO-2024-2847.yaml - data/reports/GO-2024-2848.yaml - data/reports/GO-2024-2849.yaml - data/reports/GO-2024-2850.yaml - data/reports/GO-2024-2851.yaml - data/reports/GO-2024-2852.yaml - data/reports/GO-2024-2854.yaml - data/reports/GO-2024-2855.yaml - data/reports/GO-2024-2856.yaml - data/reports/GO-2024-2857.yaml - data/reports/GO-2024-2865.yaml - data/reports/GO-2024-2866.yaml - data/reports/GO-2024-2867.yaml - data/reports/GO-2024-2871.yaml - data/reports/GO-2024-2872.yaml - data/reports/GO-2024-2877.yaml - data/reports/GO-2024-2880.yaml - data/reports/GO-2024-2882.yaml - data/reports/GO-2024-2885.yaml - data/reports/GO-2024-2886.yaml Fixes #2804 Fixes #2811 Fixes #2816 Fixes #2817 Fixes #2843 Fixes #2844 Fixes #2847 Fixes #2848 Fixes #2849 Fixes #2850 Fixes #2851 Fixes #2852 Fixes #2854 Fixes #2855 Fixes #2856 Fixes #2857 Fixes #2865 Fixes #2866 Fixes #2867 Fixes #2871 Fixes #2872 Fixes #2877 Fixes #2880 Fixes #2882 Fixes #2885 Fixes #2886 Change-Id: Ia746865818b99c2d6bd37b287461693a53b892d8 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590277 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Damien Neil <[email protected]>
golang · Jun 5, 2024 · 69991d5 · 69991d5
1 parent 922b5d4
commit 69991d5
Show file tree

Hide file tree

Showing 52 changed files with 2,202 additions and 0 deletions.
diff --git a/data/osv/GO-2024-2804.json b/data/osv/GO-2024-2804.json
@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2804",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-32967",
+    "GHSA-q5qj-x2h5-3945"
+  ],
+  "summary": "Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel",
+  "details": "Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/zitadel/zitadel",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32967"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.49.5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2804",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2811.json b/data/osv/GO-2024-2811.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2811",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-33398",
+    "GHSA-6fg2-hvj9-832f"
+  ],
+  "summary": "piraeus-operator allows attacker to impersonate service account in github.com/piraeusdatastore/piraeus-operator/v2",
+  "details": "piraeus-operator allows attacker to impersonate service account in github.com/piraeusdatastore/piraeus-operator/v2",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/piraeusdatastore/piraeus-operator/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-6fg2-hvj9-832f"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33398"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/HouqiyuA/d0c11fae5ba4789946ae33175d0f9edb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HouqiyuA/k8s-rbac-poc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://piraeus.io"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2811",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2816.json b/data/osv/GO-2024-2816.json
@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2816",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-33394",
+    "GHSA-4q63-mr2m-57hf"
+  ],
+  "summary": "kubevirt allows a local attacker to execute arbitrary code via a crafted command in kubevirt.io/kubevirt",
+  "details": "kubevirt allows a local attacker to execute arbitrary code via a crafted command in kubevirt.io/kubevirt",
+  "affected": [
+    {
+      "package": {
+        "name": "kubevirt.io/kubevirt",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-4q63-mr2m-57hf"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33394"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/HouqiyuA/1b75e23ece7ad98490aec1c887bdf49b"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2816",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2817.json b/data/osv/GO-2024-2817.json
@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2817",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-33396",
+    "GHSA-wccg-v638-j9q2"
+  ],
+  "summary": "karmada vulnerable to arbitrary code execution via a crafted command in github.com/karmada-io/karmada",
+  "details": "karmada vulnerable to arbitrary code execution via a crafted command in github.com/karmada-io/karmada",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/karmada-io/karmada",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-wccg-v638-j9q2"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33396"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/HouqiyuA/2b56a893c06553013982836abb77ba50"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2817",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2843.json b/data/osv/GO-2024-2843.json
@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2843",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-39306",
+    "GHSA-2x6g-h2hg-rq84"
+  ],
+  "summary": "Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana",
+  "details": "Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/grafana/grafana",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39306"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20221215-0004"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2843",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2844.json b/data/osv/GO-2024-2844.json
@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2844",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-39307",
+    "GHSA-3p62-42x7-gxg5"
+  ],
+  "summary": "Grafana User enumeration via forget password in github.com/grafana/grafana",
+  "details": "Grafana User enumeration via forget password in github.com/grafana/grafana",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/grafana/grafana",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39307"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20221215-0004"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2844",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2847.json b/data/osv/GO-2024-2847.json
@@ -0,0 +1,53 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2847",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-35957",
+    "GHSA-ff5c-938w-8c9q"
+  ],
+  "summary": "Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana",
+  "details": "Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/grafana/grafana",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35957"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20221215-0001"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2847",
+    "review_status": "UNREVIEWED"
+  }
+}