diff --git a/data/osv/GO-2024-2804.json b/data/osv/GO-2024-2804.json new file mode 100644 index 00000000..e503e19f --- /dev/null +++ b/data/osv/GO-2024-2804.json @@ -0,0 +1,73 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2804", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-32967", + "GHSA-q5qj-x2h5-3945" + ], + "summary": "Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel", + "details": "Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel", + "affected": [ + { + "package": { + "name": "github.com/zitadel/zitadel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32967" + }, + { + "type": "FIX", + "url": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.7" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.7" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.49.5" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2804", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2811.json b/data/osv/GO-2024-2811.json new file mode 100644 index 00000000..1be62bd8 
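Review bot: The `ranges` block for github.com/zitadel/zitadel carries only `{"introduced": "0"}`, yet the references list a FIX commit and six release tags (v2.45.7, v2.46.7, v2.47.10, v2.48.5, v2.49.5, v2.50.3) that look like the patched releases of each maintained branch; with no `fixed` events every version, including those releases, is reported as vulnerable. If those tags are the fixes, the range should be split per branch, e.g. `{"introduced": "0"}, {"fixed": "2.45.7"}, {"introduced": "2.46.0"}, {"fixed": "2.46.7"}` and so on through 2.50.3, which is the per-branch form the argo-cd entry in this same change already uses. `details` is a verbatim copy of `summary`, so a consumer gets nothing beyond the title; once reviewed, the advisory's explanation of which endpoint or error message exposes the database user name and host belongs there.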
--- /dev/null +++ b/data/osv/GO-2024-2811.json @@ -0,0 +1,57 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2811", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-33398", + "GHSA-6fg2-hvj9-832f" + ], + "summary": "piraeus-operator allows attacker to impersonate service account in github.com/piraeusdatastore/piraeus-operator/v2", + "details": "piraeus-operator allows attacker to impersonate service account in github.com/piraeusdatastore/piraeus-operator/v2", + "affected": [ + { + "package": { + "name": "github.com/piraeusdatastore/piraeus-operator/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-6fg2-hvj9-832f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33398" + }, + { + "type": "WEB", + "url": "https://gist.github.com/HouqiyuA/d0c11fae5ba4789946ae33175d0f9edb" + }, + { + "type": "WEB", + "url": "https://github.com/HouqiyuA/k8s-rbac-poc" + }, + { + "type": "WEB", + "url": "https://piraeus.io" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2811", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2816.json b/data/osv/GO-2024-2816.json new file mode 100644 index 00000000..aed0062a --- /dev/null +++ b/data/osv/GO-2024-2816.json 
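Review bot: The only technical references for this entry are a third-party gist and a proof-of-concept repository (`gist.github.com/HouqiyuA/...`, `github.com/HouqiyuA/k8s-rbac-poc`); there is no vendor advisory, no FIX reference and no `fixed` event, so the entry cannot tell a consumer whether any release of github.com/piraeusdatastore/piraeus-operator/v2 is safe. The summary describes service-account impersonation, which from the PoC repository name appears to be a Kubernetes RBAC issue in the operator's deployed manifests rather than in an importable Go API, so the module-level match will fire for anyone importing the module regardless of how they deploy it. Before this leaves UNREVIEWED, the upstream response should be confirmed and recorded, and if the weakness is confined to RBAC manifests `details` should say so, e.g. `"details": "... The issue is in the operator's RBAC configuration; importing the module does not by itself expose the vulnerable behaviour."`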
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2816", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-33394", + "GHSA-4q63-mr2m-57hf" + ], + "summary": "kubevirt allows a local attacker to execute arbitrary code via a crafted command in kubevirt.io/kubevirt", + "details": "kubevirt allows a local attacker to execute arbitrary code via a crafted command in kubevirt.io/kubevirt", + "affected": [ + { + "package": { + "name": "kubevirt.io/kubevirt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-4q63-mr2m-57hf" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33394" + }, + { + "type": "WEB", + "url": "https://gist.github.com/HouqiyuA/1b75e23ece7ad98490aec1c887bdf49b" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2816", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2817.json b/data/osv/GO-2024-2817.json new file mode 100644 index 00000000..bbb806ca --- /dev/null +++ b/data/osv/GO-2024-2817.json 
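Review bot: `details` is a copy of `summary`, and the summary itself ("execute arbitrary code via a crafted command") does not identify the kubevirt.io/kubevirt component or entry point involved, which leaves nothing to triage against; the single non-advisory reference is a third-party gist. With `{"introduced": "0"}` and no `fixed` event every kubevirt version is flagged indefinitely, and nothing in the references indicates that a fix exists. The placeholder timestamps (`"modified": "0001-01-01T00:00:00Z"`, likewise `published`) are presumably overwritten by the publishing tooling; if they are not, this entry will sort as the oldest in the database. I would hold this at UNREVIEWED until the affected component and the upstream disposition are known and written into `details`.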
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2817", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-33396", + "GHSA-wccg-v638-j9q2" + ], + "summary": "karmada vulnerable to arbitrary code execution via a crafted command in github.com/karmada-io/karmada", + "details": "karmada vulnerable to arbitrary code execution via a crafted command in github.com/karmada-io/karmada", + "affected": [ + { + "package": { + "name": "github.com/karmada-io/karmada", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-wccg-v638-j9q2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33396" + }, + { + "type": "WEB", + "url": "https://gist.github.com/HouqiyuA/2b56a893c06553013982836abb77ba50" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2817", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2843.json b/data/osv/GO-2024-2843.json new file mode 100644 index 00000000..1adc2faf --- /dev/null +++ b/data/osv/GO-2024-2843.json 
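Review bot: This entry has the same shape as the kubevirt and piraeus-operator entries in this change — the same reporter's gist as the only technical reference, no fix reference, no `fixed` event — so the three should be reviewed together rather than independently, with any upstream acceptance or dispute recorded consistently across them. The `summary` says "arbitrary code execution via a crafted command" for github.com/karmada-io/karmada without naming a component, and `details` repeats it verbatim. Until the vulnerable code path is identified, `ecosystem_specific` cannot carry the `imports`/`symbols` information govulncheck uses to suppress findings in callers that never reach the affected code, so every importer of the module sees this as a module-level hit.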
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2843", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-39306", + "GHSA-2x6g-h2hg-rq84" + ], + "summary": "Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana", + "details": "Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39306" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20221215-0004" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2843", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2844.json b/data/osv/GO-2024-2844.json new file mode 100644 index 00000000..a28e3abf --- /dev/null +++ b/data/osv/GO-2024-2844.json 
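Review bot: This is a 2022 CVE being added with an open `{"introduced": "0"}` range and no `fixed` event; the linked GHSA should state the patched releases, so leaving the range unbounded means every github.com/grafana/grafana version, including two-year-old fixes, is reported as affected. Grafana tags releases as v8.x/v9.x without a `/v8` or `/v9` major suffix on the module path, so if consumers pull it by pseudo-version the `fixed` event may need to be the pseudo-version of the fix commit rather than a bare tag — worth confirming against how the module proxy resolves it. `details` duplicates `summary`; the advisory's explanation of why the email/username fields cannot be trusted, and in which authentication flow, is what a reader needs here.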
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2844", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-39307", + "GHSA-3p62-42x7-gxg5" + ], + "summary": "Grafana User enumeration via forget password in github.com/grafana/grafana", + "details": "Grafana User enumeration via forget password in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39307" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20221215-0004" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2844", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2847.json b/data/osv/GO-2024-2847.json new file mode 100644 index 00000000..d1eb575e --- /dev/null +++ b/data/osv/GO-2024-2847.json 
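Review bot: The summary reads "User enumeration via forget password"; that wording is carried over from the upstream advisory title, but `details` should spell out the mechanism — presumably a response that differs on the forgot-password endpoint depending on whether the user exists — rather than repeating the title, since that is what a reviewer needs to decide whether an instance with that endpoint disabled is exposed. As with the neighbouring grafana entries the range is `{"introduced": "0"}` with no `fixed`, so every version is flagged; the patched releases should be taken from the GHSA and added as per-branch `{"fixed": ...}` events. The NetApp reference (`ntap-20221215-0004`) is the same downstream notice cited for CVE-2022-39306; it is fine as context but is not a substitute for a FIX reference.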
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2847", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-35957", + "GHSA-ff5c-938w-8c9q" + ], + "summary": "Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana", + "details": "Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35957" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20221215-0001" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2847", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2848.json b/data/osv/GO-2024-2848.json new file mode 100644 index 00000000..8853cff6 --- /dev/null +++ b/data/osv/GO-2024-2848.json 
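Review bot: The vulnerability is conditional on a deployment setting — the summary says "when auth proxy is used" — but `details` only repeats the summary, so the precondition that lets an operator rule the finding out (auth proxy disabled) is not stated in a form a reader or tooling can rely on. I would expand `details` to say that instances not using the auth proxy are not affected and what the escalation is (the title suggests organisation admin to server admin; confirm against the GHSA). The range is again open with no `fixed` event despite a 2022 fix; the Fedora package-announce reference indicates distro packages were patched, a further hint that a fixed version exists and should be recorded.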
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2848", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-39229", + "GHSA-gj7m-853r-289r" + ], + "summary": "Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana", + "details": "Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39229" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/commit/5644758f0c5ae9955a4e5480d71f9bef57fdce35" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/releases/tag/v9.1.8" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2848", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2849.json b/data/osv/GO-2024-2849.json new file mode 100644 index 00000000..1c83b518 --- /dev/null +++ b/data/osv/GO-2024-2849.json 
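Review bot: A FIX commit (`5644758f…`) and the release tag v9.1.8 are listed, yet `ranges` stops at `{"introduced": "0"}`; if v9.1.8 is the fixed release the entry should carry `{"fixed": "9.1.8"}` so versions at or above it stop being reported. Because github.com/grafana/grafana is tagged v9.x without a `/v9` path suffix, check how the module is actually versioned on the proxy before choosing between the tag and the pseudo-version of the fix commit — an unresolvable `fixed` version is worse than none. The summary's "can block other users from signing in in github.com/grafana/grafana" is awkward as a title and opaque as `details`; one sentence on the condition (presumably an email address colliding with another user's username) and the effect (denial of login for that user) is what belongs there.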
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2849", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-26312", + "GHSA-hf54-fq2m-p9v6" + ], + "summary": "dotmesh arbitrary file read and/or write in github.com/dotmesh-io/dotmesh", + "details": "dotmesh arbitrary file read and/or write in github.com/dotmesh-io/dotmesh", + "affected": [ + { + "package": { + "name": "github.com/dotmesh-io/dotmesh", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-hf54-fq2m-p9v6" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26312" + }, + { + "type": "ADVISORY", + "url": "https://securitylab.github.com/advisories/GHSL-2020-254-zipslip-dotmesh" + }, + { + "type": "WEB", + "url": "https://github.com/dotmesh-io/dotmesh/blob/master/pkg/archiver/tar.go#L255" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2849", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2850.json b/data/osv/GO-2024-2850.json new file mode 100644 index 00000000..8693f13f --- /dev/null +++ b/data/osv/GO-2024-2850.json 
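Review bot: The reference `https://github.com/dotmesh-io/dotmesh/blob/master/pkg/archiver/tar.go#L255` points at a moving branch, so the line anchor will silently drift or vanish; it should be a commit-pinned permalink (`blob/<sha>/pkg/archiver/tar.go#L255`). That same URL already identifies the affected package, so `ecosystem_specific` could carry `{"imports": [{"path": "github.com/dotmesh-io/dotmesh/pkg/archiver"}]}` and let govulncheck scope the finding to callers of the archiver rather than every importer of the module. The GHSL advisory slug ("zipslip-dotmesh") indicates an archive path-traversal during tar extraction; `details` should say so and, since there is no FIX reference and no `fixed` event for a 2020 CVE, state whether the issue was ever fixed upstream.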
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2850", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-32026", + "GHSA-jj54-5q2m-q7pj" + ], + "summary": "NATS server TLS missing ciphersuite settings when CLI flags used in github.com/nats-io/nats-server/v2", + "details": "NATS server TLS missing ciphersuite settings when CLI flags used in github.com/nats-io/nats-server/v2", + "affected": [ + { + "package": { + "name": "github.com/nats-io/nats-server/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-jj54-5q2m-q7pj" + }, + { + "type": "WEB", + "url": "https://advisories.nats.io" + }, + { + "type": "WEB", + "url": "https://advisories.nats.io/CVE/CVE-2021-32026.txt" + }, + { + "type": "WEB", + "url": "https://github.com/nats-io/nats-server/commit/ffccc2e1bd7aa2466bd9e631e976bfd7ca46f225" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2850", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2851.json b/data/osv/GO-2024-2851.json new file mode 100644 index 00000000..308e5291 --- /dev/null +++ b/data/osv/GO-2024-2851.json 
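Review bot: The nats-server commit `ffccc2e1…` is typed `WEB` although it appears to be the fix that `"fixed": "2.2.3"` refers to; it should be `"type": "FIX"` so tooling that surfaces fix commits picks it up. The entry has a CVE alias but no `https://nvd.nist.gov/vuln/detail/CVE-2021-32026` reference, unlike every other CVE-bearing entry in this change; add it for consistency. `details` duplicates `summary`, and for this bug the useful fact is the trigger condition — cipher-suite settings not applied when TLS is configured through CLI flags rather than the config file — which operators need in order to know whether their deployment was ever affected.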
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2851", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31130", + "GHSA-jv32-5578-pxjc" + ], + "summary": "Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana", + "details": "Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31130" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/releases/tag/v9.1.8" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2851", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2852.json b/data/osv/GO-2024-2852.json new file mode 100644 index 00000000..7ce4db95 --- /dev/null +++ b/data/osv/GO-2024-2852.json 
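Review bot: Two FIX commits (`4dd56e4d…`, `9da278c0…`) and the v9.1.8 tag are listed, which usually means one fix per maintained branch, but `ranges` has no `fixed` event at all, so versions carrying either fix are still reported. Each branch that received a fix should get its own `{"introduced": ...}, {"fixed": ...}` pair, with 9.1.8 as the fixed version for the 9.1 line if that is what the tag denotes. Given the impact — authentication tokens leaked to destination plugins through the data-source and plugin proxy endpoints — `details` should say which token is exposed so affected operators know what to rotate; the summary alone does not.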
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2852", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31107", + "GHSA-mx47-6497-3fv2" + ], + "summary": "Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana", + "details": "Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31107" + }, + { + "type": "WEB", + "url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10" + }, + { + "type": "WEB", + "url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9" + }, + { + "type": "WEB", + "url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220901-0010" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2852", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2854.json b/data/osv/GO-2024-2854.json new file mode 100644 index 00000000..efd069dd --- /dev/null +++ b/data/osv/GO-2024-2854.json 
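Review bot: The three release-notes references (8.4.10, 8.5.9, 9.0.3) name what appear to be the patched releases, yet `ranges` is a single open `{"introduced": "0"}` with no `fixed` event; an account-takeover bug that reports as unfixed on every version is exactly the kind of entry that trains users to ignore govulncheck output. The range should become per-branch events, e.g. `{"introduced": "0"}, {"fixed": "8.4.10"}, {"introduced": "8.5.0"}, {"fixed": "8.5.9"}, {"introduced": "9.0.0"}, {"fixed": "9.0.3"}`, after confirming the branch boundaries against the advisory. No FIX commit is referenced; the GHSA or the release notes should yield one.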
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2854", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-36062", + "GHSA-p978-56hq-r492" + ], + "summary": "Grafana folders admin only permission privilege escalation in github.com/grafana/grafana", + "details": "Grafana folders admin only permission privilege escalation in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36062" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20221215-0001" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2854", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2855.json b/data/osv/GO-2024-2855.json new file mode 100644 index 00000000..2354433e --- /dev/null +++ b/data/osv/GO-2024-2855.json 
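Review bot: "folders admin only permission privilege escalation" is opaque as both `summary` and `details`; it reads as a compressed title and gives no indication of who can escalate to what (presumably a user with admin permission on a folder gaining rights beyond it, but the GHSA needs to confirm that). `details` should be a sentence stating the precondition and the privilege gained, e.g. `"details": "A user granted admin permission on a folder could ... "` filled in from the advisory. The range has no `fixed` event and the references carry no fix commit or release tag, so as written the entry marks every github.com/grafana/grafana version affected with no remediation path.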
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2855", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31123", + "GHSA-rhxj-gh46-jvw8" + ], + "summary": "Grafana Plugin signature bypass in github.com/grafana/grafana", + "details": "Grafana Plugin signature bypass in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31123" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/releases/tag/v9.1.8" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20221124-0002" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2855", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2856.json b/data/osv/GO-2024-2856.json new file mode 100644 index 00000000..8c16ae56 --- /dev/null +++ b/data/osv/GO-2024-2856.json 
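Review bot: A plugin signature bypass is a supply-chain control failure — it lets unsigned or tampered plugins load as if verified — and that is worth stating in `details` instead of echoing the title, together with whether the bypass needs write access to the plugin directory or is reachable remotely, which determines how urgent it is for an operator. The v9.1.8 release tag is referenced, so `{"fixed": "9.1.8"}` (or its pseudo-version equivalent, given grafana's un-suffixed v9 tagging) is available and should be in `ranges`; as written every version is reported. There is no FIX commit reference; the tag or the GHSA should give one.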
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2856", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-39328", + "GHSA-vqc4-mpj8-jxch" + ], + "summary": "Grafana Race condition allowing privilege escalation in github.com/grafana/grafana", + "details": "Grafana Race condition allowing privilege escalation in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39328" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20221215-0003" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2856", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2857.json b/data/osv/GO-2024-2857.json new file mode 100644 index 00000000..ae875df6 --- /dev/null +++ b/data/osv/GO-2024-2857.json 
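Review bot: The only non-advisory reference is a NetApp downstream notice; there is no fix commit, no release tag and no `fixed` event, so the entry says nothing about where the race is or whether it was closed. For a race-condition privilege escalation the triage-relevant facts are which handler is involved and whether the window is reachable without authentication; `details` should carry that from the GHSA rather than repeating the summary. The zeroed `modified`/`published` timestamps are presumably placeholders the publishing step overwrites; if the vulndb tooling does not, they need real values before this lands.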
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2857", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31097", + "GHSA-vw7q-p2qg-4m5f" + ], + "summary": "Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana", + "details": "Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31097" + }, + { + "type": "WEB", + "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9" + }, + { + "type": "WEB", + "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3" + }, + { + "type": "WEB", + "url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220901-0010" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2857", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2865.json b/data/osv/GO-2024-2865.json new file mode 100644 index 00000000..7706fb6a --- /dev/null +++ b/data/osv/GO-2024-2865.json 
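Review bot: The release-notes references are inconsistent: 8-5-9 and 9-0-3 use `grafana.com/docs/grafana/latest/...` while 8-4-10 uses `.../next/...`, and the sibling entry GO-2024-2852 cites all three under `/next/`; both path variants are floating documentation aliases that can rot, so pick one form (a versioned path if the docs site offers it) and use it in both entries. The same three release notes name the fixed releases, yet `ranges` is an open `{"introduced": "0"}`; per-branch `fixed` events (8.4.10, 8.5.9, 9.0.3) should be added as for the OAuth entry. Stored XSS in Unified Alerting means the payload is planted through alerting configuration; `details` should state what privilege is needed to plant it, which bounds the impact.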
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2865", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-40297", + "GHSA-x8xm-wrjq-5g54" + ], + "summary": "Stakater Forecastle has a directory traversal vulnerability in github.com/stakater/Forecastle", + "details": "Stakater Forecastle has a directory traversal vulnerability in github.com/stakater/Forecastle", + "affected": [ + { + "package": { + "name": "github.com/stakater/Forecastle", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-x8xm-wrjq-5g54" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40297" + }, + { + "type": "WEB", + "url": "https://github.com/sahar042/CVE-2023-40297" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2865", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2866.json b/data/osv/GO-2024-2866.json new file mode 100644 index 00000000..4da13872 --- /dev/null +++ b/data/osv/GO-2024-2866.json 
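Review bot: The module path is written `github.com/stakater/Forecastle` with a capital F; Go module paths are case-sensitive and the vulndb match is on the exact `module` line of the project's go.mod, so if the repository declares a lowercase path this entry will never match an importer — verify the go.mod before publishing. The only technical reference is a third-party exploit repository (`github.com/sahar042/CVE-2023-40297`); no vendor advisory, FIX reference or `fixed` event is present, so the directory-traversal finding is reported as unfixed on every version. Once the traversal endpoint is known it belongs in `details`, along with whether upstream has responded.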
@@ -0,0 +1,71 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2866", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-5042", + "GHSA-2rhx-qhxp-5jpw" + ], + "summary": "Submariner Operator sets unnecessary RBAC permissions in helm charts in github.com/submariner-io/submariner-operator", + "details": "Submariner Operator sets unnecessary RBAC permissions in helm charts in github.com/submariner-io/submariner-operator", + "affected": [ + { + "package": { + "name": "github.com/submariner-io/submariner-operator", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.16.4" + }, + { + "introduced": "0.17.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2rhx-qhxp-5jpw" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5042" + }, + { + "type": "FIX", + "url": "https://github.com/submariner-io/submariner-operator/commit/b27a04c4270e53cbff6ff8ac6245db10c204bcab" + }, + { + "type": "FIX", + "url": "https://github.com/submariner-io/submariner-operator/pull/3040" + }, + { + "type": "REPORT", + "url": "https://github.com/submariner-io/submariner-operator/issues/3041" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-5042" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280921" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2866", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2867.json b/data/osv/GO-2024-2867.json new file mode 100644 index 00000000..8144ae63 --- /dev/null +++ b/data/osv/GO-2024-2867.json 
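Review bot: The second range `{"introduced": "0.17.0"}` has no matching `fixed` event, so every 0.17.x and later release is reported as vulnerable even though a FIX commit (`b27a04c4…`, PR #3040) is listed; if that commit shipped in a 0.17.x release the `fixed` version should be added, and if it did not, `details` should say the fix exists only on the 0.16 branch. The weakness is "unnecessary RBAC permissions in helm charts", i.e. in deployment manifests rather than in the Go module's code — a consumer importing github.com/submariner-io/submariner-operator as a library is not made vulnerable by the import, which is worth stating in `details` so govulncheck findings can be triaged. The Bugzilla link is effectively the report and could be typed `REPORT` alongside issue #3041 rather than `WEB`.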
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2867", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-39324", + "GHSA-4724-7jwc-3fpw" + ], + "summary": "Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana", + "details": "Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39324" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/pull/60232" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/pull/60256" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2867", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2871.json b/data/osv/GO-2024-2871.json new file mode 100644 index 00000000..75757a1b --- /dev/null +++ b/data/osv/GO-2024-2871.json 
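Review bot: This entry has a CVE alias but, unlike every other CVE-bearing entry in this change, no `https://nvd.nist.gov/vuln/detail/CVE-2022-39324` reference; add it so the alias is resolvable from the references list. Two FIX commits and two PRs (#60232, #60256) are referenced — presumably the main-branch fix and a backport — yet `ranges` has no `fixed` event, so the versions containing either fix are still reported. Spoofing a snapshot's `originalUrl` is a phishing-style issue (a shared snapshot that directs viewers to an attacker-controlled URL); `details` should say so, since "Spoofing originalUrl of snapshots" alone does not convey the impact.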
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2871", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-35194", + "GHSA-crgc-2583-rw27" + ], + "summary": "Stacklok Minder vulnerable to denial of service from maliciously crafted templates in github.com/stacklok/minder", + "details": "Stacklok Minder vulnerable to denial of service from maliciously crafted templates in github.com/stacklok/minder", + "affected": [ + { + "package": { + "name": "github.com/stacklok/minder", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.50" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35194" + }, + { + "type": "FIX", + "url": "https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2871", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2872.json b/data/osv/GO-2024-2872.json new file mode 100644 index 00000000..371d0ae3 --- /dev/null +++ b/data/osv/GO-2024-2872.json 
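Review bot: `ecosystem_specific` is empty even though this entry has a `fixed` version (0.0.50) and a FIX commit; for a template-evaluation denial of service in a library module such as github.com/stacklok/minder, the vulnerable package and symbol (whatever commit `fe321d34…` touches) would let govulncheck limit the finding to callers that actually evaluate templates instead of every importer. `details` repeats `summary`; one sentence on what "maliciously crafted templates" means here — who supplies the template and which resource is exhausted — is the triage information a reader needs. Both can be filled in from the fix commit once the entry is reviewed.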
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2872", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-2j6r-9vv4-6gf5" + ], + "summary": "github.com/bincyber/go-sqlcrypter vulnerable to IV collision", + "details": "github.com/bincyber/go-sqlcrypter vulnerable to IV collision", + "affected": [ + { + "package": { + "name": "github.com/bincyber/go-sqlcrypter", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2j6r-9vv4-6gf5" + }, + { + "type": "FIX", + "url": "https://github.com/bincyber/go-sqlcrypter/commit/96c73cd2b8fd15c9da9b3eafe62c9a040f6537e8" + }, + { + "type": "FIX", + "url": "https://github.com/bincyber/go-sqlcrypter/pull/128" + }, + { + "type": "REPORT", + "url": "https://github.com/bincyber/go-sqlcrypter/issues/127" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2872", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2877.json b/data/osv/GO-2024-2877.json new file mode 100644 index 00000000..dd0724b9 --- /dev/null +++ b/data/osv/GO-2024-2877.json 
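Review bot: An IV collision in a column-encryption library is a confidentiality break (for CTR/GCM-style modes a repeated IV under the same key exposes plaintext relationships, and for GCM also compromises authentication), yet the entry has no `fixed` event despite listing a FIX commit (`96c73cd2…`, PR #128) — either a released version containing the fix should be recorded, or `details` should say the fix is unreleased so users know to pin the commit. The range starts at `{"introduced": "0.1.0"}` rather than `"0"`, which declares any pre-0.1.0 pseudo-version unaffected; confirm that is deliberate and not just the first tagged release. The cipher mode is not visible from this entry, so `details` should name it and say whether already-encrypted data must be re-encrypted, which is the practical remediation question.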
@@ -0,0 +1,115 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2877", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-31989", + "GHSA-9766-5277-j5hr" + ], + "summary": "ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd", + "details": "ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-cd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-cd/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.8.19" + }, + { + "introduced": "2.9.0-rc1" + }, + { + "fixed": "2.9.15" + }, + { + "introduced": "2.10.0-rc1" + }, + { + "fixed": "2.10.10" + }, + { + "introduced": "2.11.0-rc1" + }, + { + "fixed": "2.11.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-9766-5277-j5hr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31989" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/2de0ceade243039c120c28374016c04ff9590d1d" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/35a7d6c7fa1534aceba763d6a68697f36c12e678" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/4e2fe302c3352a0012ecbe7f03476b0e07f7fc6c" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/53570cbd143bced49d4376d6e31bd9c7bd2659ff" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/6ef7b62a0f67e74b4aac2aee31c98ae49dd95d12" + }, + { + "type": 
"FIX", + "url": "https://github.com/argoproj/argo-cd/commit/9552034a80070a93a161bfa330359585f3b85f07" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/bdd889d43969ba738ddd15e1f674d27964048994" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/f1a449e83ee73f8f14d441563b6a31b504f8d8b0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2877", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2880.json b/data/osv/GO-2024-2880.json new file mode 100644 index 00000000..7f2d7a9e --- /dev/null +++ b/data/osv/GO-2024-2880.json 
@@ -0,0 +1,96 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2880", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-f7cq-5v43-8pwp" + ], + "summary": "Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop in github.com/traefik/traefik", + "details": "Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop in github.com/traefik/traefik", + "affected": [ + { + "package": { + "name": "github.com/traefik/traefik", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.11.3" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/traefik/traefik/security/advisories/GHSA-f7cq-5v43-8pwp" + }, + { + "type": "WEB", + "url": "https://github.com/advisories/GHSA-5fq7-4mxc-535h" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v2.11.3" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v3.0.1" + }, + { + "type": "WEB", + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24788" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2880", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2882.json b/data/osv/GO-2024-2882.json new file mode 100644 index 00000000..d58e154e --- /dev/null +++ b/data/osv/GO-2024-2882.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2882", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-35232", + "GHSA-3f65-m234-9mxr" + ], + "summary": "github.com/huandu/facebook may expose access_token in error message.", + "details": "github.com/huandu/facebook may expose access_token in error message.", + "affected": [ + { + "package": { + "name": "github.com/huandu/facebook/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.7.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/huandu/facebook/security/advisories/GHSA-3f65-m234-9mxr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35232" + }, + { + "type": "WEB", + "url": "https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/http/client.go;l=629-633" + }, + { + "type": "WEB", + "url": "https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/url/url.go;l=30" + }, + { + "type": "WEB", + "url": "https://github.com/huandu/facebook/blob/1591be276561bbdb019c0279f1d33cb18a650e1b/session.go#L558-L567" + }, + { + "type": "WEB", + "url": "https://github.com/huandu/facebook/commit/8b34431b91b32903c8821b1d7621bf81a029d8e4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2882", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2885.json b/data/osv/GO-2024-2885.json new file mode 100644 index 00000000..9175a9b3 --- /dev/null +++ b/data/osv/GO-2024-2885.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2885", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-35238", + "GHSA-8fmj-33gw-g7pw" + ], + "summary": "Denial of service of Minder Server from maliciously crafted GitHub attestations in github.com/stacklok/minder", + "details": "Denial of service of Minder Server from maliciously crafted GitHub attestations in github.com/stacklok/minder", + "affected": [ + { + "package": { + "name": "github.com/stacklok/minder", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.51" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/stacklok/minder/security/advisories/GHSA-8fmj-33gw-g7pw" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35238" + }, + { + "type": "FIX", + "url": "https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892" + }, + { + "type": "WEB", + "url": "https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/verifier/sigstore/container/container.go#L271-L300" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2885", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2886.json b/data/osv/GO-2024-2886.json new file mode 100644 index 00000000..73c7ae38 --- /dev/null +++ b/data/osv/GO-2024-2886.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2886", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-36107", + "GHSA-95fr-cm4m-q5p9" + ], + "summary": "MinIO information disclosure vulnerability in github.com/minio/minio", + "details": "MinIO information disclosure vulnerability in github.com/minio/minio", + "affected": [ + { + "package": { + "name": "github.com/minio/minio", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20240527191746-e0fe7cc39172" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36107" + }, + { + "type": "FIX", + "url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272" + }, + { + "type": "FIX", + "url": "https://github.com/minio/minio/pull/19810" + }, + { + "type": "WEB", + "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since" + }, + { + "type": "WEB", + "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2886", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2024-2804.yaml b/data/reports/GO-2024-2804.yaml new file mode 100644 index 00000000..b256acd1 --- /dev/null +++ b/data/reports/GO-2024-2804.yaml 
@@ -0,0 +1,33 @@ +id: GO-2024-2804 +modules: + - module: github.com/zitadel/zitadel + non_go_versions: + - fixed: 2.45.7 + - introduced: 2.47.0 + fixed: 2.47.10 + - introduced: 2.48.0 + fixed: 2.48.5 + - introduced: 2.49.0 + fixed: 2.49.5 + - introduced: 2.50.0 + fixed: 2.50.3 + vulnerable_at: 1.87.5 +summary: Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel +cves: + - CVE-2024-32967 +ghsas: + - GHSA-q5qj-x2h5-3945 +references: + - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32967 + - fix: https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6 + - web: https://github.com/zitadel/zitadel/releases/tag/v2.45.7 + - web: https://github.com/zitadel/zitadel/releases/tag/v2.46.7 + - web: https://github.com/zitadel/zitadel/releases/tag/v2.47.10 + - web: https://github.com/zitadel/zitadel/releases/tag/v2.48.5 + - web: https://github.com/zitadel/zitadel/releases/tag/v2.49.5 + - web: https://github.com/zitadel/zitadel/releases/tag/v2.50.3 +source: + id: GHSA-q5qj-x2h5-3945 + created: 2024-06-04T14:29:03.147386-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2811.yaml b/data/reports/GO-2024-2811.yaml new file mode 100644 index 00000000..90168cd3 --- /dev/null +++ b/data/reports/GO-2024-2811.yaml 
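Review bot: The `non_go_versions` ranges skip the 2.46 line entirely — they go from `- fixed: 2.45.7` straight to `- introduced: 2.47.0`, yet the references include a `v2.46.7` release tag, which suggests 2.46.0 through 2.46.6 are affected and a range is missing. If the upstream advisory confirms that, add `- introduced: 2.46.0` / `fixed: 2.46.7` between the 2.45.7 and 2.47.0 entries so the per-branch data matches the release references. If 2.46.x is genuinely unaffected, the `v2.46.7` reference is the odd one out and a short `notes:` entry saying why would stop the next reviewer from asking the same question.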
@@ -0,0 +1,22 @@ +id: GO-2024-2811 +modules: + - module: github.com/piraeusdatastore/piraeus-operator/v2 + unsupported_versions: + - version: 2.5.0 + type: last_affected + vulnerable_at: 2.5.1 +summary: piraeus-operator allows attacker to impersonate service account in github.com/piraeusdatastore/piraeus-operator/v2 +cves: + - CVE-2024-33398 +ghsas: + - GHSA-6fg2-hvj9-832f +references: + - advisory: https://github.com/advisories/GHSA-6fg2-hvj9-832f + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-33398 + - web: https://gist.github.com/HouqiyuA/d0c11fae5ba4789946ae33175d0f9edb + - web: https://github.com/HouqiyuA/k8s-rbac-poc + - web: https://piraeus.io +source: + id: GHSA-6fg2-hvj9-832f + created: 2024-06-04T14:27:50.695127-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2816.yaml b/data/reports/GO-2024-2816.yaml new file mode 100644 index 00000000..0562d030 --- /dev/null +++ b/data/reports/GO-2024-2816.yaml @@ -0,0 +1,20 @@ +id: GO-2024-2816 +modules: + - module: kubevirt.io/kubevirt + unsupported_versions: + - version: 1.2.0 + type: last_affected + vulnerable_at: 1.2.1 +summary: kubevirt allows a local attacker to execute arbitrary code via a crafted command in kubevirt.io/kubevirt +cves: + - CVE-2024-33394 +ghsas: + - GHSA-4q63-mr2m-57hf +references: + - advisory: https://github.com/advisories/GHSA-4q63-mr2m-57hf + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-33394 + - web: https://gist.github.com/HouqiyuA/1b75e23ece7ad98490aec1c887bdf49b +source: + id: GHSA-4q63-mr2m-57hf + created: 2024-06-04T14:27:47.602792-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2817.yaml b/data/reports/GO-2024-2817.yaml new file mode 100644 index 00000000..b560b171 --- /dev/null +++ b/data/reports/GO-2024-2817.yaml 
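Review bot: `vulnerable_at: 2.5.1` lies above the only version this report asserts is affected (`unsupported_versions: - version: 2.5.0 type: last_affected`), so the report names as vulnerable a version that nothing in the advisory data marks as such. GO-2024-2816 in this same line (`last_affected` 1.2.0, `vulnerable_at: 1.2.1`) and GO-2024-2817 in the next hunk (`last_affected` 1.9.0, `vulnerable_at: 1.10.0`) follow the same pattern. Because `last_affected` entries under `unsupported_versions` do not become an upper bound in the generated OSV range (compare the GO-2024-2872 JSON earlier in this diff, whose range is only `introduced`), every later release of these modules will be reported as vulnerable. Either confirm a fixed release exists and record it as `- fixed: <version>` under `versions`, or confirm the later versions really are affected so the `vulnerable_at` choice is justified.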
@@ -0,0 +1,20 @@ +id: GO-2024-2817 +modules: + - module: github.com/karmada-io/karmada + unsupported_versions: + - version: 1.9.0 + type: last_affected + vulnerable_at: 1.10.0 +summary: karmada vulnerable to arbitrary code execution via a crafted command in github.com/karmada-io/karmada +cves: + - CVE-2024-33396 +ghsas: + - GHSA-wccg-v638-j9q2 +references: + - advisory: https://github.com/advisories/GHSA-wccg-v638-j9q2 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-33396 + - web: https://gist.github.com/HouqiyuA/2b56a893c06553013982836abb77ba50 +source: + id: GHSA-wccg-v638-j9q2 + created: 2024-06-04T14:27:43.925263-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2843.yaml b/data/reports/GO-2024-2843.yaml new file mode 100644 index 00000000..f5ea938a --- /dev/null +++ b/data/reports/GO-2024-2843.yaml @@ -0,0 +1,24 @@ +id: GO-2024-2843 +modules: + - module: github.com/grafana/grafana + non_go_versions: + - introduced: 8.0.0 + fixed: 8.5.15 + - introduced: 9.0.0 + fixed: 9.2.4 + vulnerable_at: 5.4.5+incompatible +summary: Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana +cves: + - CVE-2022-39306 +ghsas: + - GHSA-2x6g-h2hg-rq84 +unknown_aliases: + - BIT-grafana-2022-39306 +references: + - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39306 + - web: https://security.netapp.com/advisory/ntap-20221215-0004 +source: + id: GHSA-2x6g-h2hg-rq84 + created: 2024-06-04T14:27:39.956482-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2844.yaml b/data/reports/GO-2024-2844.yaml new file mode 100644 index 00000000..0c2d2633 --- /dev/null +++ b/data/reports/GO-2024-2844.yaml 
@@ -0,0 +1,23 @@ +id: GO-2024-2844 +modules: + - module: github.com/grafana/grafana + non_go_versions: + - fixed: 8.5.15 + - introduced: 9.0.0 + fixed: 9.2.4 + vulnerable_at: 5.4.5+incompatible +summary: Grafana User enumeration via forget password in github.com/grafana/grafana +cves: + - CVE-2022-39307 +ghsas: + - GHSA-3p62-42x7-gxg5 +unknown_aliases: + - BIT-grafana-2022-39307 +references: + - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39307 + - web: https://security.netapp.com/advisory/ntap-20221215-0004 +source: + id: GHSA-3p62-42x7-gxg5 + created: 2024-06-04T14:27:37.274881-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2847.yaml b/data/reports/GO-2024-2847.yaml new file mode 100644 index 00000000..e0ba3043 --- /dev/null +++ b/data/reports/GO-2024-2847.yaml @@ -0,0 +1,26 @@ +id: GO-2024-2847 +modules: + - module: github.com/grafana/grafana + non_go_versions: + - fixed: 8.5.13 + - introduced: 9.0.0 + fixed: 9.0.9 + - introduced: 9.1.0 + fixed: 9.1.6 + vulnerable_at: 5.4.5+incompatible +summary: Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana +cves: + - CVE-2022-35957 +ghsas: + - GHSA-ff5c-938w-8c9q +unknown_aliases: + - BIT-grafana-2022-35957 +references: + - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-35957 + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H + - web: https://security.netapp.com/advisory/ntap-20221215-0001 +source: + id: GHSA-ff5c-938w-8c9q + created: 2024-06-04T14:27:32.534925-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2848.yaml b/data/reports/GO-2024-2848.yaml new file mode 100644 index 00000000..7e0005a3 --- /dev/null +++ b/data/reports/GO-2024-2848.yaml 
@@ -0,0 +1,24 @@ +id: GO-2024-2848 +modules: + - module: github.com/grafana/grafana + non_go_versions: + - fixed: 8.5.14 + - introduced: 9.0.0 + fixed: 9.1.8 + vulnerable_at: 5.4.5+incompatible +summary: Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana +cves: + - CVE-2022-39229 +ghsas: + - GHSA-gj7m-853r-289r +unknown_aliases: + - BIT-grafana-2022-39229 +references: + - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39229 + - fix: https://github.com/grafana/grafana/commit/5644758f0c5ae9955a4e5480d71f9bef57fdce35 + - web: https://github.com/grafana/grafana/releases/tag/v9.1.8 +source: + id: GHSA-gj7m-853r-289r + created: 2024-06-04T14:27:27.572132-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2849.yaml b/data/reports/GO-2024-2849.yaml new file mode 100644 index 00000000..bff890a6 --- /dev/null +++ b/data/reports/GO-2024-2849.yaml @@ -0,0 +1,21 @@ +id: GO-2024-2849 +modules: + - module: github.com/dotmesh-io/dotmesh + unsupported_versions: + - version: 0.8.1 + type: last_affected + vulnerable_at: 0.0.0-20200428140901-6bdf6885808f +summary: dotmesh arbitrary file read and/or write in github.com/dotmesh-io/dotmesh +cves: + - CVE-2020-26312 +ghsas: + - GHSA-hf54-fq2m-p9v6 +references: + - advisory: https://github.com/advisories/GHSA-hf54-fq2m-p9v6 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-26312 + - advisory: https://securitylab.github.com/advisories/GHSL-2020-254-zipslip-dotmesh + - web: https://github.com/dotmesh-io/dotmesh/blob/master/pkg/archiver/tar.go#L255 +source: + id: GHSA-hf54-fq2m-p9v6 + created: 2024-06-04T14:27:24.630281-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2850.yaml b/data/reports/GO-2024-2850.yaml new file mode 100644 index 00000000..5f436f8d --- /dev/null +++ b/data/reports/GO-2024-2850.yaml 
@@ -0,0 +1,20 @@ +id: GO-2024-2850 +modules: + - module: github.com/nats-io/nats-server/v2 + versions: + - fixed: 2.2.3 + vulnerable_at: 2.2.2 +summary: NATS server TLS missing ciphersuite settings when CLI flags used in github.com/nats-io/nats-server/v2 +cves: + - CVE-2021-32026 +ghsas: + - GHSA-jj54-5q2m-q7pj +references: + - advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-jj54-5q2m-q7pj + - web: https://advisories.nats.io + - web: https://advisories.nats.io/CVE/CVE-2021-32026.txt + - web: https://github.com/nats-io/nats-server/commit/ffccc2e1bd7aa2466bd9e631e976bfd7ca46f225 +source: + id: GHSA-jj54-5q2m-q7pj + created: 2024-06-04T14:27:20.945678-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2851.yaml b/data/reports/GO-2024-2851.yaml new file mode 100644 index 00000000..bced43cf --- /dev/null +++ b/data/reports/GO-2024-2851.yaml @@ -0,0 +1,28 @@ +id: GO-2024-2851 +modules: + - module: github.com/grafana/grafana + non_go_versions: + - introduced: 7.0.0 + fixed: 8.5.14 + - introduced: 9.0.0 + fixed: 9.1.8 + vulnerable_at: 5.4.5+incompatible +summary: |- + Grafana Data source and plugin proxy endpoints leaking authentication tokens to + some destination plugins in github.com/grafana/grafana +cves: + - CVE-2022-31130 +ghsas: + - GHSA-jv32-5578-pxjc +unknown_aliases: + - BIT-grafana-2022-31130 +references: + - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31130 + - fix: https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177 + - fix: https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f + - web: https://github.com/grafana/grafana/releases/tag/v9.1.8 +source: + id: GHSA-jv32-5578-pxjc + created: 2024-06-04T14:27:17.106354-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2852.yaml b/data/reports/GO-2024-2852.yaml new file mode 100644 index 00000000..8ce47fc4 
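Review bot: The commit `ffccc2e1bd7aa2466bd9e631e976bfd7ca46f225` on the affected repository is typed `web` under `references`, but a commit link that introduces the fix should be typed `fix` so consumers can locate the patch mechanically: `- fix: https://github.com/nats-io/nats-server/commit/ffccc2e1bd7aa2466bd9e631e976bfd7ca46f225`. The same `web`-typed commit link appears in GO-2024-2882 later in this diff. Worth confirming against the NATS advisory text that this commit is indeed the fix for CVE-2021-32026 before retyping it, since the report otherwise has no `fix` reference at all despite recording `fixed: 2.2.3`.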
--- /dev/null +++ b/data/reports/GO-2024-2852.yaml @@ -0,0 +1,33 @@ +id: GO-2024-2852 +modules: + - module: github.com/grafana/grafana + non_go_versions: + - introduced: 5.3.0 + fixed: 8.3.10 + - introduced: 8.4.0 + fixed: 8.4.10 + - introduced: 8.5.0 + fixed: 8.5.9 + - introduced: 9.0.0 + fixed: 9.0.3 + vulnerable_at: 5.4.5+incompatible +summary: Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana +cves: + - CVE-2022-31107 +ghsas: + - GHSA-mx47-6497-3fv2 +unknown_aliases: + - BIT-grafana-2022-31107 +references: + - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31107 + - web: https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10 + - web: https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9 + - web: https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3 + - web: https://security.netapp.com/advisory/ntap-20220901-0010 +notes: + - Tooling could not auto-merge "non_go_versions". This was done manually. +source: + id: GHSA-mx47-6497-3fv2 + created: 2024-06-04T14:27:13.796456-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2854.yaml b/data/reports/GO-2024-2854.yaml new file mode 100644 index 00000000..4e0435c5 --- /dev/null +++ b/data/reports/GO-2024-2854.yaml 
@@ -0,0 +1,26 @@ +id: GO-2024-2854 +modules: + - module: github.com/grafana/grafana + non_go_versions: + - introduced: 8.5.0 + fixed: 8.5.13 + - introduced: 9.0.0 + fixed: 9.0.9 + - introduced: 9.1.0 + fixed: 9.1.6 + vulnerable_at: 5.4.5+incompatible +summary: Grafana folders admin only permission privilege escalation in github.com/grafana/grafana +cves: + - CVE-2022-36062 +ghsas: + - GHSA-p978-56hq-r492 +unknown_aliases: + - BIT-grafana-2022-36062 +references: + - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-36062 + - web: https://security.netapp.com/advisory/ntap-20221215-0001 +source: + id: GHSA-p978-56hq-r492 + created: 2024-06-04T14:27:09.594073-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2855.yaml b/data/reports/GO-2024-2855.yaml new file mode 100644 index 00000000..53a429aa --- /dev/null +++ b/data/reports/GO-2024-2855.yaml @@ -0,0 +1,25 @@ +id: GO-2024-2855 +modules: + - module: github.com/grafana/grafana + non_go_versions: + - introduced: 7.0.0 + fixed: 8.5.14 + - introduced: 9.0.0 + fixed: 9.1.8 + vulnerable_at: 5.4.5+incompatible +summary: Grafana Plugin signature bypass in github.com/grafana/grafana +cves: + - CVE-2022-31123 +ghsas: + - GHSA-rhxj-gh46-jvw8 +unknown_aliases: + - BIT-grafana-2022-31123 +references: + - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31123 + - web: https://github.com/grafana/grafana/releases/tag/v9.1.8 + - web: https://security.netapp.com/advisory/ntap-20221124-0002 +source: + id: GHSA-rhxj-gh46-jvw8 + created: 2024-06-04T14:27:06.393242-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2856.yaml b/data/reports/GO-2024-2856.yaml new file mode 100644 index 00000000..5a2c7e7b --- /dev/null +++ b/data/reports/GO-2024-2856.yaml 
@@ -0,0 +1,22 @@ +id: GO-2024-2856 +modules: + - module: github.com/grafana/grafana + non_go_versions: + - introduced: 9.2.0 + fixed: 9.2.4 + vulnerable_at: 5.4.5+incompatible +summary: Grafana Race condition allowing privilege escalation in github.com/grafana/grafana +cves: + - CVE-2022-39328 +ghsas: + - GHSA-vqc4-mpj8-jxch +unknown_aliases: + - BIT-grafana-2022-39328 +references: + - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39328 + - web: https://security.netapp.com/advisory/ntap-20221215-0003 +source: + id: GHSA-vqc4-mpj8-jxch + created: 2024-06-04T14:27:03.429541-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2857.yaml b/data/reports/GO-2024-2857.yaml new file mode 100644 index 00000000..c4e1e01f --- /dev/null +++ b/data/reports/GO-2024-2857.yaml @@ -0,0 +1,31 @@ +id: GO-2024-2857 +modules: + - module: github.com/grafana/grafana + non_go_versions: + - introduced: 8.0.0 + fixed: 8.3.10 + - introduced: 8.4.0 + fixed: 8.4.10 + - introduced: 8.5.0 + fixed: 8.5.9 + - introduced: 9.0.0 + fixed: 9.0.3 + vulnerable_at: 5.4.5+incompatible +summary: Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana +cves: + - CVE-2022-31097 +ghsas: + - GHSA-vw7q-p2qg-4m5f +unknown_aliases: + - BIT-grafana-2022-31097 +references: + - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31097 + - web: https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9 + - web: https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3 + - web: https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10 + - web: https://security.netapp.com/advisory/ntap-20220901-0010 +source: + id: GHSA-vw7q-p2qg-4m5f + created: 2024-06-04T14:26:57.952392-04:00 +review_status: UNREVIEWED 
diff --git a/data/reports/GO-2024-2865.yaml b/data/reports/GO-2024-2865.yaml new file mode 100644 index 00000000..47a5bf0a --- /dev/null +++ b/data/reports/GO-2024-2865.yaml @@ -0,0 +1,20 @@ +id: GO-2024-2865 +modules: + - module: github.com/stakater/Forecastle + unsupported_versions: + - version: 1.0.139 + type: last_affected + vulnerable_at: 1.0.119 +summary: Stakater Forecastle has a directory traversal vulnerability in github.com/stakater/Forecastle +cves: + - CVE-2023-40297 +ghsas: + - GHSA-x8xm-wrjq-5g54 +references: + - advisory: https://github.com/advisories/GHSA-x8xm-wrjq-5g54 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-40297 + - web: https://github.com/sahar042/CVE-2023-40297 +source: + id: GHSA-x8xm-wrjq-5g54 + created: 2024-06-04T14:26:50.366285-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2866.yaml b/data/reports/GO-2024-2866.yaml new file mode 100644 index 00000000..a1fc4ce5 --- /dev/null +++ b/data/reports/GO-2024-2866.yaml 
@@ -0,0 +1,27 @@ +id: GO-2024-2866 +modules: + - module: github.com/submariner-io/submariner-operator + versions: + - fixed: 0.16.4 + - introduced: 0.17.0 + unsupported_versions: + - version: 0.18.0-m3 + type: last_affected + vulnerable_at: 0.17.1 +summary: Submariner Operator sets unnecessary RBAC permissions in helm charts in github.com/submariner-io/submariner-operator +cves: + - CVE-2024-5042 +ghsas: + - GHSA-2rhx-qhxp-5jpw +references: + - advisory: https://github.com/advisories/GHSA-2rhx-qhxp-5jpw + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-5042 + - fix: https://github.com/submariner-io/submariner-operator/commit/b27a04c4270e53cbff6ff8ac6245db10c204bcab + - fix: https://github.com/submariner-io/submariner-operator/pull/3040 + - report: https://github.com/submariner-io/submariner-operator/issues/3041 + - web: https://access.redhat.com/security/cve/CVE-2024-5042 + - web: https://bugzilla.redhat.com/show_bug.cgi?id=2280921 +source: + id: GHSA-2rhx-qhxp-5jpw + created: 2024-06-04T14:26:43.671356-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2867.yaml b/data/reports/GO-2024-2867.yaml new file mode 100644 index 00000000..250afe5f --- /dev/null +++ b/data/reports/GO-2024-2867.yaml 
@@ -0,0 +1,26 @@ +id: GO-2024-2867 +modules: + - module: github.com/grafana/grafana + non_go_versions: + - fixed: 8.5.16 + - introduced: 9.0.0 + fixed: 9.2.8 + vulnerable_at: 5.4.5+incompatible +summary: Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana +cves: + - CVE-2022-39324 +ghsas: + - GHSA-4724-7jwc-3fpw +unknown_aliases: + - BIT-grafana-2022-39324 +references: + - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39324 + - fix: https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a + - fix: https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c + - fix: https://github.com/grafana/grafana/pull/60232 + - fix: https://github.com/grafana/grafana/pull/60256 +source: + id: GHSA-4724-7jwc-3fpw + created: 2024-06-04T14:26:30.813921-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2871.yaml b/data/reports/GO-2024-2871.yaml new file mode 100644 index 00000000..b58bb165 --- /dev/null +++ b/data/reports/GO-2024-2871.yaml @@ -0,0 +1,21 @@ +id: GO-2024-2871 +modules: + - module: github.com/stacklok/minder + versions: + - fixed: 0.0.50 + vulnerable_at: 0.0.49 +summary: |- + Stacklok Minder vulnerable to denial of service from maliciously crafted + templates in github.com/stacklok/minder +cves: + - CVE-2024-35194 +ghsas: + - GHSA-crgc-2583-rw27 +references: + - advisory: https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-35194 + - fix: https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892 +source: + id: GHSA-crgc-2583-rw27 + created: 2024-06-04T14:26:26.747786-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2872.yaml b/data/reports/GO-2024-2872.yaml new file mode 100644 index 00000000..b84c64ef --- /dev/null +++ b/data/reports/GO-2024-2872.yaml 
@@ -0,0 +1,21 @@ +id: GO-2024-2872 +modules: + - module: github.com/bincyber/go-sqlcrypter + versions: + - introduced: 0.1.0 + unsupported_versions: + - version: 0.2.0 + type: last_affected + vulnerable_at: 0.2.0 +summary: github.com/bincyber/go-sqlcrypter vulnerable to IV collision +ghsas: + - GHSA-2j6r-9vv4-6gf5 +references: + - advisory: https://github.com/advisories/GHSA-2j6r-9vv4-6gf5 + - fix: https://github.com/bincyber/go-sqlcrypter/commit/96c73cd2b8fd15c9da9b3eafe62c9a040f6537e8 + - fix: https://github.com/bincyber/go-sqlcrypter/pull/128 + - report: https://github.com/bincyber/go-sqlcrypter/issues/127 +source: + id: GHSA-2j6r-9vv4-6gf5 + created: 2024-06-04T14:26:24.203316-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2877.yaml b/data/reports/GO-2024-2877.yaml new file mode 100644 index 00000000..73480954 --- /dev/null +++ b/data/reports/GO-2024-2877.yaml 
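Review bot: This report carries a `fix` commit and PR (`pull/128`) but no `fixed` version — `versions` holds only `- introduced: 0.1.0`, and the `last_affected: 0.2.0` entry sits under `unsupported_versions`, which the generated OSV entry for this ID earlier in the diff does not carry (its range is just `introduced: 0.1.0`). As written, every release from 0.1.0 onward is flagged, including any release that already contains the IV-reuse fix. Check whether the fix was tagged; if it was, add `- fixed: <version>` under `versions`, and if it is unreleased, a one-line `notes:` entry stating that would make the open-ended range deliberate rather than an omission.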
@@ -0,0 +1,41 @@ +id: GO-2024-2877 +modules: + - module: github.com/argoproj/argo-cd + unsupported_versions: + - version: 1.8.7 + type: last_affected + vulnerable_at: 1.8.6 + - module: github.com/argoproj/argo-cd/v2 + versions: + - fixed: 2.8.19 + - introduced: 2.9.0-rc1 + fixed: 2.9.15 + - introduced: 2.10.0-rc1 + fixed: 2.10.10 + - introduced: 2.11.0-rc1 + fixed: 2.11.1 + vulnerable_at: 2.11.0 +summary: |- + ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis + Cache in github.com/argoproj/argo-cd +cves: + - CVE-2024-31989 +ghsas: + - GHSA-9766-5277-j5hr +unknown_aliases: + - BIT-argo-cd-2024-31989 +references: + - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-9766-5277-j5hr + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-31989 + - fix: https://github.com/argoproj/argo-cd/commit/2de0ceade243039c120c28374016c04ff9590d1d + - fix: https://github.com/argoproj/argo-cd/commit/35a7d6c7fa1534aceba763d6a68697f36c12e678 + - fix: https://github.com/argoproj/argo-cd/commit/4e2fe302c3352a0012ecbe7f03476b0e07f7fc6c + - fix: https://github.com/argoproj/argo-cd/commit/53570cbd143bced49d4376d6e31bd9c7bd2659ff + - fix: https://github.com/argoproj/argo-cd/commit/6ef7b62a0f67e74b4aac2aee31c98ae49dd95d12 + - fix: https://github.com/argoproj/argo-cd/commit/9552034a80070a93a161bfa330359585f3b85f07 + - fix: https://github.com/argoproj/argo-cd/commit/bdd889d43969ba738ddd15e1f674d27964048994 + - fix: https://github.com/argoproj/argo-cd/commit/f1a449e83ee73f8f14d441563b6a31b504f8d8b0 +source: + id: GHSA-9766-5277-j5hr + created: 2024-06-04T14:25:44.461912-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-2880.yaml b/data/reports/GO-2024-2880.yaml new file mode 100644 index 00000000..8ad5e03f --- /dev/null +++ b/data/reports/GO-2024-2880.yaml 
@@ -0,0 +1,30 @@
+id: GO-2024-2880
+modules:
+ - module: github.com/traefik/traefik
+ unsupported_versions:
+ - version: 1.7.34
+ type: last_affected
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.11.3
+ vulnerable_at: 2.11.2
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - fixed: 3.0.1
+ vulnerable_at: 3.0.0
+summary: |-
+ Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite
+ loop in github.com/traefik/traefik
+ghsas:
+ - GHSA-f7cq-5v43-8pwp
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-f7cq-5v43-8pwp
+ - web: https://github.com/advisories/GHSA-5fq7-4mxc-535h
+ - web: https://github.com/traefik/traefik/releases/tag/v2.11.3
+ - web: https://github.com/traefik/traefik/releases/tag/v3.0.1
+ - web: https://www.cve.org/CVERecord?id=CVE-2024-24788
+source:
+ id: GHSA-f7cq-5v43-8pwp
+ created: 2024-06-04T14:25:41.535025-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2882.yaml b/data/reports/GO-2024-2882.yaml
new file mode 100644
index 00000000..5c421476
--- /dev/null
+++ b/data/reports/GO-2024-2882.yaml
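Review bot: The `summary: |-` text ("GO issue allowing malformed DNS message to cause infinite loop") and the `web:` reference to CVE-2024-24788 both point at a Go standard-library bug rather than a defect in Traefik's own code, so a module-level entry for `github.com/traefik/traefik` would double-report alongside the stdlib advisory and would be wrong for anyone who rebuilt v2.11.2 or v3.0.0 with a patched toolchain. No `fix:` reference is listed for the v2/v3 `fixed:` versions, which is consistent with those releases being rebuilds against a fixed Go rather than code changes — exactly what govulncheck already detects from the Go version recorded in the binary. If that reading holds, this report should be excluded with the dependent-vulnerability reason the vulndb workflow provides (`excluded: DEPENDENT_VULNERABILITY`), or at minimum carry a `notes:` entry stating that the remediation is a toolchain upgrade, not an application patch. Leaving `cves:` absent is correct as written, since the CVE belongs to the stdlib and listing it here would claim the alias for this module.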
@@ -0,0 +1,22 @@
+id: GO-2024-2882
+modules:
+ - module: github.com/huandu/facebook/v2
+ versions:
+ - fixed: 2.7.2
+ vulnerable_at: 2.7.1
+summary: github.com/huandu/facebook may expose access_token in error message.
+cves:
+ - CVE-2024-35232
+ghsas:
+ - GHSA-3f65-m234-9mxr
+references:
+ - advisory: https://github.com/huandu/facebook/security/advisories/GHSA-3f65-m234-9mxr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-35232
+ - web: https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/http/client.go;l=629-633
+ - web: https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/url/url.go;l=30
+ - web: https://github.com/huandu/facebook/blob/1591be276561bbdb019c0279f1d33cb18a650e1b/session.go#L558-L567
+ - web: https://github.com/huandu/facebook/commit/8b34431b91b32903c8821b1d7621bf81a029d8e4
+source:
+ id: GHSA-3f65-m234-9mxr
+ created: 2024-06-04T14:25:38.136333-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2885.yaml b/data/reports/GO-2024-2885.yaml
new file mode 100644
index 00000000..df81a536
--- /dev/null
+++ b/data/reports/GO-2024-2885.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2885
+modules:
+ - module: github.com/stacklok/minder
+ versions:
+ - fixed: 0.0.51
+ vulnerable_at: 0.0.50
+summary: Denial of service of Minder Server from maliciously crafted GitHub attestations in github.com/stacklok/minder
+cves:
+ - CVE-2024-35238
+ghsas:
+ - GHSA-8fmj-33gw-g7pw
+references:
+ - advisory: https://github.com/stacklok/minder/security/advisories/GHSA-8fmj-33gw-g7pw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-35238
+ - fix: https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892
+ - web: https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/verifier/sigstore/container/container.go#L271-L300
+source:
+ id: GHSA-8fmj-33gw-g7pw
+ created: 2024-06-04T14:25:34.37589-04:00
+review_status: UNREVIEWED
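Review bot: In the GO-2024-2882 hunk the commit `8b34431b…` is typed `web:` while the range declares `fixed: 2.7.2`; if that commit is the change 2.7.2 ships, it should be `- fix: https://github.com/huandu/facebook/commit/8b34431b91b32903c8821b1d7621bf81a029d8e4` so the fixed version is traceable to an actual patch. The summary also departs from the convention every other summary in this batch follows — module path at the end after "in", no trailing period — and names `github.com/huandu/facebook` where the affected module is `github.com/huandu/facebook/v2`; something like `summary: Access token may be exposed in error messages in github.com/huandu/facebook/v2` would match. The `net/url` and `net/http/client.go` references suggest the leak is `*url.Error` stringifying the full request URL, query string included; if the advisory confirms that, a sentence saying so is worth adding, since the same pattern bites any Go client that passes bearer material as a query parameter and logs errors.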
diff --git a/data/reports/GO-2024-2886.yaml b/data/reports/GO-2024-2886.yaml
new file mode 100644
index 00000000..1bbc1e57
--- /dev/null
+++ b/data/reports/GO-2024-2886.yaml
@@ -0,0 +1,25 @@
+id: GO-2024-2886
+modules:
+ - module: github.com/minio/minio
+ versions:
+ - fixed: 0.0.0-20240527191746-e0fe7cc39172
+summary: MinIO information disclosure vulnerability in github.com/minio/minio
+cves:
+ - CVE-2024-36107
+ghsas:
+ - GHSA-95fr-cm4m-q5p9
+unknown_aliases:
+ - BIT-minio-2024-36107
+references:
+ - advisory: https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36107
+ - fix: https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272
+ - fix: https://github.com/minio/minio/pull/19810
+ - web: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since
+ - web: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since
+notes:
+ - fix: 'github.com/minio/minio: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-95fr-cm4m-q5p9
+ created: 2024-06-04T14:25:29.395595-04:00
+review_status: UNREVIEWED
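Review bot: The `notes:` entry records that `vulnerable_at` could not be derived because `fixed:` is the pseudo-version `0.0.0-20240527191746-e0fe7cc39172`, and the report was committed without one, so the vulndb tooling has no version at which to validate the affected package or symbols. Before this leaves UNREVIEWED, set `vulnerable_at` to the pseudo-version of the commit immediately preceding fix commit e0fe7cc3 (same `0.0.0-<timestamp>-<12-char sha>` form) and remove the auto-generated `notes` entry once it validates. MinIO appears to publish `RELEASE.*` tags rather than semver, which is presumably why a pseudo-version is used here; a `web:` reference to the first release tag containing the fix would let operators map the module version to something they can actually deploy. The `If-Modified-Since`/`If-Unmodified-Since` references hint that the disclosure is through conditional-request handling on objects the caller is not authorized to read; if the advisory confirms that, say so in the summary, because `MinIO information disclosure vulnerability` as written gives a reader nothing to act on.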