From f74ecab81b4efd22da74a07170a1eeefb5ebae2e Mon Sep 17 00:00:00 2001 From: Tatiana Bradley Date: Thu, 6 Jun 2024 16:20:39 -0400 Subject: [PATCH] data/reports: add 5 unreviewed reports - data/reports/GO-2024-2612.yaml - data/reports/GO-2024-2684.yaml - data/reports/GO-2024-2699.yaml - data/reports/GO-2024-2776.yaml - data/reports/GO-2024-2769.yaml Fixes golang/vulndb#2612 Fixes golang/vulndb#2684 Fixes golang/vulndb#2699 Fixes golang/vulndb#2776 Fixes golang/vulndb#2769 Change-Id: I233aeca23f767773c1238eeec2450617801ae69b Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/591199 LUCI-TryBot-Result: Go LUCI Reviewed-by: Damien Neil Commit-Queue: Tatiana Bradley --- data/osv/GO-2024-2612.json | 60 +++++++++++++++++++++++++++++ data/osv/GO-2024-2684.json | 53 +++++++++++++++++++++++++ data/osv/GO-2024-2699.json | 56 +++++++++++++++++++++++++++ data/osv/GO-2024-2769.json | 60 +++++++++++++++++++++++++++++ data/osv/GO-2024-2776.json | 70 ++++++++++++++++++++++++++++++++++ data/reports/GO-2024-2612.yaml | 22 +++++++++++ data/reports/GO-2024-2684.yaml | 21 ++++++++++ data/reports/GO-2024-2699.yaml | 20 ++++++++++ data/reports/GO-2024-2769.yaml | 23 +++++++++++ data/reports/GO-2024-2776.yaml | 25 ++++++++++++ 10 files changed, 410 insertions(+) create mode 100644 data/osv/GO-2024-2612.json create mode 100644 data/osv/GO-2024-2684.json create mode 100644 data/osv/GO-2024-2699.json create mode 100644 data/osv/GO-2024-2769.json create mode 100644 data/osv/GO-2024-2776.json create mode 100644 data/reports/GO-2024-2612.yaml create mode 100644 data/reports/GO-2024-2684.yaml create mode 100644 data/reports/GO-2024-2699.yaml create mode 100644 data/reports/GO-2024-2769.yaml create mode 100644 data/reports/GO-2024-2776.yaml diff --git a/data/osv/GO-2024-2612.json b/data/osv/GO-2024-2612.json new file mode 100644 index 00000000..dbe46f30 --- /dev/null +++ b/data/osv/GO-2024-2612.json 
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2612",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-2056"
+ ],
+ "summary": "Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon",
+ "details": "Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/gvalkov/tailon",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2056"
+ },
+ {
+ "type": "WEB",
+ "url": "http://seclists.org/fulldisclosure/2024/Mar/14"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/gvalkov/tailon#security"
+ },
+ {
+ "type": "WEB",
+ "url": "https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Jim Becher of KoreLogic, Inc."
+ },
+ {
+ "name": "Jaggar Henry of KoreLogic, Inc."
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2612",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2684.json b/data/osv/GO-2024-2684.json
new file mode 100644
index 00000000..dfca1c1b
--- /dev/null
+++ b/data/osv/GO-2024-2684.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2684",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-22780",
+ "GHSA-hwvw-gh23-qpvq"
+ ],
+ "summary": "CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs",
+ "details": "CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ca17/teamsacs",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-hwvw-gh23-qpvq"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22780"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fuo.fi/CVE-2024-22780"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CA17/TeamsACS/issues/26"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2684",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2699.json b/data/osv/GO-2024-2699.json
new file mode 100644
index 00000000..19d42883
--- /dev/null
+++ b/data/osv/GO-2024-2699.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2699",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-28224",
+ "GHSA-5jx5-hqx5-2vrj"
+ ],
+ "summary": "Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama",
+ "details": "Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/jmorganca/ollama",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.1.29"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-5jx5-hqx5-2vrj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28224"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ollama/ollama/releases"
+ },
+ {
+ "type": "WEB",
+ "url": "https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2699",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2769.json b/data/osv/GO-2024-2769.json
new file mode 100644
index 00000000..ce0449b6
--- /dev/null
+++ b/data/osv/GO-2024-2769.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2769",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-38183",
+ "GHSA-fhv8-m4j4-cww2"
+ ],
+ "summary": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
+ "details": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
+ "affected": [
+ {
+ "package": {
+ "name": "code.gitea.io/gitea",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.16.9"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-fhv8-m4j4-cww2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38183"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.gitea.io/2022/07/gitea-1.16.9-is-released"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/go-gitea/gitea/pull/20133"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/go-gitea/gitea/pull/20196"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2769",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2776.json b/data/osv/GO-2024-2776.json
new file mode 100644
index 00000000..15c946eb
--- /dev/null
+++ b/data/osv/GO-2024-2776.json
@@ -0,0 +1,70 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2776",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-43350",
+ "GHSA-mg2c-rc36-p594"
+ ],
+ "summary": "Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol",
+ "details": "Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/apache/trafficcontrol",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "5.1.0+incompatible"
+ },
+ {
+ "fixed": "5.1.4+incompatible"
+ },
+ {
+ "introduced": "6.0.0+incompatible"
+ },
+ {
+ "fixed": "6.0.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-mg2c-rc36-p594"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43350"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2021/11/11/3"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2021/11/11/4"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2021/11/17/1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://trafficcontrol.apache.org/security"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2776",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2612.yaml b/data/reports/GO-2024-2612.yaml
new file mode 100644
index 00000000..19996a59
--- /dev/null
+++ b/data/reports/GO-2024-2612.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2612
+modules:
+ - module: github.com/gvalkov/tailon
+ unsupported_versions:
+ - version: 'affected at 4.50 (default: unaffected)'
+ type: cve_version_range
+ vulnerable_at: 1.1.0
+summary: Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon
+cves:
+ - CVE-2024-2056
+credits:
+ - Jim Becher of KoreLogic, Inc.
+ - Jaggar Henry of KoreLogic, Inc.
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-2056
+ - web: http://seclists.org/fulldisclosure/2024/Mar/14
+ - web: https://github.com/gvalkov/tailon#security
+ - web: https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt
+source:
+ id: CVE-2024-2056
+ created: 2024-06-06T16:15:26.949858-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2684.yaml b/data/reports/GO-2024-2684.yaml
new file mode 100644
index 00000000..7d83fdae
--- /dev/null
+++ b/data/reports/GO-2024-2684.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2684
+modules:
+ - module: github.com/ca17/teamsacs
+ unsupported_versions:
+ - version: 1.0.2
+ type: last_affected
+ vulnerable_at: 1.0.3
+summary: CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs
+cves:
+ - CVE-2024-22780
+ghsas:
+ - GHSA-hwvw-gh23-qpvq
+references:
+ - advisory: https://github.com/advisories/GHSA-hwvw-gh23-qpvq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-22780
+ - web: https://fuo.fi/CVE-2024-22780
+ - web: https://github.com/CA17/TeamsACS/issues/26
+source:
+ id: GHSA-hwvw-gh23-qpvq
+ created: 2024-06-06T16:16:42.764735-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2699.yaml b/data/reports/GO-2024-2699.yaml
new file mode 100644
index 00000000..3f4f661e
--- /dev/null
+++ b/data/reports/GO-2024-2699.yaml
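Review bot: The only version data in this report, `- version: 'affected at 4.50 (default: unaffected)'`, appears to be an Artica Proxy product version rather than a github.com/gvalkov/tailon module version (the summary names Artica Proxy and vulnerable_at is 1.1.0), so nothing bounds the affected range and the generated data/osv/GO-2024-2612.json marks every tailon version affected with `introduced: "0"` and no fixed event. Before this leaves UNREVIEWED, the entry should either be replaced with tailon's own introduced/fixed versions once they are established, or the report should state that the unbounded range is intentional. As written, a consumer scanning any tailon version gets a finding it cannot resolve by upgrading.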
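Review bot: `vulnerable_at: 1.0.3` sits above the `last_affected` bound of 1.0.2 two lines earlier, so the version used to confirm the vulnerability is one the same entry implies may be unaffected. One of the two is likely wrong; if 1.0.2 really is the last affected release, `vulnerable_at: 1.0.2` is the consistent choice, otherwise the last_affected entry needs correcting. Because last_affected is listed under unsupported_versions, the generated data/osv/GO-2024-2684.json carries only `introduced: "0"` with no upper bound, so every teamsacs version is reported affected until a supported range is recorded.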
@@ -0,0 +1,20 @@
+id: GO-2024-2699
+modules:
+ - module: github.com/jmorganca/ollama
+ versions:
+ - fixed: 0.1.29
+ vulnerable_at: 0.1.28
+summary: Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama
+cves:
+ - CVE-2024-28224
+ghsas:
+ - GHSA-5jx5-hqx5-2vrj
+references:
+ - advisory: https://github.com/advisories/GHSA-5jx5-hqx5-2vrj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-28224
+ - web: https://github.com/ollama/ollama/releases
+ - web: https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224
+source:
+ id: GHSA-5jx5-hqx5-2vrj
+ created: 2024-06-06T16:17:36.326182-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2769.yaml b/data/reports/GO-2024-2769.yaml
new file mode 100644
index 00000000..80389fc1
--- /dev/null
+++ b/data/reports/GO-2024-2769.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2769
+modules:
+ - module: code.gitea.io/gitea
+ versions:
+ - fixed: 1.16.9
+ vulnerable_at: 1.16.8
+summary: Gitea allowed assignment of private issues in code.gitea.io/gitea
+cves:
+ - CVE-2022-38183
+ghsas:
+ - GHSA-fhv8-m4j4-cww2
+unknown_aliases:
+ - BIT-gitea-2022-38183
+references:
+ - advisory: https://github.com/advisories/GHSA-fhv8-m4j4-cww2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-38183
+ - web: https://blog.gitea.io/2022/07/gitea-1.16.9-is-released
+ - web: https://github.com/go-gitea/gitea/pull/20133
+ - web: https://github.com/go-gitea/gitea/pull/20196
+source:
+ id: GHSA-fhv8-m4j4-cww2
+ created: 2024-06-06T16:18:38.02836-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2776.yaml b/data/reports/GO-2024-2776.yaml
new file mode 100644
index 00000000..110fd411
--- /dev/null
+++ b/data/reports/GO-2024-2776.yaml
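Review bot: The module is recorded as `- module: github.com/jmorganca/ollama`, while both non-advisory references point at github.com/ollama/ollama, which suggests the project may publish under a different module path than the one this report matches on. If the fixed release 0.1.29 is also tagged under github.com/ollama/ollama, a second module entry, `- module: github.com/ollama/ollama` with the same `- fixed: 0.1.29`, is needed, otherwise anyone depending on that path gets no finding. Confirm the path against the release listed in the references before publishing.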
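Review bot: `unknown_aliases: - BIT-gitea-2022-38183` is kept in the report but does not appear in the aliases of the generated data/osv/GO-2024-2769.json, which lists only the CVE and GHSA ids. If dropping unknown aliases from the published entry is intentional that is fine, but it deserves a one-line note next to the field, e.g. `# BIT alias is not published; kept for cross-reference only`, so a later reviewer does not try to re-add it. Otherwise a consumer matching on the BIT id will not find this entry.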
@@ -0,0 +1,25 @@
+id: GO-2024-2776
+modules:
+ - module: github.com/apache/trafficcontrol
+ versions:
+ - introduced: 5.1.0+incompatible
+ fixed: 5.1.4+incompatible
+ - introduced: 6.0.0+incompatible
+ fixed: 6.0.1+incompatible
+ vulnerable_at: 6.0.0+incompatible
+summary: Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol
+cves:
+ - CVE-2021-43350
+ghsas:
+ - GHSA-mg2c-rc36-p594
+references:
+ - advisory: https://github.com/advisories/GHSA-mg2c-rc36-p594
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-43350
+ - web: http://www.openwall.com/lists/oss-security/2021/11/11/3
+ - web: http://www.openwall.com/lists/oss-security/2021/11/11/4
+ - web: http://www.openwall.com/lists/oss-security/2021/11/17/1
+ - web: https://trafficcontrol.apache.org/security
+source:
+ id: GHSA-mg2c-rc36-p594
+ created: 2024-06-06T16:13:56.758827-04:00
+review_status: UNREVIEWED
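Review bot: The first range starts at `- introduced: 5.1.0+incompatible`, which tells consumers that every release before 5.1.0 is unaffected; that lower bound should be checked against the linked advisory, because a bound set too high silently clears older versions whereas a bound set too low only produces extra findings. If releases before 5.1.0 are also affected, the first entry should drop its introduced line so it reads `- fixed: 5.1.4+incompatible`. `vulnerable_at: 6.0.0+incompatible` falls inside the second range, which is consistent.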