diff --git a/data/osv/GO-2024-3284.json b/data/osv/GO-2024-3284.json new file mode 100644 index 00000000..6fa8f46b --- /dev/null +++ b/data/osv/GO-2024-3284.json @@ -0,0 +1,71 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3284", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-37820", + "GHSA-9g6g-xqv5-8g5w" + ], + "summary": "PingCAP TiDB nil pointer dereference in github.com/pingcap/tidb", + "details": "PingCAP TiDB nil pointer dereference in github.com/pingcap/tidb.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/pingcap/tidb before v8.2.0.", + "affected": [ + { + "package": { + "name": "github.com/pingcap/tidb", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "8.2.0" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9g6g-xqv5-8g5w" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37820" + }, + { + "type": "FIX", + "url": "https://github.com/pingcap/tidb/commit/3d68bd21240c610c6307713e2bd54a5e71c32608" + }, + { + "type": "REPORT", + "url": "https://github.com/pingcap/tidb/issues/53580" + }, + { + "type": "WEB", + "url": "https://gist.github.com/ycybfhb/a9c1e14ce281f2f553adca84d384b761" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3284", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-3286.json b/data/osv/GO-2024-3286.json new file mode 100644 index 00000000..eb789ab6 --- /dev/null +++ b/data/osv/GO-2024-3286.json @@ -0,0 +1,76 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3286", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-10220", + "GHSA-27wf-5967-98gx" + ], + "summary": "Kubernetes kubelet arbitrary command execution in k8s.io/kubernetes", + "details": "Kubernetes kubelet arbitrary command execution in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.28.12" + }, + { + "introduced": "1.29.0" + }, + { + "fixed": "1.29.7" + }, + { + "introduced": "1.30.0" + }, + { + "fixed": "1.30.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-27wf-5967-98gx" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10220" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/11/20/1" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/1ab06efe92d8e898ca1931471c9533ce94aba29b" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/128885" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-announce/c/ptNgV5Necko" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3286", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3287.json b/data/osv/GO-2024-3287.json new file mode 100644 index 00000000..895d5c17 --- /dev/null +++ b/data/osv/GO-2024-3287.json 
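Review bot: In the references block of GO-2024-3286.json the Kubernetes commit `https://github.com/kubernetes/kubernetes/commit/1ab06efe92d8e898ca1931471c9533ce94aba29b` is emitted with `"type": "WEB"`, whereas GO-2024-3284.json in the same commit types its fix commit as `FIX`. If that commit is the remediation the GHSA points to (it is listed beside the tracking issue, so that seems likely, but I cannot confirm it from here), the record should carry `"type": "FIX"` so consumers that key off FIX references to locate the patch for backporting pick it up. The value originates in the source report, so the change belongs in `data/reports/GO-2024-3286.yaml` (same file set, further down) as `- fix: https://github.com/kubernetes/kubernetes/commit/1ab06efe92d8e898ca1931471c9533ce94aba29b` in place of the `- web:` entry, with the JSON regenerated from it.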
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3287", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-45719", + "GHSA-mr95-vfcf-fx9p" + ], + "summary": "Apache Answer: Predictable Authorization Token Using UUIDv1 in github.com/apache/incubator-answer", + "details": "Apache Answer: Predictable Authorization Token Using UUIDv1 in github.com/apache/incubator-answer", + "affected": [ + { + "package": { + "name": "github.com/apache/incubator-answer", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mr95-vfcf-fx9p" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45719" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/11/22/1" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/sz2d0z39k01nbx3r9pj65t76o1hy9491" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3287", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3288.json b/data/osv/GO-2024-3288.json new file mode 100644 index 00000000..0ad1d856 --- /dev/null +++ b/data/osv/GO-2024-3288.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3288", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-7f6p-phw2-8253" + ], + "summary": "Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws in github.com/taurusgroup/multi-party-sig", + "details": "Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws in github.com/taurusgroup/multi-party-sig", + "affected": [ + { + "package": { + "name": "github.com/taurusgroup/multi-party-sig", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/taurushq-io/multi-party-sig/security/advisories/GHSA-7f6p-phw2-8253" + }, + { + "type": "WEB", + "url": "https://eprint.iacr.org/2018/499.pdf" + }, + { + "type": "WEB", + "url": "https://github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go#L188" + }, + { + "type": "WEB", + "url": "https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114" + }, + { + "type": "WEB", + "url": "https://github.com/taurushq-io/multi-party-sig/tree/otfix" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3288", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3289.json b/data/osv/GO-2024-3289.json new file mode 100644 index 00000000..20ec80c5 --- /dev/null +++ b/data/osv/GO-2024-3289.json 
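Review bot: The last reference in GO-2024-3288.json, `https://github.com/taurushq-io/multi-party-sig/tree/otfix`, is a branch link rather than a commit link, so it is mutable: the branch can be rebased, merged or deleted, after which readers of the advisory can no longer tell which code the remediation refers to. The two `blob/` references in the same list are pinned to commit hashes, which is the durable form; once the fix lands on the default branch this entry should become a `FIX` reference to that commit, and the matching `- web:` line in `data/reports/GO-2024-3288.yaml` is where to make the change. Separately, because the source advisory gives only a `last_affected` version and no fixed version, the SEMVER range has an `introduced: "0"` event and no `fixed` event, so every version of `github.com/taurusgroup/multi-party-sig` is reported as affected; that is the conservative outcome, but the range should be revisited when a fixed release exists.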
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3289", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-6538", + "GHSA-v3w7-g6p2-mpx7" + ], + "summary": "OpenShift Console Server Side Request Forgery vulnerability in github.com/openshift/console", + "details": "OpenShift Console Server Side Request Forgery vulnerability in github.com/openshift/console", + "affected": [ + { + "package": { + "name": "github.com/openshift/console", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-v3w7-g6p2-mpx7" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6538" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-6538" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296057" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3289", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3290.json b/data/osv/GO-2024-3290.json new file mode 100644 index 00000000..a92f5e89 --- /dev/null +++ b/data/osv/GO-2024-3290.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3290", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-52529", + "GHSA-xg58-75qf-9r67" + ], + "summary": "Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in github.com/cilium/cilium", + "details": "Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in github.com/cilium/cilium", + "affected": [ + { + "package": { + "name": "github.com/cilium/cilium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52529" + }, + { + "type": "FIX", + "url": "https://github.com/cilium/cilium/pull/35150" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3290", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3291.json b/data/osv/GO-2024-3291.json new file mode 100644 index 00000000..ace37115 --- /dev/null +++ b/data/osv/GO-2024-3291.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3291", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-43784", + "GHSA-hh33-46q4-hwm2" + ], + "summary": "Re-creating a deleted user in lakeFS will re-enable previous user credentials that existed prior to its deletion in github.com/treeverse/lakefs", + "details": "Re-creating a deleted user in lakeFS will re-enable previous user credentials that existed prior to its deletion in github.com/treeverse/lakefs", + "affected": [ + { + "package": { + "name": "github.com/treeverse/lakefs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.33.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/treeverse/lakeFS/security/advisories/GHSA-hh33-46q4-hwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43784" + }, + { + "type": "WEB", + "url": "https://github.com/treeverse/lakeFS/releases/tag/v1.33.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3291", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2024-3284.yaml b/data/reports/GO-2024-3284.yaml new file mode 100644 index 00000000..694fc54b --- /dev/null +++ b/data/reports/GO-2024-3284.yaml 
@@ -0,0 +1,21 @@ +id: GO-2024-3284 +modules: + - module: github.com/pingcap/tidb + non_go_versions: + - fixed: 8.2.0 + vulnerable_at: 1.0.9 +summary: PingCAP TiDB nil pointer dereference in github.com/pingcap/tidb +cves: + - CVE-2024-37820 +ghsas: + - GHSA-9g6g-xqv5-8g5w +references: + - advisory: https://github.com/advisories/GHSA-9g6g-xqv5-8g5w + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37820 + - fix: https://github.com/pingcap/tidb/commit/3d68bd21240c610c6307713e2bd54a5e71c32608 + - report: https://github.com/pingcap/tidb/issues/53580 + - web: https://gist.github.com/ycybfhb/a9c1e14ce281f2f553adca84d384b761 +source: + id: GHSA-9g6g-xqv5-8g5w + created: 2024-11-27T13:41:33.624345-05:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3286.yaml b/data/reports/GO-2024-3286.yaml new file mode 100644 index 00000000..3949bd3e --- /dev/null +++ b/data/reports/GO-2024-3286.yaml @@ -0,0 +1,26 @@ +id: GO-2024-3286 +modules: + - module: k8s.io/kubernetes + versions: + - fixed: 1.28.12 + - introduced: 1.29.0 + - fixed: 1.29.7 + - introduced: 1.30.0 + - fixed: 1.30.3 + vulnerable_at: 1.30.2 +summary: Kubernetes kubelet arbitrary command execution in k8s.io/kubernetes +cves: + - CVE-2024-10220 +ghsas: + - GHSA-27wf-5967-98gx +references: + - advisory: https://github.com/advisories/GHSA-27wf-5967-98gx + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-10220 + - web: http://www.openwall.com/lists/oss-security/2024/11/20/1 + - web: https://github.com/kubernetes/kubernetes/commit/1ab06efe92d8e898ca1931471c9533ce94aba29b + - web: https://github.com/kubernetes/kubernetes/issues/128885 + - web: https://groups.google.com/g/kubernetes-security-announce/c/ptNgV5Necko +source: + id: GHSA-27wf-5967-98gx + created: 2024-11-27T13:41:27.937873-05:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3287.yaml b/data/reports/GO-2024-3287.yaml new file mode 100644 index 00000000..f1d19e93 --- /dev/null +++ b/data/reports/GO-2024-3287.yaml 
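Review bot: `vulnerable_at: 1.0.9` in GO-2024-3284.yaml is a v1-era tag of `github.com/pingcap/tidb`, while the referenced fix is commit 3d68bd21240c610c6307713e2bd54a5e71c32608 and `non_go_versions` places the fix at 8.2.0. `vulnerable_at` is the version the tooling inspects to confirm the vulnerable code is present, so if the affected code path exists only in the 8.x tree (I cannot confirm that from here) 1.0.9 will not contain it and any symbol data derived from it will be unreliable; a pseudo-version at the parent of the fix commit would be a safer choice. Because the 8.x tags are not mapped to this module path, the regenerated OSV record in the first hunk ends up with a SEMVER range of `introduced: "0"` and no `fixed` event, meaning every version of the module is reported as vulnerable; the NOTE in `details` documents this, but it is worth stating in the report why no Go-resolvable fixed version exists so the next reviewer does not try to "repair" the range.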
@@ -0,0 +1,20 @@ +id: GO-2024-3287 +modules: + - module: github.com/apache/incubator-answer + versions: + - fixed: 1.4.1 + vulnerable_at: 1.4.1-RC2 +summary: 'Apache Answer: Predictable Authorization Token Using UUIDv1 in github.com/apache/incubator-answer' +cves: + - CVE-2024-45719 +ghsas: + - GHSA-mr95-vfcf-fx9p +references: + - advisory: https://github.com/advisories/GHSA-mr95-vfcf-fx9p + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45719 + - web: http://www.openwall.com/lists/oss-security/2024/11/22/1 + - web: https://lists.apache.org/thread/sz2d0z39k01nbx3r9pj65t76o1hy9491 +source: + id: GHSA-mr95-vfcf-fx9p + created: 2024-11-27T13:41:23.455467-05:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3288.yaml b/data/reports/GO-2024-3288.yaml new file mode 100644 index 00000000..787b140a --- /dev/null +++ b/data/reports/GO-2024-3288.yaml @@ -0,0 +1,19 @@ +id: GO-2024-3288 +modules: + - module: github.com/taurusgroup/multi-party-sig + unsupported_versions: + - last_affected: 0.6.0-alpha-2021-09-21 + vulnerable_at: 0.6.0-alpha-2021-09-21 +summary: Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws in github.com/taurusgroup/multi-party-sig +ghsas: + - GHSA-7f6p-phw2-8253 +references: + - advisory: https://github.com/taurushq-io/multi-party-sig/security/advisories/GHSA-7f6p-phw2-8253 + - web: https://eprint.iacr.org/2018/499.pdf + - web: https://github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go#L188 + - web: https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114 + - web: https://github.com/taurushq-io/multi-party-sig/tree/otfix +source: + id: GHSA-7f6p-phw2-8253 + created: 2024-11-27T13:41:20.534174-05:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3289.yaml b/data/reports/GO-2024-3289.yaml new file mode 100644 index 00000000..84cf81a4 --- /dev/null 
+++ b/data/reports/GO-2024-3289.yaml @@ -0,0 +1,20 @@ +id: GO-2024-3289 +modules: + - module: github.com/openshift/console + unsupported_versions: + - last_affected: 6.0.6 + vulnerable_at: 6.0.6+incompatible +summary: OpenShift Console Server Side Request Forgery vulnerability in github.com/openshift/console +cves: + - CVE-2024-6538 +ghsas: + - GHSA-v3w7-g6p2-mpx7 +references: + - advisory: https://github.com/advisories/GHSA-v3w7-g6p2-mpx7 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6538 + - web: https://access.redhat.com/security/cve/CVE-2024-6538 + - web: https://bugzilla.redhat.com/show_bug.cgi?id=2296057 +source: + id: GHSA-v3w7-g6p2-mpx7 + created: 2024-11-27T13:41:11.327665-05:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3290.yaml b/data/reports/GO-2024-3290.yaml new file mode 100644 index 00000000..1bae163d --- /dev/null +++ b/data/reports/GO-2024-3290.yaml @@ -0,0 +1,22 @@ +id: GO-2024-3290 +modules: + - module: github.com/cilium/cilium + versions: + - introduced: 1.16.0 + - fixed: 1.16.4 + vulnerable_at: 1.16.3 +summary: |- + Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded + port ranges in github.com/cilium/cilium +cves: + - CVE-2024-52529 +ghsas: + - GHSA-xg58-75qf-9r67 +references: + - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52529 + - fix: https://github.com/cilium/cilium/pull/35150 +source: + id: GHSA-xg58-75qf-9r67 + created: 2024-11-27T13:41:07.247675-05:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3291.yaml b/data/reports/GO-2024-3291.yaml new file mode 100644 index 00000000..2425e919 --- /dev/null +++ b/data/reports/GO-2024-3291.yaml 
@@ -0,0 +1,21 @@ +id: GO-2024-3291 +modules: + - module: github.com/treeverse/lakefs + versions: + - fixed: 1.33.0 + vulnerable_at: 1.32.1 +summary: |- + Re-creating a deleted user in lakeFS will re-enable previous user credentials + that existed prior to its deletion in github.com/treeverse/lakefs +cves: + - CVE-2024-43784 +ghsas: + - GHSA-hh33-46q4-hwm2 +references: + - advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-hh33-46q4-hwm2 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43784 + - web: https://github.com/treeverse/lakeFS/releases/tag/v1.33.0 +source: + id: GHSA-hh33-46q4-hwm2 + created: 2024-11-27T13:41:03.899167-05:00 +review_status: UNREVIEWED