data/reports: add GO-2024-2519, update GO-2024-2833

- data/reports/GO-2024-2519.yaml - data/reports/GO-2024-2833.yaml Fixes #2519 Updates #2833 Change-Id: I34b4277969934d47a6e4978b3c1db2eae19f58e2 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/596175 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Tim King <taking@google.com>
golang · Jul 2, 2024 · 3fc0880 · 3fc0880
1 parent f2119dc
commit 3fc0880
Show file tree

Hide file tree

Showing 4 changed files with 115 additions and 1 deletion.
diff --git a/data/osv/GO-2024-2519.json b/data/osv/GO-2024-2519.json
@@ -0,0 +1,81 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2519",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2020-12459",
+    "GHSA-m25m-5778-fm22"
+  ],
+  "summary": "Grafana world readable configuration files in github.com/grafana/grafana",
+  "details": "Grafana world readable configuration files in github.com/grafana/grafana",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/grafana/grafana",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-m25m-5778-fm22"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12459"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/grafana/grafana/commit/102448040d5132460e3b0013e03ebedec0677e00"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://github.com/grafana/grafana/issues/8283"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2020-12459"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827765"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1829724"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20200518-0004"
+    },
+    {
+      "type": "WEB",
+      "url": "https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2519",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2833.json b/data/osv/GO-2024-2833.json
@@ -4,7 +4,8 @@
   "modified": "0001-01-01T00:00:00Z",
   "published": "0001-01-01T00:00:00Z",
   "aliases": [
-    "CVE-2024-34079"
+    "CVE-2024-34079",
+    "GHSA-75r6-6jg8-pfcq"
   ],
   "summary": "Denial of service in github.com/octo-sts/app",
   "details": "Excessively large requests can be processed, consuming a large amount of resources. This could potentially lead to a denial of service.",

diff --git a/data/reports/GO-2024-2519.yaml b/data/reports/GO-2024-2519.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2519
+modules:
+    - module: github.com/grafana/grafana
+      non_go_versions:
+        - introduced: 6.0.0
+        - fixed: 7.2.1
+      vulnerable_at: 5.4.5+incompatible
+summary: Grafana world readable configuration files in github.com/grafana/grafana
+cves:
+    - CVE-2020-12459
+ghsas:
+    - GHSA-m25m-5778-fm22
+unknown_aliases:
+    - BIT-grafana-2020-12459
+references:
+    - advisory: https://github.com/advisories/GHSA-m25m-5778-fm22
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-12459
+    - fix: https://github.com/grafana/grafana/commit/102448040d5132460e3b0013e03ebedec0677e00
+    - report: https://github.com/grafana/grafana/issues/8283
+    - web: https://access.redhat.com/security/cve/CVE-2020-12459
+    - web: https://bugzilla.redhat.com/show_bug.cgi?id=1827765
+    - web: https://bugzilla.redhat.com/show_bug.cgi?id=1829724
+    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS
+    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A
+    - web: https://security.netapp.com/advisory/ntap-20200518-0004
+    - web: https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277
+source:
+    id: GHSA-m25m-5778-fm22
+    created: 2024-07-02T11:58:25.857462-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2833.yaml b/data/reports/GO-2024-2833.yaml
@@ -15,6 +15,8 @@ description: |-
     a denial of service.
 cves:
     - CVE-2024-34079
+ghsas:
+    - GHSA-75r6-6jg8-pfcq
 credits:
     - '@enj'
 references: