From 6b4d4e227cc0029509393a01cd65094539c3d36d Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley Date: Tue, 19 Nov 2024 12:02:02 -0500 Subject: [PATCH] data/reports: add 9 unreviewed reports - data/reports/GO-2024-3267.yaml - data/reports/GO-2024-3269.yaml - data/reports/GO-2024-3271.yaml - data/reports/GO-2024-3272.yaml - data/reports/GO-2024-3273.yaml - data/reports/GO-2024-3274.yaml - data/reports/GO-2024-3275.yaml - data/reports/GO-2024-3277.yaml - data/reports/GO-2024-3278.yaml Fixes golang/vulndb#3267 Fixes golang/vulndb#3269 Fixes golang/vulndb#3271 Fixes golang/vulndb#3272 Fixes golang/vulndb#3273 Fixes golang/vulndb#3274 Fixes golang/vulndb#3275 Fixes golang/vulndb#3277 Fixes golang/vulndb#3278 Change-Id: Iff40e4830d8ead8505d427db90e38c3e08bc9e38 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/629356 Reviewed-by: Zvonimir Pavlinovic LUCI-TryBot-Result: Go LUCI --- data/osv/GO-2024-3267.json | 67 +++++++++++++++++++++++++++++++ data/osv/GO-2024-3269.json | 65 ++++++++++++++++++++++++++++++ data/osv/GO-2024-3271.json | 51 ++++++++++++++++++++++++ data/osv/GO-2024-3272.json | 52 ++++++++++++++++++++++++ data/osv/GO-2024-3273.json | 52 ++++++++++++++++++++++++ data/osv/GO-2024-3274.json | 56 ++++++++++++++++++++++++++ data/osv/GO-2024-3275.json | 49 +++++++++++++++++++++++ data/osv/GO-2024-3277.json | 72 ++++++++++++++++++++++++++++++++++ data/osv/GO-2024-3278.json | 44 +++++++++++++++++++++ data/reports/GO-2024-3267.yaml | 22 +++++++++++ data/reports/GO-2024-3269.yaml | 22 +++++++++++ data/reports/GO-2024-3271.yaml | 20 ++++++++++ data/reports/GO-2024-3272.yaml | 16 ++++++++ data/reports/GO-2024-3273.yaml | 16 ++++++++ data/reports/GO-2024-3274.yaml | 20 ++++++++++ data/reports/GO-2024-3275.yaml | 19 +++++++++ data/reports/GO-2024-3277.yaml | 24 ++++++++++++ data/reports/GO-2024-3278.yaml | 16 ++++++++ 18 files changed, 683 insertions(+) create mode 100644 data/osv/GO-2024-3267.json create mode 100644 data/osv/GO-2024-3269.json create mode 100644 data/osv/GO-2024-3271.json create mode 100644 data/osv/GO-2024-3272.json 
create mode 100644 data/osv/GO-2024-3273.json create mode 100644 data/osv/GO-2024-3274.json create mode 100644 data/osv/GO-2024-3275.json create mode 100644 data/osv/GO-2024-3277.json create mode 100644 data/osv/GO-2024-3278.json create mode 100644 data/reports/GO-2024-3267.yaml create mode 100644 data/reports/GO-2024-3269.yaml create mode 100644 data/reports/GO-2024-3271.yaml create mode 100644 data/reports/GO-2024-3272.yaml create mode 100644 data/reports/GO-2024-3273.yaml create mode 100644 data/reports/GO-2024-3274.yaml create mode 100644 data/reports/GO-2024-3275.yaml create mode 100644 data/reports/GO-2024-3277.yaml create mode 100644 data/reports/GO-2024-3278.yaml diff --git a/data/osv/GO-2024-3267.json b/data/osv/GO-2024-3267.json new file mode 100644 index 00000000..57637dcc --- /dev/null +++ b/data/osv/GO-2024-3267.json 
@@ -0,0 +1,67 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3267", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-52010", + "GHSA-7hpf-g48v-hw3j" + ], + "summary": "Zoraxy has an authenticated command injection in the Web SSH feature in github.com/tobychui/zoraxy", + "details": "Zoraxy has an authenticated command injection in the Web SSH feature in github.com/tobychui/zoraxy.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .", + "affected": [ + { + "package": { + "name": "github.com/tobychui/zoraxy", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.1.3+incompatible" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.6.1" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7hpf-g48v-hw3j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52010" + }, + { + "type": "FIX", + "url": "https://github.com/tobychui/zoraxy/commit/2e9bc77a5d832bff1093058d42ce7a61382e4bc6" + }, + { + "type": "FIX", + "url": "https://github.com/tobychui/zoraxy/commit/c07d5f85dfc37bd32819358ed7d4bc32c604e8f0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3267", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3269.json b/data/osv/GO-2024-3269.json new file mode 100644 index 00000000..ea5acd08 --- /dev/null +++ b/data/osv/GO-2024-3269.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3269", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-52308", + "GHSA-p2h2-3vg9-4p87" + ], + "summary": "Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer in github.com/cli/cli", + "details": "Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer in github.com/cli/cli", + "affected": [ + { + "package": { + "name": "github.com/cli/cli", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/cli/cli/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.62.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52308" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3269", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3271.json b/data/osv/GO-2024-3271.json new file mode 100644 index 00000000..64117b27 --- /dev/null +++ b/data/osv/GO-2024-3271.json 
@@ -0,0 +1,51 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3271", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-52522" + ], + "summary": "Rclone Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata in github.com/rclone/rclone", + "details": "Rclone Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata in github.com/rclone/rclone", + "affected": [ + { + "package": { + "name": "github.com/rclone/rclone", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.59.0" + }, + { + "fixed": "1.68.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52522" + }, + { + "type": "FIX", + "url": "https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0" + }, + { + "type": "WEB", + "url": "https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3271", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3272.json b/data/osv/GO-2024-3272.json new file mode 100644 index 00000000..1a2bb445 --- /dev/null +++ b/data/osv/GO-2024-3272.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3272", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-24425" + ], + "summary": "CVE-2024-24425 in github.com/magma/magma", + "details": "CVE-2024-24425 in github.com/magma/magma", + "affected": [ + { + "package": { + "name": "github.com/magma/magma", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24425" + }, + { + "type": "WEB", + "url": "https://cellularsecurity.org/ransacked" + }, + { + "type": "WEB", + "url": "https://github.com/OPENAIRINTERFACE/openair-epc-fed" + }, + { + "type": "WEB", + "url": "https://github.com/magma/magma" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3272", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3273.json b/data/osv/GO-2024-3273.json new file mode 100644 index 00000000..12eadb15 --- /dev/null +++ b/data/osv/GO-2024-3273.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3273", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-24426" + ], + "summary": "CVE-2024-24426 in github.com/magma/magma", + "details": "CVE-2024-24426 in github.com/magma/magma", + "affected": [ + { + "package": { + "name": "github.com/magma/magma", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24426" + }, + { + "type": "WEB", + "url": "https://cellularsecurity.org/ransacked" + }, + { + "type": "WEB", + "url": "https://github.com/OPENAIRINTERFACE/openair-epc-fed" + }, + { + "type": "WEB", + "url": "https://github.com/magma/magma" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3273", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3274.json b/data/osv/GO-2024-3274.json new file mode 100644 index 00000000..38f703c0 --- /dev/null +++ b/data/osv/GO-2024-3274.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3274", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-0109", + "GHSA-5r2g-59px-3q9w" + ], + "summary": "Stored XSS using two files in usememos/memos in github.com/usememos/memos", + "details": "Stored XSS using two files in usememos/memos in github.com/usememos/memos", + "affected": [ + { + "package": { + "name": "github.com/usememos/memos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.10.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-5r2g-59px-3q9w" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0109" + }, + { + "type": "FIX", + "url": "https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c" + }, + { + "type": "WEB", + "url": "https://huntr.com/bounties/1899ffb2-ce1e-4dc0-af96-972612190f6e" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3274", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3275.json b/data/osv/GO-2024-3275.json new file mode 100644 index 00000000..cb2ba249 --- /dev/null +++ b/data/osv/GO-2024-3275.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3275", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-44625", + "GHSA-phm4-wf3h-pc3r" + ], + "summary": "Unpatched Remote Code Execution in Gogs in gogs.io/gogs", + "details": "Unpatched Remote Code Execution in Gogs in gogs.io/gogs", + "affected": [ + { + "package": { + "name": "gogs.io/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-phm4-wf3h-pc3r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44625" + }, + { + "type": "WEB", + "url": "https://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3275", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3277.json b/data/osv/GO-2024-3277.json new file mode 100644 index 00000000..2e6fad03 --- /dev/null +++ b/data/osv/GO-2024-3277.json 
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3277", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-0793", + "GHSA-h7wq-jj8r-qm7p" + ], + "summary": "Kubernetes Nil pointer dereference in KCM after v1 HPA patch request in k8s.io/kubernetes", + "details": "Kubernetes Nil pointer dereference in KCM after v1 HPA patch request in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.27.0-alpha.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-h7wq-jj8r-qm7p" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0793" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0741" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:1267" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-0793" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2214402" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/107038#issuecomment-1911327145" + }, + { + "type": "WEB", + "url": "https://github.com/openshift/kubernetes/pull/1876" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3277", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3278.json b/data/osv/GO-2024-3278.json new file mode 100644 index 00000000..6714dcf0 --- /dev/null +++ b/data/osv/GO-2024-3278.json 
@@ -0,0 +1,44 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3278", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-9526" + ], + "summary": "Stored XSS in Kubeflow Pipeline View in github.com/kubeflow/pipelines", + "details": "Stored XSS in Kubeflow Pipeline View in github.com/kubeflow/pipelines", + "affected": [ + { + "package": { + "name": "github.com/kubeflow/pipelines", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9526" + }, + { + "type": "FIX", + "url": "https://github.com/kubeflow/pipelines/pull/10315" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3278", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file
diff --git a/data/reports/GO-2024-3267.yaml b/data/reports/GO-2024-3267.yaml
new file mode 100644
index 00000000..55828749
--- /dev/null
+++ b/data/reports/GO-2024-3267.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3267
+modules:
+ - module: github.com/tobychui/zoraxy
+ versions:
+ - fixed: 3.1.3+incompatible
+ non_go_versions:
+ - introduced: 2.6.1
+ vulnerable_at: 3.1.2+incompatible
+summary: Zoraxy has an authenticated command injection in the Web SSH feature in github.com/tobychui/zoraxy
+cves:
+ - CVE-2024-52010
+ghsas:
+ - GHSA-7hpf-g48v-hw3j
+references:
+ - advisory: https://github.com/tobychui/zoraxy/security/advisories/GHSA-7hpf-g48v-hw3j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52010
+ - fix: https://github.com/tobychui/zoraxy/commit/2e9bc77a5d832bff1093058d42ce7a61382e4bc6
+ - fix: https://github.com/tobychui/zoraxy/commit/c07d5f85dfc37bd32819358ed7d4bc32c604e8f0
+source:
+ id: GHSA-7hpf-g48v-hw3j
+ created: 2024-11-19T12:00:28.789773-05:00
+review_status: UNREVIEWED
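Review bot: The advisory's lower bound is parked under `non_go_versions` (`- introduced: 2.6.1`) while the Go range has only `- fixed: 3.1.3+incompatible`, so the generated OSV range covers every version from 0 and the generated details string in data/osv/GO-2024-3267.json ends with the dangling sentence "The additional affected modules and versions are: ." The `+incompatible` suffix on the fixed version shows that this repository's major-version tags resolve without a versioned module path, so a `v2.6.1` tag, if it exists, would resolve the same way; in that case the range should read `versions:` / `  - introduced: 2.6.1+incompatible` / `  - fixed: 3.1.3+incompatible`. Worth confirming with `go list -m -versions github.com/tobychui/zoraxy` before publishing, since the current range reports 2.x users below 2.6.1 as vulnerable for no reason.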
diff --git a/data/reports/GO-2024-3269.yaml b/data/reports/GO-2024-3269.yaml
new file mode 100644
index 00000000..46dec2c5
--- /dev/null
+++ b/data/reports/GO-2024-3269.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3269
+modules:
+ - module: github.com/cli/cli
+ vulnerable_at: 1.14.0
+ - module: github.com/cli/cli/v2
+ versions:
+ - fixed: 2.62.0
+ vulnerable_at: 2.61.0
+summary: |-
+ Connecting to a malicious Codespaces via GH CLI could allow command execution on
+ the user's computer in github.com/cli/cli
+cves:
+ - CVE-2024-52308
+ghsas:
+ - GHSA-p2h2-3vg9-4p87
+references:
+ - advisory: https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52308
+source:
+ id: GHSA-p2h2-3vg9-4p87
+ created: 2024-11-19T11:59:49.747538-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3271.yaml b/data/reports/GO-2024-3271.yaml
new file mode 100644
index 00000000..e24b9ff6
--- /dev/null
+++ b/data/reports/GO-2024-3271.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3271
+modules:
+ - module: github.com/rclone/rclone
+ versions:
+ - introduced: 1.59.0
+ - fixed: 1.68.2
+ vulnerable_at: 1.68.1
+summary: |-
+ Rclone Improper Permission and Ownership Handling on Symlink Targets with
+ --links and --metadata in github.com/rclone/rclone
+cves:
+ - CVE-2024-52522
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52522
+ - fix: https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0
+ - web: https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv
+source:
+ id: CVE-2024-52522
+ created: 2024-11-19T11:59:46.082737-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3272.yaml b/data/reports/GO-2024-3272.yaml
new file mode 100644
index 00000000..9bb40606
--- /dev/null
+++ b/data/reports/GO-2024-3272.yaml
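Review bot: The `github.com/cli/cli` (v1) module entry has no `versions:` block, so every v1 release is reported as vulnerable with no fixed version, while the fix is recorded only for `github.com/cli/cli/v2` at 2.62.0. That is presumably intended, since no v1 fix is listed, but a scanner user on v1 is told nothing about how to remediate; a one-line `description:` such as "No fix is available for the v1 module; upgrade to github.com/cli/cli/v2 v2.62.0 or later." would make the remediation path explicit. The report carries no description at all, so the summary is the only text a reader gets.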
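Review bot: The rclone repository advisory is typed `web:` and the report has no `ghsas:` block, so GHSA-hrxh-9w67-g4cv does not appear in the generated OSV `aliases` (only CVE-2024-52522 does) and tools that deduplicate on GHSA IDs will treat this as a separate finding. If that advisory is GitHub's record of CVE-2024-52522, as the URL under rclone's own repository suggests, the reference should be `- advisory: https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv` and the report should gain `ghsas:` / `  - GHSA-hrxh-9w67-g4cv`. The `introduced: 1.59.0` lower bound is a useful narrowing and should be kept as is.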
@@ -0,0 +1,16 @@
+id: GO-2024-3272
+modules:
+ - module: github.com/magma/magma
+ vulnerable_at: 1.8.0
+summary: CVE-2024-24425 in github.com/magma/magma
+cves:
+ - CVE-2024-24425
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-24425
+ - web: https://cellularsecurity.org/ransacked
+ - web: https://github.com/OPENAIRINTERFACE/openair-epc-fed
+ - web: https://github.com/magma/magma
+source:
+ id: CVE-2024-24425
+ created: 2024-11-19T11:59:43.486905-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3273.yaml b/data/reports/GO-2024-3273.yaml
new file mode 100644
index 00000000..33605b3c
--- /dev/null
+++ b/data/reports/GO-2024-3273.yaml
@@ -0,0 +1,16 @@
+id: GO-2024-3273
+modules:
+ - module: github.com/magma/magma
+ vulnerable_at: 1.8.0
+summary: CVE-2024-24426 in github.com/magma/magma
+cves:
+ - CVE-2024-24426
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-24426
+ - web: https://cellularsecurity.org/ransacked
+ - web: https://github.com/OPENAIRINTERFACE/openair-epc-fed
+ - web: https://github.com/magma/magma
+source:
+ id: CVE-2024-24426
+ created: 2024-11-19T11:59:40.044127-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3274.yaml b/data/reports/GO-2024-3274.yaml
new file mode 100644
index 00000000..e46ff562
--- /dev/null
+++ b/data/reports/GO-2024-3274.yaml
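Review bot: The summary is the placeholder `CVE-2024-24425 in github.com/magma/magma`, and the only substantive references are the RANSACKED research page and the OpenAirInterface EPC repository, which appear to concern the LTE core network components rather than a Go package; before this ships it needs either the affected Go package named or a review for the NOT_GO_CODE outcome. With no `versions:` block every release of the module is flagged and no fix is recorded, so `vulnerable_at: 1.8.0` is the only version information in the report. Until the component is confirmed, a `description:` stating that the flaw is reported against Magma's core network code and that affected Go code has not yet been identified would stop scanner users from treating this as a library vulnerability.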
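Review bot: As with CVE-2024-24425, the summary `CVE-2024-24426 in github.com/magma/magma` is a placeholder and the references (cellularsecurity.org/ransacked, the OpenAirInterface EPC repository) do not point at any Go source, so it is unclear from the report which package, if any, in github.com/magma/magma is affected. The open-ended range (no `versions:` block, only `vulnerable_at: 1.8.0`) means every importer of the module will be flagged indefinitely. If the RANSACKED findings are against the C/C++ core components, as the OpenAirInterface link suggests, this report should be reviewed for NOT_GO_CODE rather than left UNREVIEWED with a blanket range.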
@@ -0,0 +1,20 @@
+id: GO-2024-3274
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.10.0
+ vulnerable_at: 0.9.1
+summary: Stored XSS using two files in usememos/memos in github.com/usememos/memos
+cves:
+ - CVE-2023-0109
+ghsas:
+ - GHSA-5r2g-59px-3q9w
+references:
+ - advisory: https://github.com/advisories/GHSA-5r2g-59px-3q9w
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-0109
+ - fix: https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c
+ - web: https://huntr.com/bounties/1899ffb2-ce1e-4dc0-af96-972612190f6e
+source:
+ id: GHSA-5r2g-59px-3q9w
+ created: 2024-11-19T11:59:36.387588-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3275.yaml b/data/reports/GO-2024-3275.yaml
new file mode 100644
index 00000000..222c0afe
--- /dev/null
+++ b/data/reports/GO-2024-3275.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-3275
+modules:
+ - module: gogs.io/gogs
+ unsupported_versions:
+ - last_affected: 0.13.0
+ vulnerable_at: 0.13.0
+summary: Unpatched Remote Code Execution in Gogs in gogs.io/gogs
+cves:
+ - CVE-2024-44625
+ghsas:
+ - GHSA-phm4-wf3h-pc3r
+references:
+ - advisory: https://github.com/advisories/GHSA-phm4-wf3h-pc3r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-44625
+ - web: https://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs
+source:
+ id: GHSA-phm4-wf3h-pc3r
+ created: 2024-11-19T11:59:32.635983-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3277.yaml b/data/reports/GO-2024-3277.yaml
new file mode 100644
index 00000000..ff742366
--- /dev/null
+++ b/data/reports/GO-2024-3277.yaml
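Review bot: The huntr bounty page is the original disclosure for CVE-2023-0109, but it is typed `web:`; vulndb's `report:` reference type fits an original researcher write-up better than `web:` and distinguishes it from the advisory mirrors listed above it. The summary `Stored XSS using two files in usememos/memos` is the GHSA title copied verbatim and does not say what the two files are or where the injected content is rendered, so without a `description:` the report offers nothing beyond "upgrade to 0.10.0". The fix commit is present, so the `fixed: 0.10.0` bound at least has a source to check against.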
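Review bot: The report records `unsupported_versions:` / `- last_affected: 0.13.0` with no fixed version, which the generated OSV range turns into "introduced 0, no upper bound"; gogs.io/gogs will keep being flagged after a fix lands unless someone remembers to revisit this entry. A `description:` stating that no fixed version existed as of the report date, plus a reminder to re-check GHSA-phm4-wf3h-pc3r, would make that maintenance need visible. The researcher write-up at fysac.github.io is the primary disclosure and fits `report:` better than `web:`, and the word "Unpatched" in the summary will go stale the moment a fix is published, so that fact belongs in the description rather than the summary.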
@@ -0,0 +1,24 @@
+id: GO-2024-3277
+modules:
+ - module: k8s.io/kubernetes
+ versions:
+ - fixed: 1.27.0-alpha.1
+ vulnerable_at: 1.27.0-alpha.0
+summary: Kubernetes Nil pointer dereference in KCM after v1 HPA patch request in k8s.io/kubernetes
+cves:
+ - CVE-2024-0793
+ghsas:
+ - GHSA-h7wq-jj8r-qm7p
+references:
+ - advisory: https://github.com/advisories/GHSA-h7wq-jj8r-qm7p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-0793
+ - web: https://access.redhat.com/errata/RHSA-2024:0741
+ - web: https://access.redhat.com/errata/RHSA-2024:1267
+ - web: https://access.redhat.com/security/cve/CVE-2024-0793
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2214402
+ - web: https://github.com/kubernetes/kubernetes/issues/107038#issuecomment-1911327145
+ - web: https://github.com/openshift/kubernetes/pull/1876
+source:
+ id: GHSA-h7wq-jj8r-qm7p
+ created: 2024-11-19T11:59:24.495186-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3278.yaml b/data/reports/GO-2024-3278.yaml
new file mode 100644
index 00000000..61df1974
--- /dev/null
+++ b/data/reports/GO-2024-3278.yaml
@@ -0,0 +1,16 @@
+id: GO-2024-3278
+modules:
+ - module: github.com/kubeflow/pipelines
+ unsupported_versions:
+ - cve_version_range: 'affected from 0 before 930c35f1c543998e60e8d648ce93185c9b5dbe8d (default: unaffected)'
+ vulnerable_at: 0.0.0-20241119091323-c57e8973ac4b
+summary: Stored XSS in Kubeflow Pipeline View in github.com/kubeflow/pipelines
+cves:
+ - CVE-2024-9526
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9526
+ - fix: https://github.com/kubeflow/pipelines/pull/10315
+source:
+ id: CVE-2024-9526
+ created: 2024-11-19T11:59:20.555589-05:00
+review_status: UNREVIEWED
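Review bot: Every reference is a downstream record (Red Hat errata and Bugzilla, an OpenShift backport PR, a comment on a kubernetes issue) and there is no `fix:` entry, so `fixed: 1.27.0-alpha.1` cannot be traced to an upstream commit from the report itself. If openshift/kubernetes#1876 identifies the upstream change it cherry-picks, that commit belongs here as `- fix: <upstream commit URL>`; it would also show whether the fix reached any 1.26.x release branch, which the current range (everything before 1.27.0-alpha.1) treats as unfixed. The summary describes a nil pointer dereference in the controller manager, presumably a crash rather than code execution, and a `description:` saying so would set expectations for importers of k8s.io/kubernetes.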
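Review bot: The CVE's range `affected from 0 before 930c35f1c543998e60e8d648ce93185c9b5dbe8d` is parked under `unsupported_versions`, so the generated OSV range has no `fixed` event and flags every version of github.com/kubeflow/pipelines, including ones that already contain the fix from PR #10315. The commit hash in that range identifies the fix, so a fixed pseudo-version can be derived from it (`go list -m github.com/kubeflow/pipelines@930c35f1c543`) or, better, the first tagged release that contains it. The `vulnerable_at: 0.0.0-20241119091323-c57e8973ac4b` pseudo-version is dated the day the report was created, which is very likely after the fix given the PR number, so the vulnerable_at check would be pointing at patched code; it should be pinned to a commit that predates 930c35f.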