data/reports: add 5 reports
  - data/reports/GO-2024-2920.yaml
  - data/reports/GO-2024-2921.yaml
  - data/reports/GO-2024-2930.yaml
  - data/reports/GO-2024-2936.yaml
  - data/reports/GO-2024-2943.yaml

Fixes #2920
Fixes #2921
Fixes #2930
Fixes #2936
Fixes #2943

Change-Id: I6de64b6c40310fbc70839bdffd8665a4c639d7b3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595957
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
tatianab committed Jul 1, 2024
1 parent 3f3b024 commit 95ad15a
Showing 10 changed files with 969 additions and 0 deletions.
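--- /dev/null
+++ b/data/osv/GO-2024-2920.json
@@ -0,0 +1,101 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-2920",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2023-49559",
+"GHSA-2hmf-46v7-v6fx"
+],
+"summary": "Denial of service vulnerability via the parseDirectives function in github.com/vektah/gqlparser",
+"details": "An issue in vektah gqlparser open-source-library allows a remote attacker to cause a denial of service via a crafted script to the parseDirectives function.",
+"affected": [
+{
+"package": {
+"name": "github.com/vektah/gqlparser",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "github.com/vektah/gqlparser/parser",
+"symbols": [
+"ParseQuery",
+"ParseSchema",
+"ParseSchemas",
+"parser.parseDirectives"
+]
+}
+]
+}
+},
+{
+"package": {
+"name": "github.com/vektah/gqlparser/v2",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.5.14"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "github.com/vektah/gqlparser/v2/parser",
+"symbols": [
+"ParseQuery",
+"ParseSchema",
+"ParseSchemas",
+"parser.parseDirectives"
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-2hmf-46v7-v6fx"
+},
+{
+"type": "FIX",
+"url": "https://github.com/vektah/gqlparser/commit/36a3658873bf5a107f42488dfc392949cdd02977"
+},
+{
+"type": "WEB",
+"url": "https://gist.github.com/uvzz/d3ed9d4532be16ec1040a2cf3dfec8d1"
+},
+{
+"type": "WEB",
+"url": "https://github.com/99designs/gqlgen/issues/3118"
+},
+{
+"type": "WEB",
+"url": "https://github.com/vektah/gqlparser/blob/master/parser/query.go#L316"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-2920",
+"review_status": "REVIEWED"
+}
+}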
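Review bot: The v1 entry at lines 47–57 has `"introduced": "0"` and no `"fixed"` event, so every version of `github.com/vektah/gqlparser` (v1) is reported as vulnerable with no remediation, while the only FIX reference is a v2 commit. If v1 really is unfixed that is the correct encoding, but the `details` text should then say so explicitly and point users at `github.com/vektah/gqlparser/v2` >= 2.5.14, since tooling will otherwise only surface "no fix available" for v1 users. Separately, the WEB reference to `blob/master/parser/query.go#L316` is a floating pointer that will stop identifying the vulnerable code as soon as master moves; pin it to a commit SHA (for example the parent of the fix commit) so the line reference stays meaningful. If this JSON is generated from the corresponding YAML report, both changes belong in data/reports/GO-2024-2920.yaml rather than here.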
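--- /dev/null
+++ b/data/osv/GO-2024-2921.json
@@ -0,0 +1,58 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-2921",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-5798",
+"GHSA-32cj-5wx4-gq8p"
+],
+"summary": "HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault",
+"details": "HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault",
+"affected": [
+{
+"package": {
+"name": "github.com/hashicorp/vault",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0.11.0"
+},
+{
+"fixed": "1.16.3"
+},
+{
+"introduced": "1.17.0-rc1"
+},
+{
+"fixed": "1.17.0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-32cj-5wx4-gq8p"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5798"
+},
+{
+"type": "WEB",
+"url": "https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-2921",
+"review_status": "UNREVIEWED"
+}
+}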
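Review bot: `details` at line 147 is a verbatim copy of `summary` at line 146, so the entry never says what the incorrect audience-claim validation actually permits or which part of Vault accepts the token, which is what an operator needs to decide whether they are exposed. The HCSEC-2024-11 advisory is already referenced at line 187, so a one-sentence description taken from it — that the `aud` claim of presented JWTs was not correctly validated, and under which configuration that matters — would make the entry actionable without guessing here. `ecosystem_specific` at line 173 is empty, so govulncheck can only match this at module level; for a module that is primarily shipped as a binary that may be the intended outcome, but the `UNREVIEWED` status at line 192 suggests a curator still needs to decide whether an importable package or symbol should be listed.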
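--- /dev/null
+++ b/data/osv/GO-2024-2930.json
@@ -0,0 +1,127 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-2930",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2023-32191",
+"GHSA-6gr4-52w6-vmqx"
+],
+"summary": "RKE credentials are stored in the RKE1 Cluster state ConfigMap in github.com/rancher/rke",
+"details": "When RKE provisions a cluster, it stores the cluster state in a configmap called \"full-cluster-state\" inside the \"kube-system\" namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include sensitive data.",
+"affected": [
+{
+"package": {
+"name": "github.com/rancher/rke",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "1.4.18"
+},
+{
+"fixed": "1.4.19"
+},
+{
+"introduced": "1.5.9"
+},
+{
+"fixed": "1.5.10"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "github.com/rancher/rke/k8s",
+"symbols": [
+"GetSecret",
+"GetSecretsList",
+"GetSystemSecret",
+"UpdateSecret"
+]
+},
+{
+"path": "github.com/rancher/rke/cluster",
+"symbols": [
+"Cluster.CheckClusterPorts",
+"Cluster.CleanDeadLogs",
+"Cluster.CleanupNodes",
+"Cluster.ClusterRemove",
+"Cluster.DeployControlPlane",
+"Cluster.DeployRestoreCerts",
+"Cluster.DeployStateFile",
+"Cluster.DeployWorkerPlane",
+"Cluster.DisableSecretsEncryption",
+"Cluster.GetStateFileFromConfigMap",
+"Cluster.PrePullK8sImages",
+"Cluster.ReconcileDesiredStateEncryptionConfig",
+"Cluster.RewriteSecrets",
+"Cluster.RotateEncryptionKey",
+"Cluster.RunSELinuxCheck",
+"Cluster.SetUpHosts",
+"Cluster.StoreAddonConfigMap",
+"Cluster.SyncLabelsAndTaints",
+"Cluster.TunnelHosts",
+"Cluster.UpdateClusterCurrentState",
+"Cluster.UpgradeControlPlane",
+"Cluster.UpgradeWorkerPlane",
+"ConfigureCluster",
+"FullState.WriteStateFile",
+"GetClusterCertsFromKubernetes",
+"GetK8sVersion",
+"GetStateFromKubernetes",
+"ReadStateFile",
+"RebuildKubeconfig",
+"RebuildState",
+"ReconcileCluster",
+"ReconcileEncryptionProviderConfig",
+"RestartClusterPods",
+"SaveFullStateToKubernetes",
+"buildFreshState"
+]
+},
+{
+"path": "github.com/rancher/rke/cmd",
+"symbols": [
+"ClusterInit",
+"ClusterRemove",
+"ClusterUp",
+"RestoreEtcdSnapshot",
+"RestoreEtcdSnapshotFromCli",
+"RetrieveClusterStateConfigMap",
+"RotateEncryptionKey",
+"SnapshotRemoveFromEtcdHosts",
+"SnapshotSaveEtcdHosts",
+"SnapshotSaveEtcdHostsFromCli",
+"getStateFile",
+"saveClusterState"
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx"
+},
+{
+"type": "FIX",
+"url": "https://github.com/rancher/rke/commit/cf49199481a1891909acb1384eed73a5c987d5bd"
+},
+{
+"type": "FIX",
+"url": "https://github.com/rancher/rke/commit/f7485b8dce376db0fc15a7c3ceb3de7029c8d0cf"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-2930",
+"review_status": "REVIEWED"
+}
+}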
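Review bot: The SEMVER ranges at lines 219–230 mark exactly one patch release per minor line as affected (`"introduced": "1.4.18"` → `"fixed": "1.4.19"`, `"introduced": "1.5.9"` → `"fixed": "1.5.10"`). For what the `details` text describes as a design-level issue — the full cluster state being written to the `full-cluster-state` ConfigMap in `kube-system` — such a narrow affected window is unusual, and an `introduced` that is too late makes govulncheck report older, possibly still-vulnerable builds as clean; it is worth confirming against the Rancher advisory referenced at line 309 whether the introduced versions should be earlier. The `details` text also never says what the sensitive data is or who can read it (presumably anyone with read access to ConfigMaps in `kube-system`, but that is inferred, not stated), which is what a reader needs to judge exposure. If this JSON is generated from the YAML report, the wording and range changes belong in data/reports/GO-2024-2930.yaml.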