-
Notifications
You must be signed in to change notification settings - Fork 62
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
data/reports: add 8 unreviewed reports
- data/reports/GO-2024-3108.yaml - data/reports/GO-2024-3110.yaml - data/reports/GO-2024-3113.yaml - data/reports/GO-2024-3114.yaml - data/reports/GO-2024-3116.yaml - data/reports/GO-2024-3118.yaml - data/reports/GO-2024-3119.yaml - data/reports/GO-2024-3121.yaml Fixes #3108 Fixes #3110 Fixes #3113 Fixes #3114 Fixes #3116 Fixes #3118 Fixes #3119 Fixes #3121 Change-Id: I015aaf6327eeb5bab91fbd525dc21f32c7c1a268 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/610804 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
- Loading branch information
Showing
16 changed files
with
738 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| { | ||
| "schema_version": "1.3.1", | ||
| "id": "GO-2024-3108", | ||
| "modified": "0001-01-01T00:00:00Z", | ||
| "published": "0001-01-01T00:00:00Z", | ||
| "aliases": [ | ||
| "CVE-2024-45388", | ||
| "GHSA-6xx4-x46f-f897" | ||
| ], | ||
| "summary": "Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`) in github.com/SpectoLabs/hoverfly", | ||
| "details": "Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`) in github.com/SpectoLabs/hoverfly", | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "name": "github.com/SpectoLabs/hoverfly", | ||
| "ecosystem": "Go" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "SEMVER", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.10.3" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "ecosystem_specific": {} | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-6xx4-x46f-f897" | ||
| }, | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45388" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://codeql.github.com/codeql-query-help/go/go-path-injection" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/SpectoLabs/hoverfly/releases/tag/v1.10.3" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/spectolabs/hoverfly/blob/15d6ee9ea4e0de67aec5a41c28d21dc147243da0/core/handlers/v2/simulation_handler.go#L87" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "url": "https://pkg.go.dev/vuln/GO-2024-3108", | ||
| "review_status": "UNREVIEWED" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| { | ||
| "schema_version": "1.3.1", | ||
| "id": "GO-2024-3110", | ||
| "modified": "0001-01-01T00:00:00Z", | ||
| "published": "0001-01-01T00:00:00Z", | ||
| "aliases": [ | ||
| "CVE-2024-45310", | ||
| "GHSA-jfvp-7x6p-h2pv" | ||
| ], | ||
| "summary": "runc can be confused to create empty files/directories on the host in github.com/opencontainers/runc", | ||
| "details": "runc can be confused to create empty files/directories on the host in github.com/opencontainers/runc", | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "name": "github.com/opencontainers/runc", | ||
| "ecosystem": "Go" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "SEMVER", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.1.14" | ||
| }, | ||
| { | ||
| "introduced": "1.2.0-rc.1" | ||
| }, | ||
| { | ||
| "fixed": "1.2.0-rc.3" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "ecosystem_specific": {} | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv" | ||
| }, | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45310" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/opencontainers/runc/commit/63c2908164f3a1daea455bf5bcd8d363d70328c7" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/opencontainers/runc/commit/8781993968fd964ac723ff5f360b6f259e809a3e" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/opencontainers/runc/commit/f0b652ea61ff6750a8fcc69865d45a7abf37accf" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/opencontainers/runc/pull/4359" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "url": "https://pkg.go.dev/vuln/GO-2024-3110", | ||
| "review_status": "UNREVIEWED" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| { | ||
| "schema_version": "1.3.1", | ||
| "id": "GO-2024-3113", | ||
| "modified": "0001-01-01T00:00:00Z", | ||
| "published": "0001-01-01T00:00:00Z", | ||
| "aliases": [ | ||
| "CVE-2024-8365", | ||
| "GHSA-jjxf-26c9-77gm" | ||
| ], | ||
| "summary": "Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault", | ||
| "details": "Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault", | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "name": "github.com/hashicorp/vault", | ||
| "ecosystem": "Go" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "SEMVER", | ||
| "events": [ | ||
| { | ||
| "introduced": "1.17.3" | ||
| }, | ||
| { | ||
| "fixed": "1.17.5" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "ecosystem_specific": {} | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://github.com/advisories/GHSA-jjxf-26c9-77gm" | ||
| }, | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8365" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "url": "https://pkg.go.dev/vuln/GO-2024-3113", | ||
| "review_status": "UNREVIEWED" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| { | ||
| "schema_version": "1.3.1", | ||
| "id": "GO-2024-3114", | ||
| "modified": "0001-01-01T00:00:00Z", | ||
| "published": "0001-01-01T00:00:00Z", | ||
| "aliases": [ | ||
| "CVE-2024-43405", | ||
| "GHSA-7h5p-mmpp-hgmm" | ||
| ], | ||
| "summary": "Nuclei Template Signature Verification Bypass in github.com/projectdiscovery/nuclei", | ||
| "details": "Nuclei Template Signature Verification Bypass in github.com/projectdiscovery/nuclei", | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "name": "github.com/projectdiscovery/nuclei", | ||
| "ecosystem": "Go" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "SEMVER", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "ecosystem_specific": {} | ||
| }, | ||
| { | ||
| "package": { | ||
| "name": "github.com/projectdiscovery/nuclei/v2", | ||
| "ecosystem": "Go" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "SEMVER", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "ecosystem_specific": {} | ||
| }, | ||
| { | ||
| "package": { | ||
| "name": "github.com/projectdiscovery/nuclei/v3", | ||
| "ecosystem": "Go" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "SEMVER", | ||
| "events": [ | ||
| { | ||
| "introduced": "3.0.0" | ||
| }, | ||
| { | ||
| "fixed": "3.3.2" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "ecosystem_specific": {} | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmm" | ||
| }, | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43405" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60a" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "url": "https://pkg.go.dev/vuln/GO-2024-3114", | ||
| "review_status": "UNREVIEWED" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| { | ||
| "schema_version": "1.3.1", | ||
| "id": "GO-2024-3116", | ||
| "modified": "0001-01-01T00:00:00Z", | ||
| "published": "0001-01-01T00:00:00Z", | ||
| "aliases": [ | ||
| "CVE-2024-45395", | ||
| "GHSA-cq38-jh5f-37mq" | ||
| ], | ||
| "summary": "sigstore-go has an unbounded loop over untrusted input can lead to endless data attack in github.com/sigstore/sigstore-go", | ||
| "details": "sigstore-go has an unbounded loop over untrusted input can lead to endless data attack in github.com/sigstore/sigstore-go", | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "name": "github.com/sigstore/sigstore-go", | ||
| "ecosystem": "Go" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "SEMVER", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "0.6.1" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "ecosystem_specific": {} | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://github.com/sigstore/sigstore-go/security/advisories/GHSA-cq38-jh5f-37mq" | ||
| }, | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45395" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/sigstore/sigstore-go/commit/01e70e89e58226286d7977b4dba43b6be472b12c" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/signature.go#L183-L193" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tlog.go#L74-L178" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tsa.go#L59-L68" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "url": "https://pkg.go.dev/vuln/GO-2024-3116", | ||
| "review_status": "UNREVIEWED" | ||
| } | ||
| } |
Oops, something went wrong.