diff --git a/data/excluded/GO-2024-2428.yaml b/data/excluded/GO-2024-2428.yaml
deleted file mode 100644
index a44b15e9..00000000
--- a/data/excluded/GO-2024-2428.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2428
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: k8s.io/ingress-nginx
-cves:
- - CVE-2023-5044
-ghsas:
- - GHSA-fp9f-44c2-cw27
diff --git a/data/excluded/GO-2024-2430.yaml b/data/excluded/GO-2024-2430.yaml
deleted file mode 100644
index 1f029eb0..00000000
--- a/data/excluded/GO-2024-2430.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2430
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cubefs/cubefs
-cves:
- - CVE-2023-46738
-ghsas:
- - GHSA-qc6v-g3xw-grmx
diff --git a/data/excluded/GO-2024-2431.yaml b/data/excluded/GO-2024-2431.yaml
deleted file mode 100644
index d74e7e5a..00000000
--- a/data/excluded/GO-2024-2431.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2431
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cubefs/cubefs
-cves:
- - CVE-2023-46740
-ghsas:
- - GHSA-4248-p65p-hcrm
diff --git a/data/excluded/GO-2024-2432.yaml b/data/excluded/GO-2024-2432.yaml
deleted file mode 100644
index bacb8a8e..00000000
--- a/data/excluded/GO-2024-2432.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2432
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cubefs/cubefs
-cves:
- - CVE-2023-46739
-ghsas:
- - GHSA-8579-7p32-f398
diff --git a/data/excluded/GO-2024-2433.yaml b/data/excluded/GO-2024-2433.yaml
deleted file mode 100644
index d04863be..00000000
--- a/data/excluded/GO-2024-2433.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2433
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cubefs/cubefs
-cves:
- - CVE-2023-46741
-ghsas:
- - GHSA-8h2x-gr2c-c275
diff --git a/data/excluded/GO-2024-2434.yaml b/data/excluded/GO-2024-2434.yaml
deleted file mode 100644
index f8933c44..00000000
--- a/data/excluded/GO-2024-2434.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2434
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cubefs/cubefs
-cves:
- - CVE-2023-46742
-ghsas:
- - GHSA-vwch-g97w-hfg2
diff --git a/data/excluded/GO-2024-2440.yaml b/data/excluded/GO-2024-2440.yaml
deleted file mode 100644
index e94ae58a..00000000
--- a/data/excluded/GO-2024-2440.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2440
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/buildkite/elastic-ci-stack-for-aws/v6
-cves:
- - CVE-2023-43741
-ghsas:
- - GHSA-r5hg-349q-mg2q
diff --git a/data/excluded/GO-2024-2441.yaml b/data/excluded/GO-2024-2441.yaml
deleted file mode 100644
index 492ce08d..00000000
--- a/data/excluded/GO-2024-2441.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2024-2441
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/karmada-io/karmada
-ghsas:
- - GHSA-7xg2-83f8-39mr
diff --git a/data/excluded/GO-2024-2442.yaml b/data/excluded/GO-2024-2442.yaml
deleted file mode 100644
index 96c369d0..00000000
--- a/data/excluded/GO-2024-2442.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2024-2442
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/gravitational/teleport
-ghsas:
- - GHSA-76cc-p55w-63g3
diff --git a/data/excluded/GO-2024-2444.yaml b/data/excluded/GO-2024-2444.yaml
deleted file mode 100644
index ddd3c33b..00000000
--- a/data/excluded/GO-2024-2444.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2444
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2023-50333
-ghsas:
- - GHSA-9w97-9rqx-8v4j
diff --git a/data/excluded/GO-2024-2445.yaml b/data/excluded/GO-2024-2445.yaml
deleted file mode 100644
index bbc9c23b..00000000
--- a/data/excluded/GO-2024-2445.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2024-2445
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/gravitational/teleport
-ghsas:
- - GHSA-c9v7-wmwj-vf6x
diff --git a/data/excluded/GO-2024-2446.yaml b/data/excluded/GO-2024-2446.yaml
deleted file mode 100644
index 617f202b..00000000
--- a/data/excluded/GO-2024-2446.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2446
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2023-7113
-ghsas:
- - GHSA-h3gq-j7p9-x3p4
diff --git a/data/excluded/GO-2024-2447.yaml b/data/excluded/GO-2024-2447.yaml
deleted file mode 100644
index 7a7dd0be..00000000
--- a/data/excluded/GO-2024-2447.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2024-2447
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/gravitational/teleport
-ghsas:
- - GHSA-hw4x-mcx5-9q36
diff --git a/data/excluded/GO-2024-2448.yaml b/data/excluded/GO-2024-2448.yaml
deleted file mode 100644
index 95e22609..00000000
--- a/data/excluded/GO-2024-2448.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2448
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost-server/v6
-cves:
- - CVE-2023-48732
-ghsas:
- - GHSA-q7rx-w656-fwmv
diff --git a/data/excluded/GO-2024-2449.yaml b/data/excluded/GO-2024-2449.yaml
deleted file mode 100644
index 00f128eb..00000000
--- a/data/excluded/GO-2024-2449.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2024-2449
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: https://github.com/gravitational/teleport
-ghsas:
- - GHSA-vfxf-76hv-v4w4
diff --git a/data/excluded/GO-2024-2450.yaml b/data/excluded/GO-2024-2450.yaml
deleted file mode 100644
index 2fe40638..00000000
--- a/data/excluded/GO-2024-2450.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2450
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2023-47858
-ghsas:
- - GHSA-w88v-pjr8-cmv2
diff --git a/data/excluded/GO-2024-2457.yaml b/data/excluded/GO-2024-2457.yaml
deleted file mode 100644
index bb23fcd6..00000000
--- a/data/excluded/GO-2024-2457.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2457
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/apache/incubator-answer
-cves:
- - CVE-2023-49619
-ghsas:
- - GHSA-f899-4mr4-fqpv
diff --git a/data/excluded/GO-2024-2458.yaml b/data/excluded/GO-2024-2458.yaml
deleted file mode 100644
index 09a9986d..00000000
--- a/data/excluded/GO-2024-2458.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2458
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cri-o/cri-o
-cves:
- - CVE-2023-6476
-ghsas:
- - GHSA-p4rx-7wvg-fwrc
diff --git a/data/excluded/GO-2024-2472.yaml b/data/excluded/GO-2024-2472.yaml
deleted file mode 100644
index 0a7c17df..00000000
--- a/data/excluded/GO-2024-2472.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2472
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/notaryproject/notation
-cves:
- - CVE-2024-23332
-ghsas:
- - GHSA-57wx-m636-g3g8
diff --git a/data/excluded/GO-2024-2476.yaml b/data/excluded/GO-2024-2476.yaml
deleted file mode 100644
index 8de880a1..00000000
--- a/data/excluded/GO-2024-2476.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2476
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/dexidp/dex
-cves:
- - CVE-2024-23656
-ghsas:
- - GHSA-gr79-9v6v-gc9r
diff --git a/data/excluded/GO-2024-2477.yaml b/data/excluded/GO-2024-2477.yaml
deleted file mode 100644
index 6f4b74a3..00000000
--- a/data/excluded/GO-2024-2477.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2477
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/openfga/openfga
-cves:
- - CVE-2024-23820
-ghsas:
- - GHSA-rxpw-85vw-fx87
diff --git a/data/excluded/GO-2024-2478.yaml b/data/excluded/GO-2024-2478.yaml
deleted file mode 100644
index d98c39d4..00000000
--- a/data/excluded/GO-2024-2478.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2478
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/albertito/chasquid
-cves:
- - CVE-2023-52354
-ghsas:
- - GHSA-g4x3-mfpj-f335
diff --git a/data/excluded/GO-2024-2479.yaml b/data/excluded/GO-2024-2479.yaml
deleted file mode 100644
index c30b17a1..00000000
--- a/data/excluded/GO-2024-2479.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2479
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: goauthentik.io
-cves:
- - CVE-2024-23647
-ghsas:
- - GHSA-mrx3-gxjx-hjqj
diff --git a/data/excluded/GO-2024-2480.yaml b/data/excluded/GO-2024-2480.yaml
deleted file mode 100644
index 560b0b19..00000000
--- a/data/excluded/GO-2024-2480.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2480
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/0xJacky/Nginx-UI
-cves:
- - CVE-2024-23828
-ghsas:
- - GHSA-qcjq-7f7v-pvc8
diff --git a/data/excluded/GO-2024-2481.yaml b/data/excluded/GO-2024-2481.yaml
deleted file mode 100644
index 12aed4c1..00000000
--- a/data/excluded/GO-2024-2481.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2481
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/0xJacky/Nginx-UI
-cves:
- - CVE-2024-23827
-ghsas:
- - GHSA-xvq9-4vpv-227m
diff --git a/data/excluded/GO-2024-2483.yaml b/data/excluded/GO-2024-2483.yaml
deleted file mode 100644
index f91e13d4..00000000
--- a/data/excluded/GO-2024-2483.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2483
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/grafana/grafana
-cves:
- - CVE-2018-18625
-ghsas:
- - GHSA-6wh2-8hw7-jw94
diff --git a/data/excluded/GO-2024-2485.yaml b/data/excluded/GO-2024-2485.yaml
deleted file mode 100644
index 5d5af50c..00000000
--- a/data/excluded/GO-2024-2485.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2485
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/vault
-cves:
- - CVE-2020-10661
-ghsas:
- - GHSA-j6vv-vv26-rh7c
diff --git a/data/excluded/GO-2024-2486.yaml b/data/excluded/GO-2024-2486.yaml
deleted file mode 100644
index dd355cc8..00000000
--- a/data/excluded/GO-2024-2486.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2486
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/vault
-cves:
- - CVE-2020-10660
-ghsas:
- - GHSA-m979-w9wj-qfj9
diff --git a/data/excluded/GO-2024-2488.yaml b/data/excluded/GO-2024-2488.yaml
deleted file mode 100644
index 0759692a..00000000
--- a/data/excluded/GO-2024-2488.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2488
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/vault
-cves:
- - CVE-2020-16251
-ghsas:
- - GHSA-4mp7-2m29-gqxf
diff --git a/data/excluded/GO-2024-2491.yaml b/data/excluded/GO-2024-2491.yaml
deleted file mode 100644
index 586e0f0c..00000000
--- a/data/excluded/GO-2024-2491.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2491
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/opencontainers/runc
-cves:
- - CVE-2024-21626
-ghsas:
- - GHSA-xr7r-f8xq-vfvv
diff --git a/data/excluded/GO-2024-2495.yaml b/data/excluded/GO-2024-2495.yaml
deleted file mode 100644
index 23ebb2fc..00000000
--- a/data/excluded/GO-2024-2495.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2495
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/apache/servicecomb-service-center
-cves:
- - CVE-2023-44313
-ghsas:
- - GHSA-9xc9-xq7w-vpcr
diff --git a/data/excluded/GO-2024-2496.yaml b/data/excluded/GO-2024-2496.yaml
deleted file mode 100644
index 3e8e2154..00000000
--- a/data/excluded/GO-2024-2496.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2496
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/apache/servicecomb-service-center
-cves:
- - CVE-2023-44312
-ghsas:
- - GHSA-r8xp-52mq-rmm8
diff --git a/data/excluded/GO-2024-2499.yaml b/data/excluded/GO-2024-2499.yaml
deleted file mode 100644
index 14a8972f..00000000
--- a/data/excluded/GO-2024-2499.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2499
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/minio/minio
-cves:
- - CVE-2024-24747
-ghsas:
- - GHSA-xx8w-mq23-29g4
diff --git a/data/excluded/GO-2024-2500.yaml b/data/excluded/GO-2024-2500.yaml
deleted file mode 100644
index 0e0e8821..00000000
--- a/data/excluded/GO-2024-2500.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2500
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/moby/moby
-cves:
- - CVE-2021-41091
-ghsas:
- - GHSA-3fwx-pjgw-3558
diff --git a/data/excluded/GO-2024-2501.yaml b/data/excluded/GO-2024-2501.yaml
deleted file mode 100644
index d0ceae97..00000000
--- a/data/excluded/GO-2024-2501.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2501
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/consul
-cves:
- - CVE-2020-25201
-ghsas:
- - GHSA-496g-fr33-whrf
diff --git a/data/excluded/GO-2024-2505.yaml b/data/excluded/GO-2024-2505.yaml
deleted file mode 100644
index 888bf085..00000000
--- a/data/excluded/GO-2024-2505.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2505
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/consul
-cves:
- - CVE-2020-28053
-ghsas:
- - GHSA-6m72-467w-94rh
diff --git a/data/excluded/GO-2024-2508.yaml b/data/excluded/GO-2024-2508.yaml
deleted file mode 100644
index 81482d1d..00000000
--- a/data/excluded/GO-2024-2508.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2508
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/vault
-cves:
- - CVE-2020-35177
-ghsas:
- - GHSA-rpgp-9hmg-j25x
diff --git a/data/excluded/GO-2024-2509.yaml b/data/excluded/GO-2024-2509.yaml
deleted file mode 100644
index eae65a84..00000000
--- a/data/excluded/GO-2024-2509.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2509
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/vault
-cves:
- - CVE-2021-3282
-ghsas:
- - GHSA-rq95-xf66-j689
diff --git a/data/excluded/GO-2024-2510.yaml b/data/excluded/GO-2024-2510.yaml
deleted file mode 100644
index 60d4cb7b..00000000
--- a/data/excluded/GO-2024-2510.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2510
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/grafana/grafana
-cves:
- - CVE-2018-12099
-ghsas:
- - GHSA-v5gq-qvjq-8p53
diff --git a/data/excluded/GO-2024-2511.yaml b/data/excluded/GO-2024-2511.yaml
deleted file mode 100644
index b402b3ef..00000000
--- a/data/excluded/GO-2024-2511.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2511
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/vault
-cves:
- - CVE-2024-0831
-ghsas:
- - GHSA-vgh3-mwxq-rcp8
diff --git a/data/excluded/GO-2024-2512.yaml b/data/excluded/GO-2024-2512.yaml
deleted file mode 100644
index d943d25b..00000000
--- a/data/excluded/GO-2024-2512.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2512
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/moby/moby
-cves:
- - CVE-2024-24557
-ghsas:
- - GHSA-xw73-rw38-6vjc
diff --git a/data/excluded/GO-2024-2513.yaml b/data/excluded/GO-2024-2513.yaml
deleted file mode 100644
index dbc80779..00000000
--- a/data/excluded/GO-2024-2513.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2513
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/grafana/grafana
-cves:
- - CVE-2020-12458
-ghsas:
- - GHSA-3jq7-8ph8-63xm
diff --git a/data/excluded/GO-2024-2514.yaml b/data/excluded/GO-2024-2514.yaml
deleted file mode 100644
index 61efad4a..00000000
--- a/data/excluded/GO-2024-2514.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2514
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/vault
-cves:
- - CVE-2020-25816
-ghsas:
- - GHSA-57gg-cj55-q5g2
diff --git a/data/excluded/GO-2024-2515.yaml b/data/excluded/GO-2024-2515.yaml
deleted file mode 100644
index 0d4e7893..00000000
--- a/data/excluded/GO-2024-2515.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2515
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/grafana/grafana
-cves:
- - CVE-2020-13430
-ghsas:
- - GHSA-7m2x-qhrq-rp8h
diff --git a/data/excluded/GO-2024-2516.yaml b/data/excluded/GO-2024-2516.yaml
deleted file mode 100644
index ca44d20c..00000000
--- a/data/excluded/GO-2024-2516.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2516
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/grafana/grafana
-cves:
- - CVE-2018-18624
-ghsas:
- - GHSA-9hv8-4frf-cprf
diff --git a/data/excluded/GO-2024-2517.yaml b/data/excluded/GO-2024-2517.yaml
deleted file mode 100644
index d741bf83..00000000
--- a/data/excluded/GO-2024-2517.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2517
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/grafana/grafana
-cves:
- - CVE-2020-12245
-ghsas:
- - GHSA-ccmg-w4xm-p28v
diff --git a/data/excluded/GO-2024-2520.yaml b/data/excluded/GO-2024-2520.yaml
deleted file mode 100644
index 87ea281e..00000000
--- a/data/excluded/GO-2024-2520.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2520
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/grafana/grafana
-cves:
- - CVE-2020-24303
-ghsas:
- - GHSA-mvpr-q6rh-8vrp
diff --git a/data/excluded/GO-2024-2521.yaml b/data/excluded/GO-2024-2521.yaml
deleted file mode 100644
index 7ac9d39b..00000000
--- a/data/excluded/GO-2024-2521.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2521
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/moby/moby
-cves:
- - CVE-2019-14271
-ghsas:
- - GHSA-v2cv-wwxq-qq97
diff --git a/data/excluded/GO-2024-2523.yaml b/data/excluded/GO-2024-2523.yaml
deleted file mode 100644
index 6477a82d..00000000
--- a/data/excluded/GO-2024-2523.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2523
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/grafana/grafana
-cves:
- - CVE-2020-11110
-ghsas:
- - GHSA-xr3x-62qw-vc4w
diff --git a/data/excluded/GO-2024-2527.yaml b/data/excluded/GO-2024-2527.yaml
deleted file mode 100644
index 29db42c8..00000000
--- a/data/excluded/GO-2024-2527.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2024-2527
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: go.etcd.io/etcd/client/pkg/v3
-ghsas:
- - GHSA-5x4g-q5rc-36jp
diff --git a/data/excluded/GO-2024-2528.yaml b/data/excluded/GO-2024-2528.yaml
deleted file mode 100644
index 88f84c0b..00000000
--- a/data/excluded/GO-2024-2528.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2024-2528
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: go.etcd.io/etcd
-ghsas:
- - GHSA-j86v-2vjr-fg8f
diff --git a/data/excluded/GO-2024-2529.yaml b/data/excluded/GO-2024-2529.yaml
deleted file mode 100644
index 2abcea59..00000000
--- a/data/excluded/GO-2024-2529.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2024-2529
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: go.etcd.io/etcd
-ghsas:
- - GHSA-pm3m-32r3-7mfh
diff --git a/data/excluded/GO-2024-2530.yaml b/data/excluded/GO-2024-2530.yaml
deleted file mode 100644
index dc66b697..00000000
--- a/data/excluded/GO-2024-2530.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2024-2530
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: go.etcd.io/etcd
-ghsas:
- - GHSA-vjg6-93fv-qv64
diff --git a/data/excluded/GO-2024-2531.yaml b/data/excluded/GO-2024-2531.yaml
deleted file mode 100644
index 22b7b38b..00000000
--- a/data/excluded/GO-2024-2531.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2531
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/1Panel-dev/1Panel
-cves:
- - CVE-2024-24768
-ghsas:
- - GHSA-9xfw-jjq2-7v8h
diff --git a/data/excluded/GO-2024-2532.yaml b/data/excluded/GO-2024-2532.yaml
deleted file mode 100644
index c15a6e9b..00000000
--- a/data/excluded/GO-2024-2532.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2532
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/hashicorp/boundary
-cves:
- - CVE-2024-1052
-ghsas:
- - GHSA-vh73-q3rw-qx7w
diff --git a/data/excluded/GO-2024-2535.yaml b/data/excluded/GO-2024-2535.yaml
deleted file mode 100644
index a2dd79ab..00000000
--- a/data/excluded/GO-2024-2535.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2535
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/rancher/rancher
-cves:
- - CVE-2023-32194
-ghsas:
- - GHSA-c85r-fwc7-45vc
diff --git a/data/excluded/GO-2024-2537.yaml b/data/excluded/GO-2024-2537.yaml
deleted file mode 100644
index 140ea793..00000000
--- a/data/excluded/GO-2024-2537.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2537
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/rancher/rancher
-cves:
- - CVE-2023-22649
-ghsas:
- - GHSA-xfj7-qf8w-2gcr
diff --git a/data/excluded/GO-2024-2540.yaml b/data/excluded/GO-2024-2540.yaml
deleted file mode 100644
index 7c08e8c2..00000000
--- a/data/excluded/GO-2024-2540.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2540
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost-plugin-jira
-cves:
- - CVE-2024-24774
-ghsas:
- - GHSA-qr8f-cjw7-838m
diff --git a/data/excluded/GO-2024-2541.yaml b/data/excluded/GO-2024-2541.yaml
deleted file mode 100644
index 3b42586b..00000000
--- a/data/excluded/GO-2024-2541.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2541
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2024-1402
-ghsas:
- - GHSA-32h7-7j94-8fc2
diff --git a/data/excluded/GO-2024-2549.yaml b/data/excluded/GO-2024-2549.yaml
deleted file mode 100644
index ef937804..00000000
--- a/data/excluded/GO-2024-2549.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2549
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/greenpau/caddy-security
-cves:
- - CVE-2023-52430
-ghsas:
- - GHSA-xwmv-cx7p-fqfc
diff --git a/data/excluded/GO-2024-2550.yaml b/data/excluded/GO-2024-2550.yaml
deleted file mode 100644
index b9c378c7..00000000
--- a/data/excluded/GO-2024-2550.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2550
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/mongodb/mongo-tools
-cves:
- - CVE-2020-7924
-ghsas:
- - GHSA-6cwm-wm82-hgrw
diff --git a/data/excluded/GO-2024-2556.yaml b/data/excluded/GO-2024-2556.yaml
deleted file mode 100644
index 977410d9..00000000
--- a/data/excluded/GO-2024-2556.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2556
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/elastic/apm-server
-cves:
- - CVE-2024-23448
-ghsas:
- - GHSA-8r33-q5j5-rh7g
diff --git a/data/excluded/GO-2024-2557.yaml b/data/excluded/GO-2024-2557.yaml
deleted file mode 100644
index 5f98d96b..00000000
--- a/data/excluded/GO-2024-2557.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2557
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/greenpau/caddy-security
-cves:
- - CVE-2024-21492
-ghsas:
- - GHSA-vp66-gf7w-9m4x
diff --git a/data/excluded/GO-2024-2558.yaml b/data/excluded/GO-2024-2558.yaml
deleted file mode 100644
index e1ce0bd6..00000000
--- a/data/excluded/GO-2024-2558.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2558
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/greenpau/caddy-security
-cves:
- - CVE-2024-21494
-ghsas:
- - GHSA-vj36-3ccr-6563
diff --git a/data/excluded/GO-2024-2559.yaml b/data/excluded/GO-2024-2559.yaml
deleted file mode 100644
index 0113193b..00000000
--- a/data/excluded/GO-2024-2559.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2559
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/greenpau/caddy-security
-cves:
- - CVE-2024-21496
-ghsas:
- - GHSA-ff72-ff42-c3gw
diff --git a/data/excluded/GO-2024-2560.yaml b/data/excluded/GO-2024-2560.yaml
deleted file mode 100644
index 809c6f01..00000000
--- a/data/excluded/GO-2024-2560.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2560
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/greenpau/caddy-security
-cves:
- - CVE-2024-21497
-ghsas:
- - GHSA-8hp3-rmr7-xh88
diff --git a/data/excluded/GO-2024-2561.yaml b/data/excluded/GO-2024-2561.yaml
deleted file mode 100644
index ef360c25..00000000
--- a/data/excluded/GO-2024-2561.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2561
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/greenpau/caddy-security
-cves:
- - CVE-2024-21498
-ghsas:
- - GHSA-93x8-66j2-wwr5
diff --git a/data/excluded/GO-2024-2562.yaml b/data/excluded/GO-2024-2562.yaml
deleted file mode 100644
index 8be0efe6..00000000
--- a/data/excluded/GO-2024-2562.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2562
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/greenpau/caddy-security
-cves:
- - CVE-2024-21499
-ghsas:
- - GHSA-r969-783f-6jqr
diff --git a/data/excluded/GO-2024-2563.yaml b/data/excluded/GO-2024-2563.yaml
deleted file mode 100644
index bfcac479..00000000
--- a/data/excluded/GO-2024-2563.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2563
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/greenpau/caddy-security
-cves:
- - CVE-2024-21500
-ghsas:
- - GHSA-vfph-hjfv-cpv2
diff --git a/data/excluded/GO-2024-2564.yaml b/data/excluded/GO-2024-2564.yaml
deleted file mode 100644
index 3f74b409..00000000
--- a/data/excluded/GO-2024-2564.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2564
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/greenpau/caddy-security
-cves:
- - CVE-2024-21493
-ghsas:
- - GHSA-8h95-jcp5-pjpr
diff --git a/data/excluded/GO-2024-2565.yaml b/data/excluded/GO-2024-2565.yaml
deleted file mode 100644
index 8d116794..00000000
--- a/data/excluded/GO-2024-2565.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2565
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/greenpau/caddy-security
-cves:
- - CVE-2024-21495
-ghsas:
- - GHSA-c7vf-m394-m4x4
diff --git a/data/excluded/GO-2024-2582.yaml b/data/excluded/GO-2024-2582.yaml
deleted file mode 100644
index ad763d04..00000000
--- a/data/excluded/GO-2024-2582.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2582
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/stacklok/minder
-cves:
- - CVE-2024-27093
-ghsas:
- - GHSA-q6h8-4j2v-pjg4
diff --git a/data/excluded/GO-2024-2588.yaml b/data/excluded/GO-2024-2588.yaml
deleted file mode 100644
index 714a3db7..00000000
--- a/data/excluded/GO-2024-2588.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2588
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2024-1949
-ghsas:
- - GHSA-3g35-v53r-gpxc
diff --git a/data/excluded/GO-2024-2589.yaml b/data/excluded/GO-2024-2589.yaml
deleted file mode 100644
index c056327b..00000000
--- a/data/excluded/GO-2024-2589.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2589
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2024-24988
-ghsas:
- - GHSA-6mx3-9qfh-77gj
diff --git a/data/excluded/GO-2024-2590.yaml b/data/excluded/GO-2024-2590.yaml
deleted file mode 100644
index 08fcc2f5..00000000
--- a/data/excluded/GO-2024-2590.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2590
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2024-23493
-ghsas:
- - GHSA-7v3v-984v-h74r
diff --git a/data/excluded/GO-2024-2591.yaml b/data/excluded/GO-2024-2591.yaml
deleted file mode 100644
index 55875ca3..00000000
--- a/data/excluded/GO-2024-2591.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2591
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2024-1887
-ghsas:
- - GHSA-fx48-xv6q-6gp3
diff --git a/data/excluded/GO-2024-2592.yaml b/data/excluded/GO-2024-2592.yaml
deleted file mode 100644
index c42ce3a0..00000000
--- a/data/excluded/GO-2024-2592.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2592
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2024-1942
-ghsas:
- - GHSA-hwjf-4667-gqwx
diff --git a/data/excluded/GO-2024-2593.yaml b/data/excluded/GO-2024-2593.yaml
deleted file mode 100644
index 529d3828..00000000
--- a/data/excluded/GO-2024-2593.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2593
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2024-1888
-ghsas:
- - GHSA-pfw6-5rx3-xh3c
diff --git a/data/excluded/GO-2024-2594.yaml b/data/excluded/GO-2024-2594.yaml
deleted file mode 100644
index 74330db6..00000000
--- a/data/excluded/GO-2024-2594.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2594
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2024-1953
-ghsas:
- - GHSA-vm9m-57jr-4pxh
diff --git a/data/excluded/GO-2024-2595.yaml b/data/excluded/GO-2024-2595.yaml
deleted file mode 100644
index b7e7618b..00000000
--- a/data/excluded/GO-2024-2595.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2595
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost/server/v8
-cves:
- - CVE-2024-23488
-ghsas:
- - GHSA-xgxj-j98c-59rv
diff --git a/data/osv/GO-2024-2428.json b/data/osv/GO-2024-2428.json
new file mode 100644
index 00000000..4cd75090
--- /dev/null
+++ b/data/osv/GO-2024-2428.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2428",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-5044",
+ "GHSA-fp9f-44c2-cw27"
+ ],
+ "summary": "Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation in k8s.io/ingress-nginx",
+ "details": "Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation in k8s.io/ingress-nginx",
+ "affected": [
+ {
+ "package": {
+ "name": "k8s.io/ingress-nginx",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-fp9f-44c2-cw27"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5044"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/10/25/3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/ingress-nginx/issues/10572"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/kubernetes-security-announce/c/ukuYYvRNel0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240307-0012"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2428",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2430.json b/data/osv/GO-2024-2430.json
new file mode 100644
index 00000000..e26bc059
--- /dev/null
+++ b/data/osv/GO-2024-2430.json
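Review bot: `details` is a verbatim copy of `summary` in this record, and `modified`/`published` carry the zero time `0001-01-01T00:00:00Z`; the same pattern appears in the GO-2024-2430 through GO-2024-2433 records in the following hunks. If the publishing pipeline overwrites these fields before the feed is served, that is fine, but nothing on this page shows it, and a consumer reading `data/osv` directly would get an advisory with no description beyond its title and an unusable timestamp. The `"review_status": "UNREVIEWED"` marker is the only field that distinguishes these auto-generated entries from curated reports, so downstream tooling that filters by quality should key on it rather than on the timestamps.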
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2430",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-46738",
+ "GHSA-qc6v-g3xw-grmx"
+ ],
+ "summary": "Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs",
+ "details": "Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cubefs/cubefs",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-qc6v-g3xw-grmx"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46738"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cubefs/cubefs/commit/dd46c24873c8f3df48d0a598b704ef9bd24b1ec1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2430",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2431.json b/data/osv/GO-2024-2431.json
new file mode 100644
index 00000000..91413592
--- /dev/null
+++ b/data/osv/GO-2024-2431.json
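Review bot: The SEMVER range for github.com/cubefs/cubefs contains only `"introduced": "0"` and no `fixed` event, yet the references list a FIX commit (dd46c24873c8f3df48d0a598b704ef9bd24b1ec1), so the record reports every version of the module as vulnerable, including releases that already contain the fix; GO-2024-2431, GO-2024-2432 and GO-2024-2433 in the following hunks have the same shape. If the fixed release is determinable from the advisory, adding `{ "fixed": "<FIXED_VERSION_PLACEHOLDER>" }` after the introduced event would stop govulncheck from flagging patched versions. If the range is intentionally left open because the report is UNREVIEWED, that is the conservative choice, but it is worth stating in the commit description so the false positives are understood to be expected rather than a data error.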
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2431",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-46740",
+ "GHSA-4248-p65p-hcrm"
+ ],
+ "summary": "Insecure random string generator used for sensitive data in github.com/cubefs/cubefs",
+ "details": "Insecure random string generator used for sensitive data in github.com/cubefs/cubefs",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cubefs/cubefs",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46740"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2431",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2432.json b/data/osv/GO-2024-2432.json
new file mode 100644
index 00000000..5a563e93
--- /dev/null
+++ b/data/osv/GO-2024-2432.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2432",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-46739",
+ "GHSA-8579-7p32-f398"
+ ],
+ "summary": "CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs",
+ "details": "CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cubefs/cubefs",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46739"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cubefs/cubefs/commit/c21d034d2fcd051ffd64afeafc68cbcb39d26551"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2432",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2433.json b/data/osv/GO-2024-2433.json
new file mode 100644
index 00000000..a53496df
--- /dev/null
+++ b/data/osv/GO-2024-2433.json
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2433",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-46741",
+ "GHSA-8h2x-gr2c-c275"
+ ],
+ "summary": "CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs",
+ "details": "CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cubefs/cubefs",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-8h2x-gr2c-c275"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46741"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cubefs/cubefs/commit/972f0275ee8d5dbba4b1530da7c145c269b31ef5"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2433",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2434.json b/data/osv/GO-2024-2434.json
new file mode 100644
index 00000000..a3dfa5e9
--- /dev/null
+++ b/data/osv/GO-2024-2434.json
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2434",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-46742",
+ "GHSA-vwch-g97w-hfg2"
+ ],
+ "summary": "CubeFS leaks users key in logs in github.com/cubefs/cubefs",
+ "details": "CubeFS leaks users key in logs in github.com/cubefs/cubefs",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cubefs/cubefs",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46742"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2434",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2440.json b/data/osv/GO-2024-2440.json
new file mode 100644
index 00000000..b75af7eb
--- /dev/null
+++ b/data/osv/GO-2024-2440.json
@@ -0,0 +1,90 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2440",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-43741",
+ "GHSA-r5hg-349q-mg2q"
+ ],
+ "summary": "Buildkite Elastic CI for AWS time-of-check-time-of-use race condition vulnerability in github.com/buildkite/elastic-ci-stack-for-aws",
+ "details": "Buildkite Elastic CI for AWS time-of-check-time-of-use race condition vulnerability in github.com/buildkite/elastic-ci-stack-for-aws",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/buildkite/elastic-ci-stack-for-aws",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/buildkite/elastic-ci-stack-for-aws/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/buildkite/elastic-ci-stack-for-aws/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "6.7.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-r5hg-349q-mg2q"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43741"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/buildkite/elastic-ci-stack-for-aws/commit/edad0b158ea10a6647bb1c84629d93f5c3d8770e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0003.md"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2440",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2441.json b/data/osv/GO-2024-2441.json
new file mode 100644
index 00000000..2afafefe
--- /dev/null
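Review bot: The `affected` list flags `github.com/buildkite/elastic-ci-stack-for-aws` and `github.com/buildkite/elastic-ci-stack-for-aws/v5` with `"introduced": "0"` and no `fixed` event, while only the `/v6` path carries `"fixed": "6.7.1"`; the removed excluded record named only the v6 module, so the two unbounded entries look like generator defaults rather than data taken from the advisory. An unbounded range makes govulncheck report every version of those module paths as vulnerable, which is a false-positive risk for consumers of the database. If the v0/v5 paths are not affected they should be dropped; if they are, a `fixed` version (or a `database_specific` note explaining why none exists) would make the scope verifiable. The same pattern appears in the GO-2024-2444, GO-2024-2446, GO-2024-2448 and GO-2024-2450 hunks, where the mattermost module paths are listed with no `fixed` event.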
+++ b/data/osv/GO-2024-2441.json
@@ -0,0 +1,59 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2441",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-7xg2-83f8-39mr"
+ ],
+ "summary": "The DES/3DES cipher was used as part of the TLS protocol by installation tools in github.com/karmada-io/karmada",
+ "details": "The DES/3DES cipher was used as part of the TLS protocol by installation tools in github.com/karmada-io/karmada",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/karmada-io/karmada",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.8.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/karmada-io/karmada/security/advisories/GHSA-7xg2-83f8-39mr"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/karmada-io/karmada/commit/98e655fc552b2987c3f2d2a061007889ce8be536"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/karmada-io/karmada/commit/c3c376605403e07ca0ed2dc39c9e0f3c38f8e29d"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/karmada-io/karmada/issues/4191"
+ },
+ {
+ "type": "WEB",
+ "url": "https://go.dev/issue/41476"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2441",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2442.json b/data/osv/GO-2024-2442.json
new file mode 100644
index 00000000..29fa0eb1
--- /dev/null
+++ b/data/osv/GO-2024-2442.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2442",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-76cc-p55w-63g3"
+ ],
+ "summary": "Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport",
+ "details": "Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/gravitational/teleport",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/gravitational/teleport/security/advisories/GHSA-76cc-p55w-63g3"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2442",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2444.json b/data/osv/GO-2024-2444.json
new file mode 100644
index 00000000..23766cbf
--- /dev/null
+++ b/data/osv/GO-2024-2444.json
@@ -0,0 +1,104 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2444",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-50333",
+ "GHSA-9w97-9rqx-8v4j"
+ ],
+ "summary": "Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-9w97-9rqx-8v4j"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50333"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/61dd452fb2fcd3ac6f7b2e050f7f0a93a92d95fc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2444",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2445.json b/data/osv/GO-2024-2445.json
new file mode 100644
index 00000000..2af57fe8
--- /dev/null
+++ b/data/osv/GO-2024-2445.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2445",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-c9v7-wmwj-vf6x"
+ ],
+ "summary": "SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport",
+ "details": "SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/gravitational/teleport",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/gravitational/teleport/security/advisories/GHSA-c9v7-wmwj-vf6x"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/gravitational/teleport/commit/1c77fc49944ebcded32bbdd77c3e1f4f8a1c130d"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/gravitational/teleport/pull/36136"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2445",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2446.json b/data/osv/GO-2024-2446.json
new file mode 100644
index 00000000..07542202
--- /dev/null
+++ b/data/osv/GO-2024-2446.json
@@ -0,0 +1,100 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2446",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-7113",
+ "GHSA-h3gq-j7p9-x3p4"
+ ],
+ "summary": "Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-h3gq-j7p9-x3p4"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7113"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2446",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2447.json b/data/osv/GO-2024-2447.json
new file mode 100644
index 00000000..d300340f
--- /dev/null
+++ b/data/osv/GO-2024-2447.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2447",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-hw4x-mcx5-9q36"
+ ],
+ "summary": "Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport",
+ "details": "Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/gravitational/teleport",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/gravitational/teleport/security/advisories/GHSA-hw4x-mcx5-9q36"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/gravitational/teleport/commit/bb2d67d357e868254a21ed7cb132030d7bf9fcbc"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/gravitational/teleport/pull/36127"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2447",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2448.json b/data/osv/GO-2024-2448.json
new file mode 100644
index 00000000..5b6123f3
--- /dev/null
+++ b/data/osv/GO-2024-2448.json
@@ -0,0 +1,107 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2448",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-48732",
+ "GHSA-q7rx-w656-fwmv"
+ ],
+ "summary": "Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server",
+ "details": "Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.1.7+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-q7rx-w656-fwmv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48732"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/851515be222160bee0a495c0d411056b19ed4111"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2448",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2449.json b/data/osv/GO-2024-2449.json
new file mode 100644
index 00000000..28218eb0
--- /dev/null
+++ b/data/osv/GO-2024-2449.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2449",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-vfxf-76hv-v4w4"
+ ],
+ "summary": "User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport",
+ "details": "User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/gravitational/teleport",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/gravitational/teleport/security/advisories/GHSA-vfxf-76hv-v4w4"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/gravitational/teleport/commit/fcc97de9f99dfec8696ecfd620672a26f29cf9ac"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/gravitational/teleport/pull/36132"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2449",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2450.json b/data/osv/GO-2024-2450.json
new file mode 100644
index 00000000..ab743647
--- /dev/null
+++ b/data/osv/GO-2024-2450.json
@@ -0,0 +1,100 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2450",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-47858",
+ "GHSA-w88v-pjr8-cmv2"
+ ],
+ "summary": "Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-w88v-pjr8-cmv2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47858"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2450",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2457.json b/data/osv/GO-2024-2457.json
new file mode 100644
index 00000000..e5dc8335
--- /dev/null
+++ b/data/osv/GO-2024-2457.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2457",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-49619",
+ "GHSA-f899-4mr4-fqpv"
+ ],
+ "summary": "Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer",
+ "details": "Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/apache/incubator-answer",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.2.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-f899-4mr4-fqpv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49619"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/10/1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/nscrl3c7pn68q4j73y3ottql6n5x3hd4"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2457",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2458.json b/data/osv/GO-2024-2458.json
new file mode 100644
index 00000000..57f275cf
--- /dev/null
+++ b/data/osv/GO-2024-2458.json
@@ -0,0 +1,88 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2458",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-6476",
+ "GHSA-p4rx-7wvg-fwrc"
+ ],
+ "summary": "CRI-O's pods can break out of resource confinement on cgroupv2 in github.com/cri-o/cri-o",
+ "details": "CRI-O's pods can break out of resource confinement on cgroupv2 in github.com/cri-o/cri-o",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cri-o/cri-o",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.27.3"
+ },
+ {
+ "introduced": "1.28.0"
+ },
+ {
+ "fixed": "1.28.3"
+ },
+ {
+ "introduced": "1.29.0"
+ },
+ {
+ "fixed": "1.29.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-p4rx-7wvg-fwrc"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6476"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cri-o/cri-o/commit/75effcb1a25851a736e82dba1f7d8cee93ee159e"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cri-o/cri-o/pull/4479"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0195"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0207"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-6476"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253994"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cri-o/cri-o/blob/main/pkg/config/workloads.go#L103-L107"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2458",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2472.json b/data/osv/GO-2024-2472.json
new file mode 100644
index 00000000..b6484931
--- /dev/null
+++ b/data/osv/GO-2024-2472.json
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2472",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-23332",
+ "GHSA-57wx-m636-g3g8"
+ ],
+ "summary": "Go package github.com/notaryproject/notation configured with permissive trust policies potentially susceptible to rollback attack from compromised registry",
+ "details": "Go package github.com/notaryproject/notation configured with permissive trust policies potentially susceptible to rollback attack from compromised registry",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/notaryproject/notation",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23332"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2472",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2476.json b/data/osv/GO-2024-2476.json
new file mode 100644
index 00000000..4ffdd0a3
--- /dev/null
+++ b/data/osv/GO-2024-2476.json
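Review bot: Every reference in this entry points at the `notaryproject/specifications` repository while the affected package is `github.com/notaryproject/notation`, and the only range event is `"introduced": "0"` with no `fixed` version. If the remediation landed in the specification text rather than in the notation module, this entry will flag every notation version indefinitely without a code fix a consumer can upgrade to; a `FIX` reference into the notation repository, or a `fixed` event, would make the scope verifiable. This is inferred from the references alone and should be confirmed against the advisory before the entry is reviewed.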
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2476",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-23656",
+ "GHSA-gr79-9v6v-gc9r"
+ ],
+ "summary": "Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex",
+ "details": "Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/dexidp/dex",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23656"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/dexidp/dex/pull/2964"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/dexidp/dex/issues/2848"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2476",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2477.json b/data/osv/GO-2024-2477.json
new file mode 100644
index 00000000..3be9ac8c
--- /dev/null
+++ b/data/osv/GO-2024-2477.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2477",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-23820",
+ "GHSA-rxpw-85vw-fx87"
+ ],
+ "summary": "OpenFGA denial of service in github.com/openfga/openfga",
+ "details": "OpenFGA denial of service in github.com/openfga/openfga",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openfga/openfga",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23820"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openfga/openfga/releases/tag/v1.4.3"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2477",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2478.json b/data/osv/GO-2024-2478.json
new file mode 100644
index 00000000..3bf7ca21
--- /dev/null
+++ b/data/osv/GO-2024-2478.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2478",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-52354",
+ "GHSA-g4x3-mfpj-f335"
+ ],
+ "summary": "chasquid HTTP Request/Response Smuggling vulnerability in github.com/albertito/chasquid in blitiri.com.ar/go/chasquid",
+ "details": "chasquid HTTP Request/Response Smuggling vulnerability in github.com/albertito/chasquid in blitiri.com.ar/go/chasquid",
+ "affected": [
+ {
+ "package": {
+ "name": "blitiri.com.ar/go/chasquid",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.13.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-g4x3-mfpj-f335"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52354"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/albertito/chasquid/commit/a996106eeebe81a292ecba838c7503cac7493e74"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/albertito/chasquid/issues/47"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2478",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2479.json b/data/osv/GO-2024-2479.json
new file mode 100644
index 00000000..b793b7b6
--- /dev/null
+++ b/data/osv/GO-2024-2479.json
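Review bot: The `summary` and `details` strings end with `in github.com/albertito/chasquid in blitiri.com.ar/go/chasquid`, a doubled module suffix presumably produced by appending the Go module path to an upstream title that already named the GitHub repository. Since the affected package is `blitiri.com.ar/go/chasquid`, the text reads more accurately as `chasquid HTTP Request/Response Smuggling vulnerability in blitiri.com.ar/go/chasquid`. `details` repeats `summary` verbatim here, so both strings should be adjusted together.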
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2479",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-23647",
+ "GHSA-mrx3-gxjx-hjqj"
+ ],
+ "summary": "Authentik vulnerable to PKCE downgrade attack in goauthentik.io",
+ "details": "Authentik vulnerable to PKCE downgrade attack in goauthentik.io",
+ "affected": [
+ {
+ "package": {
+ "name": "goauthentik.io",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23647"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2479",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2480.json b/data/osv/GO-2024-2480.json
new file mode 100644
index 00000000..4665af18
--- /dev/null
+++ b/data/osv/GO-2024-2480.json
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2480",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-23828",
+ "GHSA-qcjq-7f7v-pvc8"
+ ],
+ "summary": "Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI",
+ "details": "Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/0xJacky/Nginx-UI",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-qcjq-7f7v-pvc8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23828"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/0xJacky/nginx-ui/commit/d70e37c8575e25b3da7203ff06da5e16c77a42d1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2480",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2481.json b/data/osv/GO-2024-2481.json
new file mode 100644
index 00000000..ae0da472
--- /dev/null
+++ b/data/osv/GO-2024-2481.json
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2481", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-23827", + "GHSA-xvq9-4vpv-227m" + ], + "summary": "Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature in github.com/0xJacky/Nginx-UI", + "details": "Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature in github.com/0xJacky/Nginx-UI", + "affected": [ + { + "package": { + "name": "github.com/0xJacky/Nginx-UI", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23827" + }, + { + "type": "WEB", + "url": "https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72" + }, + { + "type": "WEB", + "url": "https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/internal/cert/write_file.go#L15" + }, + { + "type": "WEB", + "url": "https://github.com/0xJacky/nginx-ui/commit/8581bdd3c6f49ab345b773517ba9173fa7fc6199" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2481", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2483.json b/data/osv/GO-2024-2483.json new file mode 100644 index 00000000..4183abed --- /dev/null +++ b/data/osv/GO-2024-2483.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2483", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-18625", + "GHSA-6wh2-8hw7-jw94" + ], + "summary": "Grafana XSS via adding a link in General feature in github.com/grafana/grafana", + "details": "Grafana XSS via adding a link in General feature in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.0.0-beta1+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-6wh2-8hw7-jw94" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18625" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/pull/11813" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/pull/14984" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20200608-0008" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2483", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2485.json b/data/osv/GO-2024-2485.json new file mode 100644 index 00000000..e6d4c5a4 --- /dev/null +++ b/data/osv/GO-2024-2485.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2485", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-10661", + "GHSA-j6vv-vv26-rh7c" + ], + "summary": "HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault", + "details": "HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.11.0" + }, + { + "fixed": "1.3.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-j6vv-vv26-rh7c" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10661" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/vault" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2485", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2486.json b/data/osv/GO-2024-2486.json new file mode 100644 index 00000000..dc45a436 --- /dev/null +++ b/data/osv/GO-2024-2486.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2486", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-10660", + "GHSA-m979-w9wj-qfj9" + ], + "summary": "HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault", + "details": "HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.9.0" + }, + { + "fixed": "1.3.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-m979-w9wj-qfj9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10660" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/vault/pull/8606" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/vault" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2486", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2488.json b/data/osv/GO-2024-2488.json new file mode 100644 index 00000000..b9237583 --- /dev/null +++ b/data/osv/GO-2024-2488.json 
@@ -0,0 +1,78 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2488", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-16251", + "GHSA-4mp7-2m29-gqxf" + ], + "summary": "HashiCorp Vault Authentication bypass in github.com/hashicorp/vault", + "details": "HashiCorp Vault Authentication bypass in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.8.3" + }, + { + "fixed": "1.2.5" + }, + { + "introduced": "1.3.0" + }, + { + "fixed": "1.3.8" + }, + { + "introduced": "1.4.0" + }, + { + "fixed": "1.4.4" + }, + { + "introduced": "1.5.0" + }, + { + "fixed": "1.5.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-4mp7-2m29-gqxf" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16251" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/159479/Hashicorp-Vault-GCP-IAM-Integration-Authentication-Bypass.html" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/vault" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2488", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2491.json b/data/osv/GO-2024-2491.json new file mode 100644 index 00000000..4c52ce3c --- /dev/null +++ b/data/osv/GO-2024-2491.json 
@@ -0,0 +1,80 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2491", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-21626", + "GHSA-xr7r-f8xq-vfvv" + ], + "summary": "runc vulnerable to container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc", + "details": "runc vulnerable to container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc", + "affected": [ + { + "package": { + "name": "github.com/opencontainers/runc", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.0.0-rc93" + }, + { + "fixed": "1.1.12" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21626" + }, + { + "type": "FIX", + "url": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/01/1" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/02/3" + }, + { + "type": "WEB", + "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.12" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL" + } + ], + "database_specific": { + "url": 
"https://pkg.go.dev/vuln/GO-2024-2491", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2495.json b/data/osv/GO-2024-2495.json new file mode 100644 index 00000000..8cd2dbcf --- /dev/null +++ b/data/osv/GO-2024-2495.json @@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2495", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-44313", + "GHSA-9xc9-xq7w-vpcr" + ], + "summary": "Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability in github.com/apache/servicecomb-service-center", + "details": "Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability in github.com/apache/servicecomb-service-center", + "affected": [ + { + "package": { + "name": "github.com/apache/servicecomb-service-center", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9xc9-xq7w-vpcr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44313" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/31/4" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/kxovd455o9h4f2v811hcov2qknbwld5r" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2495", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2496.json b/data/osv/GO-2024-2496.json new file mode 100644 index 00000000..e3e4fd27 --- /dev/null +++ b/data/osv/GO-2024-2496.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2496", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-44312", + "GHSA-r8xp-52mq-rmm8" + ], + "summary": "Apache ServiceComb Service-Center Exposure of Sensitive Information to an Unauthorized Actor vulnerability in github.com/apache/servicecomb-service-center", + "details": "Apache ServiceComb Service-Center Exposure of Sensitive Information to an Unauthorized Actor vulnerability in github.com/apache/servicecomb-service-center", + "affected": [ + { + "package": { + "name": "github.com/apache/servicecomb-service-center", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-r8xp-52mq-rmm8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44312" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/31/5" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/dkvlgnrmc17qzjdy9k0cr60wpzcssk1s" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2496", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2499.json b/data/osv/GO-2024-2499.json new file mode 100644 index 00000000..aa4b2eae --- /dev/null +++ b/data/osv/GO-2024-2499.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2499", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-24747", + "GHSA-xx8w-mq23-29g4" + ], + "summary": "Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation in github.com/minio/minio", + "details": "Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation in github.com/minio/minio", + "affected": [ + { + "package": { + "name": "github.com/minio/minio", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20240131185645-0ae4915a9391" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24747" + }, + { + "type": "FIX", + "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776" + }, + { + "type": "WEB", + "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2499", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2500.json b/data/osv/GO-2024-2500.json new file mode 100644 index 00000000..57e20ccc --- /dev/null +++ b/data/osv/GO-2024-2500.json 
@@ -0,0 +1,84 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2500", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-41091", + "GHSA-3fwx-pjgw-3558" + ], + "summary": "Moby (Docker Engine) Insufficiently restricted permissions on data directory in github.com/docker/docker", + "details": "Moby (Docker Engine) Insufficiently restricted permissions on data directory in github.com/docker/docker", + "affected": [ + { + "package": { + "name": "github.com/docker/docker", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "20.10.9+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/moby/moby", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "20.10.9+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41091" + }, + { + "type": "FIX", + "url": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64" + }, + { + "type": "WEB", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2500", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2501.json b/data/osv/GO-2024-2501.json new file mode 100644 index 00000000..b359840c 
--- /dev/null +++ b/data/osv/GO-2024-2501.json @@ -0,0 +1,74 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2501", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-25201", + "GHSA-496g-fr33-whrf" + ], + "summary": "Denial of service in HashiCorp Consul in github.com/hashicorp/consul", + "details": "Denial of service in HashiCorp Consul in github.com/hashicorp/consul", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/consul", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.7.0" + }, + { + "fixed": "1.7.9" + }, + { + "introduced": "1.8.0" + }, + { + "fixed": "1.8.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-496g-fr33-whrf" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25201" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/consul/pull/9024" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#185-october-23-2020" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/consul/releases/tag/v1.8.5" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-09" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/consul" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2501", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2505.json b/data/osv/GO-2024-2505.json new file mode 100644 index 00000000..74941a34 --- /dev/null +++ b/data/osv/GO-2024-2505.json 
@@ -0,0 +1,80 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2505", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-28053", + "GHSA-6m72-467w-94rh" + ], + "summary": "Privilege Escalation in HashiCorp Consul in github.com/hashicorp/consul", + "details": "Privilege Escalation in HashiCorp Consul in github.com/hashicorp/consul", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/consul", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.2.0" + }, + { + "fixed": "1.6.10" + }, + { + "introduced": "1.7.0" + }, + { + "fixed": "1.7.10" + }, + { + "introduced": "1.8.0" + }, + { + "fixed": "1.8.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-6m72-467w-94rh" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28053" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/consul/commit/ff5215d882ac51b49c2647aac46b42aa9c890ce3" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/consul/pull/9240" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#186-november-19-2020" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-09" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/consul" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2505", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2508.json b/data/osv/GO-2024-2508.json new file mode 100644 index 00000000..3daabb34 --- /dev/null +++ b/data/osv/GO-2024-2508.json 
@@ -0,0 +1,66 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2508", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-35177", + "GHSA-rpgp-9hmg-j25x" + ], + "summary": "Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault", + "details": "Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.5.0" + }, + { + "fixed": "1.5.6" + }, + { + "introduced": "1.6.0" + }, + { + "fixed": "1.6.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-rpgp-9hmg-j25x" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35177" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/vault/pull/10537" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2020-25-vault-s-ldap-auth-method-allows-user-enumeration/18984" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#161" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2508", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2509.json b/data/osv/GO-2024-2509.json new file mode 100644 index 00000000..142b4a9a --- /dev/null +++ b/data/osv/GO-2024-2509.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2509", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-3282", + "GHSA-rq95-xf66-j689" + ], + "summary": "Improper Authentication in HashiCorp Vault in github.com/hashicorp/vault", + "details": "Improper Authentication in HashiCorp Vault in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.6.0" + }, + { + "fixed": "1.6.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-rq95-xf66-j689" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3282" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/vault/commit/09f9068e22f762da123160233518b440e00bdb3b" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2021-04-vault-enterprise-s-dr-secondaries-allowed-raft-peer-removal-without-authentication/20337" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202207-01" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2509", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2510.json b/data/osv/GO-2024-2510.json new file mode 100644 index 00000000..cff3b2fa --- /dev/null +++ b/data/osv/GO-2024-2510.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2510", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2018-12099", + "GHSA-v5gq-qvjq-8p53" + ], + "summary": "Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana", + "details": "Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.2.0-beta1+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-v5gq-qvjq-8p53" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12099" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/pull/11813" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/releases/tag/v5.2.0-beta1" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20190416-0004" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2510", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2511.json b/data/osv/GO-2024-2511.json new file mode 100644 index 00000000..4135524a --- /dev/null +++ b/data/osv/GO-2024-2511.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2511", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-0831", + "GHSA-vgh3-mwxq-rcp8" + ], + "summary": "Hashicorp Vault may expose sensitive log information in github.com/hashicorp/vault", + "details": "Hashicorp Vault may expose sensitive log information in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-vgh3-mwxq-rcp8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0831" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/vault/commit/2a72f2a8a5b57de88c22a2a94c4a5f08c6f3770b" + }, + { + "type": "WEB", + "url": "https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240223-0005" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2511", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2512.json b/data/osv/GO-2024-2512.json new file mode 100644 index 00000000..ed3e153f --- /dev/null +++ b/data/osv/GO-2024-2512.json 
@@ -0,0 +1,62 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2512", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-24557", + "GHSA-xw73-rw38-6vjc" + ], + "summary": "Classic builder cache poisoning in github.com/docker/docker", + "details": "Classic builder cache poisoning in github.com/docker/docker", + "affected": [ + { + "package": { + "name": "github.com/docker/docker", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "24.0.9+incompatible" + }, + { + "introduced": "25.0.0+incompatible" + }, + { + "fixed": "25.0.2+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2512", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2513.json b/data/osv/GO-2024-2513.json new file mode 100644 index 00000000..4e3eb74e --- /dev/null +++ b/data/osv/GO-2024-2513.json 
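Review bot: GO-2024-2512 lists CVE-2024-24557 as an alias but its references contain no `nvd.nist.gov` `ADVISORY` entry, unlike every other record added in this change that carries a CVE alias. The three moby commits are also typed `WEB` while the sibling Vault, Consul and runc records type their fixing commits as `FIX`; if these are the commits behind the `24.0.9+incompatible` and `25.0.2+incompatible` fixed events, `"type": "FIX"` would make that relationship explicit. Adding the NVD reference, e.g. `{ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24557" }`, keeps the record's reference set consistent with the rest of the batch.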
@@ -0,0 +1,73 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2513", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-12458", + "GHSA-3jq7-8ph8-63xm" + ], + "summary": "Grafana information disclosure in github.com/grafana/grafana", + "details": "Grafana information disclosure in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-3jq7-8ph8-63xm" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12458" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/commit/102448040d5132460e3b0013e03ebedec0677e00" + }, + { + "type": "REPORT", + "url": "https://github.com/grafana/grafana/issues/8283" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2020-12458" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827765" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20200518-0001" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2513", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2514.json b/data/osv/GO-2024-2514.json new file mode 100644 index 00000000..d4051ec3 --- /dev/null +++ b/data/osv/GO-2024-2514.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2514", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-25816", + "GHSA-57gg-cj55-q5g2" + ], + "summary": "Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault", + "details": "Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault", + "affected": [ + { + "package": { + "name": "github.com/hashicorp/vault", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "1.5.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-57gg-cj55-q5g2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25816" + }, + { + "type": "FIX", + "url": "https://github.com/hashicorp/vault/pull/10020/commits/f192878110fe93eb13da914b2bee28caa7866a29" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#147" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#154" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/vault" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2514", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2515.json b/data/osv/GO-2024-2515.json new file mode 100644 index 00000000..98bd814d --- /dev/null +++ b/data/osv/GO-2024-2515.json 
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2515", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2020-13430", + "GHSA-7m2x-qhrq-rp8h" + ], + "summary": "Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana", + "details": "Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana", + "affected": [ + { + "package": { + "name": "github.com/grafana/grafana", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-7m2x-qhrq-rp8h" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13430" + }, + { + "type": "FIX", + "url": "https://github.com/grafana/grafana/pull/24539" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/releases/tag/v7.0.0" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20200528-0003" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2515", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2516.json b/data/osv/GO-2024-2516.json new file mode 100644 index 00000000..6d55e3e8 --- /dev/null +++ b/data/osv/GO-2024-2516.json 
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2516",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2018-18624",
+ "GHSA-9hv8-4frf-cprf"
+ ],
+ "summary": "Grafana XSS via a column style in github.com/grafana/grafana",
+ "details": "Grafana XSS via a column style in github.com/grafana/grafana",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/grafana/grafana",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-9hv8-4frf-cprf"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18624"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/grafana/commit/0284747c88eb9435899006d26ffaf65f89dec88e"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/grafana/pull/11813"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/grafana/pull/23816"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20200608-0008"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2516",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2517.json b/data/osv/GO-2024-2517.json
new file mode 100644
index 00000000..f6a930f1
--- /dev/null
+++ b/data/osv/GO-2024-2517.json
@@ -0,0 +1,81 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2517",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2020-12245",
+ "GHSA-ccmg-w4xm-p28v"
+ ],
+ "summary": "Grafana XSS in header column rename in github.com/grafana/grafana",
+ "details": "Grafana XSS in header column rename in github.com/grafana/grafana",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/grafana/grafana",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-ccmg-w4xm-p28v"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12245"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/grafana/commit/0284747c88eb9435899006d26ffaf65f89dec88e"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/grafana/pull/23816"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#673-2020-04-23"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20200511-0001"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2517",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2520.json b/data/osv/GO-2024-2520.json
new file mode 100644
index 00000000..1404cb52
--- /dev/null
+++ b/data/osv/GO-2024-2520.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2520",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2020-24303",
+ "GHSA-mvpr-q6rh-8vrp"
+ ],
+ "summary": "Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana",
+ "details": "Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/grafana/grafana",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-mvpr-q6rh-8vrp"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24303"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/grafana/pull/25401"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20201123-0002"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2520",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2521.json b/data/osv/GO-2024-2521.json
new file mode 100644
index 00000000..d1cfc91b
--- /dev/null
+++ b/data/osv/GO-2024-2521.json
@@ -0,0 +1,81 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2521",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2019-14271",
+ "GHSA-v2cv-wwxq-qq97"
+ ],
+ "summary": "Moby Docker cp broken with debian containers in github.com/moby/moby",
+ "details": "Moby Docker cp broken with debian containers in github.com/moby/moby",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/moby/moby",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-v2cv-wwxq-qq97"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14271"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/moby/moby/commit/11e48badcb67554b3d795241855028f28d244545"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/moby/moby/commit/fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/moby/moby/pull/39612"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/moby/moby/issues/39449"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.docker.com/engine/release-notes"
+ },
+ {
+ "type": "WEB",
+ "url": "https://seclists.org/bugtraq/2019/Sep/21"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20190828-0003"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.debian.org/security/2019/dsa-4521"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2521",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2523.json b/data/osv/GO-2024-2523.json
new file mode 100644
index 00000000..3bf96959
--- /dev/null
+++ b/data/osv/GO-2024-2523.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2523",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2020-11110",
+ "GHSA-xr3x-62qw-vc4w"
+ ],
+ "summary": "Grafana stored XSS in github.com/grafana/grafana",
+ "details": "Grafana stored XSS in github.com/grafana/grafana",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/grafana/grafana",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-xr3x-62qw-vc4w"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11110"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/grafana/commit/fb114a75241aaef4c08581b42509c750738b768a"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/grafana/pull/23254"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20200810-0002"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2523",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2527.json b/data/osv/GO-2024-2527.json
new file mode 100644
index 00000000..a4404087
--- /dev/null
+++ b/data/osv/GO-2024-2527.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2527",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-5x4g-q5rc-36jp"
+ ],
+ "summary": "Etcd pkg Insecure ciphers are allowed by default in go.etcd.io/etcd/client/pkg/v3",
+ "details": "Etcd pkg Insecure ciphers are allowed by default in go.etcd.io/etcd/client/pkg/v3",
+ "affected": [
+ {
+ "package": {
+ "name": "go.etcd.io/etcd/client/pkg/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-5x4g-q5rc-36jp"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2527",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2528.json b/data/osv/GO-2024-2528.json
new file mode 100644
index 00000000..852aeca1
--- /dev/null
+++ b/data/osv/GO-2024-2528.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2528",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-j86v-2vjr-fg8f"
+ ],
+ "summary": "Etcd Gateway TLS endpoint validation only confirms TCP reachability in go.etcd.io/etcd",
+ "details": "Etcd Gateway TLS endpoint validation only confirms TCP reachability in go.etcd.io/etcd",
+ "affected": [
+ {
+ "package": {
+ "name": "go.etcd.io/etcd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "go.etcd.io/etcd/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-j86v-2vjr-fg8f"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2528",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2529.json b/data/osv/GO-2024-2529.json
new file mode 100644
index 00000000..60b19610
--- /dev/null
+++ b/data/osv/GO-2024-2529.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2529",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-pm3m-32r3-7mfh"
+ ],
+ "summary": "Etcd embed auto compaction retention negative value causing a compaction loop or a crash in go.etcd.io/etcd",
+ "details": "Etcd embed auto compaction retention negative value causing a compaction loop or a crash in go.etcd.io/etcd",
+ "affected": [
+ {
+ "package": {
+ "name": "go.etcd.io/etcd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "go.etcd.io/etcd/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-pm3m-32r3-7mfh"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2529",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2530.json b/data/osv/GO-2024-2530.json
new file mode 100644
index 00000000..9ba6fda4
--- /dev/null
+++ b/data/osv/GO-2024-2530.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2530",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-vjg6-93fv-qv64"
+ ],
+ "summary": "Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only in go.etcd.io/etcd",
+ "details": "Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only in go.etcd.io/etcd",
+ "affected": [
+ {
+ "package": {
+ "name": "go.etcd.io/etcd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "go.etcd.io/etcd/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-vjg6-93fv-qv64"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2530",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2531.json b/data/osv/GO-2024-2531.json
new file mode 100644
index 00000000..7e61b429
--- /dev/null
+++ b/data/osv/GO-2024-2531.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2531",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-24768",
+ "GHSA-9xfw-jjq2-7v8h"
+ ],
+ "summary": "1Panel set-cookie is missing the Secure keyword in github.com/1Panel-dev/1Panel",
+ "details": "1Panel set-cookie is missing the Secure keyword in github.com/1Panel-dev/1Panel",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/1Panel-dev/1Panel",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.9.6"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-9xfw-jjq2-7v8h"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24768"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/1Panel-dev/1Panel/commit/1169648162c4b9b48e0b4aa508f9dea4d6bc50d5"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/1Panel-dev/1Panel/pull/3817"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2531",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2532.json b/data/osv/GO-2024-2532.json
new file mode 100644
index 00000000..3657a765
--- /dev/null
+++ b/data/osv/GO-2024-2532.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2532",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-1052",
+ "GHSA-vh73-q3rw-qx7w"
+ ],
+ "summary": "Boundary vulnerable to session hijacking through TLS certificate tampering in github.com/hashicorp/boundary",
+ "details": "Boundary vulnerable to session hijacking through TLS certificate tampering in github.com/hashicorp/boundary",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/boundary",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.8.0"
+ },
+ {
+ "fixed": "0.15.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-vh73-q3rw-qx7w"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1052"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2532",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2535.json b/data/osv/GO-2024-2535.json
new file mode 100644
index 00000000..a4e071f1
--- /dev/null
+++ b/data/osv/GO-2024-2535.json
@@ -0,0 +1,41 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2535",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-32194",
+ "GHSA-c85r-fwc7-45vc"
+ ],
+ "summary": "Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher",
+ "details": "Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/rancher/rancher",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/rancher/rancher/security/advisories/GHSA-c85r-fwc7-45vc"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2535",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2537.json b/data/osv/GO-2024-2537.json
new file mode 100644
index 00000000..d754bb64
--- /dev/null
+++ b/data/osv/GO-2024-2537.json
@@ -0,0 +1,41 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2537",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-22649",
+ "GHSA-xfj7-qf8w-2gcr"
+ ],
+ "summary": "Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher",
+ "details": "Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/rancher/rancher",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/rancher/rancher/security/advisories/GHSA-xfj7-qf8w-2gcr"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2537",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2540.json b/data/osv/GO-2024-2540.json
new file mode 100644
index 00000000..70a6805f
--- /dev/null
+++ b/data/osv/GO-2024-2540.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2540",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-24774",
+ "GHSA-qr8f-cjw7-838m"
+ ],
+ "summary": "Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira",
+ "details": "Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-plugin-jira",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-qr8f-cjw7-838m"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24774"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/mattermost/mattermost-plugin-jira/commit/5f5e084d169bf6b82d5c46a7a7eb033e1a01c6de"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2540",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2541.json b/data/osv/GO-2024-2541.json
new file mode 100644
index 00000000..ed3b909f
--- /dev/null
+++ b/data/osv/GO-2024-2541.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2541",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-1402",
+ "GHSA-32h7-7j94-8fc2"
+ ],
+ "summary": "Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server",
+ "details": "Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.1.0+incompatible"
+ },
+ {
+ "fixed": "9.1.5+incompatible"
+ },
+ {
+ "introduced": "9.2.0+incompatible"
+ },
+ {
+ "fixed": "9.2.4+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-32h7-7j94-8fc2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1402"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/64cb0ca8af2dbda1afcddd1604460591a4799b81"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/6d2440de9fd774b67e65e3aac4ab8b6ef9aba2d8"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/81190e2da128a6985914ea7023a69ac400513fc4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2541",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2549.json b/data/osv/GO-2024-2549.json
new file mode 100644
index 00000000..da9ba8ee
--- /dev/null
+++ b/data/osv/GO-2024-2549.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2549",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-52430",
+ "GHSA-xwmv-cx7p-fqfc"
+ ],
+ "summary": "caddy-security plugin for Caddy vulnerable to reflected Cross-site Scripting in github.com/greenpau/caddy-security",
+ "details": "caddy-security plugin for Caddy vulnerable to reflected Cross-site Scripting in github.com/greenpau/caddy-security",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/greenpau/caddy-security",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-xwmv-cx7p-fqfc"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52430"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/greenpau/caddy-security/issues/264"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2549",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2550.json b/data/osv/GO-2024-2550.json
new file mode 100644
index 00000000..dd7bef4f
--- /dev/null
+++ b/data/osv/GO-2024-2550.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2550",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2020-7924",
+ "GHSA-6cwm-wm82-hgrw"
+ ],
+ "summary": "MongoDB Tools Improper Certificate Validation vulnerability in github.com/mongodb/mongo-tools",
+ "details": "MongoDB Tools Improper Certificate Validation vulnerability in github.com/mongodb/mongo-tools",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mongodb/mongo-tools",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-6cwm-wm82-hgrw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7924"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/mongodb/mongo-tools/commit/8c1800b5155084f954a39a1f2f259efac3bb86de"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jira.mongodb.org/browse/TOOLS-2587"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2550",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2556.json b/data/osv/GO-2024-2556.json
new file mode 100644
index 00000000..a21e345d
--- /dev/null
+++ b/data/osv/GO-2024-2556.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2556",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-23448",
+ "GHSA-8r33-q5j5-rh7g"
+ ],
+ "summary": "APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server",
+ "details": "APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/elastic/apm-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-8r33-q5j5-rh7g"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23448"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.elastic.co/t/apm-server-8-12-1-security-update-esa-2024-03/352688"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.elastic.co/community/security"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2556",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2557.json b/data/osv/GO-2024-2557.json
new file mode 100644
index 00000000..985e7344
--- /dev/null
+++ b/data/osv/GO-2024-2557.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2557",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-21492",
+ "GHSA-vp66-gf7w-9m4x"
+ ],
+ "summary": "Insufficient Session Expiration in github.com/greenpau/caddy-security",
+ "details": "Insufficient Session Expiration in github.com/greenpau/caddy-security",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/greenpau/caddy-security",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-vp66-gf7w-9m4x"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21492"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/greenpau/caddy-security/issues/272"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5920787"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2557",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2558.json b/data/osv/GO-2024-2558.json
new file mode 100644
index 00000000..6ae5536d
--- /dev/null
+++ b/data/osv/GO-2024-2558.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2558",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-21494",
+ "GHSA-vj36-3ccr-6563"
+ ],
+ "summary": "Authentication Bypass by Spoofing in github.com/greenpau/caddy-security",
+ "details": "Authentication Bypass by Spoofing in github.com/greenpau/caddy-security",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/greenpau/caddy-security",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-vj36-3ccr-6563"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21494"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/greenpau/caddy-security/issues/266"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249859"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2558",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2559.json b/data/osv/GO-2024-2559.json
new file mode 100644
index 00000000..c1de74e3
--- /dev/null
+++ b/data/osv/GO-2024-2559.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2559",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-21496",
+ "GHSA-ff72-ff42-c3gw"
+ ],
+ "summary": "Cross-site Scripting in github.com/greenpau/caddy-security",
+ "details": "Cross-site Scripting in github.com/greenpau/caddy-security",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/greenpau/caddy-security",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-ff72-ff42-c3gw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21496"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/greenpau/caddy-security/issues/267"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249860"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2559",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2560.json b/data/osv/GO-2024-2560.json
new file mode 100644
index 00000000..3222c1ed
--- /dev/null
+++ b/data/osv/GO-2024-2560.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2560",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-21497",
+ "GHSA-8hp3-rmr7-xh88"
+ ],
+ "summary": "Open Redirect in github.com/greenpau/caddy-security",
+ "details": "Open Redirect in github.com/greenpau/caddy-security",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/greenpau/caddy-security",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-8hp3-rmr7-xh88"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21497"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/greenpau/caddy-security/issues/268"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249861"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2560",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2561.json b/data/osv/GO-2024-2561.json
new file mode 100644
index 00000000..b7943134
--- /dev/null
+++ b/data/osv/GO-2024-2561.json
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2561", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-21498", + "GHSA-93x8-66j2-wwr5" + ], + "summary": "Server-Side Request Forgery in github.com/greenpau/caddy-security", + "details": "Server-Side Request Forgery in github.com/greenpau/caddy-security", + "affected": [ + { + "package": { + "name": "github.com/greenpau/caddy-security", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-93x8-66j2-wwr5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21498" + }, + { + "type": "REPORT", + "url": "https://github.com/greenpau/caddy-security/issues/269" + }, + { + "type": "WEB", + "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy" + }, + { + "type": "WEB", + "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249862" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2561", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2562.json b/data/osv/GO-2024-2562.json new file mode 100644 index 00000000..5cb02e2f --- /dev/null +++ b/data/osv/GO-2024-2562.json 
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2562", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-21499", + "GHSA-r969-783f-6jqr" + ], + "summary": "Improper Neutralization of HTTP Headers in github.com/greenpau/caddy-security", + "details": "Improper Neutralization of HTTP Headers in github.com/greenpau/caddy-security", + "affected": [ + { + "package": { + "name": "github.com/greenpau/caddy-security", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-r969-783f-6jqr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21499" + }, + { + "type": "REPORT", + "url": "https://github.com/greenpau/caddy-security/issues/270" + }, + { + "type": "WEB", + "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy" + }, + { + "type": "WEB", + "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249863" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2562", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2563.json b/data/osv/GO-2024-2563.json new file mode 100644 index 00000000..e4204ae3 --- /dev/null +++ b/data/osv/GO-2024-2563.json 
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2563", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-21500", + "GHSA-vfph-hjfv-cpv2" + ], + "summary": "Improper Restriction of Excessive Authentication Attempts in github.com/greenpau/caddy-security", + "details": "Improper Restriction of Excessive Authentication Attempts in github.com/greenpau/caddy-security", + "affected": [ + { + "package": { + "name": "github.com/greenpau/caddy-security", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-vfph-hjfv-cpv2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21500" + }, + { + "type": "REPORT", + "url": "https://github.com/greenpau/caddy-security/issues/271" + }, + { + "type": "WEB", + "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy" + }, + { + "type": "WEB", + "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249864" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2563", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2564.json b/data/osv/GO-2024-2564.json new file mode 100644 index 00000000..177fddc7 --- /dev/null +++ b/data/osv/GO-2024-2564.json 
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2564", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-21493", + "GHSA-8h95-jcp5-pjpr" + ], + "summary": "Improper Validation of Array Index in github.com/greenpau/caddy-security", + "details": "Improper Validation of Array Index in github.com/greenpau/caddy-security", + "affected": [ + { + "package": { + "name": "github.com/greenpau/caddy-security", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8h95-jcp5-pjpr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21493" + }, + { + "type": "REPORT", + "url": "https://github.com/greenpau/caddy-security/issues/263" + }, + { + "type": "WEB", + "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy" + }, + { + "type": "WEB", + "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2564", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2565.json b/data/osv/GO-2024-2565.json new file mode 100644 index 00000000..718b6990 --- /dev/null +++ b/data/osv/GO-2024-2565.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2565", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-21495", + "GHSA-c7vf-m394-m4x4" + ], + "summary": "Use of Insufficiently Random Values in github.com/greenpau/caddy-security", + "details": "Use of Insufficiently Random Values in github.com/greenpau/caddy-security", + "affected": [ + { + "package": { + "name": "github.com/greenpau/caddy-security", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-c7vf-m394-m4x4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21495" + }, + { + "type": "REPORT", + "url": "https://github.com/greenpau/caddy-security/issues/265" + }, + { + "type": "WEB", + "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy" + }, + { + "type": "WEB", + "url": "https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2" + }, + { + "type": "WEB", + "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6248275" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2565", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2582.json b/data/osv/GO-2024-2582.json new file mode 100644 index 00000000..9846f82b --- /dev/null +++ b/data/osv/GO-2024-2582.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2582", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-27093", + "GHSA-q6h8-4j2v-pjg4" + ], + "summary": "Minder trusts client-provided mapping from repo name to upstream ID in github.com/stacklok/minder", + "details": "Minder trusts client-provided mapping from repo name to upstream ID in github.com/stacklok/minder", + "affected": [ + { + "package": { + "name": "github.com/stacklok/minder", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27093" + }, + { + "type": "FIX", + "url": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2582", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2588.json b/data/osv/GO-2024-2588.json new file mode 100644 index 00000000..f8ba60e2 --- /dev/null +++ b/data/osv/GO-2024-2588.json 
@@ -0,0 +1,103 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2588", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-1949", + "GHSA-3g35-v53r-gpxc" + ], + "summary": "Mattermost race condition in github.com/mattermost/mattermost-server", + "details": "Mattermost race condition in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "9.0.0+incompatible" + }, + { + "fixed": "9.4.2+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-3g35-v53r-gpxc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1949" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2588", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2589.json b/data/osv/GO-2024-2589.json new file mode 100644 index 00000000..58b07198 --- /dev/null +++ b/data/osv/GO-2024-2589.json 
@@ -0,0 +1,109 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2589", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-24988", + "GHSA-6mx3-9qfh-77gj" + ], + "summary": "Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server", + "details": "Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "9.2.0+incompatible" + }, + { + "fixed": "9.2.5+incompatible" + }, + { + "introduced": "9.3.0+incompatible" + }, + { + "fixed": "9.3.1+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-6mx3-9qfh-77gj" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24988" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2589", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-2590.json b/data/osv/GO-2024-2590.json new file mode 100644 index 00000000..c13ce91d --- /dev/null +++ b/data/osv/GO-2024-2590.json 
@@ -0,0 +1,115 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2590", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-23493", + "GHSA-7v3v-984v-h74r" + ], + "summary": "Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server", + "details": "Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "9.2.0+incompatible" + }, + { + "fixed": "9.2.5+incompatible" + }, + { + "introduced": "9.3.0+incompatible" + }, + { + "fixed": "9.3.1+incompatible" + }, + { + "introduced": "9.4.0+incompatible" + }, + { + "fixed": "9.4.2+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-7v3v-984v-h74r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23493" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2590", + "review_status": "UNREVIEWED" + } +} \ No newline at 
end of file diff --git a/data/osv/GO-2024-2591.json b/data/osv/GO-2024-2591.json new file mode 100644 index 00000000..58a71486 --- /dev/null +++ b/data/osv/GO-2024-2591.json 
@@ -0,0 +1,109 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2591", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-1887", + "GHSA-fx48-xv6q-6gp3" + ], + "summary": "Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server", + "details": "Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "9.2.0+incompatible" + }, + { + "fixed": "9.2.5+incompatible" + }, + { + "introduced": "9.3.0+incompatible" + }, + { + "fixed": "9.3.1+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-fx48-xv6q-6gp3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1887" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2591", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-2592.json b/data/osv/GO-2024-2592.json new file mode 100644 index 00000000..d90a0d45 --- /dev/null +++ b/data/osv/GO-2024-2592.json 
@@ -0,0 +1,109 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2592", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-1942", + "GHSA-hwjf-4667-gqwx" + ], + "summary": "Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server", + "details": "Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "9.2.0+incompatible" + }, + { + "fixed": "9.2.5+incompatible" + }, + { + "introduced": "9.3.0+incompatible" + }, + { + "fixed": "9.3.1+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-hwjf-4667-gqwx" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1942" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2592", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-2593.json b/data/osv/GO-2024-2593.json new file mode 100644 index 00000000..4d13e222 --- /dev/null +++ b/data/osv/GO-2024-2593.json 
@@ -0,0 +1,115 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2593", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-1888", + "GHSA-pfw6-5rx3-xh3c" + ], + "summary": "Mattermost fails to check the \"invite_guest\" permission in github.com/mattermost/mattermost-server", + "details": "Mattermost fails to check the \"invite_guest\" permission in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "9.2.0+incompatible" + }, + { + "fixed": "9.2.5+incompatible" + }, + { + "introduced": "9.3.0+incompatible" + }, + { + "fixed": "9.3.1+incompatible" + }, + { + "introduced": "9.4.0+incompatible" + }, + { + "fixed": "9.4.2+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-pfw6-5rx3-xh3c" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1888" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2593", + "review_status": "UNREVIEWED" + } +} \ No 
newline at end of file diff --git a/data/osv/GO-2024-2594.json b/data/osv/GO-2024-2594.json new file mode 100644 index 00000000..2741e356 --- /dev/null +++ b/data/osv/GO-2024-2594.json 
@@ -0,0 +1,115 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2594", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-1953", + "GHSA-vm9m-57jr-4pxh" + ], + "summary": "Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server", + "details": "Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "9.2.0+incompatible" + }, + { + "fixed": "9.2.5+incompatible" + }, + { + "introduced": "9.3.0+incompatible" + }, + { + "fixed": "9.3.1+incompatible" + }, + { + "introduced": "9.4.0+incompatible" + }, + { + "fixed": "9.4.2+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-vm9m-57jr-4pxh" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1953" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2594", + "review_status": "UNREVIEWED" + } +} \ No newline at end of 
file diff --git a/data/osv/GO-2024-2595.json b/data/osv/GO-2024-2595.json new file mode 100644 index 00000000..57420556 --- /dev/null +++ b/data/osv/GO-2024-2595.json 
@@ -0,0 +1,103 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2595", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-23488", + "GHSA-xgxj-j98c-59rv" + ], + "summary": "Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server", + "details": "Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "9.0.0+incompatible" + }, + { + "fixed": "9.4.2+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-xgxj-j98c-59rv" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23488" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2595", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/reports/GO-2024-2428.yaml b/data/reports/GO-2024-2428.yaml
new file mode 100644
index 00000000..fc182078
--- /dev/null
+++ b/data/reports/GO-2024-2428.yaml
@@ -0,0 +1,27 @@
+id: GO-2024-2428
+modules:
+ - module: k8s.io/ingress-nginx
+ non_go_versions:
+ - fixed: 1.9.0
+ vulnerable_at: 1.0.0-alpha.1
+summary: |-
+ Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect
+ annotation in k8s.io/ingress-nginx
+cves:
+ - CVE-2023-5044
+ghsas:
+ - GHSA-fp9f-44c2-cw27
+unknown_aliases:
+ - BIT-nginx-ingress-controller-2023-5044
+references:
+ - advisory: https://github.com/advisories/GHSA-fp9f-44c2-cw27
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-5044
+ - web: http://www.openwall.com/lists/oss-security/2023/10/25/3
+ - web: https://github.com/kubernetes/ingress-nginx/issues/10572
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/ukuYYvRNel0
+ - web: https://security.netapp.com/advisory/ntap-20240307-0012
+source:
+ id: GHSA-fp9f-44c2-cw27
+ created: 2024-06-14T11:34:12.417676-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2430.yaml b/data/reports/GO-2024-2430.yaml
new file mode 100644
index 00000000..b62aaeb2
--- /dev/null
+++ b/data/reports/GO-2024-2430.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2430
+modules:
+ - module: github.com/cubefs/cubefs
+ non_go_versions:
+ - fixed: 3.3.1
+ vulnerable_at: 2.5.2+incompatible
+summary: |-
+ Authenticated users can crash the CubeFS servers with maliciously crafted
+ requests in github.com/cubefs/cubefs
+cves:
+ - CVE-2023-46738
+ghsas:
+ - GHSA-qc6v-g3xw-grmx
+references:
+ - advisory: https://github.com/cubefs/cubefs/security/advisories/GHSA-qc6v-g3xw-grmx
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-46738
+ - fix: https://github.com/cubefs/cubefs/commit/dd46c24873c8f3df48d0a598b704ef9bd24b1ec1
+source:
+ id: GHSA-qc6v-g3xw-grmx
+ created: 2024-06-14T11:34:31.298261-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2431.yaml b/data/reports/GO-2024-2431.yaml
new file mode 100644
index 00000000..127e2a89
--- /dev/null
+++ b/data/reports/GO-2024-2431.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2431
+modules:
+ - module: github.com/cubefs/cubefs
+ non_go_versions:
+ - fixed: 3.3.1
+ vulnerable_at: 2.5.2+incompatible
+summary: Insecure random string generator used for sensitive data in github.com/cubefs/cubefs
+cves:
+ - CVE-2023-46740
+ghsas:
+ - GHSA-4248-p65p-hcrm
+references:
+ - advisory: https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-46740
+ - fix: https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba
+source:
+ id: GHSA-4248-p65p-hcrm
+ created: 2024-06-14T11:34:36.394692-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2432.yaml b/data/reports/GO-2024-2432.yaml
new file mode 100644
index 00000000..cf09b60c
--- /dev/null
+++ b/data/reports/GO-2024-2432.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2432
+modules:
+ - module: github.com/cubefs/cubefs
+ non_go_versions:
+ - fixed: 3.3.1
+ vulnerable_at: 2.5.2+incompatible
+summary: CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs
+cves:
+ - CVE-2023-46739
+ghsas:
+ - GHSA-8579-7p32-f398
+references:
+ - advisory: https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-46739
+ - fix: https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd
+ - fix: https://github.com/cubefs/cubefs/commit/c21d034d2fcd051ffd64afeafc68cbcb39d26551
+source:
+ id: GHSA-8579-7p32-f398
+ created: 2024-06-14T11:34:40.709598-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2433.yaml b/data/reports/GO-2024-2433.yaml
new file mode 100644
index 00000000..b61056c9
--- /dev/null
+++ b/data/reports/GO-2024-2433.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2433
+modules:
+ - module: github.com/cubefs/cubefs
+ non_go_versions:
+ - fixed: 3.3.1
+ vulnerable_at: 2.5.2+incompatible
+summary: CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs
+cves:
+ - CVE-2023-46741
+ghsas:
+ - GHSA-8h2x-gr2c-c275
+references:
+ - advisory: https://github.com/cubefs/cubefs/security/advisories/GHSA-8h2x-gr2c-c275
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-46741
+ - fix: https://github.com/cubefs/cubefs/commit/972f0275ee8d5dbba4b1530da7c145c269b31ef5
+source:
+ id: GHSA-8h2x-gr2c-c275
+ created: 2024-06-14T11:34:45.410074-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2434.yaml b/data/reports/GO-2024-2434.yaml
new file mode 100644
index 00000000..414e8cf8
--- /dev/null
+++ b/data/reports/GO-2024-2434.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2434
+modules:
+ - module: github.com/cubefs/cubefs
+ non_go_versions:
+ - fixed: 3.3.1
+ vulnerable_at: 2.5.2+incompatible
+summary: CubeFS leaks users key in logs in github.com/cubefs/cubefs
+cves:
+ - CVE-2023-46742
+ghsas:
+ - GHSA-vwch-g97w-hfg2
+references:
+ - advisory: https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-46742
+ - fix: https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd
+source:
+ id: GHSA-vwch-g97w-hfg2
+ created: 2024-06-14T11:34:49.71851-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2440.yaml b/data/reports/GO-2024-2440.yaml
new file mode 100644
index 00000000..ed828fb7
--- /dev/null
+++ b/data/reports/GO-2024-2440.yaml
@@ -0,0 +1,27 @@
+id: GO-2024-2440
+modules:
+ - module: github.com/buildkite/elastic-ci-stack-for-aws
+ vulnerable_at: 4.5.0+incompatible
+ - module: github.com/buildkite/elastic-ci-stack-for-aws/v5
+ vulnerable_at: 5.22.5
+ - module: github.com/buildkite/elastic-ci-stack-for-aws/v6
+ versions:
+ - fixed: 6.7.1
+ vulnerable_at: 6.7.0
+summary: |-
+ Buildkite Elastic CI for AWS time-of-check-time-of-use race condition
+ vulnerability in github.com/buildkite/elastic-ci-stack-for-aws
+cves:
+ - CVE-2023-43741
+ghsas:
+ - GHSA-r5hg-349q-mg2q
+references:
+ - advisory: https://github.com/advisories/GHSA-r5hg-349q-mg2q
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-43741
+ - fix: https://github.com/buildkite/elastic-ci-stack-for-aws/commit/edad0b158ea10a6647bb1c84629d93f5c3d8770e
+ - web: https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0003.md
+source:
+ id: GHSA-r5hg-349q-mg2q
+ created: 2024-06-26T16:12:24.457895-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2024-2441.yaml b/data/reports/GO-2024-2441.yaml
new file mode 100644
index 00000000..699f0df7
--- /dev/null
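Review bot: In GO-2024-2440 the first two module entries, `github.com/buildkite/elastic-ci-stack-for-aws` and its `/v5` path, carry only a `vulnerable_at` and no `versions:` or `non_go_versions:` range, so the report as written says that every version of those two module paths is affected and none is fixed, while only the `/v6` entry gets `fixed: 6.7.1`. If the advisory behind GHSA-r5hg-349q-mg2q really covers every release before 6.7.1 that is what a reader will take away, but if the v1 and v5 paths were listed only because they are older major versions of the same code, an explicit range for them (or dropping the entries) would say so. The mattermost reports GO-2024-2444, GO-2024-2446, GO-2024-2448 and GO-2024-2450 list `github.com/mattermost/mattermost-server`, `/v5` and `/v6` in the same range-less way and are worth checking together with this one.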
+++ b/data/reports/GO-2024-2441.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2441
+modules:
+ - module: github.com/karmada-io/karmada
+ versions:
+ - fixed: 1.8.0
+ vulnerable_at: 1.8.0-preview2
+summary: The DES/3DES cipher was used as part of the TLS protocol by installation tools in github.com/karmada-io/karmada
+ghsas:
+ - GHSA-7xg2-83f8-39mr
+references:
+ - advisory: https://github.com/karmada-io/karmada/security/advisories/GHSA-7xg2-83f8-39mr
+ - fix: https://github.com/karmada-io/karmada/commit/98e655fc552b2987c3f2d2a061007889ce8be536
+ - fix: https://github.com/karmada-io/karmada/commit/c3c376605403e07ca0ed2dc39c9e0f3c38f8e29d
+ - report: https://github.com/karmada-io/karmada/issues/4191
+ - web: https://go.dev/issue/41476
+source:
+ id: GHSA-7xg2-83f8-39mr
+ created: 2024-06-14T11:34:57.66072-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2442.yaml b/data/reports/GO-2024-2442.yaml
new file mode 100644
index 00000000..cf01d7e0
--- /dev/null
+++ b/data/reports/GO-2024-2442.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-2442
+modules:
+ - module: github.com/gravitational/teleport
+ non_go_versions:
+ - introduced: 13.0.0
+ fixed: 13.4.13
+ - introduced: 14.0.0
+ fixed: 14.2.4
+ vulnerable_at: 3.2.17+incompatible
+summary: Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport
+ghsas:
+ - GHSA-76cc-p55w-63g3
+references:
+ - advisory: https://github.com/gravitational/teleport/security/advisories/GHSA-76cc-p55w-63g3
+source:
+ id: GHSA-76cc-p55w-63g3
+ created: 2024-06-14T11:35:01.72578-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2444.yaml b/data/reports/GO-2024-2444.yaml
new file mode 100644
index 00000000..8bc465c0
--- /dev/null
+++ b/data/reports/GO-2024-2444.yaml
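Review bot: In GO-2024-2442 `vulnerable_at: 3.2.17+incompatible` for github.com/gravitational/teleport lies outside both ranges the report lists (13.0.0 to 13.4.13 and 14.0.0 to 14.2.4), so the report marks as vulnerable a version it does not itself claim is affected; GO-2024-2445, GO-2024-2447 and GO-2024-2449 for the same module also carry an open-ended `- fixed: 12.4.31` range that does cover 3.2.17, which suggests either that a 12.x range is missing here or that this advisory really only covers 13.x and 14.x. The same mismatch appears in GO-2024-2476 (`vulnerable_at: 0.6.1` against `introduced: 2.37.0`), GO-2024-2450 (`vulnerable_at: 9.9.0+incompatible` above `fixed: 7.8.10`) and GO-2024-2472 (`vulnerable_at: 1.1.1` above the `last_affected` marker at 1.0.0), presumably because vulnerable_at is auto-filled with the newest version that resolves as a Go module whenever the ranges are `non_go_versions` or unsupported. Whatever the tooling reason, a reader of the report sees a contradiction either way. GO-2024-2448 shows the alternative for mattermost-server, mapping the fix to `versions: - fixed: 8.1.7+incompatible` so that `vulnerable_at` can sit below it; where such a `+incompatible` tag exists the same treatment would make these ranges checkable.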
@@ -0,0 +1,30 @@
+id: GO-2024-2444
+modules:
+ - module: github.com/mattermost/mattermost-server
+ vulnerable_at: 9.9.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.7
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2023-50333
+ghsas:
+ - GHSA-9w97-9rqx-8v4j
+unknown_aliases:
+ - BIT-mattermost-2023-50333
+ - CGA-28fj-7rmv-xw55
+references:
+ - advisory: https://github.com/advisories/GHSA-9w97-9rqx-8v4j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-50333
+ - web: https://github.com/mattermost/mattermost/commit/61dd452fb2fcd3ac6f7b2e050f7f0a93a92d95fc
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-9w97-9rqx-8v4j
+ created: 2024-06-26T16:12:41.49358-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2445.yaml b/data/reports/GO-2024-2445.yaml
new file mode 100644
index 00000000..f7f8088e
--- /dev/null
+++ b/data/reports/GO-2024-2445.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2445
+modules:
+ - module: github.com/gravitational/teleport
+ non_go_versions:
+ - fixed: 12.4.31
+ - introduced: 13.0.0
+ fixed: 13.4.13
+ - introduced: 14.0.0
+ fixed: 14.2.4
+ vulnerable_at: 3.2.17+incompatible
+summary: SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport
+ghsas:
+ - GHSA-c9v7-wmwj-vf6x
+references:
+ - advisory: https://github.com/gravitational/teleport/security/advisories/GHSA-c9v7-wmwj-vf6x
+ - fix: https://github.com/gravitational/teleport/commit/1c77fc49944ebcded32bbdd77c3e1f4f8a1c130d
+ - fix: https://github.com/gravitational/teleport/pull/36136
+source:
+ id: GHSA-c9v7-wmwj-vf6x
+ created: 2024-06-14T11:35:27.699279-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2446.yaml b/data/reports/GO-2024-2446.yaml
new file mode 100644
index 00000000..eb34f148
--- /dev/null
+++ b/data/reports/GO-2024-2446.yaml
@@ -0,0 +1,29 @@
+id: GO-2024-2446
+modules:
+ - module: github.com/mattermost/mattermost-server
+ vulnerable_at: 9.9.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.7
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2023-7113
+ghsas:
+ - GHSA-h3gq-j7p9-x3p4
+unknown_aliases:
+ - BIT-mattermost-2023-7113
+ - CGA-pcxv-43r4-92mm
+references:
+ - advisory: https://github.com/advisories/GHSA-h3gq-j7p9-x3p4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-7113
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-h3gq-j7p9-x3p4
+ created: 2024-06-26T16:12:13.229043-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2447.yaml b/data/reports/GO-2024-2447.yaml
new file mode 100644
index 00000000..63be2c45
--- /dev/null
+++ b/data/reports/GO-2024-2447.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-2447
+modules:
+ - module: github.com/gravitational/teleport
+ non_go_versions:
+ - fixed: 12.4.31
+ - introduced: 13.0.0
+ fixed: 13.4.13
+ - introduced: 14.0.0
+ fixed: 14.2.4
+ vulnerable_at: 3.2.17+incompatible
+summary: |-
+ Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low
+ privileged users in github.com/gravitational/teleport
+ghsas:
+ - GHSA-hw4x-mcx5-9q36
+references:
+ - advisory: https://github.com/gravitational/teleport/security/advisories/GHSA-hw4x-mcx5-9q36
+ - fix: https://github.com/gravitational/teleport/commit/bb2d67d357e868254a21ed7cb132030d7bf9fcbc
+ - fix: https://github.com/gravitational/teleport/pull/36127
+source:
+ id: GHSA-hw4x-mcx5-9q36
+ created: 2024-06-14T11:35:35.160981-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2448.yaml b/data/reports/GO-2024-2448.yaml
new file mode 100644
index 00000000..ad8a9e71
--- /dev/null
+++ b/data/reports/GO-2024-2448.yaml
@@ -0,0 +1,34 @@
+id: GO-2024-2448
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 8.1.7+incompatible
+ vulnerable_at: 8.1.7-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.7
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: |-
+ Mattermost notified all users in the channel when using WebSockets to respond
+ individually in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2023-48732
+ghsas:
+ - GHSA-q7rx-w656-fwmv
+unknown_aliases:
+ - BIT-mattermost-2023-48732
+ - CGA-jhcr-g7wj-9vq2
+references:
+ - advisory: https://github.com/advisories/GHSA-q7rx-w656-fwmv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-48732
+ - web: https://github.com/mattermost/mattermost/commit/851515be222160bee0a495c0d411056b19ed4111
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-q7rx-w656-fwmv
+ created: 2024-06-26T16:10:54.767283-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2449.yaml b/data/reports/GO-2024-2449.yaml
new file mode 100644
index 00000000..05b91216
--- /dev/null
+++ b/data/reports/GO-2024-2449.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2449
+modules:
+ - module: github.com/gravitational/teleport
+ non_go_versions:
+ - fixed: 12.4.31
+ - introduced: 13.0.0
+ fixed: 13.4.13
+ - introduced: 14.0.0
+ fixed: 14.2.4
+ vulnerable_at: 3.2.17+incompatible
+summary: User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport
+ghsas:
+ - GHSA-vfxf-76hv-v4w4
+references:
+ - advisory: https://github.com/gravitational/teleport/security/advisories/GHSA-vfxf-76hv-v4w4
+ - fix: https://github.com/gravitational/teleport/commit/fcc97de9f99dfec8696ecfd620672a26f29cf9ac
+ - fix: https://github.com/gravitational/teleport/pull/36132
+source:
+ id: GHSA-vfxf-76hv-v4w4
+ created: 2024-06-14T11:35:44.744025-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2450.yaml b/data/reports/GO-2024-2450.yaml
new file mode 100644
index 00000000..7c549249
--- /dev/null
+++ b/data/reports/GO-2024-2450.yaml
@@ -0,0 +1,31 @@
+id: GO-2024-2450
+modules:
+ - module: github.com/mattermost/mattermost-server
+ non_go_versions:
+ - fixed: 7.8.10
+ vulnerable_at: 9.9.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.1
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2023-47858
+ghsas:
+ - GHSA-w88v-pjr8-cmv2
+unknown_aliases:
+ - BIT-mattermost-2023-47858
+ - CGA-4m9j-264v-7mr3
+references:
+ - advisory: https://github.com/advisories/GHSA-w88v-pjr8-cmv2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-47858
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-w88v-pjr8-cmv2
+ created: 2024-06-26T16:13:37.899374-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2457.yaml b/data/reports/GO-2024-2457.yaml
new file mode 100644
index 00000000..8597b7aa
--- /dev/null
+++ b/data/reports/GO-2024-2457.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2457
+modules:
+ - module: github.com/apache/incubator-answer
+ versions:
+ - fixed: 1.2.1
+ vulnerable_at: 1.2.1-RC1
+summary: Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer
+cves:
+ - CVE-2023-49619
+ghsas:
+ - GHSA-f899-4mr4-fqpv
+references:
+ - advisory: https://github.com/advisories/GHSA-f899-4mr4-fqpv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-49619
+ - web: http://www.openwall.com/lists/oss-security/2024/01/10/1
+ - web: https://lists.apache.org/thread/nscrl3c7pn68q4j73y3ottql6n5x3hd4
+source:
+ id: GHSA-f899-4mr4-fqpv
+ created: 2024-06-14T11:35:54.338882-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2024-2458.yaml b/data/reports/GO-2024-2458.yaml
new file mode 100644
index 00000000..697a9a5d
--- /dev/null
+++ b/data/reports/GO-2024-2458.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2458
+modules:
+ - module: github.com/cri-o/cri-o
+ versions:
+ - fixed: 1.27.3
+ - introduced: 1.28.0
+ fixed: 1.28.3
+ - introduced: 1.29.0
+ fixed: 1.29.1
+ vulnerable_at: 1.29.0
+summary: CRI-O's pods can break out of resource confinement on cgroupv2 in github.com/cri-o/cri-o
+cves:
+ - CVE-2023-6476
+ghsas:
+ - GHSA-p4rx-7wvg-fwrc
+references:
+ - advisory: https://github.com/cri-o/cri-o/security/advisories/GHSA-p4rx-7wvg-fwrc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-6476
+ - fix: https://github.com/cri-o/cri-o/commit/75effcb1a25851a736e82dba1f7d8cee93ee159e
+ - fix: https://github.com/cri-o/cri-o/pull/4479
+ - web: https://access.redhat.com/errata/RHSA-2024:0195
+ - web: https://access.redhat.com/errata/RHSA-2024:0207
+ - web: https://access.redhat.com/security/cve/CVE-2023-6476
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2253994
+ - web: https://github.com/cri-o/cri-o/blob/main/pkg/config/workloads.go#L103-L107
+source:
+ id: GHSA-p4rx-7wvg-fwrc
+ created: 2024-06-14T11:36:01.32545-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2472.yaml b/data/reports/GO-2024-2472.yaml
new file mode 100644
index 00000000..a6b7c891
--- /dev/null
+++ b/data/reports/GO-2024-2472.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2472
+modules:
+ - module: github.com/notaryproject/notation
+ unsupported_versions:
+ - version: 1.0.0
+ type: last_affected
+ vulnerable_at: 1.1.1
+summary: |-
+ Go package github.com/notaryproject/notation configured with permissive trust
+ policies potentially susceptible to rollback attack from compromised registry
+cves:
+ - CVE-2024-23332
+ghsas:
+ - GHSA-57wx-m636-g3g8
+references:
+ - advisory: https://github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23332
+ - web: https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a
+source:
+ id: GHSA-57wx-m636-g3g8
+ created: 2024-06-14T11:36:23.175793-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2476.yaml b/data/reports/GO-2024-2476.yaml
new file mode 100644
index 00000000..ee4c1b87
--- /dev/null
+++ b/data/reports/GO-2024-2476.yaml
@@ -0,0 +1,26 @@
+id: GO-2024-2476
+modules:
+ - module: github.com/dexidp/dex
+ non_go_versions:
+ - introduced: 2.37.0
+ fixed: 2.38.0
+ vulnerable_at: 0.6.1
+summary: |-
+ Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure
+ ciphers in github.com/dexidp/dex
+cves:
+ - CVE-2024-23656
+ghsas:
+ - GHSA-gr79-9v6v-gc9r
+references:
+ - advisory: https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23656
+ - fix: https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
+ - fix: https://github.com/dexidp/dex/pull/2964
+ - report: https://github.com/dexidp/dex/issues/2848
+ - web: https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425
+source:
+ id: GHSA-gr79-9v6v-gc9r
+ created: 2024-06-14T11:36:28.742125-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
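Review bot: GO-2024-2472 is filed against github.com/notaryproject/notation, but every reference, including the only commit link (`web: https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a`), points at the notaryproject/specifications repository, and the module entry itself has nothing beyond an `unsupported_versions` marker of `type: last_affected` at 1.0.0, so a consumer of the report gets neither a fixed version nor a fix commit for the code they actually import. If a notation release implemented the specification change, a `fix:` reference to that commit and a `versions:` range naming the fixed version would make the report actionable; if only the specification text changed, recording that in a `notes:` entry (the field GO-2024-2499 already uses) would stop the missing fix from reading as an omission. The summary's "configured with permissive trust policies" also hints that exposure depends on user configuration, which is exactly the kind of condition a reviewed description should spell out.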
diff --git a/data/reports/GO-2024-2477.yaml b/data/reports/GO-2024-2477.yaml
new file mode 100644
index 00000000..9a706ff1
--- /dev/null
+++ b/data/reports/GO-2024-2477.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2477
+modules:
+ - module: github.com/openfga/openfga
+ versions:
+ - fixed: 1.4.3
+ vulnerable_at: 1.4.2
+summary: OpenFGA denial of service in github.com/openfga/openfga
+cves:
+ - CVE-2024-23820
+ghsas:
+ - GHSA-rxpw-85vw-fx87
+references:
+ - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23820
+ - fix: https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39
+ - web: https://github.com/openfga/openfga/releases/tag/v1.4.3
+source:
+ id: GHSA-rxpw-85vw-fx87
+ created: 2024-06-14T11:36:36.858461-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2478.yaml b/data/reports/GO-2024-2478.yaml
new file mode 100644
index 00000000..687a87ee
--- /dev/null
+++ b/data/reports/GO-2024-2478.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-2478
+modules:
+ - module: blitiri.com.ar/go/chasquid
+ versions:
+ - fixed: 1.13.0
+ vulnerable_at: 1.11.1
+summary: |-
+ chasquid HTTP Request/Response Smuggling vulnerability in
+ github.com/albertito/chasquid in blitiri.com.ar/go/chasquid
+cves:
+ - CVE-2023-52354
+ghsas:
+ - GHSA-g4x3-mfpj-f335
+references:
+ - advisory: https://github.com/advisories/GHSA-g4x3-mfpj-f335
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-52354
+ - fix: https://github.com/albertito/chasquid/commit/a996106eeebe81a292ecba838c7503cac7493e74
+ - report: https://github.com/albertito/chasquid/issues/47
+ - web: https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24
+source:
+ id: GHSA-g4x3-mfpj-f335
+ created: 2024-06-26T16:14:26.250749-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
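Review bot: The summary of GO-2024-2478 ends `... in github.com/albertito/chasquid in blitiri.com.ar/go/chasquid`, naming the same project twice: the upstream advisory title already carried the GitHub path and the module path was appended on top of it. `summary: chasquid HTTP Request/Response Smuggling vulnerability in blitiri.com.ar/go/chasquid` keeps the module path the report is keyed on and drops the duplicate. chasquid is a mail server, so "HTTP Request/Response Smuggling" here is presumably the CWE category name rather than a description of the protocol involved; if the linked release notes and issue describe SMTP smuggling, saying so in the summary would be clearer for readers triaging by title.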
diff --git a/data/reports/GO-2024-2479.yaml b/data/reports/GO-2024-2479.yaml
new file mode 100644
index 00000000..6687a6e4
--- /dev/null
+++ b/data/reports/GO-2024-2479.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2479
+modules:
+ - module: goauthentik.io
+ non_go_versions:
+ - fixed: 2023.8.7
+ - introduced: 2023.10.0
+ fixed: 2023.10.7
+ vulnerable_at: 0.0.0-20240614153308-6e98c9a6a9f4
+summary: Authentik vulnerable to PKCE downgrade attack in goauthentik.io
+cves:
+ - CVE-2024-23647
+ghsas:
+ - GHSA-mrx3-gxjx-hjqj
+references:
+ - advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23647
+ - web: https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a
+source:
+ id: GHSA-mrx3-gxjx-hjqj
+ created: 2024-06-14T11:36:48.687986-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2480.yaml b/data/reports/GO-2024-2480.yaml
new file mode 100644
index 00000000..912abf30
--- /dev/null
+++ b/data/reports/GO-2024-2480.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2480
+modules:
+ - module: github.com/0xJacky/Nginx-UI
+ non_go_versions:
+ - fixed: 2.0.0-beta.12
+ vulnerable_at: 1.9.9
+summary: |-
+ Nginx-UI vulnerable to authenticated RCE through injecting into the application
+ config via CRLF in github.com/0xJacky/Nginx-UI
+cves:
+ - CVE-2024-23828
+ghsas:
+ - GHSA-qcjq-7f7v-pvc8
+references:
+ - advisory: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-qcjq-7f7v-pvc8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23828
+ - web: https://github.com/0xJacky/nginx-ui/commit/d70e37c8575e25b3da7203ff06da5e16c77a42d1
+source:
+ id: GHSA-qcjq-7f7v-pvc8
+ created: 2024-06-14T11:36:54.518439-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2024-2481.yaml b/data/reports/GO-2024-2481.yaml
new file mode 100644
index 00000000..57dc81bd
--- /dev/null
+++ b/data/reports/GO-2024-2481.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-2481
+modules:
+ - module: github.com/0xJacky/Nginx-UI
+ non_go_versions:
+ - fixed: 2.0.0-beta.12
+ vulnerable_at: 1.9.9
+summary: |-
+ Nginx-UI vulnerable to arbitrary file write through the Import Certificate
+ feature in github.com/0xJacky/Nginx-UI
+cves:
+ - CVE-2024-23827
+ghsas:
+ - GHSA-xvq9-4vpv-227m
+references:
+ - advisory: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23827
+ - web: https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72
+ - web: https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/internal/cert/write_file.go#L15
+ - web: https://github.com/0xJacky/nginx-ui/commit/8581bdd3c6f49ab345b773517ba9173fa7fc6199
+source:
+ id: GHSA-xvq9-4vpv-227m
+ created: 2024-06-14T11:37:04.445587-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2024-2483.yaml b/data/reports/GO-2024-2483.yaml
new file mode 100644
index 00000000..5b072fd8
--- /dev/null
+++ b/data/reports/GO-2024-2483.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2483
+modules:
+ - module: github.com/grafana/grafana
+ versions:
+ - fixed: 6.0.0-beta1+incompatible
+ vulnerable_at: 5.4.5+incompatible
+summary: Grafana XSS via adding a link in General feature in github.com/grafana/grafana
+cves:
+ - CVE-2018-18625
+ghsas:
+ - GHSA-6wh2-8hw7-jw94
+references:
+ - advisory: https://github.com/advisories/GHSA-6wh2-8hw7-jw94
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2018-18625
+ - fix: https://github.com/grafana/grafana/pull/11813
+ - fix: https://github.com/grafana/grafana/pull/14984
+ - web: https://security.netapp.com/advisory/ntap-20200608-0008
+source:
+ id: GHSA-6wh2-8hw7-jw94
+ created: 2024-06-14T11:37:10.915935-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2485.yaml b/data/reports/GO-2024-2485.yaml
new file mode 100644
index 00000000..e737d52d
--- /dev/null
+++ b/data/reports/GO-2024-2485.yaml
@@ -0,0 +1,25 @@
+id: GO-2024-2485
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 0.11.0
+ fixed: 1.3.4
+ vulnerable_at: 1.3.3
+summary: HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
+cves:
+ - CVE-2020-10661
+ghsas:
+ - GHSA-j6vv-vv26-rh7c
+unknown_aliases:
+ - BIT-vault-2020-10661
+references:
+ - advisory: https://github.com/advisories/GHSA-j6vv-vv26-rh7c
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-10661
+ - fix: https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a
+ - web: https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020
+ - web: https://www.hashicorp.com/blog/category/vault
+source:
+ id: GHSA-j6vv-vv26-rh7c
+ created: 2024-06-14T11:37:17.728135-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2486.yaml b/data/reports/GO-2024-2486.yaml
new file mode 100644
index 00000000..d78a0b7d
--- /dev/null
+++ b/data/reports/GO-2024-2486.yaml
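Review bot: GO-2024-2485 and GO-2024-2486 carry the identical summary `HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault` for two different CVEs (CVE-2020-10661 and CVE-2020-10660) with different introduced versions (0.11.0 and 0.9.0), so nothing in a listing, search result or vulncheck output distinguishes the two reports. The summary is the only free-text field in these files and each should name the specific behavior its advisory describes rather than the shared category-style title; the two references differ only by the extra `fix:` pull-request link in GO-2024-2486, so the distinction has to come from the summary. The wording appears to be taken verbatim from the upstream advisory titles, which means the fix belongs in these YAML files when they are reviewed rather than waiting on the feed.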
@@ -0,0 +1,26 @@
+id: GO-2024-2486
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 0.9.0
+ fixed: 1.3.4
+ vulnerable_at: 1.3.3
+summary: HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
+cves:
+ - CVE-2020-10660
+ghsas:
+ - GHSA-m979-w9wj-qfj9
+unknown_aliases:
+ - BIT-vault-2020-10660
+references:
+ - advisory: https://github.com/advisories/GHSA-m979-w9wj-qfj9
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-10660
+ - fix: https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a
+ - fix: https://github.com/hashicorp/vault/pull/8606
+ - web: https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020
+ - web: https://www.hashicorp.com/blog/category/vault
+source:
+ id: GHSA-m979-w9wj-qfj9
+ created: 2024-06-14T11:37:27.238275-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2488.yaml b/data/reports/GO-2024-2488.yaml
new file mode 100644
index 00000000..30788765
--- /dev/null
+++ b/data/reports/GO-2024-2488.yaml
@@ -0,0 +1,31 @@
+id: GO-2024-2488
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 0.8.3
+ fixed: 1.2.5
+ - introduced: 1.3.0
+ fixed: 1.3.8
+ - introduced: 1.4.0
+ fixed: 1.4.4
+ - introduced: 1.5.0
+ fixed: 1.5.1
+ vulnerable_at: 1.5.0
+summary: HashiCorp Vault Authentication bypass in github.com/hashicorp/vault
+cves:
+ - CVE-2020-16251
+ghsas:
+ - GHSA-4mp7-2m29-gqxf
+unknown_aliases:
+ - BIT-vault-2020-16251
+references:
+ - advisory: https://github.com/advisories/GHSA-4mp7-2m29-gqxf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-16251
+ - web: http://packetstormsecurity.com/files/159479/Hashicorp-Vault-GCP-IAM-Integration-Authentication-Bypass.html
+ - web: https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151
+ - web: https://www.hashicorp.com/blog/category/vault
+source:
+ id: GHSA-4mp7-2m29-gqxf
+ created: 2024-06-14T11:37:32.985013-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2491.yaml b/data/reports/GO-2024-2491.yaml
new file mode 100644
index 00000000..49e15ff5
--- /dev/null
+++ b/data/reports/GO-2024-2491.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2491
+modules:
+ - module: github.com/opencontainers/runc
+ versions:
+ - introduced: 1.0.0-rc93
+ fixed: 1.1.12
+ vulnerable_at: 1.1.11
+summary: |-
+ runc vulnerable to container breakout through process.cwd trickery and leaked
+ fds in github.com/opencontainers/runc
+cves:
+ - CVE-2024-21626
+ghsas:
+ - GHSA-xr7r-f8xq-vfvv
+references:
+ - advisory: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21626
+ - fix: https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf
+ - web: http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html
+ - web: http://www.openwall.com/lists/oss-security/2024/02/01/1
+ - web: http://www.openwall.com/lists/oss-security/2024/02/02/3
+ - web: https://github.com/opencontainers/runc/releases/tag/v1.1.12
+ - web: https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL
+source:
+ id: GHSA-xr7r-f8xq-vfvv
+ created: 2024-06-14T11:37:42.756616-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2495.yaml b/data/reports/GO-2024-2495.yaml
new file mode 100644
index 00000000..57ef13c3
--- /dev/null
+++ b/data/reports/GO-2024-2495.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2495
+modules:
+ - module: github.com/apache/servicecomb-service-center
+ non_go_versions:
+ - fixed: 2.2.0
+ vulnerable_at: 1.4.8
+summary: Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability in github.com/apache/servicecomb-service-center
+cves:
+ - CVE-2023-44313
+ghsas:
+ - GHSA-9xc9-xq7w-vpcr
+references:
+ - advisory: https://github.com/advisories/GHSA-9xc9-xq7w-vpcr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-44313
+ - web: http://www.openwall.com/lists/oss-security/2024/01/31/4
+ - web: https://lists.apache.org/thread/kxovd455o9h4f2v811hcov2qknbwld5r
+source:
+ id: GHSA-9xc9-xq7w-vpcr
+ created: 2024-06-14T11:37:55.379016-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2496.yaml b/data/reports/GO-2024-2496.yaml
new file mode 100644
index 00000000..019131f2
--- /dev/null
+++ b/data/reports/GO-2024-2496.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2496
+modules:
+ - module: github.com/apache/servicecomb-service-center
+ non_go_versions:
+ - fixed: 2.2.0
+ vulnerable_at: 1.4.8
+summary: |-
+ Apache ServiceComb Service-Center Exposure of Sensitive Information to an
+ Unauthorized Actor vulnerability in github.com/apache/servicecomb-service-center
+cves:
+ - CVE-2023-44312
+ghsas:
+ - GHSA-r8xp-52mq-rmm8
+references:
+ - advisory: https://github.com/advisories/GHSA-r8xp-52mq-rmm8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-44312
+ - web: http://www.openwall.com/lists/oss-security/2024/01/31/5
+ - web: https://lists.apache.org/thread/dkvlgnrmc17qzjdy9k0cr60wpzcssk1s
+source:
+ id: GHSA-r8xp-52mq-rmm8
+ created: 2024-06-14T11:38:00.285197-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2499.yaml b/data/reports/GO-2024-2499.yaml
new file mode 100644
index 00000000..8f57083e
--- /dev/null
+++ b/data/reports/GO-2024-2499.yaml
@@ -0,0 +1,26 @@
+id: GO-2024-2499
+modules:
+ - module: github.com/minio/minio
+ versions:
+ - fixed: 0.0.0-20240131185645-0ae4915a9391
+summary: |-
+ Minio unsafe default: Access keys inherit `admin` of root user, allowing
+ privilege escalation in github.com/minio/minio
+cves:
+ - CVE-2024-24747
+ghsas:
+ - GHSA-xx8w-mq23-29g4
+unknown_aliases:
+ - BIT-minio-2024-24747
+references:
+ - advisory: https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-24747
+ - fix: https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776
+ - web: https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z
+notes:
+ - fix: 'github.com/minio/minio: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-xx8w-mq23-29g4
+ created: 2024-06-14T11:38:05.147981-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2500.yaml b/data/reports/GO-2024-2500.yaml
new file mode 100644
index 00000000..9ee192b1
--- /dev/null
+++ b/data/reports/GO-2024-2500.yaml
@@ -0,0 +1,27 @@
+id: GO-2024-2500
+modules:
+ - module: github.com/docker/docker
+ versions:
+ - fixed: 20.10.9+incompatible
+ vulnerable_at: 20.10.8+incompatible
+ - module: github.com/moby/moby
+ versions:
+ - fixed: 20.10.9+incompatible
+ vulnerable_at: 20.10.8+incompatible
+summary: Moby (Docker Engine) Insufficiently restricted permissions on data directory in github.com/docker/docker
+cves:
+ - CVE-2021-41091
+ghsas:
+ - GHSA-3fwx-pjgw-3558
+references:
+ - advisory: https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-41091
+ - fix: https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64
+ - web: https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB
+source:
+ id: GHSA-3fwx-pjgw-3558
+ created: 2024-06-14T11:38:10.238616-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2501.yaml b/data/reports/GO-2024-2501.yaml
new file mode 100644
index 00000000..1f4bd2a8
--- /dev/null
+++ b/data/reports/GO-2024-2501.yaml
@@ -0,0 +1,29 @@
+id: GO-2024-2501
+modules:
+ - module: github.com/hashicorp/consul
+ versions:
+ - introduced: 1.7.0
+ fixed: 1.7.9
+ - introduced: 1.8.0
+ fixed: 1.8.5
+ vulnerable_at: 1.8.4
+summary: Denial of service in HashiCorp Consul in github.com/hashicorp/consul
+cves:
+ - CVE-2020-25201
+ghsas:
+ - GHSA-496g-fr33-whrf
+unknown_aliases:
+ - BIT-consul-2020-25201
+references:
+ - advisory: https://github.com/advisories/GHSA-496g-fr33-whrf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-25201
+ - fix: https://github.com/hashicorp/consul/pull/9024
+ - web: https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#185-october-23-2020
+ - web: https://github.com/hashicorp/consul/releases/tag/v1.8.5
+ - web: https://security.gentoo.org/glsa/202208-09
+ - web: https://www.hashicorp.com/blog/category/consul
+source:
+ id: GHSA-496g-fr33-whrf
+ created: 2024-06-14T11:38:16.725105-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2505.yaml b/data/reports/GO-2024-2505.yaml
new file mode 100644
index 00000000..5d3eda37
--- /dev/null
+++ b/data/reports/GO-2024-2505.yaml
@@ -0,0 +1,31 @@
+id: GO-2024-2505
+modules:
+ - module: github.com/hashicorp/consul
+ versions:
+ - introduced: 1.2.0
+ fixed: 1.6.10
+ - introduced: 1.7.0
+ fixed: 1.7.10
+ - introduced: 1.8.0
+ fixed: 1.8.6
+ vulnerable_at: 1.8.5
+summary: Privilege Escalation in HashiCorp Consul in github.com/hashicorp/consul
+cves:
+ - CVE-2020-28053
+ghsas:
+ - GHSA-6m72-467w-94rh
+unknown_aliases:
+ - BIT-consul-2020-28053
+references:
+ - advisory: https://github.com/advisories/GHSA-6m72-467w-94rh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-28053
+ - fix: https://github.com/hashicorp/consul/commit/ff5215d882ac51b49c2647aac46b42aa9c890ce3
+ - fix: https://github.com/hashicorp/consul/pull/9240
+ - web: https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#186-november-19-2020
+ - web: https://security.gentoo.org/glsa/202208-09
+ - web: https://www.hashicorp.com/blog/category/consul
+source:
+ id: GHSA-6m72-467w-94rh
+ created: 2024-06-14T11:38:32.702692-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2508.yaml b/data/reports/GO-2024-2508.yaml
new file mode 100644
index 00000000..6060a838
--- /dev/null
+++ b/data/reports/GO-2024-2508.yaml
@@ -0,0 +1,27 @@
+id: GO-2024-2508
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 1.5.0
+ fixed: 1.5.6
+ - introduced: 1.6.0
+ fixed: 1.6.1
+ vulnerable_at: 1.6.0
+summary: Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault
+cves:
+ - CVE-2020-35177
+ghsas:
+ - GHSA-rpgp-9hmg-j25x
+unknown_aliases:
+ - BIT-vault-2020-35177
+references:
+ - advisory: https://github.com/advisories/GHSA-rpgp-9hmg-j25x
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-35177
+ - fix: https://github.com/hashicorp/vault/pull/10537
+ - web: https://discuss.hashicorp.com/t/hcsec-2020-25-vault-s-ldap-auth-method-allows-user-enumeration/18984
+ - web: https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#161
+source:
+ id: GHSA-rpgp-9hmg-j25x
+ created: 2024-06-14T11:38:39.105424-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2509.yaml b/data/reports/GO-2024-2509.yaml
new file mode 100644
index 00000000..26f2e1a8
--- /dev/null
+++ b/data/reports/GO-2024-2509.yaml
@@ -0,0 +1,25 @@
+id: GO-2024-2509
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 1.6.0
+ fixed: 1.6.2
+ vulnerable_at: 1.6.1
+summary: Improper Authentication in HashiCorp Vault in github.com/hashicorp/vault
+cves:
+ - CVE-2021-3282
+ghsas:
+ - GHSA-rq95-xf66-j689
+unknown_aliases:
+ - BIT-vault-2021-3282
+references:
+ - advisory: https://github.com/advisories/GHSA-rq95-xf66-j689
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3282
+ - fix: https://github.com/hashicorp/vault/commit/09f9068e22f762da123160233518b440e00bdb3b
+ - web: https://discuss.hashicorp.com/t/hcsec-2021-04-vault-enterprise-s-dr-secondaries-allowed-raft-peer-removal-without-authentication/20337
+ - web: https://security.gentoo.org/glsa/202207-01
+source:
+ id: GHSA-rq95-xf66-j689
+ created: 2024-06-14T11:38:45.419225-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2510.yaml b/data/reports/GO-2024-2510.yaml
new file mode 100644
index 00000000..b340c190
--- /dev/null
+++ b/data/reports/GO-2024-2510.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2510
+modules:
+ - module: github.com/grafana/grafana
+ versions:
+ - fixed: 5.2.0-beta1+incompatible
+ vulnerable_at: 5.1.5+incompatible
+summary: Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana
+cves:
+ - CVE-2018-12099
+ghsas:
+ - GHSA-v5gq-qvjq-8p53
+references:
+ - advisory: https://github.com/advisories/GHSA-v5gq-qvjq-8p53
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2018-12099
+ - fix: https://github.com/grafana/grafana/pull/11813
+ - web: https://github.com/grafana/grafana/releases/tag/v5.2.0-beta1
+ - web: https://security.netapp.com/advisory/ntap-20190416-0004
+source:
+ id: GHSA-v5gq-qvjq-8p53
+ created: 2024-06-14T11:38:50.241825-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2024-2511.yaml b/data/reports/GO-2024-2511.yaml
new file mode 100644
index 00000000..306f2baa
--- /dev/null
+++ b/data/reports/GO-2024-2511.yaml
@@ -0,0 +1,26 @@
+id: GO-2024-2511
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 1.15.0
+ fixed: 1.15.5
+ vulnerable_at: 1.15.4
+summary: Hashicorp Vault may expose sensitive log information in github.com/hashicorp/vault
+cves:
+ - CVE-2024-0831
+ghsas:
+ - GHSA-vgh3-mwxq-rcp8
+unknown_aliases:
+ - BIT-vault-2024-0831
+references:
+ - advisory: https://github.com/advisories/GHSA-vgh3-mwxq-rcp8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-0831
+ - fix: https://github.com/hashicorp/vault/commit/2a72f2a8a5b57de88c22a2a94c4a5f08c6f3770b
+ - web: https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration
+ - web: https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311
+ - web: https://security.netapp.com/advisory/ntap-20240223-0005
+source:
+ id: GHSA-vgh3-mwxq-rcp8
+ created: 2024-06-14T11:38:56.000042-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2512.yaml b/data/reports/GO-2024-2512.yaml
new file mode 100644
index 00000000..a7c84acc
--- /dev/null
+++ b/data/reports/GO-2024-2512.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2512
+modules:
+ - module: github.com/docker/docker
+ versions:
+ - fixed: 24.0.9+incompatible
+ - introduced: 25.0.0+incompatible
+ - fixed: 25.0.2+incompatible
+ vulnerable_at: 25.0.1+incompatible
+summary: Classic builder cache poisoning in github.com/docker/docker
+cves:
+ - CVE-2024-24557
+ghsas:
+ - GHSA-xw73-rw38-6vjc
+references:
+ - advisory: https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc
+ - web: https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
+ - web: https://github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd
+ - web: https://github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff
+source:
+ id: GHSA-xw73-rw38-6vjc
+ created: 2024-06-26T16:09:36.799744-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2513.yaml b/data/reports/GO-2024-2513.yaml
new file mode 100644
index 00000000..2fd7946f
--- /dev/null
+++ b/data/reports/GO-2024-2513.yaml
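Review bot: The three moby commit URLs under `references` in GO-2024-2512 are typed `web`, whereas the equivalent fix commit in GO-2024-2500 is typed `fix`, so a consumer that filters references by type sees no fix for CVE-2024-24557. Change each to `- fix: https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae` (and likewise the other two), and add `- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-24557` as every other CVE-bearing report in this commit does. Separately, `introduced: 25.0.0+incompatible` and `fixed: 25.0.2+incompatible` are separate list items here while the 2024-06-14 reports (e.g. GO-2024-2501) put introduced/fixed in one item; both shapes appear to be tool-emitted, but it is worth confirming the loader reads this as the single range [25.0.0, 25.0.2) rather than an open-ended introduced event.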
@@ -0,0 +1,28 @@
+id: GO-2024-2513
+modules:
+ - module: github.com/grafana/grafana
+ non_go_versions:
+ - fixed: 7.2.1
+ vulnerable_at: 5.4.5+incompatible
+summary: Grafana information disclosure in github.com/grafana/grafana
+cves:
+ - CVE-2020-12458
+ghsas:
+ - GHSA-3jq7-8ph8-63xm
+unknown_aliases:
+ - BIT-grafana-2020-12458
+references:
+ - advisory: https://github.com/advisories/GHSA-3jq7-8ph8-63xm
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-12458
+ - fix: https://github.com/grafana/grafana/commit/102448040d5132460e3b0013e03ebedec0677e00
+ - report: https://github.com/grafana/grafana/issues/8283
+ - web: https://access.redhat.com/security/cve/CVE-2020-12458
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=1827765
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A
+ - web: https://security.netapp.com/advisory/ntap-20200518-0001
+source:
+ id: GHSA-3jq7-8ph8-63xm
+ created: 2024-06-14T11:39:09.292022-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2514.yaml b/data/reports/GO-2024-2514.yaml
new file mode 100644
index 00000000..ab1aaf5f
--- /dev/null
+++ b/data/reports/GO-2024-2514.yaml
@@ -0,0 +1,26 @@
+id: GO-2024-2514
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 1.0.0
+ fixed: 1.5.4
+ vulnerable_at: 1.5.3
+summary: Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault
+cves:
+ - CVE-2020-25816
+ghsas:
+ - GHSA-57gg-cj55-q5g2
+unknown_aliases:
+ - BIT-vault-2020-25816
+references:
+ - advisory: https://github.com/advisories/GHSA-57gg-cj55-q5g2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-25816
+ - fix: https://github.com/hashicorp/vault/pull/10020/commits/f192878110fe93eb13da914b2bee28caa7866a29
+ - web: https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#147
+ - web: https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#154
+ - web: https://www.hashicorp.com/blog/category/vault
+source:
+ id: GHSA-57gg-cj55-q5g2
+ created: 2024-06-14T11:39:20.73164-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2515.yaml b/data/reports/GO-2024-2515.yaml
new file mode 100644
index 00000000..eb3a7f34
--- /dev/null
+++ b/data/reports/GO-2024-2515.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-2515
+modules:
+ - module: github.com/grafana/grafana
+ non_go_versions:
+ - fixed: 7.0.0
+ vulnerable_at: 5.4.5+incompatible
+summary: Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana
+cves:
+ - CVE-2020-13430
+ghsas:
+ - GHSA-7m2x-qhrq-rp8h
+unknown_aliases:
+ - BIT-grafana-2020-13430
+references:
+ - advisory: https://github.com/advisories/GHSA-7m2x-qhrq-rp8h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-13430
+ - fix: https://github.com/grafana/grafana/pull/24539
+ - web: https://github.com/grafana/grafana/releases/tag/v7.0.0
+ - web: https://security.netapp.com/advisory/ntap-20200528-0003
+source:
+ id: GHSA-7m2x-qhrq-rp8h
+ created: 2024-06-14T11:39:28.904078-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
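Review bot: In GO-2024-2514 the single range `introduced: 1.0.0` / `fixed: 1.5.4` marks every 1.4.x release as vulnerable, yet the references list `CHANGELOG.md#147` next to `CHANGELOG.md#154`, which suggests the fix was also backported to 1.4.7. If the changelog confirms that, the versions should be two ranges, `- introduced: 1.0.0` / `fixed: 1.4.7` and `- introduced: 1.5.0` / `fixed: 1.5.4`, otherwise anyone on a patched 1.4.x line gets a false positive for CVE-2020-25816. I cannot verify the 1.4.7 backport from this page, so please check the linked changelog before changing the range.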
diff --git a/data/reports/GO-2024-2516.yaml b/data/reports/GO-2024-2516.yaml
new file mode 100644
index 00000000..6f941872
--- /dev/null
+++ b/data/reports/GO-2024-2516.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2516
+modules:
+ - module: github.com/grafana/grafana
+ non_go_versions:
+ - fixed: 7.0.0
+ vulnerable_at: 5.4.5+incompatible
+summary: Grafana XSS via a column style in github.com/grafana/grafana
+cves:
+ - CVE-2018-18624
+ghsas:
+ - GHSA-9hv8-4frf-cprf
+references:
+ - advisory: https://github.com/advisories/GHSA-9hv8-4frf-cprf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2018-18624
+ - fix: https://github.com/grafana/grafana/commit/0284747c88eb9435899006d26ffaf65f89dec88e
+ - fix: https://github.com/grafana/grafana/pull/11813
+ - fix: https://github.com/grafana/grafana/pull/23816
+ - web: https://security.netapp.com/advisory/ntap-20200608-0008
+source:
+ id: GHSA-9hv8-4frf-cprf
+ created: 2024-06-14T11:39:35.057497-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2024-2517.yaml b/data/reports/GO-2024-2517.yaml
new file mode 100644
index 00000000..7ae1fe5f
--- /dev/null
+++ b/data/reports/GO-2024-2517.yaml
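Review bot: GO-2024-2516 records `fixed: 7.0.0` for CVE-2018-18624, while GO-2024-2517 in this same commit cites the same fix commit `0284747c88eb9435899006d26ffaf65f89dec88e` and the same PR 23816 with `fixed: 6.7.3`; the two entries cannot both be right unless that commit shipped in different releases for the two issues. If the fix landed in 6.7.3, this report currently flags 6.7.3 through 6.7.x as vulnerable; if it only reached 7.0.0, GO-2024-2517 under-reports. Please reconcile the two `non_go_versions` blocks against the release that actually contains PR 23816.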
@@ -0,0 +1,30 @@
+id: GO-2024-2517
+modules:
+ - module: github.com/grafana/grafana
+ non_go_versions:
+ - fixed: 6.7.3
+ vulnerable_at: 5.4.5+incompatible
+summary: Grafana XSS in header column rename in github.com/grafana/grafana
+cves:
+ - CVE-2020-12245
+ghsas:
+ - GHSA-ccmg-w4xm-p28v
+unknown_aliases:
+ - BIT-grafana-2020-12245
+references:
+ - advisory: https://github.com/advisories/GHSA-ccmg-w4xm-p28v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-12245
+ - fix: https://github.com/grafana/grafana/commit/0284747c88eb9435899006d26ffaf65f89dec88e
+ - fix: https://github.com/grafana/grafana/pull/23816
+ - web: http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html
+ - web: http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html
+ - web: http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html
+ - web: http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html
+ - web: https://community.grafana.com/t/release-notes-v6-7-x/27119
+ - web: https://github.com/grafana/grafana/blob/master/CHANGELOG.md#673-2020-04-23
+ - web: https://security.netapp.com/advisory/ntap-20200511-0001
+source:
+ id: GHSA-ccmg-w4xm-p28v
+ created: 2024-06-14T11:39:42.736913-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2024-2520.yaml b/data/reports/GO-2024-2520.yaml
new file mode 100644
index 00000000..70955cff
--- /dev/null
+++ b/data/reports/GO-2024-2520.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-2520
+modules:
+ - module: github.com/grafana/grafana
+ non_go_versions:
+ - fixed: 7.1.0-beta1
+ vulnerable_at: 5.4.5+incompatible
+summary: Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana
+cves:
+ - CVE-2020-24303
+ghsas:
+ - GHSA-mvpr-q6rh-8vrp
+unknown_aliases:
+ - BIT-grafana-2020-24303
+references:
+ - advisory: https://github.com/advisories/GHSA-mvpr-q6rh-8vrp
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-24303
+ - fix: https://github.com/grafana/grafana/pull/25401
+ - web: https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01
+ - web: https://security.netapp.com/advisory/ntap-20201123-0002
+source:
+ id: GHSA-mvpr-q6rh-8vrp
+ created: 2024-06-14T11:39:55.698815-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2024-2521.yaml b/data/reports/GO-2024-2521.yaml
new file mode 100644
index 00000000..1d3b4559
--- /dev/null
+++ b/data/reports/GO-2024-2521.yaml
@@ -0,0 +1,29 @@
+id: GO-2024-2521
+modules:
+ - module: github.com/moby/moby
+ non_go_versions:
+ - introduced: 19.03.0
+ fixed: 19.03.1
+ vulnerable_at: 26.1.4+incompatible
+summary: Moby Docker cp broken with debian containers in github.com/moby/moby
+cves:
+ - CVE-2019-14271
+ghsas:
+ - GHSA-v2cv-wwxq-qq97
+references:
+ - advisory: https://github.com/advisories/GHSA-v2cv-wwxq-qq97
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-14271
+ - fix: https://github.com/moby/moby/commit/11e48badcb67554b3d795241855028f28d244545
+ - fix: https://github.com/moby/moby/commit/fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
+ - fix: https://github.com/moby/moby/pull/39612
+ - report: https://github.com/moby/moby/issues/39449
+ - web: http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html
+ - web: https://docs.docker.com/engine/release-notes
+ - web: https://seclists.org/bugtraq/2019/Sep/21
+ - web: https://security.netapp.com/advisory/ntap-20190828-0003
+ - web: https://www.debian.org/security/2019/dsa-4521
+source:
+ id: GHSA-v2cv-wwxq-qq97
+ created: 2024-06-14T11:40:02.184106-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2523.yaml b/data/reports/GO-2024-2523.yaml
new file mode 100644
index 00000000..11720247
--- /dev/null
+++ b/data/reports/GO-2024-2523.yaml
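Review bot: The summary `Moby Docker cp broken with debian containers` describes a functional symptom rather than the security impact CVE-2019-14271 was assigned for, so it should be rewritten from the linked advisory's description of what a container can do to the host running `docker cp`; the `issues/39449` report title appears to have been copied verbatim. Note also that `vulnerable_at: 26.1.4+incompatible` lies far beyond the `fixed: 19.03.1` boundary — presumably because the 19.03.x tags are not valid Go versions and had to go under `non_go_versions` — but as written the report asserts the current release is still affected, which deserves either a comment in the file or a confirmation that this is the intended reading.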
@@ -0,0 +1,25 @@
+id: GO-2024-2523
+modules:
+ - module: github.com/grafana/grafana
+ non_go_versions:
+ - fixed: 6.7.2
+ vulnerable_at: 5.4.5+incompatible
+summary: Grafana stored XSS in github.com/grafana/grafana
+cves:
+ - CVE-2020-11110
+ghsas:
+ - GHSA-xr3x-62qw-vc4w
+unknown_aliases:
+ - BIT-grafana-2020-11110
+references:
+ - advisory: https://github.com/advisories/GHSA-xr3x-62qw-vc4w
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-11110
+ - fix: https://github.com/grafana/grafana/commit/fb114a75241aaef4c08581b42509c750738b768a
+ - fix: https://github.com/grafana/grafana/pull/23254
+ - web: https://github.com/grafana/grafana/blob/master/CHANGELOG.md
+ - web: https://security.netapp.com/advisory/ntap-20200810-0002
+source:
+ id: GHSA-xr3x-62qw-vc4w
+ created: 2024-06-14T11:40:12.676807-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2527.yaml b/data/reports/GO-2024-2527.yaml
new file mode 100644
index 00000000..28d837a5
--- /dev/null
+++ b/data/reports/GO-2024-2527.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-2527
+modules:
+ - module: go.etcd.io/etcd/client/pkg/v3
+ non_go_versions:
+ - fixed: 3.3.23
+ - introduced: 3.4.0-rc.0
+ fixed: 3.4.10
+ vulnerable_at: 3.5.14
+summary: Etcd pkg Insecure ciphers are allowed by default in go.etcd.io/etcd/client/pkg/v3
+ghsas:
+ - GHSA-5x4g-q5rc-36jp
+references:
+ - advisory: https://github.com/etcd-io/etcd/security/advisories/GHSA-5x4g-q5rc-36jp
+source:
+ id: GHSA-5x4g-q5rc-36jp
+ created: 2024-06-14T11:40:23.789526-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2528.yaml b/data/reports/GO-2024-2528.yaml
new file mode 100644
index 00000000..b3426ac1
--- /dev/null
+++ b/data/reports/GO-2024-2528.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2528
+modules:
+ - module: go.etcd.io/etcd
+ vulnerable_at: 2.3.8+incompatible
+ - module: go.etcd.io/etcd/v3
+ non_go_versions:
+ - fixed: 3.3.23
+ - introduced: 3.4.0-rc.0
+ - fixed: 3.4.10
+ vulnerable_at: 3.5.14
+summary: Etcd Gateway TLS endpoint validation only confirms TCP reachability in go.etcd.io/etcd
+ghsas:
+ - GHSA-j86v-2vjr-fg8f
+references:
+ - advisory: https://github.com/etcd-io/etcd/security/advisories/GHSA-j86v-2vjr-fg8f
+source:
+ id: GHSA-j86v-2vjr-fg8f
+ created: 2024-06-26T16:10:23.766937-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2529.yaml b/data/reports/GO-2024-2529.yaml
new file mode 100644
index 00000000..aad625b7
--- /dev/null
+++ b/data/reports/GO-2024-2529.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2529
+modules:
+ - module: go.etcd.io/etcd
+ vulnerable_at: 2.3.8+incompatible
+ - module: go.etcd.io/etcd/v3
+ non_go_versions:
+ - fixed: 3.3.23
+ - introduced: 3.4.0-rc.0
+ - fixed: 3.4.10
+ vulnerable_at: 3.5.14
+summary: |-
+ Etcd embed auto compaction retention negative value causing a compaction loop or
+ a crash in go.etcd.io/etcd
+ghsas:
+ - GHSA-pm3m-32r3-7mfh
+references:
+ - advisory: https://github.com/etcd-io/etcd/security/advisories/GHSA-pm3m-32r3-7mfh
+source:
+ id: GHSA-pm3m-32r3-7mfh
+ created: 2024-06-26T16:10:36.366486-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2530.yaml b/data/reports/GO-2024-2530.yaml
new file mode 100644
index 00000000..f56ff814
--- /dev/null
+++ b/data/reports/GO-2024-2530.yaml
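Review bot: In GO-2024-2528 the `go.etcd.io/etcd` entry carries only `vulnerable_at: 2.3.8+incompatible` and no version range, so as written every version under that path is reported affected, while the `go.etcd.io/etcd/v3` entry says the issue was fixed in 3.3.23 and 3.4.10. If the 3.3/3.4 tags were published under the un-suffixed path (which the `+incompatible` on the first entry hints at), the `fixed` events belong on that entry and the `/v3` entry should cover only the 3.5+ line; GO-2024-2529 in this same hunk repeats the identical module block. Also, `introduced: 3.4.0-rc.0` and `fixed: 3.4.10` are separate list items here but paired in one item in GO-2024-2527 above; worth confirming both shapes parse to the same range.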
@@ -0,0 +1,22 @@
+id: GO-2024-2530
+modules:
+ - module: go.etcd.io/etcd
+ vulnerable_at: 2.3.8+incompatible
+ - module: go.etcd.io/etcd/v3
+ non_go_versions:
+ - fixed: 3.3.23
+ - introduced: 3.4.0-rc.0
+ - fixed: 3.4.10
+ vulnerable_at: 3.5.14
+summary: |-
+ Etcd auth Inaccurate logging of authentication attempts for users with CN-based
+ auth only in go.etcd.io/etcd
+ghsas:
+ - GHSA-vjg6-93fv-qv64
+references:
+ - advisory: https://github.com/etcd-io/etcd/security/advisories/GHSA-vjg6-93fv-qv64
+source:
+ id: GHSA-vjg6-93fv-qv64
+ created: 2024-06-26T16:05:38.246759-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2531.yaml b/data/reports/GO-2024-2531.yaml
new file mode 100644
index 00000000..0d2dd2b5
--- /dev/null
+++ b/data/reports/GO-2024-2531.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2531
+modules:
+ - module: github.com/1Panel-dev/1Panel
+ versions:
+ - fixed: 1.9.6
+ vulnerable_at: 1.9.5
+summary: 1Panel set-cookie is missing the Secure keyword in github.com/1Panel-dev/1Panel
+cves:
+ - CVE-2024-24768
+ghsas:
+ - GHSA-9xfw-jjq2-7v8h
+references:
+ - advisory: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-9xfw-jjq2-7v8h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-24768
+ - fix: https://github.com/1Panel-dev/1Panel/commit/1169648162c4b9b48e0b4aa508f9dea4d6bc50d5
+ - fix: https://github.com/1Panel-dev/1Panel/pull/3817
+source:
+ id: GHSA-9xfw-jjq2-7v8h
+ created: 2024-06-14T11:40:41.579857-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2532.yaml b/data/reports/GO-2024-2532.yaml
new file mode 100644
index 00000000..622f5454
--- /dev/null
+++ b/data/reports/GO-2024-2532.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2532
+modules:
+ - module: github.com/hashicorp/boundary
+ versions:
+ - introduced: 0.8.0
+ fixed: 0.15.0
+ vulnerable_at: 0.14.5
+summary: Boundary vulnerable to session hijacking through TLS certificate tampering in github.com/hashicorp/boundary
+cves:
+ - CVE-2024-1052
+ghsas:
+ - GHSA-vh73-q3rw-qx7w
+references:
+ - advisory: https://github.com/advisories/GHSA-vh73-q3rw-qx7w
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1052
+ - web: https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458
+source:
+ id: GHSA-vh73-q3rw-qx7w
+ created: 2024-06-14T11:40:47.48502-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2535.yaml b/data/reports/GO-2024-2535.yaml
new file mode 100644
index 00000000..3c4e676b
--- /dev/null
+++ b/data/reports/GO-2024-2535.yaml
@@ -0,0 +1,25 @@
+id: GO-2024-2535
+modules:
+ - module: github.com/rancher/rancher
+ non_go_versions:
+ - introduced: 2.6.0
+ fixed: 2.6.14
+ - introduced: 2.7.0
+ fixed: 2.7.10
+ - introduced: 2.8.0
+ fixed: 2.8.2
+ vulnerable_at: 1.6.30
+summary: |-
+ Rancher permissions on 'namespaces' in any API group grants 'edit' permissions
+ on namespaces in 'core' in github.com/rancher/rancher
+cves:
+ - CVE-2023-32194
+ghsas:
+ - GHSA-c85r-fwc7-45vc
+references:
+ - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-c85r-fwc7-45vc
+source:
+ id: GHSA-c85r-fwc7-45vc
+ created: 2024-06-14T11:40:51.774851-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2537.yaml b/data/reports/GO-2024-2537.yaml
new file mode 100644
index 00000000..87d527cc
--- /dev/null
+++ b/data/reports/GO-2024-2537.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2537
+modules:
+ - module: github.com/rancher/rancher
+ non_go_versions:
+ - introduced: 2.6.0
+ fixed: 2.6.14
+ - introduced: 2.7.0
+ fixed: 2.7.10
+ - introduced: 2.8.0
+ fixed: 2.8.2
+ vulnerable_at: 1.6.30
+summary: Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher
+cves:
+ - CVE-2023-22649
+ghsas:
+ - GHSA-xfj7-qf8w-2gcr
+references:
+ - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-xfj7-qf8w-2gcr
+source:
+ id: GHSA-xfj7-qf8w-2gcr
+ created: 2024-06-14T11:40:59.93657-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2540.yaml b/data/reports/GO-2024-2540.yaml
new file mode 100644
index 00000000..f7c5e7f6
--- /dev/null
+++ b/data/reports/GO-2024-2540.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2540
+modules:
+ - module: github.com/mattermost/mattermost-plugin-jira
+ non_go_versions:
+ - fixed: 4.0.0-rc1
+ vulnerable_at: 1.1.1
+summary: Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira
+cves:
+ - CVE-2024-24774
+ghsas:
+ - GHSA-qr8f-cjw7-838m
+unknown_aliases:
+ - BIT-mattermost-2024-24774
+references:
+ - advisory: https://github.com/advisories/GHSA-qr8f-cjw7-838m
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-24774
+ - fix: https://github.com/mattermost/mattermost-plugin-jira/commit/5f5e084d169bf6b82d5c46a7a7eb033e1a01c6de
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-qr8f-cjw7-838m
+ created: 2024-06-14T11:41:03.591421-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2541.yaml b/data/reports/GO-2024-2541.yaml
new file mode 100644
index 00000000..26b1c4a1
--- /dev/null
+++ b/data/reports/GO-2024-2541.yaml
@@ -0,0 +1,37 @@
+id: GO-2024-2541
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.1.0+incompatible
+ - fixed: 9.1.5+incompatible
+ - introduced: 9.2.0+incompatible
+ - fixed: 9.2.4+incompatible
+ vulnerable_at: 9.2.4-rc1+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.8
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-1402
+ghsas:
+ - GHSA-32h7-7j94-8fc2
+unknown_aliases:
+ - BIT-mattermost-2024-1402
+ - CGA-xjf7-9r4q-527v
+references:
+ - advisory: https://github.com/advisories/GHSA-32h7-7j94-8fc2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1402
+ - web: https://github.com/mattermost/mattermost/commit/64cb0ca8af2dbda1afcddd1604460591a4799b81
+ - web: https://github.com/mattermost/mattermost/commit/6d2440de9fd774b67e65e3aac4ab8b6ef9aba2d8
+ - web: https://github.com/mattermost/mattermost/commit/81190e2da128a6985914ea7023a69ac400513fc4
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-32h7-7j94-8fc2
+ created: 2024-06-26T16:13:23.271388-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2549.yaml b/data/reports/GO-2024-2549.yaml
new file mode 100644
index 00000000..c2c3488d
--- /dev/null
+++ b/data/reports/GO-2024-2549.yaml
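Review bot: `github.com/mattermost/mattermost-server/v5` and `/v6` are listed with only a `vulnerable_at` and no `versions`, which — if an absent range means all versions, as the `go.etcd.io/etcd` entries in this commit rely on — reports every v5 and v6 release as affected by CVE-2024-1402, although the only ranges actually given are 9.1.0–9.1.5, 9.2.0–9.2.4 and <8.1.8. Either add the ranges the advisory states for those major versions or drop the two entries; I cannot tell from this page whether the v5/v6 lines were ever affected. The three mattermost commit URLs are typed `web`; `- fix: https://github.com/mattermost/mattermost/commit/64cb0ca8af2dbda1afcddd1604460591a4799b81` (and the other two) is the type the rest of this commit uses for fix commits.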
@@ -0,0 +1,22 @@
+id: GO-2024-2549
+modules:
+ - module: github.com/greenpau/caddy-security
+ unsupported_versions:
+ - version: 1.1.20
+ type: last_affected
+ vulnerable_at: 1.1.29
+summary: caddy-security plugin for Caddy vulnerable to reflected Cross-site Scripting in github.com/greenpau/caddy-security
+cves:
+ - CVE-2023-52430
+ghsas:
+ - GHSA-xwmv-cx7p-fqfc
+references:
+ - advisory: https://github.com/advisories/GHSA-xwmv-cx7p-fqfc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-52430
+ - report: https://github.com/greenpau/caddy-security/issues/264
+ - web: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
+source:
+ id: GHSA-xwmv-cx7p-fqfc
+ created: 2024-06-14T11:41:20.789976-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2550.yaml b/data/reports/GO-2024-2550.yaml
new file mode 100644
index 00000000..34031db2
--- /dev/null
+++ b/data/reports/GO-2024-2550.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2550
+modules:
+ - module: github.com/mongodb/mongo-tools
+ non_go_versions:
+ - introduced: 100.0.0
+ fixed: 100.2.0
+ vulnerable_at: 0.0.0-20240614142727-3a6386047711
+summary: MongoDB Tools Improper Certificate Validation vulnerability in github.com/mongodb/mongo-tools
+cves:
+ - CVE-2020-7924
+ghsas:
+ - GHSA-6cwm-wm82-hgrw
+references:
+ - advisory: https://github.com/advisories/GHSA-6cwm-wm82-hgrw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-7924
+ - fix: https://github.com/mongodb/mongo-tools/commit/8c1800b5155084f954a39a1f2f259efac3bb86de
+ - web: https://jira.mongodb.org/browse/TOOLS-2587
+source:
+ id: GHSA-6cwm-wm82-hgrw
+ created: 2024-06-14T11:41:26.128315-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2024-2556.yaml b/data/reports/GO-2024-2556.yaml
new file mode 100644
index 00000000..b14d81f8
--- /dev/null
+++ b/data/reports/GO-2024-2556.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2556
+modules:
+ - module: github.com/elastic/apm-server
+ non_go_versions:
+ - fixed: 8.12.1
+ vulnerable_at: 6.8.23+incompatible
+summary: APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server
+cves:
+ - CVE-2024-23448
+ghsas:
+ - GHSA-8r33-q5j5-rh7g
+references:
+ - advisory: https://github.com/advisories/GHSA-8r33-q5j5-rh7g
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23448
+ - web: https://discuss.elastic.co/t/apm-server-8-12-1-security-update-esa-2024-03/352688
+ - web: https://www.elastic.co/community/security
+source:
+ id: GHSA-8r33-q5j5-rh7g
+ created: 2024-06-14T11:41:38.704445-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2557.yaml b/data/reports/GO-2024-2557.yaml
new file mode 100644
index 00000000..f859bedd
--- /dev/null
+++ b/data/reports/GO-2024-2557.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2557
+modules:
+ - module: github.com/greenpau/caddy-security
+ unsupported_versions:
+ - version: 1.1.23
+ type: last_affected
+ vulnerable_at: 1.1.29
+summary: Insufficient Session Expiration in github.com/greenpau/caddy-security
+cves:
+ - CVE-2024-21492
+ghsas:
+ - GHSA-vp66-gf7w-9m4x
+references:
+ - advisory: https://github.com/advisories/GHSA-vp66-gf7w-9m4x
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21492
+ - report: https://github.com/greenpau/caddy-security/issues/272
+ - web: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
+ - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5920787
+source:
+ id: GHSA-vp66-gf7w-9m4x
+ created: 2024-06-14T11:41:43.266028-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2558.yaml b/data/reports/GO-2024-2558.yaml
new file mode 100644
index 00000000..0d816bf4
--- /dev/null
+++ b/data/reports/GO-2024-2558.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2558
+modules:
+ - module: github.com/greenpau/caddy-security
+ unsupported_versions:
+ - version: 1.1.23
+ type: last_affected
+ vulnerable_at: 1.1.29
+summary: Authentication Bypass by Spoofing in github.com/greenpau/caddy-security
+cves:
+ - CVE-2024-21494
+ghsas:
+ - GHSA-vj36-3ccr-6563
+references:
+ - advisory: https://github.com/advisories/GHSA-vj36-3ccr-6563
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21494
+ - report: https://github.com/greenpau/caddy-security/issues/266
+ - web: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
+ - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249859
+source:
+ id: GHSA-vj36-3ccr-6563
+ created: 2024-06-14T11:41:47.937414-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2559.yaml b/data/reports/GO-2024-2559.yaml
new file mode 100644
index 00000000..1481b7fa
--- /dev/null
+++ b/data/reports/GO-2024-2559.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2559
+modules:
+ - module: github.com/greenpau/caddy-security
+ unsupported_versions:
+ - version: 1.1.23
+ type: last_affected
+ vulnerable_at: 1.1.29
+summary: Cross-site Scripting in github.com/greenpau/caddy-security
+cves:
+ - CVE-2024-21496
+ghsas:
+ - GHSA-ff72-ff42-c3gw
+references:
+ - advisory: https://github.com/advisories/GHSA-ff72-ff42-c3gw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21496
+ - report: https://github.com/greenpau/caddy-security/issues/267
+ - web: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
+ - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249860
+source:
+ id: GHSA-ff72-ff42-c3gw
+ created: 2024-06-14T11:41:53.201238-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2560.yaml b/data/reports/GO-2024-2560.yaml
new file mode 100644
index 00000000..c1c1a620
--- /dev/null
+++ b/data/reports/GO-2024-2560.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2560
+modules:
+ - module: github.com/greenpau/caddy-security
+ unsupported_versions:
+ - version: 1.1.23
+ type: last_affected
+ vulnerable_at: 1.1.29
+summary: Open Redirect in github.com/greenpau/caddy-security
+cves:
+ - CVE-2024-21497
+ghsas:
+ - GHSA-8hp3-rmr7-xh88
+references:
+ - advisory: https://github.com/advisories/GHSA-8hp3-rmr7-xh88
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21497
+ - report: https://github.com/greenpau/caddy-security/issues/268
+ - web: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
+ - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249861
+source:
+ id: GHSA-8hp3-rmr7-xh88
+ created: 2024-06-14T11:41:57.639653-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2561.yaml b/data/reports/GO-2024-2561.yaml
new file mode 100644
index 00000000..02fdd1e2
--- /dev/null
+++ b/data/reports/GO-2024-2561.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2561
+modules:
+ - module: github.com/greenpau/caddy-security
+ unsupported_versions:
+ - version: 1.1.23
+ type: last_affected
+ vulnerable_at: 1.1.29
+summary: Server-Side Request Forgery in github.com/greenpau/caddy-security
+cves:
+ - CVE-2024-21498
+ghsas:
+ - GHSA-93x8-66j2-wwr5
+references:
+ - advisory: https://github.com/advisories/GHSA-93x8-66j2-wwr5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21498
+ - report: https://github.com/greenpau/caddy-security/issues/269
+ - web: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
+ - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249862
+source:
+ id: GHSA-93x8-66j2-wwr5
+ created: 2024-06-14T11:42:01.981167-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2562.yaml b/data/reports/GO-2024-2562.yaml
new file mode 100644
index 00000000..0a4db8c2
--- /dev/null
+++ b/data/reports/GO-2024-2562.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2562
+modules:
+ - module: github.com/greenpau/caddy-security
+ unsupported_versions:
+ - version: 1.1.23
+ type: last_affected
+ vulnerable_at: 1.1.29
+summary: Improper Neutralization of HTTP Headers in github.com/greenpau/caddy-security
+cves:
+ - CVE-2024-21499
+ghsas:
+ - GHSA-r969-783f-6jqr
+references:
+ - advisory: https://github.com/advisories/GHSA-r969-783f-6jqr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21499
+ - report: https://github.com/greenpau/caddy-security/issues/270
+ - web: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
+ - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249863
+source:
+ id: GHSA-r969-783f-6jqr
+ created: 2024-06-14T11:42:07.479664-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2563.yaml b/data/reports/GO-2024-2563.yaml
new file mode 100644
index 00000000..11bb4512
--- /dev/null
+++ b/data/reports/GO-2024-2563.yaml
@@ -0,0 +1,25 @@
+id: GO-2024-2563
+modules:
+ - module: github.com/greenpau/caddy-security
+ unsupported_versions:
+ - version: 1.1.23
+ type: last_affected
+ vulnerable_at: 1.1.29
+summary: |-
+ Improper Restriction of Excessive Authentication Attempts in
+ github.com/greenpau/caddy-security
+cves:
+ - CVE-2024-21500
+ghsas:
+ - GHSA-vfph-hjfv-cpv2
+references:
+ - advisory: https://github.com/advisories/GHSA-vfph-hjfv-cpv2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21500
+ - report: https://github.com/greenpau/caddy-security/issues/271
+ - web: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
+ - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249864
+source:
+ id: GHSA-vfph-hjfv-cpv2
+ created: 2024-06-14T11:42:12.085045-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2564.yaml b/data/reports/GO-2024-2564.yaml
new file mode 100644
index 00000000..f6ce421e
--- /dev/null
+++ b/data/reports/GO-2024-2564.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2564
+modules:
+ - module: github.com/greenpau/caddy-security
+ unsupported_versions:
+ - version: 1.1.23
+ type: last_affected
+ vulnerable_at: 1.1.29
+summary: Improper Validation of Array Index in github.com/greenpau/caddy-security
+cves:
+ - CVE-2024-21493
+ghsas:
+ - GHSA-8h95-jcp5-pjpr
+references:
+ - advisory: https://github.com/advisories/GHSA-8h95-jcp5-pjpr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21493
+ - report: https://github.com/greenpau/caddy-security/issues/263
+ - web: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
+ - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078
+source:
+ id: GHSA-8h95-jcp5-pjpr
+ created: 2024-06-14T11:42:16.399855-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2565.yaml b/data/reports/GO-2024-2565.yaml
new file mode 100644
index 00000000..2559a262
--- /dev/null
+++ b/data/reports/GO-2024-2565.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-2565
+modules:
+ - module: github.com/greenpau/caddy-security
+ unsupported_versions:
+ - version: 1.0.42
+ type: last_affected
+ vulnerable_at: 1.1.29
+summary: Use of Insufficiently Random Values in github.com/greenpau/caddy-security
+cves:
+ - CVE-2024-21495
+ghsas:
+ - GHSA-c7vf-m394-m4x4
+references:
+ - advisory: https://github.com/advisories/GHSA-c7vf-m394-m4x4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21495
+ - report: https://github.com/greenpau/caddy-security/issues/265
+ - web: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
+ - web: https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2
+ - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6248275
+source:
+ id: GHSA-c7vf-m394-m4x4
+ created: 2024-06-14T11:42:21.52675-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2582.yaml b/data/reports/GO-2024-2582.yaml
new file mode 100644
index 00000000..b3a808cb
--- /dev/null
+++ b/data/reports/GO-2024-2582.yaml
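Review bot: The reference `https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2` is typed `web`, but it points at a commit in a different module, which strongly suggests the weak-randomness code and its fix live in `github.com/greenpau/go-authcrunch` rather than in caddy-security itself. If that commit is the fix, the reference should be `- fix: https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2` and the report should gain a second module entry for `github.com/greenpau/go-authcrunch` with a real `versions: - fixed:` bound, so that consumers of the dependency actually get a range. As written, the only module is caddy-security with a `last_affected` of 1.0.42 next to `vulnerable_at: 1.1.29`, the same contradiction as in the sibling reports. I cannot confirm the fixing go-authcrunch tag from this diff, so that needs to be checked against the module's tags before the module entry is added.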
@@ -0,0 +1,20 @@
+id: GO-2024-2582
+modules:
+ - module: github.com/stacklok/minder
+ non_go_versions:
+ - fixed: 0.20240226.1425
+ vulnerable_at: 0.0.51
+summary: Minder trusts client-provided mapping from repo name to upstream ID in github.com/stacklok/minder
+cves:
+ - CVE-2024-27093
+ghsas:
+ - GHSA-q6h8-4j2v-pjg4
+references:
+ - advisory: https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-27093
+ - fix: https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d
+source:
+ id: GHSA-q6h8-4j2v-pjg4
+ created: 2024-06-14T11:42:26.439797-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2024-2588.yaml b/data/reports/GO-2024-2588.yaml
new file mode 100644
index 00000000..dd2ef757
--- /dev/null
+++ b/data/reports/GO-2024-2588.yaml
@@ -0,0 +1,31 @@
+id: GO-2024-2588
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.0.0+incompatible
+ - fixed: 9.4.2+incompatible
+ vulnerable_at: 9.4.2-rc2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.9
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost race condition in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-1949
+ghsas:
+ - GHSA-3g35-v53r-gpxc
+unknown_aliases:
+ - CGA-jmr7-jr2v-rjcq
+references:
+ - advisory: https://github.com/advisories/GHSA-3g35-v53r-gpxc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1949
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-3g35-v53r-gpxc
+ created: 2024-06-26T16:10:37.990276-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
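Review bot: `non_go_versions: - fixed: 0.20240226.1425` records the Minder fix only as a date-based product version, so the report carries no Go version range and, as I understand the OSV export, every version of `github.com/stacklok/minder` will be reported as vulnerable even after the fix shipped. The hunk already cites the fix commit `53868a878e93f29c43437f96dbc990b548e48d1d`; a pseudo-version derived from it (`0.0.0-<commit-date>-53868a878e93`) under `versions: - fixed:` would let the range be bounded properly. `vulnerable_at: 0.0.51` should likewise be checked against the tags the module actually publishes, since the fix value suggests the project does not use semver tags. Finally, `unexcluded: NOT_IMPORTABLE` says this module was previously judged not importable; a one-line note on why that judgement changed would help the next reviewer.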
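Review bot: The `github.com/mattermost/mattermost-server/v5` and `/v6` module entries carry only `vulnerable_at: 5.39.3` and `vulnerable_at: 6.7.2` with no `versions:` range, which as I read the schema means every v5 and v6 release will be reported as affected, while the explicit data in the same hunk starts the affected range at `9.0.0+incompatible` and fixes the v8 line at 8.1.9. Unless the advisory really covers all of 5.x and 6.x, either give those modules an explicit `versions:` range or drop them and leave only the modules with range data. The `server/v8` entry has a related gap: `non_go_versions: - fixed: 8.1.9` is a product version, so no Go range is emitted for it either, even though `vulnerable_at: 8.0.0-20240626184126-817e18414e41` shows the module is consumed by pseudo-version and a `fixed:` pseudo-version of the patch commit could bound it. This module layout repeats verbatim in GO-2024-2589 through GO-2024-2595 below, so the decision should be applied to all of them at once.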
diff --git a/data/reports/GO-2024-2589.yaml b/data/reports/GO-2024-2589.yaml
new file mode 100644
index 00000000..06099f55
--- /dev/null
+++ b/data/reports/GO-2024-2589.yaml
@@ -0,0 +1,33 @@
+id: GO-2024-2589
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.2.0+incompatible
+ - fixed: 9.2.5+incompatible
+ - introduced: 9.3.0+incompatible
+ - fixed: 9.3.1+incompatible
+ vulnerable_at: 9.3.1-rc2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.9
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-24988
+ghsas:
+ - GHSA-6mx3-9qfh-77gj
+unknown_aliases:
+ - CGA-hxgx-rg66-hvqr
+references:
+ - advisory: https://github.com/advisories/GHSA-6mx3-9qfh-77gj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-24988
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-6mx3-9qfh-77gj
+ created: 2024-06-26T16:08:34.50613-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2590.yaml b/data/reports/GO-2024-2590.yaml
new file mode 100644
index 00000000..a3188968
--- /dev/null
+++ b/data/reports/GO-2024-2590.yaml
@@ -0,0 +1,35 @@
+id: GO-2024-2590
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.2.0+incompatible
+ - fixed: 9.2.5+incompatible
+ - introduced: 9.3.0+incompatible
+ - fixed: 9.3.1+incompatible
+ - introduced: 9.4.0+incompatible
+ - fixed: 9.4.2+incompatible
+ vulnerable_at: 9.4.2-rc2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.9
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-23493
+ghsas:
+ - GHSA-7v3v-984v-h74r
+unknown_aliases:
+ - CGA-gvhx-fgcw-f546
+references:
+ - advisory: https://github.com/advisories/GHSA-7v3v-984v-h74r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23493
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-7v3v-984v-h74r
+ created: 2024-06-26T16:06:07.408556-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2591.yaml b/data/reports/GO-2024-2591.yaml
new file mode 100644
index 00000000..b93b4107
--- /dev/null
+++ b/data/reports/GO-2024-2591.yaml
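Review bot: The summary line `Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server` has a grammatical slip (`of a teams`); since the summary is the user-facing headline of the report, I would change it to `summary: Mattermost leaks details of AD/LDAP groups of a team in github.com/mattermost/mattermost-server`. It appears to be copied from the upstream advisory text, so the `source:` block still correctly records GHSA-7v3v-984v-h74r as the origin even after the wording fix.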
@@ -0,0 +1,33 @@
+id: GO-2024-2591
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.2.0+incompatible
+ - fixed: 9.2.5+incompatible
+ - introduced: 9.3.0+incompatible
+ - fixed: 9.3.1+incompatible
+ vulnerable_at: 9.3.1-rc2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.9
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-1887
+ghsas:
+ - GHSA-fx48-xv6q-6gp3
+unknown_aliases:
+ - CGA-9c85-rg9h-4w8m
+references:
+ - advisory: https://github.com/advisories/GHSA-fx48-xv6q-6gp3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1887
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-fx48-xv6q-6gp3
+ created: 2024-06-26T16:10:47.852031-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2592.yaml b/data/reports/GO-2024-2592.yaml
new file mode 100644
index 00000000..a2951339
--- /dev/null
+++ b/data/reports/GO-2024-2592.yaml
@@ -0,0 +1,33 @@
+id: GO-2024-2592
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.2.0+incompatible
+ - fixed: 9.2.5+incompatible
+ - introduced: 9.3.0+incompatible
+ - fixed: 9.3.1+incompatible
+ vulnerable_at: 9.3.1-rc2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.9
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-1942
+ghsas:
+ - GHSA-hwjf-4667-gqwx
+unknown_aliases:
+ - CGA-xvq7-x2jj-6hg4
+references:
+ - advisory: https://github.com/advisories/GHSA-hwjf-4667-gqwx
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1942
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-hwjf-4667-gqwx
+ created: 2024-06-26T16:07:03.779047-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2593.yaml b/data/reports/GO-2024-2593.yaml
new file mode 100644
index 00000000..c8e2a99c
--- /dev/null
+++ b/data/reports/GO-2024-2593.yaml
@@ -0,0 +1,35 @@
+id: GO-2024-2593
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.2.0+incompatible
+ - fixed: 9.2.5+incompatible
+ - introduced: 9.3.0+incompatible
+ - fixed: 9.3.1+incompatible
+ - introduced: 9.4.0+incompatible
+ - fixed: 9.4.2+incompatible
+ vulnerable_at: 9.4.2-rc2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.9
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-1888
+ghsas:
+ - GHSA-pfw6-5rx3-xh3c
+unknown_aliases:
+ - CGA-f9x4-gc5p-g8jr
+references:
+ - advisory: https://github.com/advisories/GHSA-pfw6-5rx3-xh3c
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1888
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-pfw6-5rx3-xh3c
+ created: 2024-06-26T16:09:33.224974-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2594.yaml b/data/reports/GO-2024-2594.yaml
new file mode 100644
index 00000000..cab2b3ae
--- /dev/null
+++ b/data/reports/GO-2024-2594.yaml
@@ -0,0 +1,35 @@
+id: GO-2024-2594
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.2.0+incompatible
+ - fixed: 9.2.5+incompatible
+ - introduced: 9.3.0+incompatible
+ - fixed: 9.3.1+incompatible
+ - introduced: 9.4.0+incompatible
+ - fixed: 9.4.2+incompatible
+ vulnerable_at: 9.4.2-rc2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.9
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-1953
+ghsas:
+ - GHSA-vm9m-57jr-4pxh
+unknown_aliases:
+ - CGA-25vp-ggq8-49x6
+references:
+ - advisory: https://github.com/advisories/GHSA-vm9m-57jr-4pxh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1953
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-vm9m-57jr-4pxh
+ created: 2024-06-26T16:08:54.70065-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2595.yaml b/data/reports/GO-2024-2595.yaml
new file mode 100644
index 00000000..3d1ed7f7
--- /dev/null
+++ b/data/reports/GO-2024-2595.yaml
@@ -0,0 +1,31 @@
+id: GO-2024-2595
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.0.0+incompatible
+ - fixed: 9.4.2+incompatible
+ vulnerable_at: 9.4.2-rc2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.1.9
+ vulnerable_at: 8.0.0-20240626184126-817e18414e41
+summary: Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-23488
+ghsas:
+ - GHSA-xgxj-j98c-59rv
+unknown_aliases:
+ - CGA-cp3f-8rch-xvmv
+references:
+ - advisory: https://github.com/advisories/GHSA-xgxj-j98c-59rv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23488
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-xgxj-j98c-59rv
+ created: 2024-06-26T16:13:06.887134-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE