From 48d6810d06d7ebe625382139c89b5bdc9f289a8f Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley
Date: Thu, 26 Sep 2024 14:14:56 -0400
Subject: [PATCH] data/reports: add 11 unreviewed reports

- data/reports/GO-2024-3135.yaml
- data/reports/GO-2024-3136.yaml
- data/reports/GO-2024-3137.yaml
- data/reports/GO-2024-3138.yaml
- data/reports/GO-2024-3139.yaml
- data/reports/GO-2024-3153.yaml
- data/reports/GO-2024-3155.yaml
- data/reports/GO-2024-3156.yaml
- data/reports/GO-2024-3157.yaml
- data/reports/GO-2024-3158.yaml
- data/reports/GO-2024-3160.yaml

Fixes golang/vulndb#3135
Fixes golang/vulndb#3136
Fixes golang/vulndb#3137
Fixes golang/vulndb#3138
Fixes golang/vulndb#3139
Fixes golang/vulndb#3153
Fixes golang/vulndb#3155
Fixes golang/vulndb#3156
Fixes golang/vulndb#3157
Fixes golang/vulndb#3158
Fixes golang/vulndb#3160

Change-Id: I35e14a6e3457549217ad4853570de94f94fc0281
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/616060
Reviewed-by: Zvonimir Pavlinovic
LUCI-TryBot-Result: Go LUCI
Auto-Submit: Tatiana Bradley
---
 data/osv/GO-2024-3135.json | 97 ++++++++++++++++++++++++++++++
 data/osv/GO-2024-3136.json | 56 +++++++++++++++++
 data/osv/GO-2024-3137.json | 107 +++++++++++++++++++++++++++++++++
 data/osv/GO-2024-3138.json | 107 +++++++++++++++++++++++++++++++++
 data/osv/GO-2024-3139.json | 107 +++++++++++++++++++++++++++++++++
 data/osv/GO-2024-3153.json | 52 ++++++++++++++++
 data/osv/GO-2024-3155.json | 48 +++++++++++++++
 data/osv/GO-2024-3156.json | 48 +++++++++++++++
 data/osv/GO-2024-3157.json | 60 ++++++++++++++++++
 data/osv/GO-2024-3158.json | 56 +++++++++++++++++
 data/osv/GO-2024-3160.json | 44 ++++++++++++++
 data/reports/GO-2024-3135.yaml | 28 +++++++++
 data/reports/GO-2024-3136.yaml | 20 ++++++
 data/reports/GO-2024-3137.yaml | 34 +++++++++++
 data/reports/GO-2024-3138.yaml | 34 +++++++++++
 data/reports/GO-2024-3139.yaml | 34 +++++++++++
 data/reports/GO-2024-3153.yaml | 19 ++++++
 data/reports/GO-2024-3155.yaml | 15 +++++
 data/reports/GO-2024-3156.yaml | 15 +++++
 data/reports/GO-2024-3157.yaml | 21 +++++++
 data/reports/GO-2024-3158.yaml | 20 ++++++
 data/reports/GO-2024-3160.yaml | 19 ++++++
 22 files changed, 1041 insertions(+)
 create mode 100644 data/osv/GO-2024-3135.json
 create mode 100644 data/osv/GO-2024-3136.json
 create mode 100644 data/osv/GO-2024-3137.json
 create mode 100644 data/osv/GO-2024-3138.json
 create mode 100644 data/osv/GO-2024-3139.json
 create mode 100644 data/osv/GO-2024-3153.json
 create mode 100644 data/osv/GO-2024-3155.json
 create mode 100644 data/osv/GO-2024-3156.json
 create mode 100644 data/osv/GO-2024-3157.json
 create mode 100644 data/osv/GO-2024-3158.json
 create mode 100644 data/osv/GO-2024-3160.json
 create mode 100644 data/reports/GO-2024-3135.yaml
 create mode 100644 data/reports/GO-2024-3136.yaml
 create mode 100644 data/reports/GO-2024-3137.yaml
 create mode 100644 data/reports/GO-2024-3138.yaml
 create mode 100644 data/reports/GO-2024-3139.yaml
 create mode 100644 data/reports/GO-2024-3153.yaml
 create mode 100644 data/reports/GO-2024-3155.yaml
 create mode 100644 data/reports/GO-2024-3156.yaml
 create mode 100644 data/reports/GO-2024-3157.yaml
 create mode 100644 data/reports/GO-2024-3158.yaml
 create mode 100644 data/reports/GO-2024-3160.yaml

diff --git a/data/osv/GO-2024-3135.json b/data/osv/GO-2024-3135.json
new file mode 100644
index 00000000..e4243cb5
--- /dev/null
+++ b/data/osv/GO-2024-3135.json
@@ -0,0 +1,97 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3135", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-45410", + "GHSA-62c8-mh53-4cqv" + ], + "summary": "HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik", + "details": "HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik", + "affected": [ + { + "package": { + "name": "github.com/traefik/traefik", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.11.9" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "3.0.0-beta3" + }, + { + "fixed": "3.1.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45410" + }, + { + "type": "FIX", + "url": "https://github.com/traefik/traefik/commit/584144100524277829f26219baaab29a53b8134f" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v2.11.9" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v3.1.3" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3135", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3136.json b/data/osv/GO-2024-3136.json new file mode 100644 index 00000000..1209d96d --- /dev/null 
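Review bot: The first `affected` entry, for `github.com/traefik/traefik`, has only `"introduced": "0"` and no `fixed` event, so every v1 release is reported as vulnerable with no remediation, while the v2 and v3 entries record fixes at 2.11.9 and 3.1.3; the source YAML (hunk ending at L17) resolves this module to `vulnerable_at: 1.7.34` with no `versions` list. If the advisory genuinely lists the v1 module as affected and unfixed, that is what the record should say, but it is worth confirming that the open range was not produced by an unmapped version rather than a real "no fix" state, since consumers of this range will flag every v1 user indefinitely. If v1 is unmaintained and has no fix, a short `description:` in the YAML stating that no fixed v1 release exists would make the open-ended range intentional rather than accidental.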
+++ b/data/osv/GO-2024-3136.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3136", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-27584", + "GHSA-hpc8-7wpm-889w" + ], + "summary": "Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly", + "details": "Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly", + "affected": [ + { + "package": { + "name": "d7y.io/dragonfly/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.0-beta.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27584" + }, + { + "type": "WEB", + "url": "https://github.com/dragonflyoss/Dragonfly2/commit/e9da69dc4048bf2a18a671be94616d85e3429433" + }, + { + "type": "WEB", + "url": "https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3136", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3137.json b/data/osv/GO-2024-3137.json new file mode 100644 index 00000000..e70a1a47 --- /dev/null +++ b/data/osv/GO-2024-3137.json 
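Review bot: `summary` and `details` read "hard coded cyptographic key", a misspelling of "cryptographic" that is likely inherited from the advisory title but will be rendered verbatim to users; in the YAML (hunk ending at L17) this is `summary: Dragonfly2 has hard coded cryptographic key in d7y.io/dragonfly`. The Dragonfly2 commit `e9da69dc4048bf2a18a671be94616d85e3429433` is typed `WEB` here (`web:` in the YAML) although it appears to be the patch itself; `- fix: https://github.com/dragonflyoss/Dragonfly2/commit/e9da69dc4048bf2a18a671be94616d85e3429433` would let it surface as a fix reference. The recorded fixed version is `2.1.0-beta.1` but the only release referenced is `v2.0.9`, so one of those two should be checked against the advisory before the report leaves UNREVIEWED.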
@@ -0,0 +1,107 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3137", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-46999", + "GHSA-2w5j-qfvw-2hf5" + ], + "summary": "ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel", + "details": "ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.", + "affected": [ + { + "package": { + "name": "github.com/zitadel/zitadel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.54.10" + }, + { + "introduced": "2.55.0" + }, + { + "fixed": "2.55.8" + }, + { + "introduced": "2.56.0" + }, + { + "fixed": "2.56.6" + }, + { + "introduced": "2.57.0" + }, + { + "fixed": "2.57.5" + }, + { + "introduced": "2.58.0" + }, + { + "fixed": "2.58.5" + }, + { + "introduced": "2.59.0" + }, + { + "fixed": "2.59.3" + }, + { + "introduced": "2.60.0" + }, + { + "fixed": "2.60.2" + }, + { + "introduced": "2.61.0" + }, + { + "fixed": "2.61.1" + }, + { + "introduced": "2.62.0" + }, + { + "fixed": "2.62.1" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5" + }, + { + 
"type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46999" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3137", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3138.json b/data/osv/GO-2024-3138.json new file mode 100644 index 00000000..097e0731 --- /dev/null +++ b/data/osv/GO-2024-3138.json 
@@ -0,0 +1,107 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3138", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-47060", + "GHSA-jj94-6f5c-65r8" + ], + "summary": "ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel", + "details": "ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.", + "affected": [ + { + "package": { + "name": "github.com/zitadel/zitadel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.54.10" + }, + { + "introduced": "2.55.0" + }, + { + "fixed": "2.55.8" + }, + { + "introduced": "2.56.0" + }, + { + "fixed": "2.56.6" + }, + { + "introduced": "2.57.0" + }, + { + "fixed": "2.57.5" + }, + { + "introduced": "2.58.0" + }, + { + "fixed": "2.58.5" + }, + { + "introduced": "2.59.0" + }, + { + "fixed": "2.59.3" + }, + { + "introduced": "2.60.0" + }, + { + "fixed": "2.60.2" + }, + { + "introduced": "2.61.0" + }, + { + "fixed": "2.61.1" + }, + { + "introduced": "2.62.0" + }, + { + "fixed": "2.62.1" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": 
"https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47060" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3138", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3139.json b/data/osv/GO-2024-3139.json new file mode 100644 index 00000000..4c01dcc3 --- /dev/null +++ b/data/osv/GO-2024-3139.json 
@@ -0,0 +1,107 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3139", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-47000", + "GHSA-qr2h-7pwm-h393" + ], + "summary": "ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel", + "details": "ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.", + "affected": [ + { + "package": { + "name": "github.com/zitadel/zitadel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.54.10" + }, + { + "introduced": "2.55.0" + }, + { + "fixed": "2.55.8" + }, + { + "introduced": "2.56.0" + }, + { + "fixed": "2.56.6" + }, + { + "introduced": "2.57.0" + }, + { + "fixed": "2.57.5" + }, + { + "introduced": "2.58.0" + }, + { + "fixed": "2.58.5" + }, + { + "introduced": "2.59.0" + }, + { + "fixed": "2.59.3" + }, + { + "introduced": "2.60.0" + }, + { + "fixed": "2.60.2" + }, + { + "introduced": "2.61.0" + }, + { + "fixed": "2.61.1" + }, + { + "introduced": "2.62.0" + }, + { + "fixed": "2.62.1" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393" + }, + 
{ + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47000" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3139", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3153.json b/data/osv/GO-2024-3153.json new file mode 100644 index 00000000..f4b6002d --- /dev/null +++ b/data/osv/GO-2024-3153.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3153", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-47062", + "GHSA-58vj-cv5w-v4v6" + ], + "summary": "Navidrome has Multiple SQL Injections and ORM Leak in github.com/navidrome/navidrome", + "details": "Navidrome has Multiple SQL Injections and ORM Leak in github.com/navidrome/navidrome", + "affected": [ + { + "package": { + "name": "github.com/navidrome/navidrome", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.53.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-58vj-cv5w-v4v6" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47062" + }, + { + "type": "FIX", + "url": "https://github.com/navidrome/navidrome/commit/3107170afd9f557a10f7031f23cb3c9e975a71f9" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3153", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3155.json b/data/osv/GO-2024-3155.json new file mode 100644 index 00000000..9bb118b3 --- /dev/null +++ b/data/osv/GO-2024-3155.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3155", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-47218" + ], + "summary": "CVE-2024-47218 in github.com/vesoft-inc/nebula", + "details": "CVE-2024-47218 in github.com/vesoft-inc/nebula", + "affected": [ + { + "package": { + "name": "github.com/vesoft-inc/nebula", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47218" + }, + { + "type": "FIX", + "url": "https://github.com/vesoft-inc/nebula/pull/5936" + }, + { + "type": "FIX", + "url": "https://github.com/vesoft-inc/nebula/pull/5936/commits/cd6c5976ccfe817b2e0a2d46227cd361bfefb45c" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3155", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3156.json b/data/osv/GO-2024-3156.json new file mode 100644 index 00000000..3fddf184 --- /dev/null +++ b/data/osv/GO-2024-3156.json 
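Review bot: The affected range for `github.com/vesoft-inc/nebula` is `"introduced": "0"` with no `fixed` event even though two `FIX` references (PR 5936 and a commit from it) are listed, so every version is reported as affected and no remediation is offered; GO-2024-3156 (hunk ending at L13) has the identical range and the identical PR and commit, and the same holds for both YAML reports (hunks ending at L20 and L21). The YAML's `vulnerable_at: 3.8.0+incompatible` indicates no go.mod was found at that tag, which is consistent with this repository not being a Go module at all, in which case both reports may belong in the excluded set rather than in the published database. The summary `CVE-2024-47218 in github.com/vesoft-inc/nebula` is a placeholder that says nothing about the vulnerability. Suggest confirming whether the affected code is Go before publication and, if it is, recording the first release containing PR 5936 as `fixed` together with a descriptive summary.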
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3156", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-47219" + ], + "summary": "CVE-2024-47219 in github.com/vesoft-inc/nebula", + "details": "CVE-2024-47219 in github.com/vesoft-inc/nebula", + "affected": [ + { + "package": { + "name": "github.com/vesoft-inc/nebula", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47219" + }, + { + "type": "FIX", + "url": "https://github.com/vesoft-inc/nebula/pull/5936" + }, + { + "type": "FIX", + "url": "https://github.com/vesoft-inc/nebula/pull/5936/commits/cd6c5976ccfe817b2e0a2d46227cd361bfefb45c" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3156", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3157.json b/data/osv/GO-2024-3157.json new file mode 100644 index 00000000..6eacb0da --- /dev/null +++ b/data/osv/GO-2024-3157.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3157", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-46957", + "GHSA-98hf-m87w-cq6h" + ], + "summary": "Mellium allows Authentication Bypass by Spoofing in mellium.im/xmpp", + "details": "Mellium allows Authentication Bypass by Spoofing in mellium.im/xmpp", + "affected": [ + { + "package": { + "name": "mellium.im/xmpp", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.22.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-98hf-m87w-cq6h" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46957" + }, + { + "type": "WEB", + "url": "https://codeberg.org/mellium/xmpp/releases" + }, + { + "type": "WEB", + "url": "https://codeberg.org/mellium/xmpp/releases/tag/v0.22.0" + }, + { + "type": "WEB", + "url": "https://mellium.im/cve/cve-2024-46957" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3157", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3158.json b/data/osv/GO-2024-3158.json new file mode 100644 index 00000000..4276edfd --- /dev/null +++ b/data/osv/GO-2024-3158.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3158", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-40761", + "GHSA-48cr-j2cx-mcr8" + ], + "summary": "Apache Answer: Avatar URL leaked user email addresses in github.com/apache/incubator-answer", + "details": "Apache Answer: Avatar URL leaked user email addresses in github.com/apache/incubator-answer", + "affected": [ + { + "package": { + "name": "github.com/apache/incubator-answer", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-48cr-j2cx-mcr8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40761" + }, + { + "type": "FIX", + "url": "https://github.com/apache/incubator-answer/commit/c3a17046c6c3be1cec16ba49d07d9f7742b7260f" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3158", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-3160.json b/data/osv/GO-2024-3160.json new file mode 100644 index 00000000..2ceca483 --- /dev/null +++ b/data/osv/GO-2024-3160.json 
@@ -0,0 +1,44 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-3160", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-45042", + "GHSA-wc43-73w7-x2f5" + ], + "summary": "Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos", + "details": "Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos", + "affected": [ + { + "package": { + "name": "github.com/ory/kratos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/ory/kratos/security/advisories/GHSA-wc43-73w7-x2f5" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3160", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2024-3135.yaml b/data/reports/GO-2024-3135.yaml new file mode 100644 index 00000000..6bef63ad --- /dev/null +++ b/data/reports/GO-2024-3135.yaml 
@@ -0,0 +1,28 @@ +id: GO-2024-3135 +modules: + - module: github.com/traefik/traefik + vulnerable_at: 1.7.34 + - module: github.com/traefik/traefik/v2 + versions: + - fixed: 2.11.9 + vulnerable_at: 2.11.8 + - module: github.com/traefik/traefik/v3 + versions: + - introduced: 3.0.0-beta3 + - fixed: 3.1.3 + vulnerable_at: 3.1.2 +summary: HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik +cves: + - CVE-2024-45410 +ghsas: + - GHSA-62c8-mh53-4cqv +references: + - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45410 + - fix: https://github.com/traefik/traefik/commit/584144100524277829f26219baaab29a53b8134f + - web: https://github.com/traefik/traefik/releases/tag/v2.11.9 + - web: https://github.com/traefik/traefik/releases/tag/v3.1.3 +source: + id: GHSA-62c8-mh53-4cqv + created: 2024-09-26T14:14:07.271684-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3136.yaml b/data/reports/GO-2024-3136.yaml new file mode 100644 index 00000000..1cd3555c --- /dev/null +++ b/data/reports/GO-2024-3136.yaml @@ -0,0 +1,20 @@ +id: GO-2024-3136 +modules: + - module: d7y.io/dragonfly/v2 + versions: + - fixed: 2.1.0-beta.1 + vulnerable_at: 2.1.0-beta.0 +summary: Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly +cves: + - CVE-2023-27584 +ghsas: + - GHSA-hpc8-7wpm-889w +references: + - advisory: https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-27584 + - web: https://github.com/dragonflyoss/Dragonfly2/commit/e9da69dc4048bf2a18a671be94616d85e3429433 + - web: https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9 +source: + id: GHSA-hpc8-7wpm-889w + created: 2024-09-26T14:14:02.766385-04:00 +review_status: UNREVIEWED 
diff --git a/data/reports/GO-2024-3137.yaml b/data/reports/GO-2024-3137.yaml new file mode 100644 index 00000000..a08f2165 --- /dev/null +++ b/data/reports/GO-2024-3137.yaml @@ -0,0 +1,34 @@ +id: GO-2024-3137 +modules: + - module: github.com/zitadel/zitadel + non_go_versions: + - fixed: 2.54.10 + - introduced: 2.55.0 + - fixed: 2.55.8 + - introduced: 2.56.0 + - fixed: 2.56.6 + - introduced: 2.57.0 + - fixed: 2.57.5 + - introduced: 2.58.0 + - fixed: 2.58.5 + - introduced: 2.59.0 + - fixed: 2.59.3 + - introduced: 2.60.0 + - fixed: 2.60.2 + - introduced: 2.61.0 + - fixed: 2.61.1 + - introduced: 2.62.0 + - fixed: 2.62.1 + vulnerable_at: 1.87.5 +summary: ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel +cves: + - CVE-2024-46999 +ghsas: + - GHSA-2w5j-qfvw-2hf5 +references: + - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-46999 +source: + id: GHSA-2w5j-qfvw-2hf5 + created: 2024-09-26T14:13:58.061279-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3138.yaml b/data/reports/GO-2024-3138.yaml new file mode 100644 index 00000000..aadd2d7d --- /dev/null +++ b/data/reports/GO-2024-3138.yaml 
@@ -0,0 +1,34 @@ +id: GO-2024-3138 +modules: + - module: github.com/zitadel/zitadel + non_go_versions: + - fixed: 2.54.10 + - introduced: 2.55.0 + - fixed: 2.55.8 + - introduced: 2.56.0 + - fixed: 2.56.6 + - introduced: 2.57.0 + - fixed: 2.57.5 + - introduced: 2.58.0 + - fixed: 2.58.5 + - introduced: 2.59.0 + - fixed: 2.59.3 + - introduced: 2.60.0 + - fixed: 2.60.2 + - introduced: 2.61.0 + - fixed: 2.61.1 + - introduced: 2.62.0 + - fixed: 2.62.1 + vulnerable_at: 1.87.5 +summary: ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel +cves: + - CVE-2024-47060 +ghsas: + - GHSA-jj94-6f5c-65r8 +references: + - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47060 +source: + id: GHSA-jj94-6f5c-65r8 + created: 2024-09-26T14:13:53.271528-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3139.yaml b/data/reports/GO-2024-3139.yaml new file mode 100644 index 00000000..7ee6fbb1 --- /dev/null +++ b/data/reports/GO-2024-3139.yaml @@ -0,0 +1,34 @@ +id: GO-2024-3139 +modules: + - module: github.com/zitadel/zitadel + non_go_versions: + - fixed: 2.54.10 + - introduced: 2.55.0 + - fixed: 2.55.8 + - introduced: 2.56.0 + - fixed: 2.56.6 + - introduced: 2.57.0 + - fixed: 2.57.5 + - introduced: 2.58.0 + - fixed: 2.58.5 + - introduced: 2.59.0 + - fixed: 2.59.3 + - introduced: 2.60.0 + - fixed: 2.60.2 + - introduced: 2.61.0 + - fixed: 2.61.1 + - introduced: 2.62.0 + - fixed: 2.62.1 + vulnerable_at: 1.87.5 +summary: ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel +cves: + - CVE-2024-47000 +ghsas: + - GHSA-qr2h-7pwm-h393 +references: + - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47000 +source: + id: GHSA-qr2h-7pwm-h393 + created: 2024-09-26T14:13:47.784324-04:00 +review_status: UNREVIEWED 
diff --git a/data/reports/GO-2024-3153.yaml b/data/reports/GO-2024-3153.yaml new file mode 100644 index 00000000..3abfbe47 --- /dev/null +++ b/data/reports/GO-2024-3153.yaml @@ -0,0 +1,19 @@ +id: GO-2024-3153 +modules: + - module: github.com/navidrome/navidrome + versions: + - fixed: 0.53.0 + vulnerable_at: 0.52.5 +summary: Navidrome has Multiple SQL Injections and ORM Leak in github.com/navidrome/navidrome +cves: + - CVE-2024-47062 +ghsas: + - GHSA-58vj-cv5w-v4v6 +references: + - advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-58vj-cv5w-v4v6 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47062 + - fix: https://github.com/navidrome/navidrome/commit/3107170afd9f557a10f7031f23cb3c9e975a71f9 +source: + id: GHSA-58vj-cv5w-v4v6 + created: 2024-09-26T14:13:41.458938-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3155.yaml b/data/reports/GO-2024-3155.yaml new file mode 100644 index 00000000..c0ae1f19 --- /dev/null +++ b/data/reports/GO-2024-3155.yaml @@ -0,0 +1,15 @@ +id: GO-2024-3155 +modules: + - module: github.com/vesoft-inc/nebula + vulnerable_at: 3.8.0+incompatible +summary: CVE-2024-47218 in github.com/vesoft-inc/nebula +cves: + - CVE-2024-47218 +references: + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47218 + - fix: https://github.com/vesoft-inc/nebula/pull/5936 + - fix: https://github.com/vesoft-inc/nebula/pull/5936/commits/cd6c5976ccfe817b2e0a2d46227cd361bfefb45c +source: + id: CVE-2024-47218 + created: 2024-09-26T14:13:38.921871-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3156.yaml b/data/reports/GO-2024-3156.yaml new file mode 100644 index 00000000..a7ed54d8 --- /dev/null +++ b/data/reports/GO-2024-3156.yaml 
@@ -0,0 +1,15 @@ +id: GO-2024-3156 +modules: + - module: github.com/vesoft-inc/nebula + vulnerable_at: 3.8.0+incompatible +summary: CVE-2024-47219 in github.com/vesoft-inc/nebula +cves: + - CVE-2024-47219 +references: + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47219 + - fix: https://github.com/vesoft-inc/nebula/pull/5936 + - fix: https://github.com/vesoft-inc/nebula/pull/5936/commits/cd6c5976ccfe817b2e0a2d46227cd361bfefb45c +source: + id: CVE-2024-47219 + created: 2024-09-26T14:13:35.679787-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3157.yaml b/data/reports/GO-2024-3157.yaml new file mode 100644 index 00000000..06230dd4 --- /dev/null +++ b/data/reports/GO-2024-3157.yaml @@ -0,0 +1,21 @@ +id: GO-2024-3157 +modules: + - module: mellium.im/xmpp + versions: + - fixed: 0.22.0 + vulnerable_at: 0.21.4 +summary: Mellium allows Authentication Bypass by Spoofing in mellium.im/xmpp +cves: + - CVE-2024-46957 +ghsas: + - GHSA-98hf-m87w-cq6h +references: + - advisory: https://github.com/advisories/GHSA-98hf-m87w-cq6h + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-46957 + - web: https://codeberg.org/mellium/xmpp/releases + - web: https://codeberg.org/mellium/xmpp/releases/tag/v0.22.0 + - web: https://mellium.im/cve/cve-2024-46957 +source: + id: GHSA-98hf-m87w-cq6h + created: 2024-09-26T14:13:29.228384-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3158.yaml b/data/reports/GO-2024-3158.yaml new file mode 100644 index 00000000..958915e4 --- /dev/null +++ b/data/reports/GO-2024-3158.yaml 
@@ -0,0 +1,20 @@ +id: GO-2024-3158 +modules: + - module: github.com/apache/incubator-answer + versions: + - fixed: 1.4.0 + vulnerable_at: 1.4.0-RC1 +summary: 'Apache Answer: Avatar URL leaked user email addresses in github.com/apache/incubator-answer' +cves: + - CVE-2024-40761 +ghsas: + - GHSA-48cr-j2cx-mcr8 +references: + - advisory: https://github.com/advisories/GHSA-48cr-j2cx-mcr8 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40761 + - fix: https://github.com/apache/incubator-answer/commit/c3a17046c6c3be1cec16ba49d07d9f7742b7260f + - web: https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x +source: + id: GHSA-48cr-j2cx-mcr8 + created: 2024-09-26T14:13:23.434349-04:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2024-3160.yaml b/data/reports/GO-2024-3160.yaml new file mode 100644 index 00000000..a230401d --- /dev/null +++ b/data/reports/GO-2024-3160.yaml @@ -0,0 +1,19 @@ +id: GO-2024-3160 +modules: + - module: github.com/ory/kratos + versions: + - fixed: 1.3.0 + vulnerable_at: 1.3.0-pre.0 +summary: |- + Ory Kratos's setting required_aal `highest_available` does not properly respect + code + mfa credentials in github.com/ory/kratos +cves: + - CVE-2024-45042 +ghsas: + - GHSA-wc43-73w7-x2f5 +references: + - advisory: https://github.com/ory/kratos/security/advisories/GHSA-wc43-73w7-x2f5 +source: + id: GHSA-wc43-73w7-x2f5 + created: 2024-09-26T14:13:19.945453-04:00 +review_status: UNREVIEWED