data/excluded,data/reports: add 6 reports

  - data/excluded/GO-2024-2985.yaml
  - data/excluded/GO-2024-2986.yaml
  - data/reports/GO-2024-2987.yaml
  - data/reports/GO-2024-2989.yaml
  - data/reports/GO-2024-2990.yaml
  - data/reports/GO-2024-2992.yaml

Fixes #2985
Fixes #2986
Fixes #2987
Fixes #2989
Fixes #2990
Fixes #2992

Change-Id: Ic7fbcd2b3fb62df054f13fdba9b4b4cb1aee8d6e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599457
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>

data/excluded/GO-2024-2985.yaml

@@ -0,0 +1,6 @@
+id: GO-2024-2985
+excluded: NOT_GO_CODE
+modules:
+ - module: github.com/apache/airflow
+cves:
+ - CVE-2024-39863

data/excluded/GO-2024-2986.yaml

@@ -0,0 +1,6 @@
+id: GO-2024-2986
+excluded: NOT_GO_CODE
+modules:
+ - module: github.com/apache/airflow
+cves:
+ - CVE-2024-39877

data/osv/GO-2024-2987.json

@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2987",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-6535",
+ "GHSA-w799-v85j-88pg"
+ ],
+ "summary": "Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper",
+ "details": "Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/skupperproject/skupper",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20240703184342-c26bce4079ff"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-w799-v85j-88pg"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6535"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/skupperproject/skupper/commit/d2cb3782e807853694ee66b6e3d4a1917485eb71"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-6535"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296024"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2987",
+ "review_status": "UNREVIEWED"
+ }
+}

data/osv/GO-2024-2989.json

@@ -0,0 +1,82 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2989",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-40641",
+ "GHSA-c3q9-c27p-cw9h"
+ ],
+ "summary": "projectdiscovery/nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei",
+ "details": "projectdiscovery/nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/projectdiscovery/nuclei",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/projectdiscovery/nuclei/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/projectdiscovery/nuclei/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.3.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40641"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2989",
+ "review_status": "UNREVIEWED"
+ }
+}

data/osv/GO-2024-2990.json

@@ -0,0 +1,63 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2990",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-39907",
+ "GHSA-5grx-v727-qmq6"
+ ],
+ "summary": "1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel",
+ "details": "1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/1Panel-dev/1Panel before v1.10.12-tls.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/1Panel-dev/1Panel",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.10.12-tls"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39907"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/1Panel-dev/1Panel/commit/ff549a47937c1314e6ee08453a1d2128242440cd"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2990",
+ "review_status": "UNREVIEWED"
+ }
+}

data/osv/GO-2024-2992.json

@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2992",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-39911"
+ ],
+ "summary": "1Panel SQL injection in github.com/1Panel-dev/1Panel",
+ "details": "1Panel SQL injection in github.com/1Panel-dev/1Panel",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/1Panel-dev/1Panel",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.10.12-lts"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39911"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.mo60.cn/index.php/archives/1Panel_SQLinjection2Rce.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7m53-pwp6-v3f5"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2992",
+ "review_status": "UNREVIEWED"
+ }
+}

data/reports/GO-2024-2987.yaml

@@ -0,0 +1,22 @@
+id: GO-2024-2987
+modules:
+ - module: github.com/skupperproject/skupper
+ versions:
+ - fixed: 0.0.0-20240703184342-c26bce4079ff
+summary: Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper
+cves:
+ - CVE-2024-6535
+ghsas:
+ - GHSA-w799-v85j-88pg
+references:
+ - advisory: https://github.com/advisories/GHSA-w799-v85j-88pg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6535
+ - fix: https://github.com/skupperproject/skupper/commit/d2cb3782e807853694ee66b6e3d4a1917485eb71
+ - web: https://access.redhat.com/security/cve/CVE-2024-6535
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2296024
+notes:
+ - fix: 'github.com/skupperproject/skupper: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-w799-v85j-88pg
+ created: 2024-07-18T16:18:19.770441-04:00
+review_status: UNREVIEWED

data/reports/GO-2024-2989.yaml

@@ -0,0 +1,24 @@
+id: GO-2024-2989
+modules:
+ - module: github.com/projectdiscovery/nuclei
+ vulnerable_at: 1.1.7
+ - module: github.com/projectdiscovery/nuclei/v2
+ vulnerable_at: 2.9.15
+ - module: github.com/projectdiscovery/nuclei/v3
+ versions:
+ - fixed: 3.3.0
+ vulnerable_at: 3.2.9
+summary: |-
+ projectdiscovery/nuclei allows unsigned code template execution through
+ workflows in github.com/projectdiscovery/nuclei
+cves:
+ - CVE-2024-40641
+ghsas:
+ - GHSA-c3q9-c27p-cw9h
+references:
+ - advisory: https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40641
+source:
+ id: GHSA-c3q9-c27p-cw9h
+ created: 2024-07-18T16:18:07.953998-04:00
+review_status: UNREVIEWED

data/reports/GO-2024-2990.yaml

@@ -0,0 +1,19 @@
+id: GO-2024-2990
+modules:
+ - module: github.com/1Panel-dev/1Panel
+ non_go_versions:
+ - fixed: 1.10.12-tls
+ vulnerable_at: 1.9.6
+summary: 1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel
+cves:
+ - CVE-2024-39907
+ghsas:
+ - GHSA-5grx-v727-qmq6
+references:
+ - advisory: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39907
+ - fix: https://github.com/1Panel-dev/1Panel/commit/ff549a47937c1314e6ee08453a1d2128242440cd
+source:
+ id: GHSA-5grx-v727-qmq6
+ created: 2024-07-18T16:18:04.925699-04:00
+review_status: UNREVIEWED

data/reports/GO-2024-2992.yaml

@@ -0,0 +1,17 @@
+id: GO-2024-2992
+modules:
+ - module: github.com/1Panel-dev/1Panel
+ versions:
+ - fixed: 1.10.12-lts
+ vulnerable_at: 1.10.12-beta
+summary: 1Panel SQL injection in github.com/1Panel-dev/1Panel
+cves:
+ - CVE-2024-39911
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39911
+ - web: https://blog.mo60.cn/index.php/archives/1Panel_SQLinjection2Rce.html
+ - web: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7m53-pwp6-v3f5
+source:
+ id: CVE-2024-39911
+ created: 2024-07-18T16:18:00.687879-04:00
+review_status: UNREVIEWED