Commit
data/excluded,data/reports: add 6 reports
- data/excluded/GO-2024-2985.yaml
- data/excluded/GO-2024-2986.yaml
- data/reports/GO-2024-2987.yaml
- data/reports/GO-2024-2989.yaml
- data/reports/GO-2024-2990.yaml
- data/reports/GO-2024-2992.yaml

Fixes #2985
Fixes #2986
Fixes #2987
Fixes #2989
Fixes #2990
Fixes #2992

Change-Id: Ic7fbcd2b3fb62df054f13fdba9b4b4cb1aee8d6e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599457
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Showing 10 changed files with 350 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
id: GO-2024-2985 | ||
excluded: NOT_GO_CODE | ||
modules: | ||
- module: github.com/apache/airflow | ||
cves: | ||
- CVE-2024-39863 |
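Review bot: NOT_GO_CODE records the conclusion but nothing about how it was reached; the only content besides the id is `module: github.com/apache/airflow` and the CVE, so a later reviewer has to re-triage CVE-2024-39863 from scratch to confirm the exclusion. Adding a short justification in the tracking issue (#2985) or the commit message, stating which component the CVE affects and that no Go module at that path is involved, would make the exclusion auditable.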
@@ -0,0 +1,6 @@ | ||
id: GO-2024-2986 | ||
excluded: NOT_GO_CODE | ||
modules: | ||
- module: github.com/apache/airflow | ||
cves: | ||
- CVE-2024-39877 |
@@ -0,0 +1,60 @@ | ||
{ | ||
"schema_version": "1.3.1", | ||
"id": "GO-2024-2987", | ||
"modified": "0001-01-01T00:00:00Z", | ||
"published": "0001-01-01T00:00:00Z", | ||
"aliases": [ | ||
"CVE-2024-6535", | ||
"GHSA-w799-v85j-88pg" | ||
], | ||
"summary": "Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper", | ||
"details": "Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper", | ||
"affected": [ | ||
{ | ||
"package": { | ||
"name": "github.com/skupperproject/skupper", | ||
"ecosystem": "Go" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "SEMVER", | ||
"events": [ | ||
{ | ||
"introduced": "0" | ||
}, | ||
{ | ||
"fixed": "0.0.0-20240703184342-c26bce4079ff" | ||
} | ||
] | ||
} | ||
], | ||
"ecosystem_specific": {} | ||
} | ||
], | ||
"references": [ | ||
{ | ||
"type": "ADVISORY", | ||
"url": "https://github.com/advisories/GHSA-w799-v85j-88pg" | ||
}, | ||
{ | ||
"type": "ADVISORY", | ||
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6535" | ||
}, | ||
{ | ||
"type": "FIX", | ||
"url": "https://github.com/skupperproject/skupper/commit/d2cb3782e807853694ee66b6e3d4a1917485eb71" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://access.redhat.com/security/cve/CVE-2024-6535" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296024" | ||
} | ||
], | ||
"database_specific": { | ||
"url": "https://pkg.go.dev/vuln/GO-2024-2987", | ||
"review_status": "UNREVIEWED" | ||
} | ||
} |
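Review bot: the `fixed` event is the 0.0.0-based pseudo-version `0.0.0-20240703184342-c26bce4079ff`, and under semver ordering a 0.0.0 pre-release sorts below every tagged release, so this range marks only untagged pre-v0 pseudo-versions of github.com/skupperproject/skupper as affected and treats any tagged version as already fixed. If the static cookie secret shipped in tagged releases, the range needs a tagged fixed version (or the `details` text needs to state that only main-branch pseudo-versions are covered) before the report leaves UNREVIEWED. Separately, `details` repeats `summary` verbatim; the advisory and Bugzilla references are the place to pull in what a predictable oauth-proxy cookie secret actually permits.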
@@ -0,0 +1,82 @@ | ||
{ | ||
"schema_version": "1.3.1", | ||
"id": "GO-2024-2989", | ||
"modified": "0001-01-01T00:00:00Z", | ||
"published": "0001-01-01T00:00:00Z", | ||
"aliases": [ | ||
"CVE-2024-40641", | ||
"GHSA-c3q9-c27p-cw9h" | ||
], | ||
"summary": "projectdiscovery/nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei", | ||
"details": "projectdiscovery/nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei", | ||
"affected": [ | ||
{ | ||
"package": { | ||
"name": "github.com/projectdiscovery/nuclei", | ||
"ecosystem": "Go" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "SEMVER", | ||
"events": [ | ||
{ | ||
"introduced": "0" | ||
} | ||
] | ||
} | ||
], | ||
"ecosystem_specific": {} | ||
}, | ||
{ | ||
"package": { | ||
"name": "github.com/projectdiscovery/nuclei/v2", | ||
"ecosystem": "Go" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "SEMVER", | ||
"events": [ | ||
{ | ||
"introduced": "0" | ||
} | ||
] | ||
} | ||
], | ||
"ecosystem_specific": {} | ||
}, | ||
{ | ||
"package": { | ||
"name": "github.com/projectdiscovery/nuclei/v3", | ||
"ecosystem": "Go" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "SEMVER", | ||
"events": [ | ||
{ | ||
"introduced": "0" | ||
}, | ||
{ | ||
"fixed": "3.3.0" | ||
} | ||
] | ||
} | ||
], | ||
"ecosystem_specific": {} | ||
} | ||
], | ||
"references": [ | ||
{ | ||
"type": "ADVISORY", | ||
"url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h" | ||
}, | ||
{ | ||
"type": "ADVISORY", | ||
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40641" | ||
} | ||
], | ||
"database_specific": { | ||
"url": "https://pkg.go.dev/vuln/GO-2024-2989", | ||
"review_status": "UNREVIEWED" | ||
} | ||
} |
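Review bot: `references` carries no FIX entry although a concrete fixed version (`3.3.0` for github.com/projectdiscovery/nuclei/v3) is recorded, so a reader cannot see which change closed the unsigned-template execution path; the GHSA advisory URL is the natural place to find the fix commit and it should be added as a `FIX` reference. `details` also just repeats `summary`; since the fix applies only to the v3 module path, `details` should state what "unsigned code template execution through workflows" means and that v1 and v2 receive no fix.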
@@ -0,0 +1,63 @@ | ||
{ | ||
"schema_version": "1.3.1", | ||
"id": "GO-2024-2990", | ||
"modified": "0001-01-01T00:00:00Z", | ||
"published": "0001-01-01T00:00:00Z", | ||
"aliases": [ | ||
"CVE-2024-39907", | ||
"GHSA-5grx-v727-qmq6" | ||
], | ||
"summary": "1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel", | ||
"details": "1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/1Panel-dev/1Panel before v1.10.12-tls.", | ||
"affected": [ | ||
{ | ||
"package": { | ||
"name": "github.com/1Panel-dev/1Panel", | ||
"ecosystem": "Go" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "SEMVER", | ||
"events": [ | ||
{ | ||
"introduced": "0" | ||
} | ||
] | ||
} | ||
], | ||
"ecosystem_specific": { | ||
"custom_ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "0" | ||
}, | ||
{ | ||
"fixed": "1.10.12-tls" | ||
} | ||
] | ||
} | ||
] | ||
} | ||
} | ||
], | ||
"references": [ | ||
{ | ||
"type": "ADVISORY", | ||
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6" | ||
}, | ||
{ | ||
"type": "ADVISORY", | ||
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39907" | ||
}, | ||
{ | ||
"type": "FIX", | ||
"url": "https://github.com/1Panel-dev/1Panel/commit/ff549a47937c1314e6ee08453a1d2128242440cd" | ||
} | ||
], | ||
"database_specific": { | ||
"url": "https://pkg.go.dev/vuln/GO-2024-2990", | ||
"review_status": "UNREVIEWED" | ||
} | ||
} |
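Review bot: the SEMVER range carries only `introduced: 0` and the fix lives solely in `ecosystem_specific.custom_ranges` as `1.10.12-tls`, so any consumer of the standard OSV range, govulncheck included, will flag every version of github.com/1Panel-dev/1Panel, including versions after the fix, as affected; the `details` text acknowledges this as a likely false-positive source. A closed SEMVER range is the only real remedy; the custom range is a note for humans, not something scanners act on, so resolving the fixed version (see the YAML report for the same id in this commit) should happen before the report is reviewed.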
@@ -0,0 +1,51 @@ | ||
{ | ||
"schema_version": "1.3.1", | ||
"id": "GO-2024-2992", | ||
"modified": "0001-01-01T00:00:00Z", | ||
"published": "0001-01-01T00:00:00Z", | ||
"aliases": [ | ||
"CVE-2024-39911" | ||
], | ||
"summary": "1Panel SQL injection in github.com/1Panel-dev/1Panel", | ||
"details": "1Panel SQL injection in github.com/1Panel-dev/1Panel", | ||
"affected": [ | ||
{ | ||
"package": { | ||
"name": "github.com/1Panel-dev/1Panel", | ||
"ecosystem": "Go" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "SEMVER", | ||
"events": [ | ||
{ | ||
"introduced": "0" | ||
}, | ||
{ | ||
"fixed": "1.10.12-lts" | ||
} | ||
] | ||
} | ||
], | ||
"ecosystem_specific": {} | ||
} | ||
], | ||
"references": [ | ||
{ | ||
"type": "ADVISORY", | ||
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39911" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://blog.mo60.cn/index.php/archives/1Panel_SQLinjection2Rce.html" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7m53-pwp6-v3f5" | ||
} | ||
], | ||
"database_specific": { | ||
"url": "https://pkg.go.dev/vuln/GO-2024-2992", | ||
"review_status": "UNREVIEWED" | ||
} | ||
} |
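Review bot: `details` duplicates `summary` and says only "SQL injection", while the WEB reference's own URL slug (`1Panel_SQLinjection2Rce`) indicates the injection chains to remote code execution; if that reference confirms it, the chain and the injected parameter belong in `details`, because the severity a downstream consumer assigns depends on it. `aliases` lists only CVE-2024-39911 even though a GHSA URL for this project appears under `references`; see the YAML report for the same id in this commit for the alias question.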
@@ -0,0 +1,22 @@ | ||
id: GO-2024-2987 | ||
modules: | ||
- module: github.com/skupperproject/skupper | ||
versions: | ||
- fixed: 0.0.0-20240703184342-c26bce4079ff | ||
summary: Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper | ||
cves: | ||
- CVE-2024-6535 | ||
ghsas: | ||
- GHSA-w799-v85j-88pg | ||
references: | ||
- advisory: https://github.com/advisories/GHSA-w799-v85j-88pg | ||
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6535 | ||
- fix: https://github.com/skupperproject/skupper/commit/d2cb3782e807853694ee66b6e3d4a1917485eb71 | ||
- web: https://access.redhat.com/security/cve/CVE-2024-6535 | ||
- web: https://bugzilla.redhat.com/show_bug.cgi?id=2296024 | ||
notes: | ||
- fix: 'github.com/skupperproject/skupper: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version' | ||
source: | ||
id: GHSA-w799-v85j-88pg | ||
created: 2024-07-18T16:18:19.770441-04:00 | ||
review_status: UNREVIEWED |
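Review bot: `vulnerable_at` is absent and the `notes` entry records that the tooling could not guess one, which means the usual check that the affected range contains a real version has not run at all; setting `vulnerable_at` by hand to a pseudo-version just before the fix would restore that check. The `fix` reference points at commit d2cb3782e807853694ee66b6e3d4a1917485eb71 while the `fixed` pseudo-version encodes c26bce4079ff; a fixed pseudo-version is normally derived from the fix commit, so either the reference or the version should be reconciled, or a note should say why they differ (for example, a squash or merge commit).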
@@ -0,0 +1,24 @@ | ||
id: GO-2024-2989 | ||
modules: | ||
- module: github.com/projectdiscovery/nuclei | ||
vulnerable_at: 1.1.7 | ||
- module: github.com/projectdiscovery/nuclei/v2 | ||
vulnerable_at: 2.9.15 | ||
- module: github.com/projectdiscovery/nuclei/v3 | ||
versions: | ||
- fixed: 3.3.0 | ||
vulnerable_at: 3.2.9 | ||
summary: |- | ||
projectdiscovery/nuclei allows unsigned code template execution through | ||
workflows in github.com/projectdiscovery/nuclei | ||
cves: | ||
- CVE-2024-40641 | ||
ghsas: | ||
- GHSA-c3q9-c27p-cw9h | ||
references: | ||
- advisory: https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h | ||
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40641 | ||
source: | ||
id: GHSA-c3q9-c27p-cw9h | ||
created: 2024-07-18T16:18:07.953998-04:00 | ||
review_status: UNREVIEWED |
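Review bot: the github.com/projectdiscovery/nuclei and github.com/projectdiscovery/nuclei/v2 entries carry a `vulnerable_at` but no `versions` block, so the generated OSV turns them into open-ended affected ranges with no upgrade path; that is correct if v1 and v2 will never be fixed, but it should be stated in `summary` or `details` so a reader knows the only remediation is moving to nuclei/v3 3.3.0 rather than waiting for a v2 patch.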
@@ -0,0 +1,19 @@ | ||
id: GO-2024-2990 | ||
modules: | ||
- module: github.com/1Panel-dev/1Panel | ||
non_go_versions: | ||
- fixed: 1.10.12-tls | ||
vulnerable_at: 1.9.6 | ||
summary: 1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel | ||
cves: | ||
- CVE-2024-39907 | ||
ghsas: | ||
- GHSA-5grx-v727-qmq6 | ||
references: | ||
- advisory: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6 | ||
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39907 | ||
- fix: https://github.com/1Panel-dev/1Panel/commit/ff549a47937c1314e6ee08453a1d2128242440cd | ||
source: | ||
id: GHSA-5grx-v727-qmq6 | ||
created: 2024-07-18T16:18:04.925699-04:00 | ||
review_status: UNREVIEWED |
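Review bot: `non_go_versions: fixed: 1.10.12-tls` is what forces this report into a custom range, yet GO-2024-2992 in the same commit records `fixed: 1.10.12-lts` under `versions` for the same module github.com/1Panel-dev/1Panel, and the tooling accepted that as a valid Go version. That strongly suggests `-tls` is a transposition of `-lts` in the source advisory; if the fix tag is v1.10.12-lts, move it to `versions` so the report gets a closed SEMVER range instead of flagging every version. `vulnerable_at: 1.9.6` is also far below the fix; choosing the last affected 1.10.x tag would make the range check more meaningful.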
@@ -0,0 +1,17 @@ | ||
id: GO-2024-2992 | ||
modules: | ||
- module: github.com/1Panel-dev/1Panel | ||
versions: | ||
- fixed: 1.10.12-lts | ||
vulnerable_at: 1.10.12-beta | ||
summary: 1Panel SQL injection in github.com/1Panel-dev/1Panel | ||
cves: | ||
- CVE-2024-39911 | ||
references: | ||
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39911 | ||
- web: https://blog.mo60.cn/index.php/archives/1Panel_SQLinjection2Rce.html | ||
- web: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7m53-pwp6-v3f5 | ||
source: | ||
id: CVE-2024-39911 | ||
created: 2024-07-18T16:18:00.687879-04:00 | ||
review_status: UNREVIEWED |
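Review bot: `ghsas` is missing although a GitHub advisory for this project, https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7m53-pwp6-v3f5, is listed under `references` as `web`; if that advisory covers CVE-2024-39911, add GHSA-7m53-pwp6-v3f5 to `ghsas` and change the reference kind to `advisory`, since the GHSA alias is what other databases use to deduplicate against this report. `source.id` being the CVE rather than the GHSA suggests the link simply had not been established when the report was generated.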