data/reports: add GO-2024-2538.yaml

Aliases: CVE-2024-1329, GHSA-c866-8gpw-p3mv Fixes #2538 Change-Id: Iceddb1745feed48149a3535cd3256fb384c82e54 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/568056 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
golang · Mar 4, 2024 · e1ab50e · e1ab50e
1 parent 34a0283
commit e1ab50e
Show file tree

Hide file tree

Showing 2 changed files with 128 additions and 0 deletions.
diff --git a/data/osv/GO-2024-2538.json b/data/osv/GO-2024-2538.json
@@ -0,0 +1,93 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2538",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-1329",
+ "GHSA-c866-8gpw-p3mv"
+ ],
+ "summary": "Symlink attack in github.com/hashicorp/nomad",
+ "details": "Symlink attack in github.com/hashicorp/nomad",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/nomad",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.5.13"
+ },
+ {
+ "fixed": "1.5.14"
+ },
+ {
+ "introduced": "1.6.0"
+ },
+ {
+ "fixed": "1.6.7"
+ },
+ {
+ "introduced": "1.7.3"
+ },
+ {
+ "fixed": "1.7.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/hashicorp/nomad/helper/escapingfs",
+ "symbols": [
+ "PathEscapesAllocDir",
+ "pathEscapesBaseViaSymlink"
+ ]
+ },
+ {
+ "path": "github.com/hashicorp/nomad/client/allocwatcher",
+ "symbols": [
+ "remotePrevAlloc.Migrate",
+ "remotePrevAlloc.migrateAllocDir",
+ "remotePrevAlloc.streamAllocDir"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1329"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/hashicorp/nomad/issues/19888"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hashicorp/nomad/commit/b3209cbc6921e703b0e9984ce70c10b378665834"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hashicorp/nomad/commit/d1721c7a6fc1833778086603f818a822a34f445a"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hashicorp/nomad/commit/de55da677a21ac7572c0f4a8cd9abd5473c47a70"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2538"
+ }
+}
diff --git a/data/reports/GO-2024-2538.yaml b/data/reports/GO-2024-2538.yaml
@@ -0,0 +1,35 @@
+id: GO-2024-2538
+modules:
+ - module: github.com/hashicorp/nomad
+ versions:
+ - introduced: 1.5.13
+ fixed: 1.5.14
+ - introduced: 1.6.0
+ fixed: 1.6.7
+ - introduced: 1.7.3
+ fixed: 1.7.4
+ vulnerable_at: 1.7.3
+ packages:
+ - package: github.com/hashicorp/nomad/helper/escapingfs
+ symbols:
+ - pathEscapesBaseViaSymlink
+ derived_symbols:
+ - PathEscapesAllocDir
+ - package: github.com/hashicorp/nomad/client/allocwatcher
+ symbols:
+ - remotePrevAlloc.streamAllocDir
+ - remotePrevAlloc.migrateAllocDir
+ derived_symbols:
+ - remotePrevAlloc.Migrate
+summary: Symlink attack in github.com/hashicorp/nomad
+cves:
+ - CVE-2024-1329
+ghsas:
+ - GHSA-c866-8gpw-p3mv
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1329
+ - report: https://github.com/hashicorp/nomad/issues/19888
+ - fix: https://github.com/hashicorp/nomad/commit/b3209cbc6921e703b0e9984ce70c10b378665834
+ - fix: https://github.com/hashicorp/nomad/commit/d1721c7a6fc1833778086603f818a822a34f445a
+ - fix: https://github.com/hashicorp/nomad/commit/de55da677a21ac7572c0f4a8cd9abd5473c47a70
+ - web: https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack