From e1ab50e2fefbf785e7d14882cc84a148ae35819a Mon Sep 17 00:00:00 2001
From: Tatiana Bradley
Date: Wed, 28 Feb 2024 13:41:19 -0500
Subject: [PATCH] data/reports: add GO-2024-2538.yaml

Aliases: CVE-2024-1329, GHSA-c866-8gpw-p3mv

Fixes golang/vulndb#2538

Change-Id: Iceddb1745feed48149a3535cd3256fb384c82e54
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/568056
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Damien Neil
---
 data/osv/GO-2024-2538.json | 93 ++++++++++++++++++++++++++++++++++
 data/reports/GO-2024-2538.yaml | 35 +++++++++++++
 2 files changed, 128 insertions(+)
 create mode 100644 data/osv/GO-2024-2538.json
 create mode 100644 data/reports/GO-2024-2538.yaml

diff --git a/data/osv/GO-2024-2538.json b/data/osv/GO-2024-2538.json
new file mode 100644
index 00000000..6443b5c7
--- /dev/null
+++ b/data/osv/GO-2024-2538.json
@@ -0,0 +1,93 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2538",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-1329",
+ "GHSA-c866-8gpw-p3mv"
+ ],
+ "summary": "Symlink attack in github.com/hashicorp/nomad",
+ "details": "Symlink attack in github.com/hashicorp/nomad",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/nomad",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.5.13"
+ },
+ {
+ "fixed": "1.5.14"
+ },
+ {
+ "introduced": "1.6.0"
+ },
+ {
+ "fixed": "1.6.7"
+ },
+ {
+ "introduced": "1.7.3"
+ },
+ {
+ "fixed": "1.7.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/hashicorp/nomad/helper/escapingfs",
+ "symbols": [
+ "PathEscapesAllocDir",
+ "pathEscapesBaseViaSymlink"
+ ]
+ },
+ {
+ "path": "github.com/hashicorp/nomad/client/allocwatcher",
+ "symbols": [
+ "remotePrevAlloc.Migrate",
+ "remotePrevAlloc.migrateAllocDir",
+ "remotePrevAlloc.streamAllocDir"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1329"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/hashicorp/nomad/issues/19888"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hashicorp/nomad/commit/b3209cbc6921e703b0e9984ce70c10b378665834"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hashicorp/nomad/commit/d1721c7a6fc1833778086603f818a822a34f445a"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hashicorp/nomad/commit/de55da677a21ac7572c0f4a8cd9abd5473c47a70"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2538"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2538.yaml b/data/reports/GO-2024-2538.yaml
new file mode 100644
index 00000000..9b54e314
--- /dev/null
+++ b/data/reports/GO-2024-2538.yaml
@@ -0,0 +1,35 @@
+id: GO-2024-2538
+modules:
+ - module: github.com/hashicorp/nomad
+ versions:
+ - introduced: 1.5.13
+ fixed: 1.5.14
+ - introduced: 1.6.0
+ fixed: 1.6.7
+ - introduced: 1.7.3
+ fixed: 1.7.4
+ vulnerable_at: 1.7.3
+ packages:
+ - package: github.com/hashicorp/nomad/helper/escapingfs
+ symbols:
+ - pathEscapesBaseViaSymlink
+ derived_symbols:
+ - PathEscapesAllocDir
+ - package: github.com/hashicorp/nomad/client/allocwatcher
+ symbols:
+ - remotePrevAlloc.streamAllocDir
+ - remotePrevAlloc.migrateAllocDir
+ derived_symbols:
+ - remotePrevAlloc.Migrate
+summary: Symlink attack in github.com/hashicorp/nomad
+cves:
+ - CVE-2024-1329
+ghsas:
+ - GHSA-c866-8gpw-p3mv
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-1329
+ - report: https://github.com/hashicorp/nomad/issues/19888
+ - fix: https://github.com/hashicorp/nomad/commit/b3209cbc6921e703b0e9984ce70c10b378665834
+ - fix: https://github.com/hashicorp/nomad/commit/d1721c7a6fc1833778086603f818a822a34f445a
+ - fix: https://github.com/hashicorp/nomad/commit/de55da677a21ac7572c0f4a8cd9abd5473c47a70
+ - web: https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack
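Review bot: The report carries no `description`, so the `details` field of the OSV file in this same patch is just the one-line `summary` ("Symlink attack in github.com/hashicorp/nomad") repeated, and a consumer of the entry learns nothing about what the flaw is. The referenced vendor advisory slug (hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack) names it an arbitrary write, and the listed symbols (`remotePrevAlloc.migrateAllocDir`, `remotePrevAlloc.streamAllocDir`, `PathEscapesAllocDir`) suggest the allocation-directory migration path is the affected code, so a one-sentence entry such as `description: Nomad is vulnerable to an arbitrary file write through a symlink attack; see HCSEC-2024-03 for the affected behavior.` would make the entry usable on its own. The version list is non-contiguous (1.5.13–1.5.14, 1.6.0–1.6.7, 1.7.3–1.7.4), which leaves 1.7.0–1.7.2 outside the affected set; that reads as intentional but is worth confirming against the advisory, since a gap like this is easy to introduce by a typo in `introduced`.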