From f268f3b6a768e34b930b8c7c2c4c254a88b212bc Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley Date: Mon, 8 Jul 2024 13:33:36 -0400 Subject: [PATCH] data/reports: add 7 unreviewed reports - data/reports/GO-2024-2968.yaml - data/reports/GO-2024-2969.yaml - data/reports/GO-2024-2970.yaml - data/reports/GO-2024-2971.yaml - data/reports/GO-2024-2972.yaml - data/reports/GO-2024-2973.yaml - data/reports/GO-2024-2974.yaml Fixes golang/vulndb#2968 Fixes golang/vulndb#2969 Fixes golang/vulndb#2970 Fixes golang/vulndb#2971 Fixes golang/vulndb#2972 Fixes golang/vulndb#2973 Fixes golang/vulndb#2974 Change-Id: I0dd8dd80accdd5842a9cb7ebdd49b7698f162f57 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/597158 LUCI-TryBot-Result: Go LUCI Reviewed-by: Damien Neil --- data/osv/GO-2024-2968.json | 107 +++++++++++++++++++++++++++++++++ data/osv/GO-2024-2969.json | 48 +++++++++++++++ data/osv/GO-2024-2970.json | 53 ++++++++++++++++ data/osv/GO-2024-2971.json | 53 ++++++++++++++++ data/osv/GO-2024-2972.json | 49 +++++++++++++++ data/osv/GO-2024-2973.json | 103 +++++++++++++++++++++++++++++++ data/osv/GO-2024-2974.json | 62 +++++++++++++++++++ data/reports/GO-2024-2968.yaml | 32 ++++++++++ data/reports/GO-2024-2969.yaml | 15 +++++ data/reports/GO-2024-2970.yaml | 20 ++++++ data/reports/GO-2024-2971.yaml | 20 ++++++ data/reports/GO-2024-2972.yaml | 19 ++++++ data/reports/GO-2024-2973.yaml | 32 ++++++++++ data/reports/GO-2024-2974.yaml | 17 ++++++ 14 files changed, 630 insertions(+) create mode 100644 data/osv/GO-2024-2968.json create mode 100644 data/osv/GO-2024-2969.json create mode 100644 data/osv/GO-2024-2970.json create mode 100644 data/osv/GO-2024-2971.json create mode 100644 data/osv/GO-2024-2972.json create mode 100644 data/osv/GO-2024-2973.json create mode 100644 data/osv/GO-2024-2974.json create mode 100644 data/reports/GO-2024-2968.yaml create mode 100644 data/reports/GO-2024-2969.yaml create mode 100644 data/reports/GO-2024-2970.yaml create mode 100644 data/reports/GO-2024-2971.yaml create mode 100644 data/reports/GO-2024-2972.yaml create 
mode 100644 data/reports/GO-2024-2973.yaml create mode 100644 data/reports/GO-2024-2974.yaml diff --git a/data/osv/GO-2024-2968.json b/data/osv/GO-2024-2968.json new file mode 100644 index 00000000..e9cd92b6 --- /dev/null +++ b/data/osv/GO-2024-2968.json 
@@ -0,0 +1,107 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2968", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-39683", + "GHSA-cvw9-c57h-3397" + ], + "summary": "ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel", + "details": "ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/zitadel/zitadel from v2.0.0 before v2.53.8, from v2.54.0 before v2.54.5, from v2.55.0 before v2.55.1.", + "affected": [ + { + "package": { + "name": "github.com/zitadel/zitadel", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.53.8" + }, + { + "introduced": "2.54.0" + }, + { + "fixed": "2.54.5" + }, + { + "introduced": "2.55.0" + }, + { + "fixed": "2.55.1" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39683" + }, + { + "type": "FIX", + "url": "https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04" + }, + { + "type": "FIX", + "url": "https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da" + }, + { + "type": "FIX", + "url": "https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73" + }, + { + "type": "FIX", + "url": "https://github.com/zitadel/zitadel/pull/8231" + }, + { + 
"type": "REPORT", + "url": "https://github.com/zitadel/zitadel/issues/8213" + }, + { + "type": "WEB", + "url": "https://discord.com/channels/927474939156643850/1254096852937347153" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.8" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.5" + }, + { + "type": "WEB", + "url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2968", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2969.json b/data/osv/GO-2024-2969.json new file mode 100644 index 00000000..1746ec40 --- /dev/null +++ b/data/osv/GO-2024-2969.json @@ -0,0 +1,48 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2969", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-39930" + ], + "summary": "CVE-2024-39930 in github.com/gogs/gogs", + "details": "CVE-2024-39930 in github.com/gogs/gogs", + "affected": [ + { + "package": { + "name": "github.com/gogs/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39930" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/releases" + }, + { + "type": "WEB", + "url": "https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2969", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2970.json b/data/osv/GO-2024-2970.json new file mode 100644 index 00000000..580fb4d6 --- /dev/null +++ b/data/osv/GO-2024-2970.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2970", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-39931", + "GHSA-2vgj-3pvg-xh4w" + ], + "summary": "Gogs allows deletion of internal files in github.com/gogs/gogs", + "details": "Gogs allows deletion of internal files in github.com/gogs/gogs", + "affected": [ + { + "package": { + "name": "github.com/gogs/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2vgj-3pvg-xh4w" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39931" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/releases" + }, + { + "type": "WEB", + "url": "https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2970", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2971.json b/data/osv/GO-2024-2971.json new file mode 100644 index 00000000..928b0ad8 --- /dev/null +++ b/data/osv/GO-2024-2971.json 
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2971", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-39932", + "GHSA-hf29-9hfh-w63j" + ], + "summary": "Gogs allows argument injection during the previewing of changes in github.com/gogs/gogs", + "details": "Gogs allows argument injection during the previewing of changes in github.com/gogs/gogs", + "affected": [ + { + "package": { + "name": "github.com/gogs/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-hf29-9hfh-w63j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39932" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/releases" + }, + { + "type": "WEB", + "url": "https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2971", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2972.json b/data/osv/GO-2024-2972.json new file mode 100644 index 00000000..4cc15193 --- /dev/null +++ b/data/osv/GO-2024-2972.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2972", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-39933", + "GHSA-8mm6-wmpp-mmm3" + ], + "summary": "Gogs allows argument injection during the tagging of a new release in github.com/gogs/gogs", + "details": "Gogs allows argument injection during the tagging of a new release in github.com/gogs/gogs", + "affected": [ + { + "package": { + "name": "github.com/gogs/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8mm6-wmpp-mmm3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39933" + }, + { + "type": "WEB", + "url": "https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2972", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2024-2973.json b/data/osv/GO-2024-2973.json new file mode 100644 index 00000000..d685fa04 --- /dev/null +++ b/data/osv/GO-2024-2973.json 
@@ -0,0 +1,103 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2973", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-39321", + "GHSA-gxrv-wf35-62w9" + ], + "summary": "Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes in github.com/traefik/traefik", + "details": "Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes in github.com/traefik/traefik", + "affected": [ + { + "package": { + "name": "github.com/traefik/traefik", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.11.6" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "3.0.0-beta3" + }, + { + "fixed": "3.0.4" + }, + { + "introduced": "3.1.0-rc1" + }, + { + "fixed": "3.1.0-rc3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39321" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2973", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2024-2974.json b/data/osv/GO-2024-2974.json new file mode 100644 index 00000000..dde7e90b --- /dev/null +++ b/data/osv/GO-2024-2974.json @@ -0,0 +1,62 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2024-2974", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2024-39696" + ], + "summary": "Evmos vulnerable to exploit of smart contract account and vesting in github.com/evmos/evmos", + "details": "Evmos vulnerable to exploit of smart contract account and vesting in github.com/evmos/evmos.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/evmos/evmos before v19.0.0.", + "affected": [ + { + "package": { + "name": "github.com/evmos/evmos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "19.0.0" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39696" + }, + { + "type": "FIX", + "url": "https://github.com/evmos/evmos/commit/0a620e176617a835ac697eea494afea09185dfaf" + }, + { + "type": "WEB", + "url": "https://github.com/evmos/evmos/security/advisories/GHSA-q6hg-6m9x-5g9c" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2974", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2024-2968.yaml b/data/reports/GO-2024-2968.yaml new file mode 100644 index 00000000..9c9b06a9 --- /dev/null +++ b/data/reports/GO-2024-2968.yaml 
@@ -0,0 +1,32 @@
+id: GO-2024-2968
+modules:
+ - module: github.com/zitadel/zitadel
+ non_go_versions:
+ - introduced: 2.0.0
+ - fixed: 2.53.8
+ - introduced: 2.54.0
+ - fixed: 2.54.5
+ - introduced: 2.55.0
+ - fixed: 2.55.1
+ vulnerable_at: 1.87.5
+summary: ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel
+cves:
+ - CVE-2024-39683
+ghsas:
+ - GHSA-cvw9-c57h-3397
+references:
+ - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39683
+ - fix: https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04
+ - fix: https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da
+ - fix: https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73
+ - fix: https://github.com/zitadel/zitadel/pull/8231
+ - report: https://github.com/zitadel/zitadel/issues/8213
+ - web: https://discord.com/channels/927474939156643850/1254096852937347153
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.53.8
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.54.5
+ - web: https://github.com/zitadel/zitadel/releases/tag/v2.55.1
+source:
+ id: GHSA-cvw9-c57h-3397
+ created: 2024-07-08T13:24:14.455414-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2969.yaml b/data/reports/GO-2024-2969.yaml
new file mode 100644
index 00000000..e81af78f
--- /dev/null
+++ b/data/reports/GO-2024-2969.yaml
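Review bot: In data/reports/GO-2024-2968.yaml, `vulnerable_at: 1.87.5` is lower than the first affected version listed under `non_go_versions` (`introduced: 2.0.0`), so the report names as vulnerable a release that the advisory's own ranges do not cover. With no `versions:` block on the module, the derived OSV range is `"introduced": "0"` with no fix, which means a scanner matching on this entry flags every tagged release of github.com/zitadel/zitadel, patched or not. Before the report moves out of UNREVIEWED, check whether the 2.x fix points can be expressed as Go pseudo-versions in `versions:`. If they cannot, a comment above `non_go_versions:` such as `# upstream 2.x tags do not map to Go module versions; range left unbounded` would tell consumers why the finding has no upgrade target.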
@@ -0,0 +1,15 @@
+id: GO-2024-2969
+modules:
+ - module: github.com/gogs/gogs
+ vulnerable_at: 0.13.0
+summary: CVE-2024-39930 in github.com/gogs/gogs
+cves:
+ - CVE-2024-39930
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39930
+ - web: https://github.com/gogs/gogs/releases
+ - web: https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/
+source:
+ id: CVE-2024-39930
+ created: 2024-07-08T13:24:12.021689-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2970.yaml b/data/reports/GO-2024-2970.yaml
new file mode 100644
index 00000000..9cabd977
--- /dev/null
+++ b/data/reports/GO-2024-2970.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2970
+modules:
+ - module: github.com/gogs/gogs
+ unsupported_versions:
+ - last_affected: 0.13.0
+ vulnerable_at: 0.13.0
+summary: Gogs allows deletion of internal files in github.com/gogs/gogs
+cves:
+ - CVE-2024-39931
+ghsas:
+ - GHSA-2vgj-3pvg-xh4w
+references:
+ - advisory: https://github.com/advisories/GHSA-2vgj-3pvg-xh4w
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39931
+ - web: https://github.com/gogs/gogs/releases
+ - web: https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1
+source:
+ id: GHSA-2vgj-3pvg-xh4w
+ created: 2024-07-08T13:24:08.798271-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2971.yaml b/data/reports/GO-2024-2971.yaml
new file mode 100644
index 00000000..f8b5cd7a
--- /dev/null
+++ b/data/reports/GO-2024-2971.yaml
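Review bot: In data/reports/GO-2024-2969.yaml, the summary `CVE-2024-39930 in github.com/gogs/gogs` only repeats the identifier, so anyone triaging a scanner hit cannot tell what class of flaw is reported without following the links. The three sibling reports for the same module (GO-2024-2970, -2971, -2972) each carry a descriptive summary and an `unsupported_versions:` entry with `- last_affected: 0.13.0`, and this one has neither. If the NVD record supports it, replace the summary with a one-line description of the issue and add the same `unsupported_versions:` block. The affected range for this CVE is not visible in the patch, so check it against the advisory rather than copying it from the siblings.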
@@ -0,0 +1,20 @@
+id: GO-2024-2971
+modules:
+ - module: github.com/gogs/gogs
+ unsupported_versions:
+ - last_affected: 0.13.0
+ vulnerable_at: 0.13.0
+summary: Gogs allows argument injection during the previewing of changes in github.com/gogs/gogs
+cves:
+ - CVE-2024-39932
+ghsas:
+ - GHSA-hf29-9hfh-w63j
+references:
+ - advisory: https://github.com/advisories/GHSA-hf29-9hfh-w63j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39932
+ - web: https://github.com/gogs/gogs/releases
+ - web: https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1
+source:
+ id: GHSA-hf29-9hfh-w63j
+ created: 2024-07-08T13:24:05.043922-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2972.yaml b/data/reports/GO-2024-2972.yaml
new file mode 100644
index 00000000..f57c513d
--- /dev/null
+++ b/data/reports/GO-2024-2972.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-2972
+modules:
+ - module: github.com/gogs/gogs
+ unsupported_versions:
+ - last_affected: 0.13.0
+ vulnerable_at: 0.13.0
+summary: Gogs allows argument injection during the tagging of a new release in github.com/gogs/gogs
+cves:
+ - CVE-2024-39933
+ghsas:
+ - GHSA-8mm6-wmpp-mmm3
+references:
+ - advisory: https://github.com/advisories/GHSA-8mm6-wmpp-mmm3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39933
+ - web: https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1
+source:
+ id: GHSA-8mm6-wmpp-mmm3
+ created: 2024-07-08T13:24:01.718651-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2973.yaml b/data/reports/GO-2024-2973.yaml
new file mode 100644
index 00000000..1a6ff4be
--- /dev/null
+++ b/data/reports/GO-2024-2973.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-2973
+modules:
+ - module: github.com/traefik/traefik
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.11.6
+ vulnerable_at: 2.11.5
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - introduced: 3.0.0-beta3
+ - fixed: 3.0.4
+ - introduced: 3.1.0-rc1
+ - fixed: 3.1.0-rc3
+ vulnerable_at: 3.1.0-rc2
+summary: |-
+ Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT
+ handshakes in github.com/traefik/traefik
+cves:
+ - CVE-2024-39321
+ghsas:
+ - GHSA-gxrv-wf35-62w9
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39321
+ - web: https://github.com/traefik/traefik/releases/tag/v2.11.6
+ - web: https://github.com/traefik/traefik/releases/tag/v3.0.4
+ - web: https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3
+source:
+ id: GHSA-gxrv-wf35-62w9
+ created: 2024-07-08T13:23:57.045256-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2974.yaml b/data/reports/GO-2024-2974.yaml
new file mode 100644
index 00000000..2b808675
--- /dev/null
+++ b/data/reports/GO-2024-2974.yaml
@@ -0,0 +1,17 @@
+id: GO-2024-2974
+modules:
+ - module: github.com/evmos/evmos
+ non_go_versions:
+ - fixed: 19.0.0
+ vulnerable_at: 1.1.3
+summary: Evmos vulnerable to exploit of smart contract account and vesting in github.com/evmos/evmos
+cves:
+ - CVE-2024-39696
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39696
+ - fix: https://github.com/evmos/evmos/commit/0a620e176617a835ac697eea494afea09185dfaf
+ - web: https://github.com/evmos/evmos/security/advisories/GHSA-q6hg-6m9x-5g9c
+source:
+ id: CVE-2024-39696
+ created: 2024-07-08T13:23:28.697883-04:00
+review_status: UNREVIEWED
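Review bot: In data/reports/GO-2024-2973.yaml, the first module entry `github.com/traefik/traefik` has only `vulnerable_at: 1.7.34` and no `versions:` block, so the derived OSV record marks the whole un-suffixed module as affected from `"introduced": "0"` with no fixed version. The `/v3` entry starts its range at `3.0.0-beta3`, which suggests the issue depends on a feature added at a specific point. Whether the 1.x line is affected at all is not shown in this patch and should be checked against GHSA-gxrv-wf35-62w9. If 1.x is out of scope, drop that module entry, because as written every 1.x consumer gets a finding with no upgrade path. The `/v2` entry also has no `introduced:` bound, so it starts at 0, and that deserves the same check.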
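Review bot: In data/reports/GO-2024-2974.yaml, the upstream advisory GHSA-q6hg-6m9x-5g9c appears only as a `web:` reference and there is no `ghsas:` list, so the generated OSV `aliases` array holds just CVE-2024-39696. Tools that de-duplicate or look up findings by GHSA alias will not link this report to that advisory. If the advisory is published and not withdrawn, add `ghsas:` with `- GHSA-q6hg-6m9x-5g9c` and change the reference to `- advisory: https://github.com/evmos/evmos/security/advisories/GHSA-q6hg-6m9x-5g9c`. Separately, `vulnerable_at: 1.1.3` paired with `non_go_versions: - fixed: 19.0.0` leaves the Go-visible range unbounded, so scanners have no fixed version to recommend.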