From bbfc2dc6ae7727a458f825639fe2ac5473b9ed74 Mon Sep 17 00:00:00 2001 From: Zvonimir Pavlinovic Date: Fri, 12 Jul 2024 16:34:08 +0000 Subject: [PATCH] data/reports: add 3 reports - data/reports/GO-2024-2980.yaml - data/reports/GO-2024-2981.yaml - data/reports/GO-2024-2982.yaml Fixes golang/vulndb#2980 Fixes golang/vulndb#2981 Fixes golang/vulndb#2982 Change-Id: Ic6a3314c0a9ab2d8dc1f71a11437ef1f380ac466 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/597995 Auto-Submit: Zvonimir Pavlinovic LUCI-TryBot-Result: Go LUCI Reviewed-by: Tatiana Bradley
--- data/osv/GO-2024-2980.json | 89 ++++++++++++++++++++++++++++++++++ data/osv/GO-2024-2981.json | 52 ++++++++++++++++++++ data/osv/GO-2024-2982.json | 72 +++++++++++++++++++++++++++ data/reports/GO-2024-2980.yaml | 27 +++++++++++ data/reports/GO-2024-2981.yaml | 20 ++++++++ data/reports/GO-2024-2982.yaml | 26 ++++++++++ 6 files changed, 286 insertions(+) create mode 100644 data/osv/GO-2024-2980.json create mode 100644 data/osv/GO-2024-2981.json create mode 100644 data/osv/GO-2024-2982.json create mode 100644 data/reports/GO-2024-2980.yaml create mode 100644 data/reports/GO-2024-2981.yaml create mode 100644 data/reports/GO-2024-2982.yaml
diff --git a/data/osv/GO-2024-2980.json b/data/osv/GO-2024-2980.json
new file mode 100644
index 00000000..6efe1a55
--- /dev/null
+++ b/data/osv/GO-2024-2980.json
@@ -0,0 +1,89 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2980",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-29946",
+ "GHSA-2h2x-8hh2-mfq8"
+ ],
+ "summary": "NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects in github.com/nats-io/nats-server",
+ "details": "NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects in github.com/nats-io/nats-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/nats-io/nats-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/nats-io/nats-server/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.8.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/nats-io/nats-streaming-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.24.6"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-2h2x-8hh2-mfq8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29946"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nats-io/advisories/blob/main/CVE/CVE-2022-29946.txt"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2980",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2981.json b/data/osv/GO-2024-2981.json
new file mode 100644
index 00000000..41b27d76
--- /dev/null
+++ b/data/osv/GO-2024-2981.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2981",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-39909",
+ "GHSA-5248-h45p-9pgw"
+ ],
+ "summary": "SQL Injection in the KubeClarity REST API in github.com/openclarity/kubeclarity/backend",
+ "details": "SQL Injection in the KubeClarity REST API in github.com/openclarity/kubeclarity/backend",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openclarity/kubeclarity/backend",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20240711173334-1d1178840703"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openclarity/kubeclarity/security/advisories/GHSA-5248-h45p-9pgw"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_view.go#L79"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openclarity/kubeclarity/commit/1d1178840703a72d9082b7fc4aea0a3326c5d294"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2981",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2982.json b/data/osv/GO-2024-2982.json
new file mode 100644
index 00000000..6f96081a
--- /dev/null
+++ b/data/osv/GO-2024-2982.json
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2982",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-6468",
+ "GHSA-2qmw-pvf7-4mw6"
+ ],
+ "summary": "Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions in github.com/hashicorp/vault",
+ "details": "Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions in github.com/hashicorp/vault.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/hashicorp/vault before v1.15.12.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/vault",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.16.0-rc1"
+ },
+ {
+ "fixed": "1.16.3"
+ },
+ {
+ "introduced": "1.17.0-rc1"
+ },
+ {
+ "fixed": "1.17.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.15.12"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-2qmw-pvf7-4mw6"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6468"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2024-14-vault-vulnerable-to-denial-of-service-when-setting-a-proxy-protocol-behavior/68518"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2982",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2980.yaml b/data/reports/GO-2024-2980.yaml
new file mode 100644
index 00000000..c31ccbff
--- /dev/null
+++ b/data/reports/GO-2024-2980.yaml
@@ -0,0 +1,27 @@
+id: GO-2024-2980
+modules:
+ - module: github.com/nats-io/nats-server
+ vulnerable_at: 1.4.1
+ - module: github.com/nats-io/nats-server/v2
+ versions:
+ - fixed: 2.8.2
+ vulnerable_at: 2.8.1
+ - module: github.com/nats-io/nats-streaming-server
+ versions:
+ - fixed: 0.24.6
+ vulnerable_at: 0.24.5
+summary: |-
+ NATS Server and Streaming Server fails to enforce negative user permissions, may
+ allow denied subjects in github.com/nats-io/nats-server
+cves:
+ - CVE-2022-29946
+ghsas:
+ - GHSA-2h2x-8hh2-mfq8
+references:
+ - advisory: https://github.com/advisories/GHSA-2h2x-8hh2-mfq8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-29946
+ - web: https://github.com/nats-io/advisories/blob/main/CVE/CVE-2022-29946.txt
+source:
+ id: GHSA-2h2x-8hh2-mfq8
+ created: 2024-07-12T16:33:37.628744846Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2981.yaml b/data/reports/GO-2024-2981.yaml
new file mode 100644
index 00000000..6de8df99
--- /dev/null
+++ b/data/reports/GO-2024-2981.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2981
+modules:
+ - module: github.com/openclarity/kubeclarity/backend
+ versions:
+ - fixed: 0.0.0-20240711173334-1d1178840703
+summary: SQL Injection in the KubeClarity REST API in github.com/openclarity/kubeclarity/backend
+cves:
+ - CVE-2024-39909
+ghsas:
+ - GHSA-5248-h45p-9pgw
+references:
+ - advisory: https://github.com/openclarity/kubeclarity/security/advisories/GHSA-5248-h45p-9pgw
+ - web: https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_view.go#L79
+ - web: https://github.com/openclarity/kubeclarity/commit/1d1178840703a72d9082b7fc4aea0a3326c5d294
+notes:
+ - fix: 'github.com/openclarity/kubeclarity/backend: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-5248-h45p-9pgw
+ created: 2024-07-12T16:33:34.102123356Z
+review_status: UNREVIEWED
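Review bot: The first module entry, `github.com/nats-io/nats-server` with only `vulnerable_at: 1.4.1` and no `versions` list, encodes the whole v1 module path as affected with no fixed release, so every 1.x version will be reported; the other two modules carry a `fixed` event, and nothing in the hunk records why v1 has none. If that is deliberate (no 1.x release contains the fix, or the line is unmaintained) the encoding is right, but a `notes` entry such as `- 'github.com/nats-io/nats-server (v1): no fixed release, all versions affected'` would spare the next reviewer re-deriving it from the advisory. The generated summary also names only the first module although three are listed, which is worth tightening when the report leaves UNREVIEWED.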
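Review bot: The only version event for `github.com/openclarity/kubeclarity/backend` is `fixed: 0.0.0-20240711173334-1d1178840703`, a pseudo-version that sorts below every tagged release, so a consumer on any tagged version of this module (v0.0.1 or later) is treated as fixed even if that tag predates commit 1d1178840703. If the backend module has tagged releases, the fixed version should be the first tag containing the fix, or the affected tags should be listed explicitly; the `notes` entry already records that `vulnerable_at` could not be guessed for the same reason, so this is the thing to settle before the report is marked reviewed. The `details` in the companion OSV file repeats the one-line summary; a sentence on which API path or query is affected, grounded in the referenced `id_view.go` line, would help triage.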
diff --git a/data/reports/GO-2024-2982.yaml b/data/reports/GO-2024-2982.yaml
new file mode 100644
index 00000000..49fea40d
--- /dev/null
+++ b/data/reports/GO-2024-2982.yaml
@@ -0,0 +1,26 @@
+id: GO-2024-2982
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 1.16.0-rc1
+ - fixed: 1.16.3
+ - introduced: 1.17.0-rc1
+ - fixed: 1.17.2
+ non_go_versions:
+ - fixed: 1.15.12
+ vulnerable_at: 1.17.1
+summary: |-
+ Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional
+ Conditions in github.com/hashicorp/vault
+cves:
+ - CVE-2024-6468
+ghsas:
+ - GHSA-2qmw-pvf7-4mw6
+references:
+ - advisory: https://github.com/advisories/GHSA-2qmw-pvf7-4mw6
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6468
+ - web: https://discuss.hashicorp.com/t/hcsec-2024-14-vault-vulnerable-to-denial-of-service-when-setting-a-proxy-protocol-behavior/68518
+source:
+ id: GHSA-2qmw-pvf7-4mw6
+ created: 2024-07-12T16:33:28.734714977Z
+review_status: UNREVIEWED
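Review bot: The `non_go_versions` entry `- fixed: 1.15.12` looks like a plain semver version of `github.com/hashicorp/vault`, and the generated details text already tells readers that versions before v1.15.12 are affected, yet the scanner-visible `versions` list starts at `introduced: 1.16.0-rc1`, so a 1.15.x user gets no finding. If v1.15.x tags resolve as Go module versions for this path, the range belongs in `versions` as `- fixed: 1.15.12` placed before `- introduced: 1.16.0-rc1` (the same fixed-only form the other reports use); if the source advisory's range carried a suffix the tooling could not map, a `notes` entry saying so would stop the next reviewer asking the same question. The summary repeats the CWE title, while the HashiCorp reference in the hunk describes a denial of service when setting a proxy-protocol behavior; a summary phrased in those terms would be more useful to someone scanning findings.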