From 4b212643a491659f67273b74c5338aa58bb68fb1 Mon Sep 17 00:00:00 2001
From: Maceo Thompson
Date: Fri, 11 Oct 2024 10:17:06 -0400
Subject: [PATCH] data/reports: add 6 reports
- data/reports/GO-2024-3184.yaml
- data/reports/GO-2024-3185.yaml
- data/reports/GO-2024-3186.yaml
- data/reports/GO-2024-3188.yaml
- data/reports/GO-2024-3190.yaml
- data/reports/GO-2024-3191.yaml
Fixes golang/vulndb#3184
Fixes golang/vulndb#3185
Fixes golang/vulndb#3186
Fixes golang/vulndb#3188
Fixes golang/vulndb#3190
Fixes golang/vulndb#3191
Change-Id: I5f0ad208f0a7e8bebe71f9b15ff38ebc852b783e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/619696
Auto-Submit: Maceo Thompson
Reviewed-by: Tatiana Bradley
LUCI-TryBot-Result: Go LUCI
---
 data/osv/GO-2024-3184.json | 68 +++++++++++++++++++++++++++++++
 data/osv/GO-2024-3185.json | 52 ++++++++++++++++++++++++
 data/osv/GO-2024-3186.json | 53 ++++++++++++++++++++++++
 data/osv/GO-2024-3188.json | 49 +++++++++++++++++++++++
 data/osv/GO-2024-3190.json | 73 ++++++++++++++++++++++++++++++++++
 data/osv/GO-2024-3191.json | 52 ++++++++++++++++++++++++
 data/reports/GO-2024-3184.yaml | 23 +++++++++++
 data/reports/GO-2024-3185.yaml | 18 +++++++++
 data/reports/GO-2024-3186.yaml | 20 ++++++++++
 data/reports/GO-2024-3188.yaml | 19 +++++++++
 data/reports/GO-2024-3190.yaml | 22 ++++++++++
 data/reports/GO-2024-3191.yaml | 19 +++++++++
 12 files changed, 468 insertions(+)
 create mode 100644 data/osv/GO-2024-3184.json
 create mode 100644 data/osv/GO-2024-3185.json
 create mode 100644 data/osv/GO-2024-3186.json
 create mode 100644 data/osv/GO-2024-3188.json
 create mode 100644 data/osv/GO-2024-3190.json
 create mode 100644 data/osv/GO-2024-3191.json
 create mode 100644 data/reports/GO-2024-3184.yaml
 create mode 100644 data/reports/GO-2024-3185.yaml
 create mode 100644 data/reports/GO-2024-3186.yaml
 create mode 100644 data/reports/GO-2024-3188.yaml
 create mode 100644 data/reports/GO-2024-3190.yaml
 create mode 100644 data/reports/GO-2024-3191.yaml
diff --git a/data/osv/GO-2024-3184.json b/data/osv/GO-2024-3184.json
new file mode 100644
index 00000000..501101b6
--- /dev/null
+++ b/data/osv/GO-2024-3184.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3184",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-36814",
+ "GHSA-9cp9-8gw2-8v7m"
+ ],
+ "summary": "Adguard Home arbitrary file read vulnerability in github.com/AdguardTeam/AdGuardHome",
+ "details": "Adguard Home arbitrary file read vulnerability in github.com/AdguardTeam/AdGuardHome",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/AdguardTeam/AdGuardHome",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.107.53"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-9cp9-8gw2-8v7m"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36814"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/AdguardTeam/AdGuardHome/commit/e8fd4b187287a562cbe9018999e5ea576b4c7d68"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AdguardTeam/AdGuardHome/blob/7c002e1a99b9b4e4a40e8c66851eda33e666d52d/internal/filtering/http.go#L23C1-L51C2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.53"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/itz-d0dgy"
+ },
+ {
+ "type": "WEB",
+ "url": "https://happy-little-accidents.pages.dev/posts/CVE-2024-36814"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3184",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3185.json b/data/osv/GO-2024-3185.json
new file mode 100644
index 00000000..9ff340bc
--- /dev/null
+++ b/data/osv/GO-2024-3185.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3185",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-47832"
+ ],
+ "summary": "XML Signature Bypass via differential XML parsing in ssoready in github.com/ssoready/ssoready",
+ "details": "XML Signature Bypass via differential XML parsing in ssoready in github.com/ssoready/ssoready",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ssoready/ssoready",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47832"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ssoready/ssoready/commit/7f92a0630439972fcbefa8c7eafe8c144bd89915"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ssoready/ssoready/security/advisories/GHSA-j2hr-q93x-gxvh"
+ },
+ {
+ "type": "WEB",
+ "url": "https://ssoready.com/docs/self-hosting/self-hosting-sso-ready"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3185",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3186.json b/data/osv/GO-2024-3186.json
new file mode 100644
index 00000000..9a1cd688
--- /dev/null
+++ b/data/osv/GO-2024-3186.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3186",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-9675",
+ "GHSA-586p-749j-fhwp"
+ ],
+ "summary": "Buildah allows arbitrary directory mount in github.com/containers/buildah",
+ "details": "Buildah allows arbitrary directory mount in github.com/containers/buildah",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/containers/buildah",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-586p-749j-fhwp"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9675"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-9675"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317458"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3186",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3188.json b/data/osv/GO-2024-3188.json
new file mode 100644
index 00000000..b1765c04
--- /dev/null
+++ b/data/osv/GO-2024-3188.json
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3188",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-9312",
+ "GHSA-4gfw-wf7c-w6g2"
+ ],
+ "summary": "Authd allows attacker-controlled usernames to yield controllable UIDs in github.com/ubuntu/authd",
+ "details": "Authd allows attacker-controlled usernames to yield controllable UIDs in github.com/ubuntu/authd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ubuntu/authd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9312"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2024-9312"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3188",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3190.json b/data/osv/GO-2024-3190.json
new file mode 100644
index 00000000..0bfdc531
--- /dev/null
+++ b/data/osv/GO-2024-3190.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3190",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-47067",
+ "GHSA-8pph-gfhp-w226"
+ ],
+ "summary": "Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist",
+ "details": "Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/alist-org/alist",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/alist-org/alist/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.29.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-8pph-gfhp-w226"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47067"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://securitylab.github.com/advisories/GHSL-2023-220_Alist"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3190",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3191.json b/data/osv/GO-2024-3191.json
new file mode 100644
index 00000000..275d2fa3
--- /dev/null
+++ b/data/osv/GO-2024-3191.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3191",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-9180",
+ "GHSA-rr8j-7w34-xp5j"
+ ],
+ "summary": "Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault",
+ "details": "Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/vault",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.18.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-rr8j-7w34-xp5j"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9180"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3191",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-3184.yaml b/data/reports/GO-2024-3184.yaml
new file mode 100644
index 00000000..7a4f76f2
--- /dev/null
+++ b/data/reports/GO-2024-3184.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-3184
+modules:
+ - module: github.com/AdguardTeam/AdGuardHome
+ versions:
+ - fixed: 0.107.53
+ vulnerable_at: 0.107.52
+summary: Adguard Home arbitrary file read vulnerability in github.com/AdguardTeam/AdGuardHome
+cves:
+ - CVE-2024-36814
+ghsas:
+ - GHSA-9cp9-8gw2-8v7m
+references:
+ - advisory: https://github.com/advisories/GHSA-9cp9-8gw2-8v7m
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36814
+ - fix: https://github.com/AdguardTeam/AdGuardHome/commit/e8fd4b187287a562cbe9018999e5ea576b4c7d68
+ - web: https://github.com/AdguardTeam/AdGuardHome/blob/7c002e1a99b9b4e4a40e8c66851eda33e666d52d/internal/filtering/http.go#L23C1-L51C2
+ - web: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.53
+ - web: https://github.com/itz-d0dgy
+ - web: https://happy-little-accidents.pages.dev/posts/CVE-2024-36814
+source:
+ id: GHSA-9cp9-8gw2-8v7m
+ created: 2024-10-11T10:16:23.951474-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3185.yaml b/data/reports/GO-2024-3185.yaml
new file mode 100644
index 00000000..1bd82247
--- /dev/null
+++ b/data/reports/GO-2024-3185.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-3185
+modules:
+ - module: github.com/ssoready/ssoready
+ unsupported_versions:
+ - cve_version_range: affected at commits prior to 7f92a06
+ vulnerable_at: 0.0.0-20241009160555-27958e3f242c
+summary: XML Signature Bypass via differential XML parsing in ssoready in github.com/ssoready/ssoready
+cves:
+ - CVE-2024-47832
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47832
+ - fix: https://github.com/ssoready/ssoready/commit/7f92a0630439972fcbefa8c7eafe8c144bd89915
+ - web: https://github.com/ssoready/ssoready/security/advisories/GHSA-j2hr-q93x-gxvh
+ - web: https://ssoready.com/docs/self-hosting/self-hosting-sso-ready
+source:
+ id: CVE-2024-47832
+ created: 2024-10-11T10:16:19.821918-04:00
+review_status: UNREVIEWED
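Review bot: The reference `- web: https://github.com/itz-d0dgy` in GO-2024-3184.yaml is a personal GitHub profile rather than a page that documents the issue, so it gives a reader nothing to verify and will drift as the profile changes; the blog post and the release tag already carry the same attribution. I would drop that line, or record the credit in a dedicated credits field if the report format has one, and keep only the advisory, fix, blob and release references. The summary also spells the product "Adguard Home" while the module path and the upstream project use "AdGuard Home"; consider `summary: AdGuard Home arbitrary file read vulnerability in github.com/AdguardTeam/AdGuardHome`.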
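Review bot: In GO-2024-3185.yaml the module entry has only `unsupported_versions: - cve_version_range: affected at commits prior to 7f92a06` and no `versions:` block, so the generated OSV range (visible in data/osv/GO-2024-3185.json earlier in this patch) is `introduced: 0` with no upper bound and every build of github.com/ssoready/ssoready, including ones after the fix, will be reported vulnerable. The fixing commit is already known here (it is the `- fix:` reference), so its pseudo-version can bound the range: `versions:` / `- fixed: 0.0.0-<FIX_COMMIT_TIMESTAMP>-7f92a0630439`, with the timestamp taken from the commit rather than typed by hand. Once that is in place, `vulnerable_at: 0.0.0-20241009160555-27958e3f242c` should be checked against it, since I cannot tell from the hunk whether that pseudo-version predates the fix commit.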
diff --git a/data/reports/GO-2024-3186.yaml b/data/reports/GO-2024-3186.yaml
new file mode 100644
index 00000000..08837b12
--- /dev/null
+++ b/data/reports/GO-2024-3186.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3186
+modules:
+ - module: github.com/containers/buildah
+ unsupported_versions:
+ - last_affected: 1.37.0
+ vulnerable_at: 1.37.4
+summary: Buildah allows arbitrary directory mount in github.com/containers/buildah
+cves:
+ - CVE-2024-9675
+ghsas:
+ - GHSA-586p-749j-fhwp
+references:
+ - advisory: https://github.com/advisories/GHSA-586p-749j-fhwp
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9675
+ - web: https://access.redhat.com/security/cve/CVE-2024-9675
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2317458
+source:
+ id: GHSA-586p-749j-fhwp
+ created: 2024-10-11T10:16:13.933974-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3188.yaml b/data/reports/GO-2024-3188.yaml
new file mode 100644
index 00000000..86724429
--- /dev/null
+++ b/data/reports/GO-2024-3188.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-3188
+modules:
+ - module: github.com/ubuntu/authd
+ unsupported_versions:
+ - last_affected: 0.0.0-20230706090440-d8cb2d561419
+ vulnerable_at: 0.0.0-20230706090440-d8cb2d561419
+summary: Authd allows attacker-controlled usernames to yield controllable UIDs in github.com/ubuntu/authd
+cves:
+ - CVE-2024-9312
+ghsas:
+ - GHSA-4gfw-wf7c-w6g2
+references:
+ - advisory: https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9312
+ - advisory: https://www.cve.org/CVERecord?id=CVE-2024-9312
+source:
+ id: GHSA-4gfw-wf7c-w6g2
+ created: 2024-10-11T10:16:08.934095-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3190.yaml b/data/reports/GO-2024-3190.yaml
new file mode 100644
index 00000000..c9480837
--- /dev/null
+++ b/data/reports/GO-2024-3190.yaml
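Review bot: In GO-2024-3186.yaml, `- last_affected: 1.37.0` under `unsupported_versions` contradicts `vulnerable_at: 1.37.4` one line later: the report claims a release newer than the declared last affected version is still vulnerable, so one of the two values is stale. If 1.37.4 really is affected, the `last_affected` figure carried over from the upstream advisory should be corrected, and once the fixing release is known the module needs a `versions:` block with `- fixed: <FIXED_VERSION>` so the generated OSV entry (currently `introduced: 0` with no upper bound) stops flagging patched releases. The Red Hat bugzilla reference is the most likely of the four to name the fixing release, so it is worth checking before this leaves UNREVIEWED.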
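Review bot: GO-2024-3188.yaml lists three `advisory:` references and no `fix:`, and both `last_affected` and `vulnerable_at` are the same 2023-07-06 pseudo-version, so the report neither points at the fixing change nor bounds the range; the generated OSV entry consequently marks every version of github.com/ubuntu/authd as affected with no fix. The repository advisory at `https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2` is the place most likely to name the fixing commit or release; if it does, add `- fix: <FIX_URL>` under `references:` and a `- fixed: <FIXED_VERSION>` entry under `versions:`. If no tagged fix exists yet, a short note in the report saying so would save the next reviewer from re-deriving it.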
@@ -0,0 +1,22 @@
+id: GO-2024-3190
+modules:
+ - module: github.com/alist-org/alist
+ vulnerable_at: 1.0.6
+ - module: github.com/alist-org/alist/v3
+ versions:
+ - fixed: 3.29.0
+ vulnerable_at: 3.28.0
+summary: Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist
+cves:
+ - CVE-2024-47067
+ghsas:
+ - GHSA-8pph-gfhp-w226
+references:
+ - advisory: https://github.com/advisories/GHSA-8pph-gfhp-w226
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47067
+ - advisory: https://securitylab.github.com/advisories/GHSL-2023-220_Alist
+ - fix: https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78
+source:
+ id: GHSA-8pph-gfhp-w226
+ created: 2024-10-11T10:15:55.235968-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3191.yaml b/data/reports/GO-2024-3191.yaml
new file mode 100644
index 00000000..95fc9963
--- /dev/null
+++ b/data/reports/GO-2024-3191.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-3191
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - fixed: 1.18.0
+ vulnerable_at: 1.18.0-rc1
+summary: Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault
+cves:
+ - CVE-2024-9180
+ghsas:
+ - GHSA-rr8j-7w34-xp5j
+references:
+ - advisory: https://github.com/advisories/GHSA-rr8j-7w34-xp5j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9180
+ - web: https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565
+source:
+ id: GHSA-rr8j-7w34-xp5j
+ created: 2024-10-11T10:15:49.590706-04:00
+review_status: UNREVIEWED
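Review bot: In GO-2024-3190.yaml the first module entry `- module: github.com/alist-org/alist` carries only `vulnerable_at: 1.0.6` and no `versions:` block, so the generated OSV entry marks every release on the unversioned path as vulnerable with no fix, while the `/v3` entry is bounded by `- fixed: 3.29.0`. That is accurate only if the pre-v3 major versions never received the fix; if the intent is merely that v1/v2 are unmaintained, an `unsupported_versions:` entry or a one-line note in the report would make that reasoning visible instead of leaving an open-ended range that looks like an omission. The summary also names the unversioned path although the only `fix:` reference is a v3 commit; consider ending it with `in github.com/alist-org/alist/v3` if v3 is the module the advisory was actually written against.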
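Review bot: GO-2024-3191.yaml has `- fixed: 1.18.0` but no `- introduced:` entry, so the generated OSV range starts at `introduced: 0` and every Vault release ever tagged is reported as affected. The HCSEC-2024-21 post listed under `references:` is the kind of vendor bulletin that normally states the first affected release; if it does, add `- introduced: <FIRST_AFFECTED_VERSION>` above `- fixed: 1.18.0` so that unaffected older releases are not flagged. `vulnerable_at: 1.18.0-rc1` is a usable witness, but a tagged stable release immediately before the fix would be easier for a later reviewer to reproduce than a prerelease.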