data/reports: add 5 unreviewed reports
- data/reports/GO-2024-3076.yaml - data/reports/GO-2024-3077.yaml - data/reports/GO-2024-3078.yaml - data/reports/GO-2024-3079.yaml - data/reports/GO-2024-3080.yaml Fixes #3076 Fixes #3077 Fixes #3078 Fixes #3079 Fixes #3080 Change-Id: Iaa16597434903127a8393697316faf903ac7896f Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607335 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
Showing
10 changed files
with
400 additions
and
0 deletions.
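--- /dev/null
+++ b/data/osv/GO-2024-3076.json
@@ -0,0 +1,69 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3076",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-43379",
+"GHSA-3r74-v83p-f4f4"
+],
+"summary": "Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog",
+"details": "Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog",
+"affected": [
+{
+"package": {
+"name": "github.com/trufflesecurity/trufflehog",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+},
+{
+"package": {
+"name": "github.com/trufflesecurity/trufflehog/v3",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "3.81.9"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/trufflesecurity/trufflehog/security/advisories/GHSA-3r74-v83p-f4f4"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43379"
+},
+{
+"type": "FIX",
+"url": "https://github.com/trufflesecurity/trufflehog/commit/fe5624c70923355128868cffd647b6e2cfe11443"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3076",
+"review_status": "UNREVIEWED"
+}
+}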
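--- /dev/null
+++ b/data/osv/GO-2024-3077.json
@@ -0,0 +1,49 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3077",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-39690",
+"GHSA-mq69-4j5w-3qwp"
+],
+"summary": "Capsule tenant owner with \"patch namespace\" permission can hijack system namespaces in github.com/projectcapsule/capsule",
+"details": "Capsule tenant owner with \"patch namespace\" permission can hijack system namespaces in github.com/projectcapsule/capsule",
+"affected": [
+{
+"package": {
+"name": "github.com/projectcapsule/capsule",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39690"
+},
+{
+"type": "FIX",
+"url": "https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3077",
+"review_status": "UNREVIEWED"
+}
+}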
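--- /dev/null
+++ b/data/osv/GO-2024-3078.json
@@ -0,0 +1,52 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3078",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-43406",
+"GHSA-r5ph-4jxm-6j9p"
+],
+"summary": "LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper",
+"details": "LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper",
+"affected": [
+{
+"package": {
+"name": "github.com/lf-edge/ekuiper",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.14.2"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43406"
+},
+{
+"type": "FIX",
+"url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3078",
+"review_status": "UNREVIEWED"
+}
+}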
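--- /dev/null
+++ b/data/osv/GO-2024-3079.json
@@ -0,0 +1,77 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3079",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-6322",
+"GHSA-hh8p-374f-qgr5"
+],
+"summary": "Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana",
+"details": "Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/grafana/grafana from v11.1.0 before v11.1.1, from v11.1.2 before v11.1.3.",
+"affected": [
+{
+"package": {
+"name": "github.com/grafana/grafana",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {
+"custom_ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "11.1.0"
+},
+{
+"fixed": "11.1.1"
+},
+{
+"introduced": "11.1.2"
+},
+{
+"fixed": "11.1.3"
+}
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-hh8p-374f-qgr5"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6322"
+},
+{
+"type": "FIX",
+"url": "https://github.com/grafana/grafana/commit/4cb3ba5d1a7ab8b9676034e89dada2fcde1766ef"
+},
+{
+"type": "FIX",
+"url": "https://github.com/grafana/grafana/commit/9cdba084a9100c6b11d32eef9d2bd53656c6964a"
+},
+{
+"type": "WEB",
+"url": "https://grafana.com/security/security-advisories/cve-2024-6322"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3079",
+"review_status": "UNREVIEWED"
+}
+}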
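--- /dev/null
+++ b/data/osv/GO-2024-3080.json
@@ -0,0 +1,49 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3080",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-43403",
+"GHSA-h27c-6xm3-mcqp"
+],
+"summary": "Kanister vulnerable to cluster-level privilege escalation in github.com/kanisterio/kanister",
+"details": "Kanister vulnerable to cluster-level privilege escalation in github.com/kanisterio/kanister",
+"affected": [
+{
+"package": {
+"name": "github.com/kanisterio/kanister",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/kanisterio/kanister/security/advisories/GHSA-h27c-6xm3-mcqp"
+},
+{
+"type": "WEB",
+"url": "https://github.com/kanisterio/kanister/blob/master/helm/kanister-operator/templates/rbac.yaml#L49"
+},
+{
+"type": "WEB",
+"url": "https://github.com/kanisterio/kanister/wiki/2023%E2%80%9024-Community-Meeting-Notes"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3080",
+"review_status": "UNREVIEWED"
+}
+}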
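Review bot: This report carries no `fixed` event and no FIX reference, only an ADVISORY link and two WEB links, so every version of github.com/kanisterio/kanister is flagged for a cluster-level privilege escalation with no remediation shown; if the GHSA names a patched release, the corresponding `fixed:` belongs in the YAML report this file is generated from. The `blob/master/helm/kanister-operator/templates/rbac.yaml#L49` reference points at a mutable branch and line number, so it will drift away from the RBAC rule it is meant to evidence; pinning it to the commit SHA that was current when the advisory was written keeps it stable. The community-meeting-notes wiki link is likewise a moving page and gives a reader no indication of which meeting discussed the issue.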
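--- /dev/null
+++ b/data/reports/GO-2024-3076.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3076
+modules:
+- module: github.com/trufflesecurity/trufflehog
+vulnerable_at: 0.0.0-20220127183845-e9ac138996e7
+- module: github.com/trufflesecurity/trufflehog/v3
+versions:
+- fixed: 3.81.9
+vulnerable_at: 3.81.8
+summary: Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog
+cves:
+- CVE-2024-43379
+ghsas:
+- GHSA-3r74-v83p-f4f4
+references:
+- advisory: https://github.com/trufflesecurity/trufflehog/security/advisories/GHSA-3r74-v83p-f4f4
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43379
+- fix: https://github.com/trufflesecurity/trufflehog/commit/fe5624c70923355128868cffd647b6e2cfe11443
+source:
+id: GHSA-3r74-v83p-f4f4
+created: 2024-08-21T10:26:13.043304-04:00
+review_status: UNREVIEWED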
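Review bot: The first module entry, `github.com/trufflesecurity/trufflehog` with `vulnerable_at: 0.0.0-20220127183845-e9ac138996e7` and no `versions:` block, marks every pre-v3 pseudo-version as affected with no fix, so govulncheck will report it indefinitely for anyone still on that import path. The referenced fix commit and `fixed: 3.81.9` apply only to the `/v3` module, and nothing in this report shows whether the SSRF-prone detectors even exist in the 2022 v0 tree. Worth confirming against the advisory before this is reviewed; if the v0 path is genuinely unfixable, a short `description` sentence saying so would spare users a permanent, unexplained finding.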
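--- /dev/null
+++ b/data/reports/GO-2024-3077.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3077
+modules:
+- module: github.com/projectcapsule/capsule
+unsupported_versions:
+- last_affected: 0.7.0
+vulnerable_at: 0.7.0
+summary: |-
+Capsule tenant owner with "patch namespace" permission can hijack system
+namespaces in github.com/projectcapsule/capsule
+cves:
+- CVE-2024-39690
+ghsas:
+- GHSA-mq69-4j5w-3qwp
+references:
+- advisory: https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39690
+- fix: https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584
+source:
+id: GHSA-mq69-4j5w-3qwp
+created: 2024-08-21T10:26:09.725236-04:00
+review_status: UNREVIEWED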
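Review bot: A fix commit (d620b04…) is referenced, but the module carries only `unsupported_versions: - last_affected: 0.7.0` and no `fixed:` entry, so the generated OSV range is `introduced: 0` with no upper bound and every Capsule release, including any that already contain the fix, will be flagged. If d620b04 shipped in a tagged release after 0.7.0, `versions: - fixed: <that tag>` is the entry to add; if it has not been released yet, saying so in the report makes the open-ended range deliberate rather than an artifact of the unmapped `last_affected`. The multi-line `summary: |-` is fine, but it is the only one of the five reports written as a block scalar, so a reviewer may want it on one line for consistency.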
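--- /dev/null
+++ b/data/reports/GO-2024-3078.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-3078
+modules:
+- module: github.com/lf-edge/ekuiper
+versions:
+- fixed: 1.14.2
+vulnerable_at: 1.14.1
+summary: LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper
+cves:
+- CVE-2024-43406
+ghsas:
+- GHSA-r5ph-4jxm-6j9p
+references:
+- advisory: https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43406
+- fix: https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503
+source:
+id: GHSA-r5ph-4jxm-6j9p
+created: 2024-08-21T10:26:05.798948-04:00
+review_status: UNREVIEWED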
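--- /dev/null
+++ b/data/reports/GO-2024-3079.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-3079
+modules:
+- module: github.com/grafana/grafana
+non_go_versions:
+- introduced: 11.1.0
+- fixed: 11.1.1
+- introduced: 11.1.2
+- fixed: 11.1.3
+vulnerable_at: 5.4.5+incompatible
+summary: Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana
+cves:
+- CVE-2024-6322
+ghsas:
+- GHSA-hh8p-374f-qgr5
+references:
+- advisory: https://github.com/advisories/GHSA-hh8p-374f-qgr5
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6322
+- fix: https://github.com/grafana/grafana/commit/4cb3ba5d1a7ab8b9676034e89dada2fcde1766ef
+- fix: https://github.com/grafana/grafana/commit/9cdba084a9100c6b11d32eef9d2bd53656c6964a
+- web: https://grafana.com/security/security-advisories/cve-2024-6322
+source:
+id: GHSA-hh8p-374f-qgr5
+created: 2024-08-21T10:25:47.658165-04:00
+review_status: UNREVIEWED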
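Review bot: `vulnerable_at: 5.4.5+incompatible` sits years before the advisory's own affected window, which the `non_go_versions` block puts at 11.1.0–11.1.1 and 11.1.2–11.1.3, and the derived OSV range collapses to `introduced: 0` with no fix. Because Grafana 11.x is not a resolvable Go module, the tagged versions a scanner can actually see (the `+incompatible` v5 tags) predate 11.1.0, and only commit pseudo-versions from the 11.1 window could plausibly carry the bug, yet all of them will be reported. The generated details text already flags the mapping problem; it is still worth the reviewer deciding explicitly whether the blanket range is intended, or whether this module should be treated as not consumable at the affected versions and the range narrowed accordingly.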