data/reports: add 5 unreviewed reports
  - data/reports/GO-2024-3076.yaml
  - data/reports/GO-2024-3077.yaml
  - data/reports/GO-2024-3078.yaml
  - data/reports/GO-2024-3079.yaml
  - data/reports/GO-2024-3080.yaml

Fixes #3076
Fixes #3077
Fixes #3078
Fixes #3079
Fixes #3080

Change-Id: Iaa16597434903127a8393697316faf903ac7896f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607335
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
tatianab authored and gopherbot committed Aug 22, 2024
1 parent a282e8f commit 6f05161
Showing 10 changed files with 400 additions and 0 deletions.
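--- a/data/osv/GO-2024-3076.json
+++ b/data/osv/GO-2024-3076.json
@@ -0,0 +1,69 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3076",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-43379",
+"GHSA-3r74-v83p-f4f4"
+],
+"summary": "Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog",
+"details": "Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog",
+"affected": [
+{
+"package": {
+"name": "github.com/trufflesecurity/trufflehog",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+},
+{
+"package": {
+"name": "github.com/trufflesecurity/trufflehog/v3",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "3.81.9"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/trufflesecurity/trufflehog/security/advisories/GHSA-3r74-v83p-f4f4"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43379"
+},
+{
+"type": "FIX",
+"url": "https://github.com/trufflesecurity/trufflehog/commit/fe5624c70923355128868cffd647b6e2cfe11443"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3076",
+"review_status": "UNREVIEWED"
+}
+}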
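--- a/data/osv/GO-2024-3077.json
+++ b/data/osv/GO-2024-3077.json
@@ -0,0 +1,49 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3077",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-39690",
+"GHSA-mq69-4j5w-3qwp"
+],
+"summary": "Capsule tenant owner with \"patch namespace\" permission can hijack system namespaces in github.com/projectcapsule/capsule",
+"details": "Capsule tenant owner with \"patch namespace\" permission can hijack system namespaces in github.com/projectcapsule/capsule",
+"affected": [
+{
+"package": {
+"name": "github.com/projectcapsule/capsule",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39690"
+},
+{
+"type": "FIX",
+"url": "https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3077",
+"review_status": "UNREVIEWED"
+}
+}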
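--- a/data/osv/GO-2024-3078.json
+++ b/data/osv/GO-2024-3078.json
@@ -0,0 +1,52 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3078",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-43406",
+"GHSA-r5ph-4jxm-6j9p"
+],
+"summary": "LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper",
+"details": "LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper",
+"affected": [
+{
+"package": {
+"name": "github.com/lf-edge/ekuiper",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.14.2"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43406"
+},
+{
+"type": "FIX",
+"url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3078",
+"review_status": "UNREVIEWED"
+}
+}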
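--- a/data/osv/GO-2024-3079.json
+++ b/data/osv/GO-2024-3079.json
@@ -0,0 +1,77 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3079",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-6322",
+"GHSA-hh8p-374f-qgr5"
+],
+"summary": "Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana",
+"details": "Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/grafana/grafana from v11.1.0 before v11.1.1, from v11.1.2 before v11.1.3.",
+"affected": [
+{
+"package": {
+"name": "github.com/grafana/grafana",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {
+"custom_ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "11.1.0"
+},
+{
+"fixed": "11.1.1"
+},
+{
+"introduced": "11.1.2"
+},
+{
+"fixed": "11.1.3"
+}
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-hh8p-374f-qgr5"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6322"
+},
+{
+"type": "FIX",
+"url": "https://github.com/grafana/grafana/commit/4cb3ba5d1a7ab8b9676034e89dada2fcde1766ef"
+},
+{
+"type": "FIX",
+"url": "https://github.com/grafana/grafana/commit/9cdba084a9100c6b11d32eef9d2bd53656c6964a"
+},
+{
+"type": "WEB",
+"url": "https://grafana.com/security/security-advisories/cve-2024-6322"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3079",
+"review_status": "UNREVIEWED"
+}
+}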
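--- a/data/osv/GO-2024-3080.json
+++ b/data/osv/GO-2024-3080.json
@@ -0,0 +1,49 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3080",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-43403",
+"GHSA-h27c-6xm3-mcqp"
+],
+"summary": "Kanister vulnerable to cluster-level privilege escalation in github.com/kanisterio/kanister",
+"details": "Kanister vulnerable to cluster-level privilege escalation in github.com/kanisterio/kanister",
+"affected": [
+{
+"package": {
+"name": "github.com/kanisterio/kanister",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/kanisterio/kanister/security/advisories/GHSA-h27c-6xm3-mcqp"
+},
+{
+"type": "WEB",
+"url": "https://github.com/kanisterio/kanister/blob/master/helm/kanister-operator/templates/rbac.yaml#L49"
+},
+{
+"type": "WEB",
+"url": "https://github.com/kanisterio/kanister/wiki/2023%E2%80%9024-Community-Meeting-Notes"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3080",
+"review_status": "UNREVIEWED"
+}
+}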
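--- a/data/reports/GO-2024-3076.yaml
+++ b/data/reports/GO-2024-3076.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3076
+modules:
+- module: github.com/trufflesecurity/trufflehog
+vulnerable_at: 0.0.0-20220127183845-e9ac138996e7
+- module: github.com/trufflesecurity/trufflehog/v3
+versions:
+- fixed: 3.81.9
+vulnerable_at: 3.81.8
+summary: Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog
+cves:
+- CVE-2024-43379
+ghsas:
+- GHSA-3r74-v83p-f4f4
+references:
+- advisory: https://github.com/trufflesecurity/trufflehog/security/advisories/GHSA-3r74-v83p-f4f4
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43379
+- fix: https://github.com/trufflesecurity/trufflehog/commit/fe5624c70923355128868cffd647b6e2cfe11443
+source:
+id: GHSA-3r74-v83p-f4f4
+created: 2024-08-21T10:26:13.043304-04:00
+review_status: UNREVIEWED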
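Review bot: The pre-v3 module path `github.com/trufflesecurity/trufflehog` carries only `vulnerable_at` and no `versions`, so its generated OSV range is `introduced: 0` with no `fixed`, and every pseudo-version of that path stays flagged indefinitely, while the v3 path is correctly bounded at `fixed: 3.81.9`. If the referenced fix commit fe5624c7… only landed on the v3 path, that open range is accurate, but the report does not say so, and a reviewer will have to re-derive it. Consider adding a short `description` line stating that the unversioned module path was never patched and users should migrate to v3, or dropping the pre-v3 entry from `modules` if it is not a separately consumed module; this is inferred from the two module entries here and should be confirmed against the advisory during review.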
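--- a/data/reports/GO-2024-3077.yaml
+++ b/data/reports/GO-2024-3077.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3077
+modules:
+- module: github.com/projectcapsule/capsule
+unsupported_versions:
+- last_affected: 0.7.0
+vulnerable_at: 0.7.0
+summary: |-
+Capsule tenant owner with "patch namespace" permission can hijack system
+namespaces in github.com/projectcapsule/capsule
+cves:
+- CVE-2024-39690
+ghsas:
+- GHSA-mq69-4j5w-3qwp
+references:
+- advisory: https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39690
+- fix: https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584
+source:
+id: GHSA-mq69-4j5w-3qwp
+created: 2024-08-21T10:26:09.725236-04:00
+review_status: UNREVIEWED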
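Review bot: The report references the fix commit d620b045… but records no `fixed` version, so the generated affected range for github.com/projectcapsule/capsule is `introduced: 0` with no upper bound and every release, including ones that contain the fix, will be reported as vulnerable. The only version information, `last_affected: 0.7.0`, sits under `unsupported_versions`, which does not reach the OSV SEMVER range. If that commit shipped in a tagged release, `versions:` / `- fixed: <first release containing d620b045, to be confirmed>` would bound the range; if the advisory only names 0.7.0 as last affected, the open range is the expected cost of an unreviewed report and is worth calling out in the review so it is closed when the report is reviewed.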
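--- a/data/reports/GO-2024-3078.yaml
+++ b/data/reports/GO-2024-3078.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-3078
+modules:
+- module: github.com/lf-edge/ekuiper
+versions:
+- fixed: 1.14.2
+vulnerable_at: 1.14.1
+summary: LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper
+cves:
+- CVE-2024-43406
+ghsas:
+- GHSA-r5ph-4jxm-6j9p
+references:
+- advisory: https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43406
+- fix: https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503
+source:
+id: GHSA-r5ph-4jxm-6j9p
+created: 2024-08-21T10:26:05.798948-04:00
+review_status: UNREVIEWED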
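--- a/data/reports/GO-2024-3079.yaml
+++ b/data/reports/GO-2024-3079.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-3079
+modules:
+- module: github.com/grafana/grafana
+non_go_versions:
+- introduced: 11.1.0
+- fixed: 11.1.1
+- introduced: 11.1.2
+- fixed: 11.1.3
+vulnerable_at: 5.4.5+incompatible
+summary: Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana
+cves:
+- CVE-2024-6322
+ghsas:
+- GHSA-hh8p-374f-qgr5
+references:
+- advisory: https://github.com/advisories/GHSA-hh8p-374f-qgr5
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6322
+- fix: https://github.com/grafana/grafana/commit/4cb3ba5d1a7ab8b9676034e89dada2fcde1766ef
+- fix: https://github.com/grafana/grafana/commit/9cdba084a9100c6b11d32eef9d2bd53656c6964a
+- web: https://grafana.com/security/security-advisories/cve-2024-6322
+source:
+id: GHSA-hh8p-374f-qgr5
+created: 2024-08-21T10:25:47.658165-04:00
+review_status: UNREVIEWED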
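Review bot: `vulnerable_at: 5.4.5+incompatible` lies outside the affected range the report itself records under `non_go_versions` (11.1.0 before 11.1.1, 11.1.2 before 11.1.3), so it does not pin a version known to carry the vulnerability and cannot serve as the usual sanity check on the report's symbols or range. Because `non_go_versions` is informational only, the generated OSV entry for github.com/grafana/grafana has a SEMVER range of `introduced: 0` with no `fixed`, which is what scanners act on, so every version of the module is flagged; the generated details text already states the versions could not be mapped, so this is the expected state of an unreviewed report rather than a defect of the commit. During review, `vulnerable_at` should be replaced with a version that is both resolvable as a Go module and inside the advisory range, if one exists, or the entry should document why no such version is available.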