From c5e1ceaba1236a5cdfb2a1db363b5967ac7e6f84 Mon Sep 17 00:00:00 2001 From: Zvonimir Pavlinovic Date: Fri, 20 Sep 2024 14:29:48 +0000 Subject: [PATCH] data/reports: add GO-2024-3141 - data/reports/GO-2024-3141.yaml Fixes golang/vulndb#3141 Change-Id: I461da7aeecd2f3726dbcea1be5dd56b4281410e2 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/614615 Auto-Submit: Zvonimir Pavlinovic LUCI-TryBot-Result: Go LUCI Reviewed-by: Tatiana Bradley --- data/osv/GO-2024-3141.json | 72 ++++++++++++++++++++++++++++++++++ data/reports/GO-2024-3141.yaml | 42 ++++++++++++++++++++ 2 files changed, 114 insertions(+) create mode 100644 data/osv/GO-2024-3141.json create mode 100644 data/reports/GO-2024-3141.yaml
diff --git a/data/osv/GO-2024-3141.json b/data/osv/GO-2024-3141.json
new file mode 100644
index 00000000..d664941b
--- /dev/null
+++ b/data/osv/GO-2024-3141.json
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3141",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-8260",
+ "GHSA-c77r-fh37-x2px"
+ ],
+ "summary": "OPA for Windows has an SMB force-authentication vulnerability in github.com/open-policy-agent/opa",
+ "details": "OPA for Windows has an SMB force-authentication vulnerability. Due to improper input validation, it allows a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/open-policy-agent/opa",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.68.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/open-policy-agent/opa/loader",
+ "goos": [
+ "windows"
+ ],
+ "symbols": [
+ "All",
+ "AllRegos",
+ "AsBundle",
+ "Filtered",
+ "FilteredPaths",
+ "FilteredPathsFS",
+ "GetBundleDirectoryLoader",
+ "GetBundleDirectoryLoaderFS",
+ "GetBundleDirectoryLoaderWithFilter",
+ "allRec",
+ "fileLoader.All",
+ "fileLoader.AsBundle",
+ "fileLoader.Filtered"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "FIX",
+ "url": "https://github.com/open-policy-agent/opa/commit/10f4d553e6bb6ae9c69611ecdd9a77dda857070e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tenable.com/security/research/tra-2024-36"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3141",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-3141.yaml b/data/reports/GO-2024-3141.yaml
new file mode 100644
index 00000000..28de61b6
--- /dev/null
+++ b/data/reports/GO-2024-3141.yaml
@@ -0,0 +1,42 @@
+id: GO-2024-3141
+modules:
+ - module: github.com/open-policy-agent/opa
+ versions:
+ - fixed: 0.68.0
+ vulnerable_at: 0.67.1
+ packages:
+ - package: github.com/open-policy-agent/opa/loader
+ goos:
+ - windows
+ symbols:
+ - GetBundleDirectoryLoaderFS
+ - allRec
+ - fileLoader.AsBundle
+ derived_symbols:
+ - All
+ - AllRegos
+ - AsBundle
+ - Filtered
+ - FilteredPaths
+ - FilteredPathsFS
+ - GetBundleDirectoryLoader
+ - GetBundleDirectoryLoaderWithFilter
+ - fileLoader.All
+ - fileLoader.Filtered
+summary: OPA for Windows has an SMB force-authentication vulnerability in github.com/open-policy-agent/opa
+description: |-
+ OPA for Windows has an SMB force-authentication vulnerability. Due to
+ improper input validation, it allows a user to pass an arbitrary SMB
+ share instead of a Rego file as an argument to OPA CLI or to one of
+ the OPA Go library’s functions.
+cves:
+ - CVE-2024-8260
+ghsas:
+ - GHSA-c77r-fh37-x2px
+references:
+ - fix: https://github.com/open-policy-agent/opa/commit/10f4d553e6bb6ae9c69611ecdd9a77dda857070e
+ - web: https://www.tenable.com/security/research/tra-2024-36
+source:
+ id: GHSA-c77r-fh37-x2px
+ created: 2024-09-20T14:18:00.328371534Z
+review_status: REVIEWED
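Review bot: The `description` block in this hunk names the input-validation flaw but never states its consequence, so a reader of the advisory cannot tell what "force-authentication" actually costs the victim or why the report is scoped to `goos: windows`. Given the title, the Windows host presumably opens the attacker-supplied UNC path and initiates an SMB connection to that share, sending its NTLM credentials, which could then be captured or relayed — this is inferred from the summary, so confirm the wording against the Tenable advisory (TRA-2024-36) before adding it. A closing sentence such as `The host attempts an SMB connection to the attacker-controlled share and may disclose NTLM credentials to it.` would make the impact and the Windows-only scoping self-explanatory. The JSON in data/osv/ is generated from this YAML, so the change belongs here rather than in both files.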