vulndb/data/osv/GO-2024-2760.json

{
  "schema_version": "1.3.1",
  "id": "GO-2024-2760",
  "modified": "0001-01-01T00:00:00Z",
  "published": "0001-01-01T00:00:00Z",
  "aliases": [
    "CVE-2021-36775",
    "GHSA-28g7-896h-695v"
  ],
  "summary": "Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher",
  "details": "Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/rancher before v2.4.18, from v2.5.0 before v2.5.12, from v2.6.0 before v2.6.3.",
  "affected": [
    {
      "package": {
        "name": "github.com/rancher/rancher",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "custom_ranges": [
          {
            "type": "ECOSYSTEM",
            "events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "2.4.18"
              },
              {
                "introduced": "2.5.0"
              },
              {
                "fixed": "2.5.12"
              },
              {
                "introduced": "2.6.0"
              },
              {
                "fixed": "2.6.3"
              }
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-28g7-896h-695v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36775"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1189120"
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2024-2760",
    "review_status": "UNREVIEWED"
  }
}
data/reports: add 44 unreviewed reports - data/reports/GO-2024-2576.yaml - data/reports/GO-2024-2695.yaml - data/reports/GO-2024-2737.yaml - data/reports/GO-2024-2795.yaml - data/reports/GO-2024-2799.yaml - data/reports/GO-2024-2715.yaml - data/reports/GO-2024-2798.yaml - data/reports/GO-2024-2793.yaml - data/reports/GO-2024-2705.yaml - data/reports/GO-2024-2808.yaml - data/reports/GO-2024-2875.yaml - data/reports/GO-2024-2635.yaml - data/reports/GO-2024-2707.yaml - data/reports/GO-2024-2797.yaml - data/reports/GO-2024-2726.yaml - data/reports/GO-2024-2650.yaml - data/reports/GO-2024-2698.yaml - data/reports/GO-2024-2760.yaml - data/reports/GO-2024-2788.yaml - data/reports/GO-2024-2629.yaml - data/reports/GO-2024-2771.yaml - data/reports/GO-2024-2794.yaml - data/reports/GO-2024-2637.yaml - data/reports/GO-2024-2734.yaml - data/reports/GO-2024-2764.yaml - data/reports/GO-2024-2762.yaml - data/reports/GO-2024-2566.yaml - data/reports/GO-2024-2789.yaml - data/reports/GO-2024-2664.yaml - data/reports/GO-2024-2688.yaml - data/reports/GO-2024-2697.yaml - data/reports/GO-2024-2719.yaml - data/reports/GO-2024-2718.yaml - data/reports/GO-2024-2468.yaml - data/reports/GO-2024-2717.yaml - data/reports/GO-2024-2761.yaml - data/reports/GO-2024-2796.yaml - data/reports/GO-2024-2706.yaml - data/reports/GO-2024-2722.yaml - data/reports/GO-2024-2665.yaml - data/reports/GO-2024-2750.yaml - data/reports/GO-2024-2809.yaml - data/reports/GO-2024-2696.yaml - data/reports/GO-2024-2732.yaml Fixes golang/vulndb#2576 Fixes golang/vulndb#2695 Fixes golang/vulndb#2737 Fixes golang/vulndb#2795 Fixes golang/vulndb#2799 Fixes golang/vulndb#2715 Fixes golang/vulndb#2798 Fixes golang/vulndb#2793 Fixes golang/vulndb#2705 Fixes golang/vulndb#2808 Fixes golang/vulndb#2875 Fixes golang/vulndb#2635 Fixes golang/vulndb#2707 Fixes golang/vulndb#2797 Fixes golang/vulndb#2726 Fixes golang/vulndb#2650 Fixes golang/vulndb#2698 Fixes golang/vulndb#2760 Fixes golang/vulndb#2788 Fixes golang/vulndb#2629 Fixes golang/vulndb#2771 Fixes golang/vulndb#2794 Fixes golang/vulndb#2637 Fixes golang/vulndb#2734 Fixes golang/vulndb#2764 Fixes golang/vulndb#2762 Fixes golang/vulndb#2566 Fixes golang/vulndb#2789 Fixes golang/vulndb#2664 Fixes golang/vulndb#2688 Fixes golang/vulndb#2697 Fixes golang/vulndb#2719 Fixes golang/vulndb#2718 Fixes golang/vulndb#2468 Fixes golang/vulndb#2717 Fixes golang/vulndb#2761 Fixes golang/vulndb#2796 Fixes golang/vulndb#2706 Fixes golang/vulndb#2722 Fixes golang/vulndb#2665 Fixes golang/vulndb#2750 Fixes golang/vulndb#2809 Fixes golang/vulndb#2696 Fixes golang/vulndb#2732 Change-Id: I8f664cb56ccc1fbce1437179178f78fa3825a1c5 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590278 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> 2024-06-04 23:39:30 +03:00			`{`
			`"schema_version": "1.3.1",`
			`"id": "GO-2024-2760",`
			`"modified": "0001-01-01T00:00:00Z",`
			`"published": "0001-01-01T00:00:00Z",`
			`"aliases": [`
			`"CVE-2021-36775",`
			`"GHSA-28g7-896h-695v"`
			`],`
			`"summary": "Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher",`
internal/report,data/osv: add explanation of non-Go versions For unreviewed reports with "non_go_versions", add an explanation that the versions list may not match external advisories to the "details" section of the OSV. In the future, this should probably be part of the pkgsite UI, or embedded in structured OSV field, instead of placed in the OSV details, but it is causing enough confusion that it seems worth it to clarify this sooner rather than later. Change-Id: Id1409182f7fdef37c0a781d6e2ba06b1fc57c080 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/596182 Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> 2024-07-03 00:19:45 +03:00			"details": "Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/rancher before v2.4.18, from v2.5.0 before v2.5.12, from v2.6.0 before v2.6.3.",
data/reports: add 44 unreviewed reports - data/reports/GO-2024-2576.yaml - data/reports/GO-2024-2695.yaml - data/reports/GO-2024-2737.yaml - data/reports/GO-2024-2795.yaml - data/reports/GO-2024-2799.yaml - data/reports/GO-2024-2715.yaml - data/reports/GO-2024-2798.yaml - data/reports/GO-2024-2793.yaml - data/reports/GO-2024-2705.yaml - data/reports/GO-2024-2808.yaml - data/reports/GO-2024-2875.yaml - data/reports/GO-2024-2635.yaml - data/reports/GO-2024-2707.yaml - data/reports/GO-2024-2797.yaml - data/reports/GO-2024-2726.yaml - data/reports/GO-2024-2650.yaml - data/reports/GO-2024-2698.yaml - data/reports/GO-2024-2760.yaml - data/reports/GO-2024-2788.yaml - data/reports/GO-2024-2629.yaml - data/reports/GO-2024-2771.yaml - data/reports/GO-2024-2794.yaml - data/reports/GO-2024-2637.yaml - data/reports/GO-2024-2734.yaml - data/reports/GO-2024-2764.yaml - data/reports/GO-2024-2762.yaml - data/reports/GO-2024-2566.yaml - data/reports/GO-2024-2789.yaml - data/reports/GO-2024-2664.yaml - data/reports/GO-2024-2688.yaml - data/reports/GO-2024-2697.yaml - data/reports/GO-2024-2719.yaml - data/reports/GO-2024-2718.yaml - data/reports/GO-2024-2468.yaml - data/reports/GO-2024-2717.yaml - data/reports/GO-2024-2761.yaml - data/reports/GO-2024-2796.yaml - data/reports/GO-2024-2706.yaml - data/reports/GO-2024-2722.yaml - data/reports/GO-2024-2665.yaml - data/reports/GO-2024-2750.yaml - data/reports/GO-2024-2809.yaml - data/reports/GO-2024-2696.yaml - data/reports/GO-2024-2732.yaml Fixes golang/vulndb#2576 Fixes golang/vulndb#2695 Fixes golang/vulndb#2737 Fixes golang/vulndb#2795 Fixes golang/vulndb#2799 Fixes golang/vulndb#2715 Fixes golang/vulndb#2798 Fixes golang/vulndb#2793 Fixes golang/vulndb#2705 Fixes golang/vulndb#2808 Fixes golang/vulndb#2875 Fixes golang/vulndb#2635 Fixes golang/vulndb#2707 Fixes golang/vulndb#2797 Fixes golang/vulndb#2726 Fixes golang/vulndb#2650 Fixes golang/vulndb#2698 Fixes golang/vulndb#2760 Fixes golang/vulndb#2788 Fixes golang/vulndb#2629 Fixes golang/vulndb#2771 Fixes golang/vulndb#2794 Fixes golang/vulndb#2637 Fixes golang/vulndb#2734 Fixes golang/vulndb#2764 Fixes golang/vulndb#2762 Fixes golang/vulndb#2566 Fixes golang/vulndb#2789 Fixes golang/vulndb#2664 Fixes golang/vulndb#2688 Fixes golang/vulndb#2697 Fixes golang/vulndb#2719 Fixes golang/vulndb#2718 Fixes golang/vulndb#2468 Fixes golang/vulndb#2717 Fixes golang/vulndb#2761 Fixes golang/vulndb#2796 Fixes golang/vulndb#2706 Fixes golang/vulndb#2722 Fixes golang/vulndb#2665 Fixes golang/vulndb#2750 Fixes golang/vulndb#2809 Fixes golang/vulndb#2696 Fixes golang/vulndb#2732 Change-Id: I8f664cb56ccc1fbce1437179178f78fa3825a1c5 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590278 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> 2024-06-04 23:39:30 +03:00			`"affected": [`
			`{`
			`"package": {`
			`"name": "github.com/rancher/rancher",`
			`"ecosystem": "Go"`
			`},`
			`"ranges": [`
			`{`
			`"type": "SEMVER",`
			`"events": [`
			`{`
			`"introduced": "0"`
			`}`
			`]`
			`}`
			`],`
all: publish non_go_versions as custom_ranges in OSV Change-Id: I737910df80c37a6027b08916abe3b3f413795bbe Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/597155 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> 2024-07-08 19:30:31 +03:00			`"ecosystem_specific": {`
			`"custom_ranges": [`
			`{`
			`"type": "ECOSYSTEM",`
			`"events": [`
			`{`
			`"introduced": "0"`
			`},`
			`{`
			`"fixed": "2.4.18"`
			`},`
			`{`
			`"introduced": "2.5.0"`
			`},`
			`{`
			`"fixed": "2.5.12"`
			`},`
			`{`
			`"introduced": "2.6.0"`
			`},`
			`{`
			`"fixed": "2.6.3"`
			`}`
			`]`
			`}`
			`]`
			`}`
data/reports: add 44 unreviewed reports - data/reports/GO-2024-2576.yaml - data/reports/GO-2024-2695.yaml - data/reports/GO-2024-2737.yaml - data/reports/GO-2024-2795.yaml - data/reports/GO-2024-2799.yaml - data/reports/GO-2024-2715.yaml - data/reports/GO-2024-2798.yaml - data/reports/GO-2024-2793.yaml - data/reports/GO-2024-2705.yaml - data/reports/GO-2024-2808.yaml - data/reports/GO-2024-2875.yaml - data/reports/GO-2024-2635.yaml - data/reports/GO-2024-2707.yaml - data/reports/GO-2024-2797.yaml - data/reports/GO-2024-2726.yaml - data/reports/GO-2024-2650.yaml - data/reports/GO-2024-2698.yaml - data/reports/GO-2024-2760.yaml - data/reports/GO-2024-2788.yaml - data/reports/GO-2024-2629.yaml - data/reports/GO-2024-2771.yaml - data/reports/GO-2024-2794.yaml - data/reports/GO-2024-2637.yaml - data/reports/GO-2024-2734.yaml - data/reports/GO-2024-2764.yaml - data/reports/GO-2024-2762.yaml - data/reports/GO-2024-2566.yaml - data/reports/GO-2024-2789.yaml - data/reports/GO-2024-2664.yaml - data/reports/GO-2024-2688.yaml - data/reports/GO-2024-2697.yaml - data/reports/GO-2024-2719.yaml - data/reports/GO-2024-2718.yaml - data/reports/GO-2024-2468.yaml - data/reports/GO-2024-2717.yaml - data/reports/GO-2024-2761.yaml - data/reports/GO-2024-2796.yaml - data/reports/GO-2024-2706.yaml - data/reports/GO-2024-2722.yaml - data/reports/GO-2024-2665.yaml - data/reports/GO-2024-2750.yaml - data/reports/GO-2024-2809.yaml - data/reports/GO-2024-2696.yaml - data/reports/GO-2024-2732.yaml Fixes golang/vulndb#2576 Fixes golang/vulndb#2695 Fixes golang/vulndb#2737 Fixes golang/vulndb#2795 Fixes golang/vulndb#2799 Fixes golang/vulndb#2715 Fixes golang/vulndb#2798 Fixes golang/vulndb#2793 Fixes golang/vulndb#2705 Fixes golang/vulndb#2808 Fixes golang/vulndb#2875 Fixes golang/vulndb#2635 Fixes golang/vulndb#2707 Fixes golang/vulndb#2797 Fixes golang/vulndb#2726 Fixes golang/vulndb#2650 Fixes golang/vulndb#2698 Fixes golang/vulndb#2760 Fixes golang/vulndb#2788 Fixes golang/vulndb#2629 Fixes golang/vulndb#2771 Fixes golang/vulndb#2794 Fixes golang/vulndb#2637 Fixes golang/vulndb#2734 Fixes golang/vulndb#2764 Fixes golang/vulndb#2762 Fixes golang/vulndb#2566 Fixes golang/vulndb#2789 Fixes golang/vulndb#2664 Fixes golang/vulndb#2688 Fixes golang/vulndb#2697 Fixes golang/vulndb#2719 Fixes golang/vulndb#2718 Fixes golang/vulndb#2468 Fixes golang/vulndb#2717 Fixes golang/vulndb#2761 Fixes golang/vulndb#2796 Fixes golang/vulndb#2706 Fixes golang/vulndb#2722 Fixes golang/vulndb#2665 Fixes golang/vulndb#2750 Fixes golang/vulndb#2809 Fixes golang/vulndb#2696 Fixes golang/vulndb#2732 Change-Id: I8f664cb56ccc1fbce1437179178f78fa3825a1c5 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590278 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> 2024-06-04 23:39:30 +03:00			`}`
			`],`
			`"references": [`
			`{`
			`"type": "ADVISORY",`
			`"url": "https://github.com/rancher/rancher/security/advisories/GHSA-28g7-896h-695v"`
			`},`
			`{`
			`"type": "ADVISORY",`
			`"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36775"`
			`},`
			`{`
			`"type": "WEB",`
			`"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189120"`
			`}`
			`],`
			`"database_specific": {`
			`"url": "https://pkg.go.dev/vuln/GO-2024-2760",`
			`"review_status": "UNREVIEWED"`
			`}`
			`}`