- data/reports/GO-2024-3016.yaml
  - data/reports/GO-2024-3058.yaml
  - data/reports/GO-2024-3068.yaml
  - data/reports/GO-2024-3073.yaml

Fixes golang/vulndb#3016
Fixes golang/vulndb#3058
Fixes golang/vulndb#3068
Fixes golang/vulndb#3073

Change-Id: I9ba34b3e2fc2a8610552f25eb53248715625d3b8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606775
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Tatiana Bradley 2024-08-19 10:51:23 -04:00 коммит произвёл Gopher Robot
Родитель 52066e8f7d
Коммит 42832d44f2
8 изменённых файлов: 532 добавлений и 0 удалений

data/osv/GO-2024-3016.json Normal file

@ -0,0 +1,127 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3016",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-40464",
"GHSA-r6qh-j42j-pw64"
],
"summary": "Beego privilege escalation vulnerability via sendMail in github.com/beego/beego/v2",
"details": "Beego privilege escalation vulnerability via sendMail in github.com/beego/beego/v2",
"affected": [
{
"package": {
"name": "github.com/beego/beego/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego/v2/core/logs",
"symbols": [
"AccessLog",
"Alert",
"Async",
"BeeLogger.Alert",
"BeeLogger.Async",
"BeeLogger.Close",
"BeeLogger.Critical",
"BeeLogger.Debug",
"BeeLogger.DelLogger",
"BeeLogger.Emergency",
"BeeLogger.Error",
"BeeLogger.Flush",
"BeeLogger.Info",
"BeeLogger.Informational",
"BeeLogger.Notice",
"BeeLogger.Reset",
"BeeLogger.SetLogger",
"BeeLogger.Trace",
"BeeLogger.Warn",
"BeeLogger.Warning",
"BeeLogger.Write",
"ColorByMethod",
"ColorByStatus",
"Critical",
"Debug",
"Emergency",
"Error",
"GetLogger",
"Info",
"Informational",
"JLWriter.Format",
"JLWriter.Init",
"JLWriter.WriteMsg",
"LogMsg.OldStyleFormat",
"NewLogger",
"Notice",
"PatternLogFormatter.Format",
"PatternLogFormatter.ToString",
"Reset",
"SLACKWriter.Format",
"SLACKWriter.Init",
"SLACKWriter.WriteMsg",
"SMTPWriter.Format",
"SMTPWriter.Init",
"SMTPWriter.WriteMsg",
"SMTPWriter.sendMail",
"SetLogger",
"Trace",
"Warn",
"Warning",
"connWriter.Format",
"connWriter.Init",
"connWriter.WriteMsg",
"consoleWriter.Format",
"consoleWriter.Init",
"consoleWriter.WriteMsg",
"fileLogWriter.Format",
"fileLogWriter.Init",
"fileLogWriter.WriteMsg",
"multiFileLogWriter.Format",
"multiFileLogWriter.Init",
"multiFileLogWriter.WriteMsg",
"newSMTPWriter"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-r6qh-j42j-pw64"
},
{
"type": "WEB",
"url": "https://gist.github.com/nyxfqq/b53b0148b9aa040de63f58a68fd11445"
},
{
"type": "FIX",
"url": "https://github.com/beego/beego/commit/8f89e12e6cafb106d5c201dbc3b2a338bfde74e2"
},
{
"type": "WEB",
"url": "https://github.com/beego/beego/security/advisories/GHSA-6g9p-wv47-4fxq"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3016",
"review_status": "REVIEWED"
}
}


@ -0,0 +1,65 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3058",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-41270",
"GHSA-p3pf-mff8-3h47"
],
"summary": "Gorush uses deprecated TLS versions in github.com/appleboy/gorush",
"details": "An issue in the RunHTTPServer function in Gorush allows attackers to intercept and manipulate data due to the use of a deprecated TLS version.",
"affected": [
{
"package": {
"name": "github.com/appleboy/gorush",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.5"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/appleboy/gorush/router",
"symbols": [
"RunHTTPServer"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-p3pf-mff8-3h47"
},
{
"type": "FIX",
"url": "https://github.com/appleboy/gorush/commit/067cb597e485e40b790a267187bf7f00730b1c4b"
},
{
"type": "REPORT",
"url": "https://github.com/appleboy/gorush/issues/792"
},
{
"type": "WEB",
"url": "https://gist.github.com/nyxfqq/cfae38fada582a0f576d154be1aeb1fc"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3058",
"review_status": "REVIEWED"
}
}


@ -0,0 +1,94 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3068",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"GHSA-83qr-9v2h-qxp4"
],
"summary": "Missing check for the height of cryptographic equivocation evidence in github.com/cosmos/gaia",
"details": "Missing check for the height of cryptographic equivocation evidence in github.com/cosmos/gaia",
"affected": [
{
"package": {
"name": "github.com/cosmos/gaia/v14",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "14.2.0"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/cosmos/gaia/v15",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/cosmos/gaia/v16",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/cosmos/gaia/v17",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "17.3.0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-83qr-9v2h-qxp4"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3068",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,78 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3073",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-7625",
"GHSA-25qx-vfw2-fw8r"
],
"summary": "Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking in github.com/hashicorp/nomad",
"details": "Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking in github.com/hashicorp/nomad.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/hashicorp/nomad from v0.6.1 before v1.6.14, from v1.7.0 before v1.7.11, from v1.8.0 before v1.8.3.",
"affected": [
{
"package": {
"name": "github.com/hashicorp/nomad",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.6.1"
},
{
"fixed": "1.8.3"
}
]
}
],
"ecosystem_specific": {
"custom_ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0.6.1"
},
{
"fixed": "1.6.14"
},
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.11"
},
{
"introduced": "1.8.0"
},
{
"fixed": "1.8.3"
}
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-25qx-vfw2-fw8r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7625"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2024-17-nomad-vulnerable-to-allocation-directory-escape-on-non-existing-file-paths-through-archive-unpacking/69293"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3073",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,87 @@
id: GO-2024-3016
modules:
- module: github.com/beego/beego/v2
versions:
- fixed: 2.2.1
vulnerable_at: 2.2.0
packages:
- package: github.com/beego/beego/v2/core/logs
symbols:
- SMTPWriter.sendMail
- newSMTPWriter
derived_symbols:
- AccessLog
- Alert
- Async
- BeeLogger.Alert
- BeeLogger.Async
- BeeLogger.Close
- BeeLogger.Critical
- BeeLogger.Debug
- BeeLogger.DelLogger
- BeeLogger.Emergency
- BeeLogger.Error
- BeeLogger.Flush
- BeeLogger.Info
- BeeLogger.Informational
- BeeLogger.Notice
- BeeLogger.Reset
- BeeLogger.SetLogger
- BeeLogger.Trace
- BeeLogger.Warn
- BeeLogger.Warning
- BeeLogger.Write
- ColorByMethod
- ColorByStatus
- Critical
- Debug
- Emergency
- Error
- GetLogger
- Info
- Informational
- JLWriter.Format
- JLWriter.Init
- JLWriter.WriteMsg
- LogMsg.OldStyleFormat
- NewLogger
- Notice
- PatternLogFormatter.Format
- PatternLogFormatter.ToString
- Reset
- SLACKWriter.Format
- SLACKWriter.Init
- SLACKWriter.WriteMsg
- SMTPWriter.Format
- SMTPWriter.Init
- SMTPWriter.WriteMsg
- SetLogger
- Trace
- Warn
- Warning
- connWriter.Format
- connWriter.Init
- connWriter.WriteMsg
- consoleWriter.Format
- consoleWriter.Init
- consoleWriter.WriteMsg
- fileLogWriter.Format
- fileLogWriter.Init
- fileLogWriter.WriteMsg
- multiFileLogWriter.Format
- multiFileLogWriter.Init
- multiFileLogWriter.WriteMsg
summary: Beego privilege escalation vulnerability via sendMail in github.com/beego/beego/v2
cves:
- CVE-2024-40464
ghsas:
- GHSA-r6qh-j42j-pw64
references:
- advisory: https://github.com/advisories/GHSA-r6qh-j42j-pw64
- web: https://gist.github.com/nyxfqq/b53b0148b9aa040de63f58a68fd11445
- fix: https://github.com/beego/beego/commit/8f89e12e6cafb106d5c201dbc3b2a338bfde74e2
- web: https://github.com/beego/beego/security/advisories/GHSA-6g9p-wv47-4fxq
source:
id: GHSA-r6qh-j42j-pw64
created: 2024-08-16T17:25:07.740308-04:00
review_status: REVIEWED
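Review bot: The report carries no `description:` block, so the generated OSV `details` in the first JSON section is just the summary repeated; for a report marked `review_status: REVIEWED` I would expect a sentence, taken from the linked advisory, saying what a program that reaches `SMTPWriter.sendMail` or `newSMTPWriter` is exposed to, e.g. `description: |-` followed by one or two lines. The fourth reference cites a second advisory id (GHSA-6g9p-wv47-4fxq) typed as `web`; if it is the repository advisory for the same issue it belongs under `ghsas:` and as `advisory:`, and if it describes a different beego issue it probably should not be cited here — worth confirming before this lands. The `derived_symbols` list covers essentially every exported function of `core/logs`, which looks like the normal call-graph output, but it presumably means scanners will flag any logging call in a dependent, not only SMTP use; a short note recording that would save the next reviewer the question.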


@ -0,0 +1,27 @@
id: GO-2024-3058
modules:
- module: github.com/appleboy/gorush
versions:
- fixed: 1.18.5
vulnerable_at: 1.18.4
packages:
- package: github.com/appleboy/gorush/router
symbols:
- RunHTTPServer
summary: Gorush uses deprecated TLS versions in github.com/appleboy/gorush
description: |-
An issue in the RunHTTPServer function in Gorush allows attackers to intercept
and manipulate data due to the use of a deprecated TLS version.
cves:
- CVE-2024-41270
ghsas:
- GHSA-p3pf-mff8-3h47
references:
- advisory: https://github.com/advisories/GHSA-p3pf-mff8-3h47
- fix: https://github.com/appleboy/gorush/commit/067cb597e485e40b790a267187bf7f00730b1c4b
- report: https://github.com/appleboy/gorush/issues/792
- web: https://gist.github.com/nyxfqq/cfae38fada582a0f576d154be1aeb1fc
source:
id: GHSA-p3pf-mff8-3h47
created: 2024-08-16T17:25:03.501057-04:00
review_status: REVIEWED
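Review bot: The description says "a deprecated TLS version" without naming it, so a reader cannot tell from this report which protocol versions `RunHTTPServer` accepted before 1.18.5 or what minimum the fix enforces, although the fix commit is linked and should answer both. I would extend the second description line to something like `and manipulate data because the HTTPS server accepted a deprecated TLS version (the fix commit raises the minimum version).`, filling in the concrete versions once confirmed from that commit. The `report:` entry is the upstream issue and the `web:` entry the researcher's gist; the ordering and types match the other reports in this commit.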


@ -0,0 +1,23 @@
id: GO-2024-3068
modules:
- module: github.com/cosmos/gaia/v14
versions:
- introduced: 14.2.0
- module: github.com/cosmos/gaia/v15
- module: github.com/cosmos/gaia/v16
- module: github.com/cosmos/gaia/v17
versions:
- fixed: 17.3.0
summary: |
Missing check for the height of cryptographic equivocation evidence
in github.com/cosmos/gaia
ghsas:
- GHSA-83qr-9v2h-qxp4
references:
- advisory: https://github.com/advisories/GHSA-83qr-9v2h-qxp4
notes:
- Even though it exists via the UI, the GHSA could not be downloaded from the Github API, so this report was manually created in the style of UNREVIEWED reports.
source:
id: GHSA-83qr-9v2h-qxp4
created: 2024-08-19T10:38:23.527392-04:00
review_status: UNREVIEWED
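Review bot: Listing `github.com/cosmos/gaia/v15` and `github.com/cosmos/gaia/v16` with no `versions:` marks every release of those modules as vulnerable with no fix (the JSON section renders each as `introduced: "0"` and nothing else) while v17 is fixed at 17.3.0; if that is intentional because no patch was backported, the `notes:` entry should say so, otherwise the fixed versions are missing. The only reference is the GHSA which, per the note, could not be fetched from the API, so adding the upstream gaia release or advisory page as a `fix:` or `web:` reference would let the ranges be rechecked later. The summary uses a `|` block scalar while the other multi-line scalars in this commit use `|-`; the generator collapses both to one line, but `|-` avoids the trailing newline and is the form used elsewhere.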


@ -0,0 +1,31 @@
id: GO-2024-3073
modules:
- module: github.com/hashicorp/nomad
versions:
- introduced: 0.6.1
- fixed: 1.8.3
non_go_versions:
- introduced: 0.6.1
- fixed: 1.6.14
- introduced: 1.7.0
- fixed: 1.7.11
- introduced: 1.8.0
- fixed: 1.8.3
vulnerable_at: 1.8.2
summary: |-
Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths
Through Archive Unpacking in github.com/hashicorp/nomad
cves:
- CVE-2024-7625
ghsas:
- GHSA-25qx-vfw2-fw8r
references:
- advisory: https://github.com/advisories/GHSA-25qx-vfw2-fw8r
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-7625
- web: https://discuss.hashicorp.com/t/hcsec-2024-17-nomad-vulnerable-to-allocation-directory-escape-on-non-existing-file-paths-through-archive-unpacking/69293
notes:
- manually fixed ranges (1.6.14 and 1.7.11 don't exist)
source:
id: GHSA-25qx-vfw2-fw8r
created: 2024-08-16T17:24:53.360481-04:00
review_status: UNREVIEWED
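Review bot: The note `manually fixed ranges (1.6.14 and 1.7.11 don't exist)` is ambiguous — "fixed" reads as the fix versions rather than as a correction — and it does not record what the single Go range implies: every version from 0.6.1 up to 1.8.3 is flagged, so if v1.6.14 or v1.7.11 are later published as Go module versions they will still be reported as vulnerable until this report is updated. I would reword it along the lines of `ranges manually collapsed to 0.6.1..1.8.3 because v1.6.14 and v1.7.11 are not available as Go module versions; revisit if those tags appear`. The summary keeps the advisory's Title Case ("Vulnerable to Allocation Directory Escape On Non-Existing File Paths"), whereas the other three summaries in this commit use sentence case.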