- data/reports/GO-2024-3184.yaml
  - data/reports/GO-2024-3185.yaml
  - data/reports/GO-2024-3186.yaml
  - data/reports/GO-2024-3188.yaml
  - data/reports/GO-2024-3190.yaml
  - data/reports/GO-2024-3191.yaml

Fixes golang/vulndb#3184
Fixes golang/vulndb#3185
Fixes golang/vulndb#3186
Fixes golang/vulndb#3188
Fixes golang/vulndb#3190
Fixes golang/vulndb#3191

Change-Id: I5f0ad208f0a7e8bebe71f9b15ff38ebc852b783e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/619696
Auto-Submit: Maceo Thompson <maceothompson@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Maceo Thompson 2024-10-11 10:17:06 -04:00 коммит произвёл Gopher Robot
Родитель 414fc8f3fe
Коммит 4b212643a4
12 изменённых файлов: 468 добавлений и 0 удалений


@ -0,0 +1,68 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3184",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-36814",
"GHSA-9cp9-8gw2-8v7m"
],
"summary": "Adguard Home arbitrary file read vulnerability in github.com/AdguardTeam/AdGuardHome",
"details": "Adguard Home arbitrary file read vulnerability in github.com/AdguardTeam/AdGuardHome",
"affected": [
{
"package": {
"name": "github.com/AdguardTeam/AdGuardHome",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.107.53"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-9cp9-8gw2-8v7m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36814"
},
{
"type": "FIX",
"url": "https://github.com/AdguardTeam/AdGuardHome/commit/e8fd4b187287a562cbe9018999e5ea576b4c7d68"
},
{
"type": "WEB",
"url": "https://github.com/AdguardTeam/AdGuardHome/blob/7c002e1a99b9b4e4a40e8c66851eda33e666d52d/internal/filtering/http.go#L23C1-L51C2"
},
{
"type": "WEB",
"url": "https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.53"
},
{
"type": "WEB",
"url": "https://github.com/itz-d0dgy"
},
{
"type": "WEB",
"url": "https://happy-little-accidents.pages.dev/posts/CVE-2024-36814"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3184",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,52 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3185",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-47832"
],
"summary": "XML Signature Bypass via differential XML parsing in ssoready in github.com/ssoready/ssoready",
"details": "XML Signature Bypass via differential XML parsing in ssoready in github.com/ssoready/ssoready",
"affected": [
{
"package": {
"name": "github.com/ssoready/ssoready",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47832"
},
{
"type": "FIX",
"url": "https://github.com/ssoready/ssoready/commit/7f92a0630439972fcbefa8c7eafe8c144bd89915"
},
{
"type": "WEB",
"url": "https://github.com/ssoready/ssoready/security/advisories/GHSA-j2hr-q93x-gxvh"
},
{
"type": "WEB",
"url": "https://ssoready.com/docs/self-hosting/self-hosting-sso-ready"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3185",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,53 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3186",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-9675",
"GHSA-586p-749j-fhwp"
],
"summary": "Buildah allows arbitrary directory mount in github.com/containers/buildah",
"details": "Buildah allows arbitrary directory mount in github.com/containers/buildah",
"affected": [
{
"package": {
"name": "github.com/containers/buildah",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-586p-749j-fhwp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9675"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-9675"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317458"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3186",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,49 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3188",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-9312",
"GHSA-4gfw-wf7c-w6g2"
],
"summary": "Authd allows attacker-controlled usernames to yield controllable UIDs in github.com/ubuntu/authd",
"details": "Authd allows attacker-controlled usernames to yield controllable UIDs in github.com/ubuntu/authd",
"affected": [
{
"package": {
"name": "github.com/ubuntu/authd",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9312"
},
{
"type": "ADVISORY",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9312"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3188",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,73 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3190",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-47067",
"GHSA-8pph-gfhp-w226"
],
"summary": "Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist",
"details": "Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist",
"affected": [
{
"package": {
"name": "github.com/alist-org/alist",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/alist-org/alist/v3",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.29.0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-8pph-gfhp-w226"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47067"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2023-220_Alist"
},
{
"type": "FIX",
"url": "https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3190",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,52 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3191",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-9180",
"GHSA-rr8j-7w34-xp5j"
],
"summary": "Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault",
"details": "Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault",
"affected": [
{
"package": {
"name": "github.com/hashicorp/vault",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-rr8j-7w34-xp5j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9180"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3191",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,23 @@
id: GO-2024-3184
modules:
- module: github.com/AdguardTeam/AdGuardHome
versions:
- fixed: 0.107.53
vulnerable_at: 0.107.52
summary: Adguard Home arbitrary file read vulnerability in github.com/AdguardTeam/AdGuardHome
cves:
- CVE-2024-36814
ghsas:
- GHSA-9cp9-8gw2-8v7m
references:
- advisory: https://github.com/advisories/GHSA-9cp9-8gw2-8v7m
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36814
- fix: https://github.com/AdguardTeam/AdGuardHome/commit/e8fd4b187287a562cbe9018999e5ea576b4c7d68
- web: https://github.com/AdguardTeam/AdGuardHome/blob/7c002e1a99b9b4e4a40e8c66851eda33e666d52d/internal/filtering/http.go#L23C1-L51C2
- web: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.53
- web: https://github.com/itz-d0dgy
- web: https://happy-little-accidents.pages.dev/posts/CVE-2024-36814
source:
id: GHSA-9cp9-8gw2-8v7m
created: 2024-10-11T10:16:23.951474-04:00
review_status: UNREVIEWED
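Review bot: The reference `web: https://github.com/itz-d0dgy` is a bare GitHub user profile and carries no information about the vulnerability, so it adds noise to the generated OSV entry for GO-2024-3184 without helping a reader locate the advisory, the fix or the affected code. If it is meant to credit the reporter, that belongs in the report's credits field (if this report schema carries one) rather than in `references`; otherwise drop the line. The remaining references (GHSA, NVD, fix commit, pinned blob of `internal/filtering/http.go`, release tag, write-up) already cover the advisory chain, and `fixed: 0.107.53` with `vulnerable_at: 0.107.52` is consistent with the release tag reference.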


@ -0,0 +1,18 @@
id: GO-2024-3185
modules:
- module: github.com/ssoready/ssoready
unsupported_versions:
- cve_version_range: affected at commits prior to 7f92a06
vulnerable_at: 0.0.0-20241009160555-27958e3f242c
summary: XML Signature Bypass via differential XML parsing in ssoready in github.com/ssoready/ssoready
cves:
- CVE-2024-47832
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47832
- fix: https://github.com/ssoready/ssoready/commit/7f92a0630439972fcbefa8c7eafe8c144bd89915
- web: https://github.com/ssoready/ssoready/security/advisories/GHSA-j2hr-q93x-gxvh
- web: https://ssoready.com/docs/self-hosting/self-hosting-sso-ready
source:
id: CVE-2024-47832
created: 2024-10-11T10:16:19.821918-04:00
review_status: UNREVIEWED
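Review bot: The module block has only `unsupported_versions` with a free-text `cve_version_range`, so the generated OSV range for GO-2024-3185 contains just `introduced: "0"` and every version of github.com/ssoready/ssoready, including any built after the fix, is reported as vulnerable. The fix commit is recorded under `fix:` (7f92a0630439...) and the `vulnerable_at` pseudo-version shows the module is consumed untagged, so a `fixed:` pseudo-version can be derived from that commit: `versions:` / `- fixed: 0.0.0-<FIX_COMMIT_TIMESTAMP>-7f92a0630439` (timestamp is a placeholder to be taken from the commit). Separately, the `web:` reference URL names GHSA-j2hr-q93x-gxvh, which is absent from the report's aliases; if that repository advisory is published, adding `ghsas:` / `- GHSA-j2hr-q93x-gxvh` lets alias lookups match, and the reference is then better typed `advisory:` than `web:`. Whether the `vulnerable_at` commit 27958e3f242c predates the fix is not visible here and should be checked.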


@ -0,0 +1,20 @@
id: GO-2024-3186
modules:
- module: github.com/containers/buildah
unsupported_versions:
- last_affected: 1.37.0
vulnerable_at: 1.37.4
summary: Buildah allows arbitrary directory mount in github.com/containers/buildah
cves:
- CVE-2024-9675
ghsas:
- GHSA-586p-749j-fhwp
references:
- advisory: https://github.com/advisories/GHSA-586p-749j-fhwp
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9675
- web: https://access.redhat.com/security/cve/CVE-2024-9675
- web: https://bugzilla.redhat.com/show_bug.cgi?id=2317458
source:
id: GHSA-586p-749j-fhwp
created: 2024-10-11T10:16:13.933974-04:00
review_status: UNREVIEWED
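Review bot: `last_affected: 1.37.0` and `vulnerable_at: 1.37.4` disagree about where the affected range ends: the first says versions after 1.37.0 are not known to be affected, the second asserts that 1.37.4 is vulnerable. Because `last_affected` sits under `unsupported_versions`, it has no effect on the generated OSV range for GO-2024-3186, which carries only `introduced: "0"` and flags every Buildah release, fixed ones included. The Red Hat advisory and bugzilla entry referenced here should say which release carries the fix; once confirmed, record it as `versions:` / `- fixed: <FIXED_VERSION>` (placeholder) and set `vulnerable_at` to the release just below it.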


@ -0,0 +1,19 @@
id: GO-2024-3188
modules:
- module: github.com/ubuntu/authd
unsupported_versions:
- last_affected: 0.0.0-20230706090440-d8cb2d561419
vulnerable_at: 0.0.0-20230706090440-d8cb2d561419
summary: Authd allows attacker-controlled usernames to yield controllable UIDs in github.com/ubuntu/authd
cves:
- CVE-2024-9312
ghsas:
- GHSA-4gfw-wf7c-w6g2
references:
- advisory: https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9312
- advisory: https://www.cve.org/CVERecord?id=CVE-2024-9312
source:
id: GHSA-4gfw-wf7c-w6g2
created: 2024-10-11T10:16:08.934095-04:00
review_status: UNREVIEWED
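Review bot: `last_affected` and `vulnerable_at` are both the pseudo-version 0.0.0-20230706090440-d8cb2d561419, a July 2023 commit, while the generated OSV range for GO-2024-3188 is just `introduced: "0"`, so every later version of github.com/ubuntu/authd is reported vulnerable although nothing in the report says later versions were checked. The repository advisory GHSA-4gfw-wf7c-w6g2 referenced here is the place to confirm whether a fixed release or commit exists; if it does, add `versions:` / `- fixed: <FIXED_VERSION>` (placeholder), and if the project has tagged releases, `vulnerable_at` is better set to the last affected tag than to a pseudo-version. The three `advisory:` references all describe the same CVE (repo GHSA, NVD, cve.org); keeping the repo advisory and NVD is enough.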


@ -0,0 +1,22 @@
id: GO-2024-3190
modules:
- module: github.com/alist-org/alist
vulnerable_at: 1.0.6
- module: github.com/alist-org/alist/v3
versions:
- fixed: 3.29.0
vulnerable_at: 3.28.0
summary: Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist
cves:
- CVE-2024-47067
ghsas:
- GHSA-8pph-gfhp-w226
references:
- advisory: https://github.com/advisories/GHSA-8pph-gfhp-w226
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47067
- advisory: https://securitylab.github.com/advisories/GHSL-2023-220_Alist
- fix: https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78
source:
id: GHSA-8pph-gfhp-w226
created: 2024-10-11T10:15:55.235968-04:00
review_status: UNREVIEWED
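Review bot: The first module entry, `github.com/alist-org/alist` with `vulnerable_at: 1.0.6` and no `versions:` block, makes the generated OSV for GO-2024-3190 flag every pre-v3 version as permanently vulnerable, while the fix `3.29.0` is attached only to `github.com/alist-org/alist/v3`. The fix commit and the GHSL advisory referenced here concern the v3 code base, so it is not visible from this report whether the v1 module path is affected at all or was listed only because the upstream GHSA package name lacks the `/v3` suffix. Either drop the first module entry or give it its own `versions:` range (`- fixed: <V1_FIXED_VERSION>` placeholder, or a `last_affected` note under `unsupported_versions`) so the range reflects what was actually verified.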


@ -0,0 +1,19 @@
id: GO-2024-3191
modules:
- module: github.com/hashicorp/vault
versions:
- fixed: 1.18.0
vulnerable_at: 1.18.0-rc1
summary: Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault
cves:
- CVE-2024-9180
ghsas:
- GHSA-rr8j-7w34-xp5j
references:
- advisory: https://github.com/advisories/GHSA-rr8j-7w34-xp5j
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9180
- web: https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565
source:
id: GHSA-rr8j-7w34-xp5j
created: 2024-10-11T10:15:49.590706-04:00
review_status: UNREVIEWED
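Review bot: The range for GO-2024-3191 starts at `introduced: "0"` (no `introduced:` in `versions:`), so every github.com/hashicorp/vault release before 1.18.0 is reported as affected; HashiCorp's HCSEC bulletins referenced here usually name the first affected version, and if HCSEC-2024-21 does, adding `- introduced: <FIRST_AFFECTED_VERSION>` (placeholder) before `- fixed: 1.18.0` avoids false findings on older releases. `vulnerable_at: 1.18.0-rc1` is a pre-release of the fixed version and sorts below 1.18.0 under semver, so it is a valid choice, but a tagged release such as the last 1.17.x would be a more stable anchor if it is confirmed affected. The summary says "Community Edition" while the module path serves both editions; that is fine for an UNREVIEWED entry but worth re-checking against the bulletin at review time.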