go
/
vulndb
зеркало из https://github.com/golang/vulndb.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

data/reports: add 9 unreviewed reports 

- data/reports/GO-2024-3267.yaml
  - data/reports/GO-2024-3269.yaml
  - data/reports/GO-2024-3271.yaml
  - data/reports/GO-2024-3272.yaml
  - data/reports/GO-2024-3273.yaml
  - data/reports/GO-2024-3274.yaml
  - data/reports/GO-2024-3275.yaml
  - data/reports/GO-2024-3277.yaml
  - data/reports/GO-2024-3278.yaml

Fixes golang/vulndb#3267
Fixes golang/vulndb#3269
Fixes golang/vulndb#3271
Fixes golang/vulndb#3272
Fixes golang/vulndb#3273
Fixes golang/vulndb#3274
Fixes golang/vulndb#3275
Fixes golang/vulndb#3277
Fixes golang/vulndb#3278

Change-Id: Iff40e4830d8ead8505d427db90e38c3e08bc9e38
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/629356
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This commit is contained in:
Tatiana Bradley 2024-11-19 12:02:02 -05:00
Родитель 847cfb8894
Коммит 6b4d4e227c
18 изменённых файлов: 683 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

67
data/osv/GO-2024-3267.json Normal file
Просмотреть файл

@ -0,0 +1,67 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3267",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-52010",
"GHSA-7hpf-g48v-hw3j"
],
"summary": "Zoraxy has an authenticated command injection in the Web SSH feature in github.com/tobychui/zoraxy",
"details": "Zoraxy has an authenticated command injection in the Web SSH feature in github.com/tobychui/zoraxy.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .",
"affected": [
{
"package": {
"name": "github.com/tobychui/zoraxy",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.3+incompatible"
}
]
}
],
"ecosystem_specific": {
"custom_ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "2.6.1"
}
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7hpf-g48v-hw3j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52010"
},
{
"type": "FIX",
"url": "https://github.com/tobychui/zoraxy/commit/2e9bc77a5d832bff1093058d42ce7a61382e4bc6"
},
{
"type": "FIX",
"url": "https://github.com/tobychui/zoraxy/commit/c07d5f85dfc37bd32819358ed7d4bc32c604e8f0"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3267",
"review_status": "UNREVIEWED"
}
}

65
data/osv/GO-2024-3269.json Normal file
Просмотреть файл

@ -0,0 +1,65 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3269",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-52308",
"GHSA-p2h2-3vg9-4p87"
],
"summary": "Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer in github.com/cli/cli",
"details": "Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer in github.com/cli/cli",
"affected": [
{
"package": {
"name": "github.com/cli/cli",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/cli/cli/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.62.0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52308"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3269",
"review_status": "UNREVIEWED"
}
}

51
data/osv/GO-2024-3271.json Normal file
Просмотреть файл

@ -0,0 +1,51 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3271",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-52522"
],
"summary": "Rclone Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata in github.com/rclone/rclone",
"details": "Rclone Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata in github.com/rclone/rclone",
"affected": [
{
"package": {
"name": "github.com/rclone/rclone",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.59.0"
},
{
"fixed": "1.68.2"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52522"
},
{
"type": "FIX",
"url": "https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0"
},
{
"type": "WEB",
"url": "https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3271",
"review_status": "UNREVIEWED"
}
}

52
data/osv/GO-2024-3272.json Normal file
Просмотреть файл

@ -0,0 +1,52 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3272",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-24425"
],
"summary": "CVE-2024-24425 in github.com/magma/magma",
"details": "CVE-2024-24425 in github.com/magma/magma",
"affected": [
{
"package": {
"name": "github.com/magma/magma",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24425"
},
{
"type": "WEB",
"url": "https://cellularsecurity.org/ransacked"
},
{
"type": "WEB",
"url": "https://github.com/OPENAIRINTERFACE/openair-epc-fed"
},
{
"type": "WEB",
"url": "https://github.com/magma/magma"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3272",
"review_status": "UNREVIEWED"
}
}

52
data/osv/GO-2024-3273.json Normal file
Просмотреть файл

@ -0,0 +1,52 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3273",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-24426"
],
"summary": "CVE-2024-24426 in github.com/magma/magma",
"details": "CVE-2024-24426 in github.com/magma/magma",
"affected": [
{
"package": {
"name": "github.com/magma/magma",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24426"
},
{
"type": "WEB",
"url": "https://cellularsecurity.org/ransacked"
},
{
"type": "WEB",
"url": "https://github.com/OPENAIRINTERFACE/openair-epc-fed"
},
{
"type": "WEB",
"url": "https://github.com/magma/magma"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3273",
"review_status": "UNREVIEWED"
}
}

56
data/osv/GO-2024-3274.json Normal file
Просмотреть файл

@ -0,0 +1,56 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3274",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2023-0109",
"GHSA-5r2g-59px-3q9w"
],
"summary": "Stored XSS using two files in usememos/memos in github.com/usememos/memos",
"details": "Stored XSS using two files in usememos/memos in github.com/usememos/memos",
"affected": [
{
"package": {
"name": "github.com/usememos/memos",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-5r2g-59px-3q9w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0109"
},
{
"type": "FIX",
"url": "https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/1899ffb2-ce1e-4dc0-af96-972612190f6e"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3274",
"review_status": "UNREVIEWED"
}
}

49
data/osv/GO-2024-3275.json Normal file
Просмотреть файл

@ -0,0 +1,49 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3275",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-44625",
"GHSA-phm4-wf3h-pc3r"
],
"summary": "Unpatched Remote Code Execution in Gogs in gogs.io/gogs",
"details": "Unpatched Remote Code Execution in Gogs in gogs.io/gogs",
"affected": [
{
"package": {
"name": "gogs.io/gogs",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-phm4-wf3h-pc3r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44625"
},
{
"type": "WEB",
"url": "https://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3275",
"review_status": "UNREVIEWED"
}
}

72
data/osv/GO-2024-3277.json Normal file
Просмотреть файл

@ -0,0 +1,72 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3277",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-0793",
"GHSA-h7wq-jj8r-qm7p"
],
"summary": "Kubernetes Nil pointer dereference in KCM after v1 HPA patch request in k8s.io/kubernetes",
"details": "Kubernetes Nil pointer dereference in KCM after v1 HPA patch request in k8s.io/kubernetes",
"affected": [
{
"package": {
"name": "k8s.io/kubernetes",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.27.0-alpha.1"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-h7wq-jj8r-qm7p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0793"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0741"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1267"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-0793"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2214402"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/107038#issuecomment-1911327145"
},
{
"type": "WEB",
"url": "https://github.com/openshift/kubernetes/pull/1876"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3277",
"review_status": "UNREVIEWED"
}
}

44
data/osv/GO-2024-3278.json Normal file
Просмотреть файл

@ -0,0 +1,44 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3278",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-9526"
],
"summary": "Stored XSS in Kubeflow Pipeline View in github.com/kubeflow/pipelines",
"details": "Stored XSS in Kubeflow Pipeline View in github.com/kubeflow/pipelines",
"affected": [
{
"package": {
"name": "github.com/kubeflow/pipelines",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9526"
},
{
"type": "FIX",
"url": "https://github.com/kubeflow/pipelines/pull/10315"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3278",
"review_status": "UNREVIEWED"
}
}

22
data/reports/GO-2024-3267.yaml Normal file
Просмотреть файл

@ -0,0 +1,22 @@
id: GO-2024-3267
modules:
- module: github.com/tobychui/zoraxy
versions:
- fixed: 3.1.3+incompatible
non_go_versions:
- introduced: 2.6.1
vulnerable_at: 3.1.2+incompatible
summary: Zoraxy has an authenticated command injection in the Web SSH feature in github.com/tobychui/zoraxy
cves:
- CVE-2024-52010
ghsas:
- GHSA-7hpf-g48v-hw3j
references:
- advisory: https://github.com/tobychui/zoraxy/security/advisories/GHSA-7hpf-g48v-hw3j
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52010
- fix: https://github.com/tobychui/zoraxy/commit/2e9bc77a5d832bff1093058d42ce7a61382e4bc6
- fix: https://github.com/tobychui/zoraxy/commit/c07d5f85dfc37bd32819358ed7d4bc32c604e8f0
source:
id: GHSA-7hpf-g48v-hw3j
created: 2024-11-19T12:00:28.789773-05:00
review_status: UNREVIEWED

22
data/reports/GO-2024-3269.yaml Normal file
Просмотреть файл

@ -0,0 +1,22 @@
id: GO-2024-3269
modules:
- module: github.com/cli/cli
vulnerable_at: 1.14.0
- module: github.com/cli/cli/v2
versions:
- fixed: 2.62.0
vulnerable_at: 2.61.0
summary: |-
Connecting to a malicious Codespaces via GH CLI could allow command execution on
the user's computer in github.com/cli/cli
cves:
- CVE-2024-52308
ghsas:
- GHSA-p2h2-3vg9-4p87
references:
- advisory: https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52308
source:
id: GHSA-p2h2-3vg9-4p87
created: 2024-11-19T11:59:49.747538-05:00
review_status: UNREVIEWED

20
data/reports/GO-2024-3271.yaml Normal file
Просмотреть файл

@ -0,0 +1,20 @@
id: GO-2024-3271
modules:
- module: github.com/rclone/rclone
versions:
- introduced: 1.59.0
- fixed: 1.68.2
vulnerable_at: 1.68.1
summary: |-
Rclone Improper Permission and Ownership Handling on Symlink Targets with
--links and --metadata in github.com/rclone/rclone
cves:
- CVE-2024-52522
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52522
- fix: https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0
- web: https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv
source:
id: CVE-2024-52522
created: 2024-11-19T11:59:46.082737-05:00
review_status: UNREVIEWED

16
data/reports/GO-2024-3272.yaml Normal file
Просмотреть файл

@ -0,0 +1,16 @@
id: GO-2024-3272
modules:
- module: github.com/magma/magma
vulnerable_at: 1.8.0
summary: CVE-2024-24425 in github.com/magma/magma
cves:
- CVE-2024-24425
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-24425
- web: https://cellularsecurity.org/ransacked
- web: https://github.com/OPENAIRINTERFACE/openair-epc-fed
- web: https://github.com/magma/magma
source:
id: CVE-2024-24425
created: 2024-11-19T11:59:43.486905-05:00
review_status: UNREVIEWED

16
data/reports/GO-2024-3273.yaml Normal file
Просмотреть файл

@ -0,0 +1,16 @@
id: GO-2024-3273
modules:
- module: github.com/magma/magma
vulnerable_at: 1.8.0
summary: CVE-2024-24426 in github.com/magma/magma
cves:
- CVE-2024-24426
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-24426
- web: https://cellularsecurity.org/ransacked
- web: https://github.com/OPENAIRINTERFACE/openair-epc-fed
- web: https://github.com/magma/magma
source:
id: CVE-2024-24426
created: 2024-11-19T11:59:40.044127-05:00
review_status: UNREVIEWED

20
data/reports/GO-2024-3274.yaml Normal file
Просмотреть файл

@ -0,0 +1,20 @@
id: GO-2024-3274
modules:
- module: github.com/usememos/memos
versions:
- fixed: 0.10.0
vulnerable_at: 0.9.1
summary: Stored XSS using two files in usememos/memos in github.com/usememos/memos
cves:
- CVE-2023-0109
ghsas:
- GHSA-5r2g-59px-3q9w
references:
- advisory: https://github.com/advisories/GHSA-5r2g-59px-3q9w
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-0109
- fix: https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c
- web: https://huntr.com/bounties/1899ffb2-ce1e-4dc0-af96-972612190f6e
source:
id: GHSA-5r2g-59px-3q9w
created: 2024-11-19T11:59:36.387588-05:00
review_status: UNREVIEWED

19
data/reports/GO-2024-3275.yaml Normal file
Просмотреть файл

@ -0,0 +1,19 @@
id: GO-2024-3275
modules:
- module: gogs.io/gogs
unsupported_versions:
- last_affected: 0.13.0
vulnerable_at: 0.13.0
summary: Unpatched Remote Code Execution in Gogs in gogs.io/gogs
cves:
- CVE-2024-44625
ghsas:
- GHSA-phm4-wf3h-pc3r
references:
- advisory: https://github.com/advisories/GHSA-phm4-wf3h-pc3r
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-44625
- web: https://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs
source:
id: GHSA-phm4-wf3h-pc3r
created: 2024-11-19T11:59:32.635983-05:00
review_status: UNREVIEWED

24
data/reports/GO-2024-3277.yaml Normal file
Просмотреть файл

@ -0,0 +1,24 @@
id: GO-2024-3277
modules:
- module: k8s.io/kubernetes
versions:
- fixed: 1.27.0-alpha.1
vulnerable_at: 1.27.0-alpha.0
summary: Kubernetes Nil pointer dereference in KCM after v1 HPA patch request in k8s.io/kubernetes
cves:
- CVE-2024-0793
ghsas:
- GHSA-h7wq-jj8r-qm7p
references:
- advisory: https://github.com/advisories/GHSA-h7wq-jj8r-qm7p
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-0793
- web: https://access.redhat.com/errata/RHSA-2024:0741
- web: https://access.redhat.com/errata/RHSA-2024:1267
- web: https://access.redhat.com/security/cve/CVE-2024-0793
- web: https://bugzilla.redhat.com/show_bug.cgi?id=2214402
- web: https://github.com/kubernetes/kubernetes/issues/107038#issuecomment-1911327145
- web: https://github.com/openshift/kubernetes/pull/1876
source:
id: GHSA-h7wq-jj8r-qm7p
created: 2024-11-19T11:59:24.495186-05:00
review_status: UNREVIEWED

16
data/reports/GO-2024-3278.yaml Normal file
Просмотреть файл

@ -0,0 +1,16 @@
id: GO-2024-3278
modules:
- module: github.com/kubeflow/pipelines
unsupported_versions:
- cve_version_range: 'affected from 0 before 930c35f1c543998e60e8d648ce93185c9b5dbe8d (default: unaffected)'
vulnerable_at: 0.0.0-20241119091323-c57e8973ac4b
summary: Stored XSS in Kubeflow Pipeline View in github.com/kubeflow/pipelines
cves:
- CVE-2024-9526
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9526
- fix: https://github.com/kubeflow/pipelines/pull/10315
source:
id: CVE-2024-9526
created: 2024-11-19T11:59:20.555589-05:00
review_status: UNREVIEWED