- data/reports/GO-2024-3161.yaml
  - data/reports/GO-2024-3162.yaml
  - data/reports/GO-2024-3163.yaml
  - data/reports/GO-2024-3166.yaml
  - data/reports/GO-2024-3167.yaml
  - data/reports/GO-2024-3168.yaml
  - data/reports/GO-2024-3169.yaml
  - data/reports/GO-2024-3170.yaml
  - data/reports/GO-2024-3172.yaml
  - data/reports/GO-2024-3173.yaml
  - data/reports/GO-2024-3174.yaml
  - data/reports/GO-2024-3175.yaml
  - data/reports/GO-2024-3179.yaml
  - data/reports/GO-2024-3181.yaml
  - data/reports/GO-2024-3182.yaml

Fixes golang/vulndb#3161
Fixes golang/vulndb#3162
Fixes golang/vulndb#3163
Fixes golang/vulndb#3166
Fixes golang/vulndb#3167
Fixes golang/vulndb#3168
Fixes golang/vulndb#3169
Fixes golang/vulndb#3170
Fixes golang/vulndb#3172
Fixes golang/vulndb#3173
Fixes golang/vulndb#3174
Fixes golang/vulndb#3175
Fixes golang/vulndb#3179
Fixes golang/vulndb#3181
Fixes golang/vulndb#3182

Change-Id: I6f47e813357034a674970920b6f0de6f4abac032
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/619135
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Maceo Thompson <maceothompson@google.com>
Maceo Thompson 2024-10-09 16:17:29 -04:00 коммит произвёл Gopher Robot
Родитель 7a4bd20efd
Коммит 8c4ccf869d
30 изменённых файлов: 1390 добавлений и 0 удалений


@ -0,0 +1,75 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3161",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-22030",
"GHSA-h4h5-9833-v2p4"
],
"summary": "Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher",
"details": "Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.15, from v2.8.0 before v2.8.8, from v2.9.0 before v2.9.2.",
"affected": [
{
"package": {
"name": "github.com/rancher/rancher",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"custom_ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.15"
},
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.8"
},
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.2"
}
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/rancher/rancher/security/advisories/GHSA-h4h5-9833-v2p4"
},
{
"type": "WEB",
"url": "https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify"
},
{
"type": "WEB",
"url": "https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3161",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,52 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3162",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-7594",
"GHSA-jg74-mwgw-v6x3"
],
"summary": "Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault",
"details": "Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault",
"affected": [
{
"package": {
"name": "github.com/hashicorp/vault",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.7.7"
},
{
"fixed": "1.17.6"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jg74-mwgw-v6x3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7594"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3162",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,62 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3163",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-47182"
],
"summary": "Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle",
"details": "Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/amir20/dozzle before v8.5.3.",
"affected": [
{
"package": {
"name": "github.com/amir20/dozzle",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"custom_ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.3"
}
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47182"
},
{
"type": "FIX",
"url": "https://github.com/amir20/dozzle/commit/de79f03aa3dbe5bb1e154a7e8d3dccbd229f3ea3"
},
{
"type": "WEB",
"url": "https://github.com/amir20/dozzle/security/advisories/GHSA-w7qr-q9fh-fj35"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3163",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,77 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3166",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-47534",
"GHSA-4f8r-qqr9-fq8j"
],
"summary": "Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf",
"details": "Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf",
"affected": [
{
"package": {
"name": "github.com/theupdateframework/go-tuf",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/theupdateframework/go-tuf/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.1"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47534"
},
{
"type": "FIX",
"url": "https://github.com/theupdateframework/go-tuf/commit/f36420caba9edbfdfd64f95a9554c0836d9cf819"
},
{
"type": "WEB",
"url": "https://github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go#L565-L580"
},
{
"type": "WEB",
"url": "https://github.com/theupdateframework/tuf-conformance/pull/115"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3166",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,78 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3167",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-9355",
"GHSA-3h3x-2hwv-hr52"
],
"summary": "Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl",
"details": "Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl",
"affected": [
{
"package": {
"name": "github.com/golang-fips/openssl",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/golang-fips/openssl/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-3h3x-2hwv-hr52"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:7502"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:7550"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3167",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,82 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3168",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-8975",
"GHSA-chqx-36rm-rf8h"
],
"summary": "Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/alloy",
"details": "Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/alloy",
"affected": [
{
"package": {
"name": "github.com/grafana/alloy",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.4"
},
{
"introduced": "1.4.0-rc.0"
},
{
"fixed": "1.4.1"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-chqx-36rm-rf8h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8975"
},
{
"type": "FIX",
"url": "https://github.com/grafana/alloy/commit/88e779887690954c009503598a3f4bf563cb6596"
},
{
"type": "FIX",
"url": "https://github.com/grafana/alloy/commit/f14249012fd970d3fd73604e6fff9b6c7990a9bb"
},
{
"type": "WEB",
"url": "https://github.com/grafana/alloy/releases/tag/v1.3.4"
},
{
"type": "WEB",
"url": "https://github.com/grafana/alloy/releases/tag/v1.4.0"
},
{
"type": "WEB",
"url": "https://github.com/grafana/alloy/releases/tag/v1.4.1"
},
{
"type": "WEB",
"url": "https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2024-8975"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3168",
"review_status": "UNREVIEWED"
}
}

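--- /dev/null
+++ b/data/osv/GO-2024-3169.json
@@ -0,0 +1,138 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3169",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-9407",
+"GHSA-fhqq-8f65-5xfc"
+],
+"summary": "Improper Input Validation in Buildah and Podman in github.com/containers/buildah",
+"details": "Improper Input Validation in Buildah and Podman in github.com/containers/buildah",
+"affected": [
+{
+"package": {
+"name": "github.com/containers/buildah",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+},
+{
+"package": {
+"name": "github.com/containers/podman",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+},
+{
+"package": {
+"name": "github.com/containers/podman/v2",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+},
+{
+"package": {
+"name": "github.com/containers/podman/v3",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+},
+{
+"package": {
+"name": "github.com/containers/podman/v4",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+},
+{
+"package": {
+"name": "github.com/containers/podman/v5",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-fhqq-8f65-5xfc"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9407"
+},
+{
+"type": "WEB",
+"url": "https://access.redhat.com/security/cve/CVE-2024-9407"
+},
+{
+"type": "WEB",
+"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315887"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3169",
+"review_status": "UNREVIEWED"
+}
+}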


@ -0,0 +1,68 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3170",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-8996",
"GHSA-m5gv-m5f9-wgv4"
],
"summary": "Grafana Agent (Flow mode) on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/agent",
"details": "Grafana Agent (Flow mode) on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/agent",
"affected": [
{
"package": {
"name": "github.com/grafana/agent",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.43.3"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m5gv-m5f9-wgv4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8996"
},
{
"type": "FIX",
"url": "https://github.com/grafana/agent/commit/91bab2c05906938d3f8e1e3c61a863f037985299"
},
{
"type": "WEB",
"url": "https://github.com/grafana/agent/releases/tag/v0.43.2"
},
{
"type": "WEB",
"url": "https://github.com/grafana/agent/releases/tag/v0.43.3"
},
{
"type": "WEB",
"url": "https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2024-8996"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3170",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,75 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3172",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-33662",
"GHSA-9mjw-79r6-c9m8"
],
"summary": "Portainer improperly uses an encryption algorithm in the AesEncrypt function in github.com/portainer/portainer",
"details": "Portainer improperly uses an encryption algorithm in the AesEncrypt function in github.com/portainer/portainer.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/portainer/portainer before v2.20.2.",
"affected": [
{
"package": {
"name": "github.com/portainer/portainer",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"custom_ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.20.2"
}
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-9mjw-79r6-c9m8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33662"
},
{
"type": "REPORT",
"url": "https://github.com/portainer/portainer/issues/11737"
},
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/compare/2.20.1...2.20.2"
},
{
"type": "WEB",
"url": "https://github.com/search?q=repo%3Aportainer%2Fportainer+EE-6764\u0026type=pullrequests"
},
{
"type": "WEB",
"url": "https://www.portainer.io"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3172",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,52 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3173",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-7558",
"GHSA-mh98-763h-m9v4"
],
"summary": "JUJU_CONTEXT_ID is a predictable authentication secret in github.com/juju/juju",
"details": "JUJU_CONTEXT_ID is a predictable authentication secret in github.com/juju/juju",
"affected": [
{
"package": {
"name": "github.com/juju/juju",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20240826044107-ecd7e2d0e986"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7558"
},
{
"type": "FIX",
"url": "https://github.com/juju/juju/commit/ecd7e2d0e9867576b9da04871e22232f06fa0cc7"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3173",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,60 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3174",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-8037",
"GHSA-8v4w-f4r9-7h6x"
],
"summary": "Vulnerable juju hook tool abstract UNIX domain socket in github.com/juju/juju",
"details": "Vulnerable juju hook tool abstract UNIX domain socket in github.com/juju/juju",
"affected": [
{
"package": {
"name": "github.com/juju/juju",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20240820065804-2f2ec128ef5a"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8037"
},
{
"type": "FIX",
"url": "https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206"
},
{
"type": "WEB",
"url": "https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222"
},
{
"type": "WEB",
"url": "https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3174",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,67 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3175",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-8038",
"GHSA-xwgj-vpm9-q2rq"
],
"summary": "Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju",
"details": "Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/juju/juju before v0.0.0-20240829052008-43f0fc59790d.",
"affected": [
{
"package": {
"name": "github.com/juju/juju",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"custom_ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20240829052008-43f0fc59790d"
}
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8038"
},
{
"type": "FIX",
"url": "https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b"
},
{
"type": "WEB",
"url": "https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3175",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,56 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3179",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-47616",
"GHSA-r7rh-jww5-5fjr"
],
"summary": "Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium",
"details": "Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium",
"affected": [
{
"package": {
"name": "github.com/pomerium/pomerium",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.27.1"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-r7rh-jww5-5fjr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47616"
},
{
"type": "FIX",
"url": "https://github.com/pomerium/pomerium/commit/e018cf0fc0979d2abe25ff705db019feb7523444"
},
{
"type": "WEB",
"url": "https://github.com/pomerium/pomerium/releases/tag/v0.27.1"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3179",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,67 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3181",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-9313",
"GHSA-x5q3-c8rm-w787"
],
"summary": "PAM module may allow accessing with the credentials of another user in github.com/ubuntu/authd",
"details": "PAM module may allow accessing with the credentials of another user in github.com/ubuntu/authd.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/ubuntu/authd before v0.0.0-20240930103526-63e527496b01.",
"affected": [
{
"package": {
"name": "github.com/ubuntu/authd",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"custom_ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20240930103526-63e527496b01"
}
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/ubuntu/authd/security/advisories/GHSA-x5q3-c8rm-w787"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9313"
},
{
"type": "ADVISORY",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9313"
},
{
"type": "FIX",
"url": "https://github.com/ubuntu/authd/commit/63e527496b013bed46904c1c58be593c13ebdce5"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3181",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,43 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3182",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"GHSA-wpr2-j6gr-pjw9"
],
"summary": "OpenTofu potential leaking of secret variable values when using static evaluation in v1.8 in github.com/opentofu/opentofu",
"details": "OpenTofu potential leaking of secret variable values when using static evaluation in v1.8 in github.com/opentofu/opentofu",
"affected": [
{
"package": {
"name": "github.com/opentofu/opentofu",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.8.0"
},
{
"fixed": "1.8.3"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/opentofu/opentofu/security/advisories/GHSA-wpr2-j6gr-pjw9"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3182",
"review_status": "UNREVIEWED"
}
}


@ -0,0 +1,24 @@
id: GO-2024-3161
modules:
- module: github.com/rancher/rancher
non_go_versions:
- introduced: 2.7.0
- fixed: 2.7.15
- introduced: 2.8.0
- fixed: 2.8.8
- introduced: 2.9.0
- fixed: 2.9.2
vulnerable_at: 1.6.30
summary: Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher
cves:
- CVE-2024-22030
ghsas:
- GHSA-h4h5-9833-v2p4
references:
- advisory: https://github.com/rancher/rancher/security/advisories/GHSA-h4h5-9833-v2p4
- web: https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify
- web: https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings
source:
id: GHSA-h4h5-9833-v2p4
created: 2024-10-08T11:00:07.819692-04:00
review_status: UNREVIEWED


@ -0,0 +1,22 @@
id: GO-2024-3162
modules:
- module: github.com/hashicorp/vault
versions:
- introduced: 1.7.7
- fixed: 1.17.6
vulnerable_at: 1.17.5
summary: |-
Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By
Default in github.com/hashicorp/vault
cves:
- CVE-2024-7594
ghsas:
- GHSA-jg74-mwgw-v6x3
references:
- advisory: https://github.com/advisories/GHSA-jg74-mwgw-v6x3
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-7594
- web: https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251
source:
id: GHSA-jg74-mwgw-v6x3
created: 2024-10-08T11:00:03.066641-04:00
review_status: UNREVIEWED


@ -0,0 +1,17 @@
id: GO-2024-3163
modules:
- module: github.com/amir20/dozzle
non_go_versions:
- fixed: 8.5.3
vulnerable_at: 1.29.0
summary: Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle
cves:
- CVE-2024-47182
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47182
- fix: https://github.com/amir20/dozzle/commit/de79f03aa3dbe5bb1e154a7e8d3dccbd229f3ea3
- web: https://github.com/amir20/dozzle/security/advisories/GHSA-w7qr-q9fh-fj35
source:
id: CVE-2024-47182
created: 2024-10-08T10:59:53.97116-04:00
review_status: UNREVIEWED


@ -0,0 +1,23 @@
id: GO-2024-3166
modules:
- module: github.com/theupdateframework/go-tuf
vulnerable_at: 0.7.0
- module: github.com/theupdateframework/go-tuf/v2
versions:
- fixed: 2.0.1
vulnerable_at: 2.0.0
summary: Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf
cves:
- CVE-2024-47534
ghsas:
- GHSA-4f8r-qqr9-fq8j
references:
- advisory: https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47534
- fix: https://github.com/theupdateframework/go-tuf/commit/f36420caba9edbfdfd64f95a9554c0836d9cf819
- web: https://github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go#L565-L580
- web: https://github.com/theupdateframework/tuf-conformance/pull/115
source:
id: GHSA-4f8r-qqr9-fq8j
created: 2024-10-08T10:58:11.67149-04:00
review_status: UNREVIEWED


@ -0,0 +1,24 @@
id: GO-2024-3167
modules:
- module: github.com/golang-fips/openssl
vulnerable_at: 0.0.0-20230605154532-724e32b0f4b8
- module: github.com/golang-fips/openssl/v2
unsupported_versions:
- last_affected: 2.0.3
vulnerable_at: 2.0.3
summary: Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl
cves:
- CVE-2024-9355
ghsas:
- GHSA-3h3x-2hwv-hr52
references:
- advisory: https://github.com/advisories/GHSA-3h3x-2hwv-hr52
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9355
- web: https://access.redhat.com/errata/RHSA-2024:7502
- web: https://access.redhat.com/errata/RHSA-2024:7550
- web: https://access.redhat.com/security/cve/CVE-2024-9355
- web: https://bugzilla.redhat.com/show_bug.cgi?id=2315719
source:
id: GHSA-3h3x-2hwv-hr52
created: 2024-10-08T10:58:05.90723-04:00
review_status: UNREVIEWED
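Review bot: Neither module entry records a fixed version: github.com/golang-fips/openssl has only `vulnerable_at`, and the v2 entry carries `unsupported_versions: - last_affected: 2.0.3`, which the generated OSV record in this same change does not emit, so the published range is `introduced: 0` with no upper bound and every release of both modules, including any that post-dates a fix, will be reported. If the upstream advisory names a patched release, it belongs under `versions: - fixed: <fixed version>`; if none exists yet, a `notes:` entry saying so would save the next triager from re-deriving that. The same unbounded shape appears in GO-2024-3169 for buildah and podman/v5.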


@ -0,0 +1,27 @@
id: GO-2024-3168
modules:
- module: github.com/grafana/alloy
versions:
- fixed: 1.3.4
- introduced: 1.4.0-rc.0
- fixed: 1.4.1
vulnerable_at: 1.4.0
summary: Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/alloy
cves:
- CVE-2024-8975
ghsas:
- GHSA-chqx-36rm-rf8h
references:
- advisory: https://github.com/advisories/GHSA-chqx-36rm-rf8h
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8975
- fix: https://github.com/grafana/alloy/commit/88e779887690954c009503598a3f4bf563cb6596
- fix: https://github.com/grafana/alloy/commit/f14249012fd970d3fd73604e6fff9b6c7990a9bb
- web: https://github.com/grafana/alloy/releases/tag/v1.3.4
- web: https://github.com/grafana/alloy/releases/tag/v1.4.0
- web: https://github.com/grafana/alloy/releases/tag/v1.4.1
- web: https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996
- web: https://grafana.com/security/security-advisories/cve-2024-8975
source:
id: GHSA-chqx-36rm-rf8h
created: 2024-10-08T10:57:59.230434-04:00
review_status: UNREVIEWED


@ -0,0 +1,32 @@
id: GO-2024-3169
modules:
- module: github.com/containers/buildah
unsupported_versions:
- last_affected: 1.37.3
vulnerable_at: 1.37.4
- module: github.com/containers/podman
vulnerable_at: 1.9.3
- module: github.com/containers/podman/v2
vulnerable_at: 2.2.1
- module: github.com/containers/podman/v3
vulnerable_at: 3.4.7
- module: github.com/containers/podman/v4
vulnerable_at: 4.9.5
- module: github.com/containers/podman/v5
unsupported_versions:
- last_affected: 5.2.3
vulnerable_at: 5.2.4
summary: Improper Input Validation in Buildah and Podman in github.com/containers/buildah
cves:
- CVE-2024-9407
ghsas:
- GHSA-fhqq-8f65-5xfc
references:
- advisory: https://github.com/advisories/GHSA-fhqq-8f65-5xfc
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9407
- web: https://access.redhat.com/security/cve/CVE-2024-9407
- web: https://bugzilla.redhat.com/show_bug.cgi?id=2315887
source:
id: GHSA-fhqq-8f65-5xfc
created: 2024-10-08T10:57:52.867555-04:00
review_status: UNREVIEWED
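Review bot: `vulnerable_at` is set past the version the source advisory marks as last affected for two modules: github.com/containers/buildah has `last_affected: 1.37.3` but `vulnerable_at: 1.37.4`, and github.com/containers/podman/v5 has `last_affected: 5.2.3` but `vulnerable_at: 5.2.4`. If 1.37.4 and 5.2.4 are the releases that shipped the fix, they should be recorded as `- fixed:` under `versions:` and `vulnerable_at` moved back to 1.37.3 and 5.2.3 respectively; as written, `vulnerable_at` presumably names a commit that already contains the fix. The generated OSV file for this report currently has `introduced: 0` with no bound for all six modules, so confirming the fixed releases against the upstream release notes before the report leaves UNREVIEWED would stop scanners flagging patched versions.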


@ -0,0 +1,25 @@
id: GO-2024-3170
modules:
- module: github.com/grafana/agent
versions:
- fixed: 0.43.3
vulnerable_at: 0.43.2
summary: |-
Grafana Agent (Flow mode) on Windows has Unquoted Search Path or Element
vulnerability in github.com/grafana/agent
cves:
- CVE-2024-8996
ghsas:
- GHSA-m5gv-m5f9-wgv4
references:
- advisory: https://github.com/advisories/GHSA-m5gv-m5f9-wgv4
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8996
- fix: https://github.com/grafana/agent/commit/91bab2c05906938d3f8e1e3c61a863f037985299
- web: https://github.com/grafana/agent/releases/tag/v0.43.2
- web: https://github.com/grafana/agent/releases/tag/v0.43.3
- web: https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996
- web: https://grafana.com/security/security-advisories/cve-2024-8996
source:
id: GHSA-m5gv-m5f9-wgv4
created: 2024-10-08T10:57:47.066929-04:00
review_status: UNREVIEWED


@ -0,0 +1,22 @@
id: GO-2024-3172
modules:
- module: github.com/portainer/portainer
non_go_versions:
- fixed: 2.20.2
vulnerable_at: 0.10.1
summary: Portainer improperly uses an encryption algorithm in the AesEncrypt function in github.com/portainer/portainer
cves:
- CVE-2024-33662
ghsas:
- GHSA-9mjw-79r6-c9m8
references:
- advisory: https://github.com/advisories/GHSA-9mjw-79r6-c9m8
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-33662
- report: https://github.com/portainer/portainer/issues/11737
- web: https://github.com/portainer/portainer/compare/2.20.1...2.20.2
- web: https://github.com/search?q=repo%3Aportainer%2Fportainer+EE-6764&type=pullrequests
- web: https://www.portainer.io
source:
id: GHSA-9mjw-79r6-c9m8
created: 2024-10-08T10:56:56.076983-04:00
review_status: UNREVIEWED


@ -0,0 +1,20 @@
id: GO-2024-3173
modules:
- module: github.com/juju/juju
versions:
- fixed: 0.0.0-20240826044107-ecd7e2d0e986
summary: JUJU_CONTEXT_ID is a predictable authentication secret in github.com/juju/juju
cves:
- CVE-2024-7558
ghsas:
- GHSA-mh98-763h-m9v4
references:
- advisory: https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-7558
- fix: https://github.com/juju/juju/commit/ecd7e2d0e9867576b9da04871e22232f06fa0cc7
notes:
- fix: 'github.com/juju/juju: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
id: GHSA-mh98-763h-m9v4
created: 2024-10-08T10:56:11.849364-04:00
review_status: UNREVIEWED
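Review bot: `vulnerable_at` is missing from the github.com/juju/juju module entry; the `notes:` line records that the tool could not derive it because the fixed version is a 0.0.0 pseudo-version, and the same gap is in GO-2024-3174. Every other report in this change carries the field, so it should be filled by hand with the pseudo-version of the commit immediately preceding the fix, e.g. `vulnerable_at: <pseudo-version of the parent of ecd7e2d0e986>`. Once it is set, the `notes: - fix:` entry no longer describes the report and should be dropped at the same time.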


@ -0,0 +1,22 @@
id: GO-2024-3174
modules:
- module: github.com/juju/juju
versions:
- fixed: 0.0.0-20240820065804-2f2ec128ef5a
summary: Vulnerable juju hook tool abstract UNIX domain socket in github.com/juju/juju
cves:
- CVE-2024-8037
ghsas:
- GHSA-8v4w-f4r9-7h6x
references:
- advisory: https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8037
- fix: https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206
- web: https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222
- web: https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4
notes:
- fix: 'github.com/juju/juju: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
id: GHSA-8v4w-f4r9-7h6x
created: 2024-10-08T10:55:15.039767-04:00
review_status: UNREVIEWED


@ -0,0 +1,20 @@
id: GO-2024-3175
modules:
- module: github.com/juju/juju
non_go_versions:
- fixed: 0.0.0-20240829052008-43f0fc59790d
vulnerable_at: 0.0.0-20241008120523-919931217918
summary: Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju
cves:
- CVE-2024-8038
ghsas:
- GHSA-xwgj-vpm9-q2rq
references:
- advisory: https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8038
- fix: https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b
- web: https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125
source:
id: GHSA-xwgj-vpm9-q2rq
created: 2024-10-08T10:54:30.860927-04:00
review_status: UNREVIEWED
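Review bot: The fixed version `0.0.0-20240829052008-43f0fc59790d` is a Go pseudo-version but is listed under `non_go_versions:`, whereas GO-2024-3173 and GO-2024-3174 put the same kind of juju pseudo-version under `versions:`; as a result the generated OSV record for this report has `introduced: 0` with no fix event and reports every version of github.com/juju/juju, with the fix visible only in `custom_ranges`. `vulnerable_at: 0.0.0-20241008120523-919931217918` also post-dates that fix by six weeks, so it presumably names a commit that already contains the fix. If the pseudo-version resolves as a module version, moving it to `versions: - fixed:` and choosing a `vulnerable_at` that precedes it would make the three juju reports consistent; GO-2024-3181 (github.com/ubuntu/authd) uses the same `non_go_versions` shape for a pseudo-version and may warrant the same check.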


@ -0,0 +1,22 @@
id: GO-2024-3179
modules:
- module: github.com/pomerium/pomerium
versions:
- fixed: 0.27.1
vulnerable_at: 0.27.0
summary: |-
Pomerium service account access token may grant unintended access to databroker
API in github.com/pomerium/pomerium
cves:
- CVE-2024-47616
ghsas:
- GHSA-r7rh-jww5-5fjr
references:
- advisory: https://github.com/pomerium/pomerium/security/advisories/GHSA-r7rh-jww5-5fjr
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47616
- fix: https://github.com/pomerium/pomerium/commit/e018cf0fc0979d2abe25ff705db019feb7523444
- web: https://github.com/pomerium/pomerium/releases/tag/v0.27.1
source:
id: GHSA-r7rh-jww5-5fjr
created: 2024-10-08T10:54:22.040469-04:00
review_status: UNREVIEWED


@ -0,0 +1,20 @@
id: GO-2024-3181
modules:
- module: github.com/ubuntu/authd
non_go_versions:
- fixed: 0.0.0-20240930103526-63e527496b01
vulnerable_at: 0.0.0-20230706090440-d8cb2d561419
summary: PAM module may allow accessing with the credentials of another user in github.com/ubuntu/authd
cves:
- CVE-2024-9313
ghsas:
- GHSA-x5q3-c8rm-w787
references:
- advisory: https://github.com/ubuntu/authd/security/advisories/GHSA-x5q3-c8rm-w787
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9313
- advisory: https://www.cve.org/CVERecord?id=CVE-2024-9313
- fix: https://github.com/ubuntu/authd/commit/63e527496b013bed46904c1c58be593c13ebdce5
source:
id: GHSA-x5q3-c8rm-w787
created: 2024-10-08T10:54:15.521922-04:00
review_status: UNREVIEWED


@ -0,0 +1,18 @@
id: GO-2024-3182
modules:
- module: github.com/opentofu/opentofu
versions:
- introduced: 1.8.0
- fixed: 1.8.3
vulnerable_at: 1.8.2
summary: |-
OpenTofu potential leaking of secret variable values when using static
evaluation in v1.8 in github.com/opentofu/opentofu
ghsas:
- GHSA-wpr2-j6gr-pjw9
references:
- advisory: https://github.com/opentofu/opentofu/security/advisories/GHSA-wpr2-j6gr-pjw9
source:
id: GHSA-wpr2-j6gr-pjw9
created: 2024-10-08T10:54:13.414193-04:00
review_status: UNREVIEWED