data/reports: add 5 unreviewed reports

- data/reports/GO-2024-2612.yaml
- data/reports/GO-2024-2684.yaml
- data/reports/GO-2024-2699.yaml
- data/reports/GO-2024-2776.yaml
- data/reports/GO-2024-2769.yaml

Fixes golang/vulndb#2612
Fixes golang/vulndb#2684
Fixes golang/vulndb#2699
Fixes golang/vulndb#2776
Fixes golang/vulndb#2769

Change-Id: I233aeca23f767773c1238eeec2450617801ae69b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/591199
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Tatiana Bradley 2024-06-06 16:20:39 -04:00
Родитель afddd60f5a
Коммит f74ecab81b
10 изменённых файлов: 410 добавлений и 0 удалений


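--- /dev/null
+++ b/[PATH-NOT-ON-PAGE: OSV JSON for GO-2024-2612]
@@ -0,0 +1,60 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-2612",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-2056"
+],
+"summary": "Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon",
+"details": "Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon",
+"affected": [
+{
+"package": {
+"name": "github.com/gvalkov/tailon",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2056"
+},
+{
+"type": "WEB",
+"url": "http://seclists.org/fulldisclosure/2024/Mar/14"
+},
+{
+"type": "WEB",
+"url": "https://github.com/gvalkov/tailon#security"
+},
+{
+"type": "WEB",
+"url": "https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt"
+}
+],
+"credits": [
+{
+"name": "Jim Becher of KoreLogic, Inc."
+},
+{
+"name": "Jaggar Henry of KoreLogic, Inc."
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-2612",
+"review_status": "UNREVIEWED"
+}
+}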


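--- /dev/null
+++ b/[PATH-NOT-ON-PAGE: OSV JSON for GO-2024-2684]
@@ -0,0 +1,53 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-2684",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-22780",
+"GHSA-hwvw-gh23-qpvq"
+],
+"summary": "CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs",
+"details": "CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs",
+"affected": [
+{
+"package": {
+"name": "github.com/ca17/teamsacs",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-hwvw-gh23-qpvq"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22780"
+},
+{
+"type": "WEB",
+"url": "https://fuo.fi/CVE-2024-22780"
+},
+{
+"type": "WEB",
+"url": "https://github.com/CA17/TeamsACS/issues/26"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-2684",
+"review_status": "UNREVIEWED"
+}
+}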


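--- /dev/null
+++ b/[PATH-NOT-ON-PAGE: OSV JSON for GO-2024-2699]
@@ -0,0 +1,56 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-2699",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-28224",
+"GHSA-5jx5-hqx5-2vrj"
+],
+"summary": "Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama",
+"details": "Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama",
+"affected": [
+{
+"package": {
+"name": "github.com/jmorganca/ollama",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "0.1.29"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-5jx5-hqx5-2vrj"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28224"
+},
+{
+"type": "WEB",
+"url": "https://github.com/ollama/ollama/releases"
+},
+{
+"type": "WEB",
+"url": "https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-2699",
+"review_status": "UNREVIEWED"
+}
+}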


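--- /dev/null
+++ b/[PATH-NOT-ON-PAGE: OSV JSON for GO-2024-2769]
@@ -0,0 +1,60 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-2769",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2022-38183",
+"GHSA-fhv8-m4j4-cww2"
+],
+"summary": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
+"details": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
+"affected": [
+{
+"package": {
+"name": "code.gitea.io/gitea",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.16.9"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-fhv8-m4j4-cww2"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38183"
+},
+{
+"type": "WEB",
+"url": "https://blog.gitea.io/2022/07/gitea-1.16.9-is-released"
+},
+{
+"type": "WEB",
+"url": "https://github.com/go-gitea/gitea/pull/20133"
+},
+{
+"type": "WEB",
+"url": "https://github.com/go-gitea/gitea/pull/20196"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-2769",
+"review_status": "UNREVIEWED"
+}
+}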


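--- /dev/null
+++ b/[PATH-NOT-ON-PAGE: OSV JSON for GO-2024-2776]
@@ -0,0 +1,70 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-2776",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2021-43350",
+"GHSA-mg2c-rc36-p594"
+],
+"summary": "Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol",
+"details": "Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol",
+"affected": [
+{
+"package": {
+"name": "github.com/apache/trafficcontrol",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "5.1.0+incompatible"
+},
+{
+"fixed": "5.1.4+incompatible"
+},
+{
+"introduced": "6.0.0+incompatible"
+},
+{
+"fixed": "6.0.1+incompatible"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-mg2c-rc36-p594"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43350"
+},
+{
+"type": "WEB",
+"url": "http://www.openwall.com/lists/oss-security/2021/11/11/3"
+},
+{
+"type": "WEB",
+"url": "http://www.openwall.com/lists/oss-security/2021/11/11/4"
+},
+{
+"type": "WEB",
+"url": "http://www.openwall.com/lists/oss-security/2021/11/17/1"
+},
+{
+"type": "WEB",
+"url": "https://trafficcontrol.apache.org/security"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-2776",
+"review_status": "UNREVIEWED"
+}
+}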


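--- /dev/null
+++ b/data/reports/GO-2024-2612.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2612
+modules:
+- module: github.com/gvalkov/tailon
+unsupported_versions:
+- version: 'affected at 4.50 (default: unaffected)'
+type: cve_version_range
+vulnerable_at: 1.1.0
+summary: Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon
+cves:
+- CVE-2024-2056
+credits:
+- Jim Becher of KoreLogic, Inc.
+- Jaggar Henry of KoreLogic, Inc.
+references:
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-2056
+- web: http://seclists.org/fulldisclosure/2024/Mar/14
+- web: https://github.com/gvalkov/tailon#security
+- web: https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt
+source:
+id: CVE-2024-2056
+created: 2024-06-06T16:15:26.949858-04:00
+review_status: UNREVIEWED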
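Review bot: The version string kept under `unsupported_versions`, `affected at 4.50 (default: unaffected)`, does not look like a github.com/gvalkov/tailon release at all (the report's own `vulnerable_at` is `1.1.0`), and the summary names Artica Proxy rather than tailon, so the CVE's version data presumably describes the Artica Proxy product that bundles tailon. With no usable range, the generated OSV entry marks every tailon version as affected (`introduced: "0"`, no `fixed`), which will fire for all importers of the module even if the defect is in Artica's deployment rather than in tailon. Before this leaves UNREVIEWED it is worth confirming whether tailon itself is the vulnerable component; in the meantime a line such as `# NOTE(review): CVE version range refers to Artica Proxy, not this module; tailon range unverified` next to `unsupported_versions` would save the reviewer re-deriving that.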


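--- /dev/null
+++ b/data/reports/GO-2024-2684.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2684
+modules:
+- module: github.com/ca17/teamsacs
+unsupported_versions:
+- version: 1.0.2
+type: last_affected
+vulnerable_at: 1.0.3
+summary: CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs
+cves:
+- CVE-2024-22780
+ghsas:
+- GHSA-hwvw-gh23-qpvq
+references:
+- advisory: https://github.com/advisories/GHSA-hwvw-gh23-qpvq
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-22780
+- web: https://fuo.fi/CVE-2024-22780
+- web: https://github.com/CA17/TeamsACS/issues/26
+source:
+id: GHSA-hwvw-gh23-qpvq
+created: 2024-06-06T16:16:42.764735-04:00
+review_status: UNREVIEWED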
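Review bot: `vulnerable_at: 1.0.3` is higher than the `last_affected` version `1.0.2` recorded two lines above it under `unsupported_versions`, so the version picked for checking is one the upstream advisory does not itself claim is affected, while the generated OSV range (`introduced: "0"`, no `fixed`) treats every version as vulnerable. If 1.0.2 really is the last affected release, `vulnerable_at` should be at most `1.0.2`; if the `last_affected` marker is not trusted (it is recorded as unsupported here) a short comment saying so would stop the next reviewer from re-checking it. Suggested change: `vulnerable_at: 1.0.2`, or keep 1.0.3 and add `# NOTE(review): last_affected 1.0.2 from the GHSA is unverified; all versions treated as affected`.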


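--- /dev/null
+++ b/data/reports/GO-2024-2699.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2699
+modules:
+- module: github.com/jmorganca/ollama
+versions:
+- fixed: 0.1.29
+vulnerable_at: 0.1.28
+summary: Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama
+cves:
+- CVE-2024-28224
+ghsas:
+- GHSA-5jx5-hqx5-2vrj
+references:
+- advisory: https://github.com/advisories/GHSA-5jx5-hqx5-2vrj
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-28224
+- web: https://github.com/ollama/ollama/releases
+- web: https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224
+source:
+id: GHSA-5jx5-hqx5-2vrj
+created: 2024-06-06T16:17:36.326182-04:00
+review_status: UNREVIEWED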
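Review bot: The only affected module listed is `github.com/jmorganca/ollama`, yet the WEB references in the same report point at `github.com/ollama/ollama`, which suggests the project moved to a new path at some point around the fix. If versions below 0.1.29 are also reachable under the newer import path, this report would produce no finding for users who import it, so it is worth confirming before review whether a second `- module: github.com/ollama/ollama` entry with the same `fixed: 0.1.29` and `vulnerable_at: 0.1.28` is needed. Until that is settled, a `# NOTE(review): references use github.com/ollama/ollama; check whether that path needs its own module entry` line under `modules:` would flag the gap.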


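--- /dev/null
+++ b/data/reports/GO-2024-2769.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2769
+modules:
+- module: code.gitea.io/gitea
+versions:
+- fixed: 1.16.9
+vulnerable_at: 1.16.8
+summary: Gitea allowed assignment of private issues in code.gitea.io/gitea
+cves:
+- CVE-2022-38183
+ghsas:
+- GHSA-fhv8-m4j4-cww2
+unknown_aliases:
+- BIT-gitea-2022-38183
+references:
+- advisory: https://github.com/advisories/GHSA-fhv8-m4j4-cww2
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-38183
+- web: https://blog.gitea.io/2022/07/gitea-1.16.9-is-released
+- web: https://github.com/go-gitea/gitea/pull/20133
+- web: https://github.com/go-gitea/gitea/pull/20196
+source:
+id: GHSA-fhv8-m4j4-cww2
+created: 2024-06-06T16:18:38.02836-04:00
+review_status: UNREVIEWED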


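--- /dev/null
+++ b/data/reports/GO-2024-2776.yaml
@@ -0,0 +1,25 @@
+id: GO-2024-2776
+modules:
+- module: github.com/apache/trafficcontrol
+versions:
+- introduced: 5.1.0+incompatible
+fixed: 5.1.4+incompatible
+- introduced: 6.0.0+incompatible
+fixed: 6.0.1+incompatible
+vulnerable_at: 6.0.0+incompatible
+summary: Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol
+cves:
+- CVE-2021-43350
+ghsas:
+- GHSA-mg2c-rc36-p594
+references:
+- advisory: https://github.com/advisories/GHSA-mg2c-rc36-p594
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-43350
+- web: http://www.openwall.com/lists/oss-security/2021/11/11/3
+- web: http://www.openwall.com/lists/oss-security/2021/11/11/4
+- web: http://www.openwall.com/lists/oss-security/2021/11/17/1
+- web: https://trafficcontrol.apache.org/security
+source:
+id: GHSA-mg2c-rc36-p594
+created: 2024-06-06T16:13:56.758827-04:00
+review_status: UNREVIEWED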