diff --git a/data/excluded/GO-2022-0367.yaml b/data/excluded/GO-2022-0367.yaml deleted file mode 100644 index a29f28944..000000000 --- a/data/excluded/GO-2022-0367.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0367 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/keep-network/keep-ecdsa -ghsas: - - GHSA-gp6j-vx54-5pmf diff --git a/data/excluded/GO-2022-0368.yaml b/data/excluded/GO-2022-0368.yaml deleted file mode 100644 index 39994ffac..000000000 --- a/data/excluded/GO-2022-0368.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0368 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/coredns/coredns -ghsas: - - GHSA-gv9j-4w24-q7vx diff --git a/data/excluded/GO-2022-0369.yaml b/data/excluded/GO-2022-0369.yaml deleted file mode 100644 index b79ffa792..000000000 --- a/data/excluded/GO-2022-0369.yaml +++ /dev/null @@ -1,9 +0,0 @@ -id: GO-2022-0369 -excluded: NOT_IMPORTABLE -modules: - - module: gogs.io/gogs -cves: - - CVE-2022-0871 -ghsas: - - GHSA-65f3-3278-7m65 - - GHSA-gw5h-h6hj-f56g diff --git a/data/excluded/GO-2022-0372.yaml b/data/excluded/GO-2022-0372.yaml deleted file mode 100644 index e9d0d0f10..000000000 --- a/data/excluded/GO-2022-0372.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2022-0372 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/projectdiscovery/interactsh -cves: - - CVE-2023-36474 -ghsas: - - GHSA-m36x-mgfh-8g78 diff --git a/data/excluded/GO-2022-0374.yaml b/data/excluded/GO-2022-0374.yaml deleted file mode 100644 index 2198331f8..000000000 --- a/data/excluded/GO-2022-0374.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0374 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/foxcpp/maddy -ghsas: - - GHSA-m6m5-pp4g-fcc8 diff --git a/data/excluded/GO-2022-0375.yaml b/data/excluded/GO-2022-0375.yaml deleted file mode 100644 index e2519c7f9..000000000 --- a/data/excluded/GO-2022-0375.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -id: GO-2022-0375 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/treeverse/lakefs -ghsas: - - GHSA-m836-gxwq-j2pm diff --git a/data/excluded/GO-2022-0377.yaml b/data/excluded/GO-2022-0377.yaml deleted file mode 100644 index 92d1955fb..000000000 --- a/data/excluded/GO-2022-0377.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0377 -excluded: NOT_IMPORTABLE -modules: - - module: gogs.io/gogs -ghsas: - - GHSA-q347-cg56-pcq4 diff --git a/data/excluded/GO-2022-0378.yaml b/data/excluded/GO-2022-0378.yaml deleted file mode 100644 index 808beb2c6..000000000 --- a/data/excluded/GO-2022-0378.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0378 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/foxcpp/maddy -ghsas: - - GHSA-qh54-9vc5-m9fg diff --git a/data/excluded/GO-2022-0381.yaml b/data/excluded/GO-2022-0381.yaml deleted file mode 100644 index 86a041649..000000000 --- a/data/excluded/GO-2022-0381.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0381 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/google/exposure-notifications-server -ghsas: - - GHSA-3wxm-m9m4-cprj diff --git a/data/excluded/GO-2022-0387.yaml b/data/excluded/GO-2022-0387.yaml deleted file mode 100644 index 1d9203012..000000000 --- a/data/excluded/GO-2022-0387.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0387 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/argoproj/argo-cd -ghsas: - - GHSA-6w87-g839-9wv7 diff --git a/data/excluded/GO-2022-0388.yaml b/data/excluded/GO-2022-0388.yaml deleted file mode 100644 index eb1312cc0..000000000 --- a/data/excluded/GO-2022-0388.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0388 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/argoproj/argo-workflows/v3 -ghsas: - - GHSA-6c73-2v8x-qpvm diff --git a/data/excluded/GO-2022-0389.yaml b/data/excluded/GO-2022-0389.yaml deleted file mode 100644 index e2ad9a29c..000000000 --- a/data/excluded/GO-2022-0389.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -id: GO-2022-0389 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/pterodactyl/wings -ghsas: - - GHSA-6rg3-8h8x-5xfv diff --git a/data/excluded/GO-2022-0390.yaml b/data/excluded/GO-2022-0390.yaml deleted file mode 100644 index 0e2ab9d2a..000000000 --- a/data/excluded/GO-2022-0390.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2022-0390 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/moby/moby -cves: - - CVE-2022-24769 -ghsas: - - GHSA-2mm7-x5h6-5pvq diff --git a/data/excluded/GO-2022-0392.yaml b/data/excluded/GO-2022-0392.yaml deleted file mode 100644 index d4727342c..000000000 --- a/data/excluded/GO-2022-0392.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0392 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/ethereum/go-ethereum -ghsas: - - GHSA-m6gx-rhvj-fh52 diff --git a/data/excluded/GO-2022-0393.yaml b/data/excluded/GO-2022-0393.yaml deleted file mode 100644 index 805a11f10..000000000 --- a/data/excluded/GO-2022-0393.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0393 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/cilium/cilium -ghsas: - - GHSA-c66w-hq56-4q97 diff --git a/data/excluded/GO-2022-0395.yaml b/data/excluded/GO-2022-0395.yaml deleted file mode 100644 index 5b91cf522..000000000 --- a/data/excluded/GO-2022-0395.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0395 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/cli/cli -ghsas: - - GHSA-fqfh-778m-2v32 diff --git a/data/excluded/GO-2022-0396.yaml b/data/excluded/GO-2022-0396.yaml deleted file mode 100644 index 0d503d811..000000000 --- a/data/excluded/GO-2022-0396.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0396 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/opencontainers/runc -ghsas: - - GHSA-g54h-m393-cpwq diff --git a/data/excluded/GO-2022-0398.yaml b/data/excluded/GO-2022-0398.yaml deleted file mode 100644 index dca54fbd1..000000000 --- a/data/excluded/GO-2022-0398.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -id: GO-2022-0398 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/nats-io/nats-server/v2 -ghsas: - - GHSA-gwj5-3vfq-q992 diff --git a/data/excluded/GO-2022-0405.yaml b/data/excluded/GO-2022-0405.yaml deleted file mode 100644 index a71fae085..000000000 --- a/data/excluded/GO-2022-0405.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2022-0405 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/argoproj/argo-workflows/v3 -ghsas: - - GHSA-prqf-xr2j-xf65 diff --git a/data/excluded/GO-2022-0406.yaml b/data/excluded/GO-2022-0406.yaml deleted file mode 100644 index 7bbcb239c..000000000 --- a/data/excluded/GO-2022-0406.yaml +++ /dev/null @@ -1,9 +0,0 @@ -id: GO-2022-0406 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/ory/oathkeeper -ghsas: - - GHSA-qvp4-rpmr-xwrr -related: - - CVE-2021-32701 - - GHSA-vfvf-6gx5-mqv6 diff --git a/data/osv/GO-2022-0367.json b/data/osv/GO-2022-0367.json new file mode 100644 index 000000000..5952e64b0 --- /dev/null +++ b/data/osv/GO-2022-0367.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0367", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-gp6j-vx54-5pmf" + ], + "summary": "Incorrect validation of parties IDs leaks secret keys in Secret-sharing scheme in github.com/keep-network/keep-ecdsa", + "details": "Incorrect validation of parties IDs leaks secret keys in Secret-sharing scheme in github.com/keep-network/keep-ecdsa", + "affected": [ + { + "package": { + "name": "github.com/keep-network/keep-ecdsa", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/keep-network/keep-ecdsa/security/advisories/GHSA-gp6j-vx54-5pmf" + }, + { + "type": "WEB", + "url": "https://github.com/keep-network/keep-ecdsa/releases/tag/v1.8.1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0367", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0368.json b/data/osv/GO-2022-0368.json new file mode 100644 index 000000000..134531c2e --- /dev/null +++ b/data/osv/GO-2022-0368.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0368", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-gv9j-4w24-q7vx" + ], + "summary": "Improper random number generation in github.com/coredns/coredns", + "details": "Improper random number generation in github.com/coredns/coredns", + "affected": [ + { + "package": { + "name": "github.com/coredns/coredns", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/coredns/coredns/security/advisories/GHSA-gv9j-4w24-q7vx" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0368", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0369.json b/data/osv/GO-2022-0369.json new file mode 100644 index 000000000..27b806e04 --- /dev/null +++ b/data/osv/GO-2022-0369.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0369", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-0871", + "GHSA-gw5h-h6hj-f56g" + ], + "summary": "Gogs vulnerable to improper PAM authorization handling in gogs.io/gogs", + "details": "Gogs vulnerable to improper PAM authorization handling in gogs.io/gogs", + "affected": [ + { + "package": { + "name": "gogs.io/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/gogs/gogs/security/advisories/GHSA-gw5h-h6hj-f56g" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0871" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/commit/64102be2c90e1b47dbdd379873ba76c80d4b0e78" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/issues/6810" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/ea82cfc9-b55c-41fe-ae58-0d0e0bd7ab62" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0369", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0372.json b/data/osv/GO-2022-0372.json new file mode 100644 index 000000000..1730b0559 --- /dev/null +++ b/data/osv/GO-2022-0372.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0372", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-36474", + "GHSA-m36x-mgfh-8g78" + ], + "summary": "Subdomain Takeover in Interactsh server in github.com/projectdiscovery/interactsh", + "details": "Subdomain Takeover in Interactsh server in github.com/projectdiscovery/interactsh", + "affected": [ + { + "package": { + "name": "github.com/projectdiscovery/interactsh", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36474" + }, + { + "type": "FIX", + "url": "https://github.com/projectdiscovery/interactsh/pull/155" + }, + { + "type": "REPORT", + "url": "https://github.com/projectdiscovery/interactsh/issues/136" + }, + { + "type": "WEB", + "url": "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0372", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0374.json b/data/osv/GO-2022-0374.json new file mode 100644 index 000000000..d4dbc20bb --- /dev/null +++ b/data/osv/GO-2022-0374.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0374", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-m6m5-pp4g-fcc8" + ], + "summary": "S3 storage write is not aborted on errors leading to unbounded memory usage in github.com/foxcpp/maddy", + "details": "S3 storage write is not aborted on errors leading to unbounded memory usage in github.com/foxcpp/maddy", + "affected": [ + { + "package": { + "name": "github.com/foxcpp/maddy", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.5.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-m6m5-pp4g-fcc8" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0374", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0375.json b/data/osv/GO-2022-0375.json new file mode 100644 index 000000000..53ee4f6f5 --- /dev/null +++ b/data/osv/GO-2022-0375.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0375", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-m836-gxwq-j2pm" + ], + "summary": "Improper Access Control in github.com/treeverse/lakefs", + "details": "Improper Access Control in github.com/treeverse/lakefs", + "affected": [ + { + "package": { + "name": "github.com/treeverse/lakefs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.53.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/treeverse/lakeFS/security/advisories/GHSA-m836-gxwq-j2pm" + }, + { + "type": "WEB", + "url": "https://github.com/treeverse/lakeFS/commit/f2117281cadb14fdf9ac7fe287f84d5c10308b88" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0375", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0377.json b/data/osv/GO-2022-0377.json new file mode 100644 index 000000000..4ba3f5b15 --- /dev/null +++ b/data/osv/GO-2022-0377.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0377", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-q347-cg56-pcq4" + ], + "summary": "SSRF in repository migration in gogs.io/gogs", + "details": "SSRF in repository migration in gogs.io/gogs", + "affected": [ + { + "package": { + "name": "gogs.io/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/gogs/gogs/security/advisories/GHSA-q347-cg56-pcq4" + }, + { + "type": "WEB", + "url": "https://www.huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0377", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0378.json b/data/osv/GO-2022-0378.json new file mode 100644 index 000000000..8e461646a --- /dev/null +++ b/data/osv/GO-2022-0378.json @@ -0,0 +1,43 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0378", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-qh54-9vc5-m9fg" + ], + "summary": "MD5 hash support in github.com/foxcpp/maddy", + "details": "MD5 hash support in github.com/foxcpp/maddy", + "affected": [ + { + "package": { + "name": "github.com/foxcpp/maddy", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.5.0" + }, + { + "fixed": "0.5.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-qh54-9vc5-m9fg" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0378", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2022-0381.json b/data/osv/GO-2022-0381.json new file mode 100644 index 000000000..f20719e67 --- /dev/null +++ b/data/osv/GO-2022-0381.json @@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0381", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-3wxm-m9m4-cprj" + ], + "summary": "Import of incorrectly embargoed keys could cause early publication in github.com/google/exposure-notifications-server", + "details": "Import of incorrectly embargoed keys could cause early publication in github.com/google/exposure-notifications-server", + "affected": [ + { + "package": { + "name": "github.com/google/exposure-notifications-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.18.3" + }, + { + "introduced": "0.19.0" + }, + { + "fixed": "0.19.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/google/exposure-notifications-server/security/advisories/GHSA-3wxm-m9m4-cprj" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0381", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0387.json b/data/osv/GO-2022-0387.json new file mode 100644 index 000000000..df0bb9588 --- /dev/null +++ b/data/osv/GO-2022-0387.json 
@@ -0,0 +1,49 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0387", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-6w87-g839-9wv7" + ], + "summary": "Helm OCI credentials leaked into Argo CD logs in github.com/argoproj/argo-cd", + "details": "Helm OCI credentials leaked into Argo CD logs in github.com/argoproj/argo-cd", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-cd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.7.14" + }, + { + "introduced": "1.8.0" + }, + { + "fixed": "1.8.7" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6w87-g839-9wv7" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0387", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0388.json b/data/osv/GO-2022-0388.json new file mode 100644 index 000000000..b2e9b4d23 --- /dev/null +++ b/data/osv/GO-2022-0388.json 
@@ -0,0 +1,83 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0388", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-6c73-2v8x-qpvm" + ], + "summary": "Argo Server TLS requests could be forged by attacker with network access in github.com/argoproj/argo-workflows", + "details": "Argo Server TLS requests could be forged by attacker with network access in github.com/argoproj/argo-workflows", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-workflows", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-workflows/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-workflows/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.0.9" + }, + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-6c73-2v8x-qpvm" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0388", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0389.json b/data/osv/GO-2022-0389.json new file mode 100644 index 000000000..e9f9b9207 --- /dev/null +++ b/data/osv/GO-2022-0389.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0389", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-6rg3-8h8x-5xfv" + ], + "summary": "Unchecked hostname resolution could allow access to local network resources by users outside the local network in github.com/pterodactyl/wings", + "details": "Unchecked hostname resolution could allow access to local network resources by users outside the local network in github.com/pterodactyl/wings", + "affected": [ + { + "package": { + "name": "github.com/pterodactyl/wings", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.2.0" + }, + { + "fixed": "1.2.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0389", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0390.json b/data/osv/GO-2022-0390.json new file mode 100644 index 000000000..9daa57c7e --- /dev/null +++ b/data/osv/GO-2022-0390.json 
@@ -0,0 +1,140 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0390", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-24769", + "GHSA-2mm7-x5h6-5pvq" + ], + "summary": "Moby (Docker Engine) started with non-empty inheritable Linux process capabilities in github.com/docker/docker", + "details": "Moby (Docker Engine) started with non-empty inheritable Linux process capabilities in github.com/docker/docker", + "affected": [ + { + "package": { + "name": "github.com/docker/docker", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "20.10.14+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/moby/moby", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "20.10.14+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24769" + }, + { + "type": "FIX", + "url": "https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f" + }, + { + "type": "FIX", + "url": "https://github.com/moby/moby/commit/7f375bcff41ce672cd61e9a31f3eeb2966e3dbe1" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2022/05/12/1" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/releases/tag/v20.10.14" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG" + }, + { + "type": "WEB", + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-31" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5162" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0390", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
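Review bot: The references list for GO-2022-0390 carries each of the six Fedora package-announce URLs twice, once with `%40` and once with a literal `@` in the list address; both forms resolve to the same message, so only one should be kept (the `%40` form matches the encoding used elsewhere in this database). The duplicates presumably originate in the source report's `references` block, which is outside this view, so the de-duplication belongs there so that the regenerated JSON drops them. Separately, the deleted excluded record named only github.com/moby/moby while this record lists both github.com/docker/docker and github.com/moby/moby with `fixed: 20.10.14+incompatible`; that is the usual shape for Moby, but worth a glance since it is being published unreviewed.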
diff --git a/data/osv/GO-2022-0392.json b/data/osv/GO-2022-0392.json new file mode 100644 index 000000000..cffc6588a --- /dev/null +++ b/data/osv/GO-2022-0392.json @@ -0,0 +1,43 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0392", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-m6gx-rhvj-fh52" + ], + "summary": "Denial of service in go-ethereum due to CVE-2020-28362 in github.com/ethereum/go-ethereum", + "details": "Denial of service in go-ethereum due to CVE-2020-28362 in github.com/ethereum/go-ethereum", + "affected": [ + { + "package": { + "name": "github.com/ethereum/go-ethereum", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.24" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-m6gx-rhvj-fh52" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0392", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0393.json b/data/osv/GO-2022-0393.json new file mode 100644 index 000000000..ccd595f55 --- /dev/null +++ b/data/osv/GO-2022-0393.json 
@@ -0,0 +1,55 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0393", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-c66w-hq56-4q97" + ], + "summary": "Network policy may be bypassed by some ICMP Echo Requests in github.com/cilium/cilium", + "details": "Network policy may be bypassed by some ICMP Echo Requests in github.com/cilium/cilium", + "affected": [ + { + "package": { + "name": "github.com/cilium/cilium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.7.8" + }, + { + "fixed": "1.7.15" + }, + { + "introduced": "1.8.3" + }, + { + "fixed": "1.8.8" + }, + { + "introduced": "1.9.0" + }, + { + "fixed": "1.9.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cilium/cilium/security/advisories/GHSA-c66w-hq56-4q97" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0393", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0395.json b/data/osv/GO-2022-0395.json new file mode 100644 index 000000000..fe2f4e1a7 --- /dev/null +++ b/data/osv/GO-2022-0395.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0395", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-fqfh-778m-2v32" + ], + "summary": "GitHub CLI can execute a git binary from the current directory in github.com/cli/cli", + "details": "GitHub CLI can execute a git binary from the current directory in github.com/cli/cli", + "affected": [ + { + "package": { + "name": "github.com/cli/cli", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cli/cli/security/advisories/GHSA-fqfh-778m-2v32" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0395", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0396.json b/data/osv/GO-2022-0396.json new file mode 100644 index 000000000..721b1ae01 --- /dev/null +++ b/data/osv/GO-2022-0396.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0396", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-g54h-m393-cpwq" + ], + "summary": "devices resource list treated as a blacklist by default in github.com/opencontainers/runc", + "details": "devices resource list treated as a blacklist by default in github.com/opencontainers/runc", + "affected": [ + { + "package": { + "name": "github.com/opencontainers/runc", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0-rc91" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0396", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0398.json b/data/osv/GO-2022-0398.json new file mode 100644 index 000000000..7b7f23bfa --- /dev/null +++ b/data/osv/GO-2022-0398.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0398", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-gwj5-3vfq-q992" + ], + "summary": "Import loops in account imports, nats-server DoS in github.com/nats-io/nats-server", + "details": "Import loops in account imports, nats-server DoS in github.com/nats-io/nats-server", + "affected": [ + { + "package": { + "name": "github.com/nats-io/nats-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/nats-io/nats-server/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-gwj5-3vfq-q992" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0398", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0405.json b/data/osv/GO-2022-0405.json new file mode 100644 index 000000000..c604f43bb --- /dev/null +++ b/data/osv/GO-2022-0405.json 
@@ -0,0 +1,83 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0405", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-prqf-xr2j-xf65" + ], + "summary": "Potential privilege escalation on Kubernetes \u003e= v1.19 when the Argo Sever is run with `--auth-mode=client` in github.com/argoproj/argo-workflows", + "details": "Potential privilege escalation on Kubernetes \u003e= v1.19 when the Argo Sever is run with `--auth-mode=client` in github.com/argoproj/argo-workflows", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-workflows", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-workflows/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-workflows/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.0.9" + }, + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-prqf-xr2j-xf65" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0405", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0406.json b/data/osv/GO-2022-0406.json new file mode 100644 index 000000000..f2ada0b2a --- /dev/null +++ b/data/osv/GO-2022-0406.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0406", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-qvp4-rpmr-xwrr" + ], + "summary": "Possible bypass of token claim validation when OAuth2 Introspection caching is enabled in github.com/ory/oathkeeper", + "details": "Possible bypass of token claim validation when OAuth2 Introspection caching is enabled in github.com/ory/oathkeeper", + "affected": [ + { + "package": { + "name": "github.com/ory/oathkeeper", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.38.0-beta.2" + }, + { + "fixed": "0.38.12-beta.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0406", + "review_status": "UNREVIEWED" + } +}
\ No newline at end of file
diff --git a/data/reports/GO-2022-0367.yaml b/data/reports/GO-2022-0367.yaml
new file mode 100644
index 000000000..d886cb4c7
--- /dev/null
+++ b/data/reports/GO-2022-0367.yaml
@@ -0,0 +1,17 @@
+id: GO-2022-0367
+modules:
+    - module: github.com/keep-network/keep-ecdsa
+      versions:
+        - fixed: 1.8.1
+      vulnerable_at: 1.8.0
+summary: Incorrect validation of parties IDs leaks secret keys in Secret-sharing scheme in github.com/keep-network/keep-ecdsa
+ghsas:
+    - GHSA-gp6j-vx54-5pmf
+references:
+    - advisory: https://github.com/keep-network/keep-ecdsa/security/advisories/GHSA-gp6j-vx54-5pmf
+    - web: https://github.com/keep-network/keep-ecdsa/releases/tag/v1.8.1
+source:
+    id: GHSA-gp6j-vx54-5pmf
+    created: 2024-08-20T13:52:42.80807-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0368.yaml b/data/reports/GO-2022-0368.yaml
new file mode 100644
index 000000000..50df819f6
--- /dev/null
+++ b/data/reports/GO-2022-0368.yaml
@@ -0,0 +1,16 @@
+id: GO-2022-0368
+modules:
+    - module: github.com/coredns/coredns
+      versions:
+        - fixed: 1.6.6
+      vulnerable_at: 1.6.5
+summary: Improper random number generation in github.com/coredns/coredns
+ghsas:
+    - GHSA-gv9j-4w24-q7vx
+references:
+    - advisory: https://github.com/coredns/coredns/security/advisories/GHSA-gv9j-4w24-q7vx
+source:
+    id: GHSA-gv9j-4w24-q7vx
+    created: 2024-08-20T13:52:44.221047-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0369.yaml b/data/reports/GO-2022-0369.yaml
new file mode 100644
index 000000000..f9903ae7b
--- /dev/null
+++ b/data/reports/GO-2022-0369.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-0369
+modules:
+    - module: gogs.io/gogs
+      versions:
+        - fixed: 0.12.5
+      vulnerable_at: 0.12.5-rc.1
+summary: Gogs vulnerable to improper PAM authorization handling in gogs.io/gogs
+cves:
+    - CVE-2022-0871
+ghsas:
+    - GHSA-gw5h-h6hj-f56g
+references:
+    - advisory: https://github.com/gogs/gogs/security/advisories/GHSA-gw5h-h6hj-f56g
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-0871
+    - web: https://github.com/gogs/gogs/commit/64102be2c90e1b47dbdd379873ba76c80d4b0e78
+    - web: https://github.com/gogs/gogs/issues/6810
+    - web: https://huntr.dev/bounties/ea82cfc9-b55c-41fe-ae58-0d0e0bd7ab62
+source:
+    id: GHSA-gw5h-h6hj-f56g
+    created: 2024-08-20T13:56:06.770601-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0372.yaml b/data/reports/GO-2022-0372.yaml
new file mode 100644
index 000000000..28811c701
--- /dev/null
+++ b/data/reports/GO-2022-0372.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-0372
+modules:
+    - module: github.com/projectdiscovery/interactsh
+      versions:
+        - fixed: 1.0.0
+      vulnerable_at: 0.0.7
+summary: Subdomain Takeover in Interactsh server in github.com/projectdiscovery/interactsh
+cves:
+    - CVE-2023-36474
+ghsas:
+    - GHSA-m36x-mgfh-8g78
+references:
+    - advisory: https://github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-36474
+    - fix: https://github.com/projectdiscovery/interactsh/pull/155
+    - report: https://github.com/projectdiscovery/interactsh/issues/136
+    - web: https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more
+source:
+    id: GHSA-m36x-mgfh-8g78
+    created: 2024-08-20T13:52:49.290211-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0374.yaml b/data/reports/GO-2022-0374.yaml
new file mode 100644
index 000000000..04f19e5a8
--- /dev/null
+++ b/data/reports/GO-2022-0374.yaml
@@ -0,0 +1,16 @@
+id: GO-2022-0374
+modules:
+    - module: github.com/foxcpp/maddy
+      versions:
+        - fixed: 0.5.1
+      vulnerable_at: 0.5.0
+summary: S3 storage write is not aborted on errors leading to unbounded memory usage in github.com/foxcpp/maddy
+ghsas:
+    - GHSA-m6m5-pp4g-fcc8
+references:
+    - advisory: https://github.com/foxcpp/maddy/security/advisories/GHSA-m6m5-pp4g-fcc8
+source:
+    id: GHSA-m6m5-pp4g-fcc8
+    created: 2024-08-20T13:52:53.474132-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0375.yaml b/data/reports/GO-2022-0375.yaml
new file mode 100644
index 000000000..d584d6fca
--- /dev/null
+++ b/data/reports/GO-2022-0375.yaml
@@ -0,0 +1,17 @@
+id: GO-2022-0375
+modules:
+    - module: github.com/treeverse/lakefs
+      versions:
+        - fixed: 0.53.1
+      vulnerable_at: 0.53.0
+summary: Improper Access Control in github.com/treeverse/lakefs
+ghsas:
+    - GHSA-m836-gxwq-j2pm
+references:
+    - advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-m836-gxwq-j2pm
+    - web: https://github.com/treeverse/lakeFS/commit/f2117281cadb14fdf9ac7fe287f84d5c10308b88
+source:
+    id: GHSA-m836-gxwq-j2pm
+    created: 2024-08-20T13:52:54.301101-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0377.yaml b/data/reports/GO-2022-0377.yaml
new file mode 100644
index 000000000..7872c8647
--- /dev/null
+++ b/data/reports/GO-2022-0377.yaml
@@ -0,0 +1,17 @@
+id: GO-2022-0377
+modules:
+    - module: gogs.io/gogs
+      versions:
+        - fixed: 0.12.5
+      vulnerable_at: 0.12.5-rc.1
+summary: SSRF in repository migration in gogs.io/gogs
+ghsas:
+    - GHSA-q347-cg56-pcq4
+references:
+    - advisory: https://github.com/gogs/gogs/security/advisories/GHSA-q347-cg56-pcq4
+    - web: https://www.huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531
+source:
+    id: GHSA-q347-cg56-pcq4
+    created: 2024-08-20T13:52:55.674421-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0378.yaml b/data/reports/GO-2022-0378.yaml
new file mode 100644
index 000000000..be69174e8
--- /dev/null
+++ b/data/reports/GO-2022-0378.yaml
@@ -0,0 +1,17 @@
+id: GO-2022-0378
+modules:
+    - module: github.com/foxcpp/maddy
+      versions:
+        - introduced: 0.5.0
+        - fixed: 0.5.2
+      vulnerable_at: 0.5.1
+summary: MD5 hash support in github.com/foxcpp/maddy
+ghsas:
+    - GHSA-qh54-9vc5-m9fg
+references:
+    - advisory: https://github.com/foxcpp/maddy/security/advisories/GHSA-qh54-9vc5-m9fg
+source:
+    id: GHSA-qh54-9vc5-m9fg
+    created: 2024-08-20T13:52:57.218273-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0381.yaml b/data/reports/GO-2022-0381.yaml
new file mode 100644
index 000000000..9a8aa8751
--- /dev/null
+++ b/data/reports/GO-2022-0381.yaml
@@ -0,0 +1,18 @@
+id: GO-2022-0381
+modules:
+    - module: github.com/google/exposure-notifications-server
+      versions:
+        - fixed: 0.18.3
+        - introduced: 0.19.0
+        - fixed: 0.19.2
+      vulnerable_at: 0.19.1
+summary: Import of incorrectly embargoed keys could cause early publication in github.com/google/exposure-notifications-server
+ghsas:
+    - GHSA-3wxm-m9m4-cprj
+references:
+    - advisory: https://github.com/google/exposure-notifications-server/security/advisories/GHSA-3wxm-m9m4-cprj
+source:
+    id: GHSA-3wxm-m9m4-cprj
+    created: 2024-08-20T13:52:58.070049-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0387.yaml b/data/reports/GO-2022-0387.yaml
new file mode 100644
index 000000000..cdb395edc
--- /dev/null
+++ b/data/reports/GO-2022-0387.yaml
@@ -0,0 +1,18 @@
+id: GO-2022-0387
+modules:
+    - module: github.com/argoproj/argo-cd
+      versions:
+        - fixed: 1.7.14
+        - introduced: 1.8.0
+        - fixed: 1.8.7
+      vulnerable_at: 1.8.6
+summary: Helm OCI credentials leaked into Argo CD logs in github.com/argoproj/argo-cd
+ghsas:
+    - GHSA-6w87-g839-9wv7
+references:
+    - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-6w87-g839-9wv7
+source:
+    id: GHSA-6w87-g839-9wv7
+    created: 2024-08-20T13:52:59.098008-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0388.yaml b/data/reports/GO-2022-0388.yaml
new file mode 100644
index 000000000..77a95cf13
--- /dev/null
+++ b/data/reports/GO-2022-0388.yaml
@@ -0,0 +1,23 @@
+id: GO-2022-0388
+modules:
+    - module: github.com/argoproj/argo-workflows
+      vulnerable_at: 0.4.7
+    - module: github.com/argoproj/argo-workflows/v2
+      vulnerable_at: 2.12.13
+    - module: github.com/argoproj/argo-workflows/v3
+      versions:
+        - introduced: 3.0.0
+        - fixed: 3.0.9
+        - introduced: 3.1.0
+        - fixed: 3.1.6
+      vulnerable_at: 3.1.5
+summary: Argo Server TLS requests could be forged by attacker with network access in github.com/argoproj/argo-workflows
+ghsas:
+    - GHSA-6c73-2v8x-qpvm
+references:
+    - advisory: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-6c73-2v8x-qpvm
+source:
+    id: GHSA-6c73-2v8x-qpvm
+    created: 2024-08-20T13:53:00.141889-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0389.yaml b/data/reports/GO-2022-0389.yaml
new file mode 100644
index 000000000..58f3b02b0
--- /dev/null
+++ b/data/reports/GO-2022-0389.yaml
@@ -0,0 +1,19 @@
+id: GO-2022-0389
+modules:
+    - module: github.com/pterodactyl/wings
+      versions:
+        - introduced: 1.2.0
+        - fixed: 1.2.1
+      vulnerable_at: 1.2.0
+summary: |-
+    Unchecked hostname resolution could allow access to local network resources by
+    users outside the local network in github.com/pterodactyl/wings
+ghsas:
+    - GHSA-6rg3-8h8x-5xfv
+references:
+    - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv
+source:
+    id: GHSA-6rg3-8h8x-5xfv
+    created: 2024-08-20T13:53:04.584245-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0390.yaml b/data/reports/GO-2022-0390.yaml
new file mode 100644
index 000000000..75f7eb362
--- /dev/null
+++ b/data/reports/GO-2022-0390.yaml
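Review bot: The first two module entries, `github.com/argoproj/argo-workflows` and `github.com/argoproj/argo-workflows/v2`, carry only `vulnerable_at` and no `versions` list, which in this database means every version of those majors is reported as affected with no fix — the generated OSV for the sibling report GO-2022-0405 shows exactly that shape (`introduced: "0"` with no `fixed`). That is the right encoding if the v0 and v2 lines were never patched, but it is also what you get by default when the range was simply not filled in, so it is worth confirming against the advisory before this leaves UNREVIEWED. If a fixed release exists for either major, add a `versions:` block with the matching `- fixed:` entry under that module.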
@@ -0,0 +1,43 @@
+id: GO-2022-0390
+modules:
+    - module: github.com/docker/docker
+      versions:
+        - fixed: 20.10.14+incompatible
+      vulnerable_at: 20.10.13+incompatible
+    - module: github.com/moby/moby
+      versions:
+        - fixed: 20.10.14+incompatible
+      vulnerable_at: 20.10.13+incompatible
+summary: |-
+    Moby (Docker Engine) started with non-empty inheritable Linux process
+    capabilities in github.com/docker/docker
+cves:
+    - CVE-2022-24769
+ghsas:
+    - GHSA-2mm7-x5h6-5pvq
+references:
+    - advisory: https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24769
+    - fix: https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f
+    - fix: https://github.com/moby/moby/commit/7f375bcff41ce672cd61e9a31f3eeb2966e3dbe1
+    - web: http://www.openwall.com/lists/oss-security/2022/05/12/1
+    - web: https://github.com/moby/moby/releases/tag/v20.10.14
+    - web: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC
+    - web: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG
+    - web: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY
+    - web: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL
+    - web: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH
+    - web: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7
+    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC
+    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG
+    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY
+    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL
+    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH
+    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7
+    - web: https://security.gentoo.org/glsa/202401-31
+    - web: https://www.debian.org/security/2022/dsa-5162
+source:
+    id: GHSA-2mm7-x5h6-5pvq
+    created: 2024-08-20T13:53:06.37257-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0392.yaml b/data/reports/GO-2022-0392.yaml
new file mode 100644
index 000000000..1e4083634
--- /dev/null
+++ b/data/reports/GO-2022-0392.yaml
@@ -0,0 +1,16 @@
+id: GO-2022-0392
+modules:
+    - module: github.com/ethereum/go-ethereum
+      versions:
+        - fixed: 1.9.24
+      vulnerable_at: 1.9.23
+summary: Denial of service in go-ethereum due to CVE-2020-28362 in github.com/ethereum/go-ethereum
+ghsas:
+    - GHSA-m6gx-rhvj-fh52
+references:
+    - advisory: https://github.com/ethereum/go-ethereum/security/advisories/GHSA-m6gx-rhvj-fh52
+source:
+    id: GHSA-m6gx-rhvj-fh52
+    created: 2024-08-20T13:53:33.679607-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0393.yaml b/data/reports/GO-2022-0393.yaml
new file mode 100644
index 000000000..6e436aebd
--- /dev/null
+++ b/data/reports/GO-2022-0393.yaml
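Review bot: The `references` list for GO-2022-0390 contains each of the six Fedora package-announce URLs twice, once with the mailbox `@` percent-encoded as `%40` and once literal, so the same six messages are emitted as twelve distinct references. The two spellings resolve to the same archive page, so one set should go; keeping the `%40` form (which is how the upstream GHSA lists them) and dropping the six `- web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/…` lines is the smaller edit. This looks like an artifact of merging the GHSA and NVD reference lists during import rather than an intentional duplication, so it may recur on other re-imported reports and be worth a dedupe pass in the importer.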
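Review bot: GO-2022-0392's summary names `CVE-2020-28362` while the report carries no `cves` entry at all, which will read as an omission to the next reviewer. If that CVE is the upstream Go standard-library issue the go-ethereum advisory builds on rather than an ID assigned to go-ethereum itself, leaving it out of `cves` is correct, since listing it would alias this module report to a different vulnerability; in that case record the relationship explicitly instead, e.g. `related:` with `- CVE-2020-28362`, or at least a `- advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-28362` reference, so nobody "fixes" it by adding the CVE as an alias. If it is in fact go-ethereum's own CVE, it belongs under `cves`.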
@@ -0,0 +1,21 @@
+id: GO-2022-0393
+modules:
+    - module: github.com/cilium/cilium
+      versions:
+        - introduced: 1.7.8
+        - fixed: 1.7.15
+        - introduced: 1.8.3
+        - fixed: 1.8.8
+        - introduced: 1.9.0
+        - fixed: 1.9.5
+      vulnerable_at: 1.9.4
+summary: Network policy may be bypassed by some ICMP Echo Requests in github.com/cilium/cilium
+ghsas:
+    - GHSA-c66w-hq56-4q97
+references:
+    - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-c66w-hq56-4q97
+source:
+    id: GHSA-c66w-hq56-4q97
+    created: 2024-08-20T13:53:34.49248-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0395.yaml b/data/reports/GO-2022-0395.yaml
new file mode 100644
index 000000000..b1cd149fc
--- /dev/null
+++ b/data/reports/GO-2022-0395.yaml
@@ -0,0 +1,16 @@
+id: GO-2022-0395
+modules:
+    - module: github.com/cli/cli
+      versions:
+        - fixed: 1.2.1
+      vulnerable_at: 1.2.0
+summary: GitHub CLI can execute a git binary from the current directory in github.com/cli/cli
+ghsas:
+    - GHSA-fqfh-778m-2v32
+references:
+    - advisory: https://github.com/cli/cli/security/advisories/GHSA-fqfh-778m-2v32
+source:
+    id: GHSA-fqfh-778m-2v32
+    created: 2024-08-20T13:53:36.961823-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0396.yaml b/data/reports/GO-2022-0396.yaml
new file mode 100644
index 000000000..8466041ec
--- /dev/null
+++ b/data/reports/GO-2022-0396.yaml
@@ -0,0 +1,16 @@
+id: GO-2022-0396
+modules:
+    - module: github.com/opencontainers/runc
+      versions:
+        - fixed: 1.0.0-rc91
+      vulnerable_at: 1.0.0-rc90
+summary: devices resource list treated as a blacklist by default in github.com/opencontainers/runc
+ghsas:
+    - GHSA-g54h-m393-cpwq
+references:
+    - advisory: https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq
+source:
+    id: GHSA-g54h-m393-cpwq
+    created: 2024-08-20T13:53:38.258274-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0398.yaml b/data/reports/GO-2022-0398.yaml
new file mode 100644
index 000000000..a030aba8b
--- /dev/null
+++ b/data/reports/GO-2022-0398.yaml
@@ -0,0 +1,18 @@
+id: GO-2022-0398
+modules:
+    - module: github.com/nats-io/nats-server
+      vulnerable_at: 1.4.1
+    - module: github.com/nats-io/nats-server/v2
+      versions:
+        - fixed: 2.2.0
+      vulnerable_at: 2.1.9
+summary: Import loops in account imports, nats-server DoS in github.com/nats-io/nats-server
+ghsas:
+    - GHSA-gwj5-3vfq-q992
+references:
+    - advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-gwj5-3vfq-q992
+source:
+    id: GHSA-gwj5-3vfq-q992
+    created: 2024-08-20T13:53:39.168551-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0405.yaml b/data/reports/GO-2022-0405.yaml
new file mode 100644
index 000000000..8f8584cfc
--- /dev/null
+++ b/data/reports/GO-2022-0405.yaml
@@ -0,0 +1,25 @@
+id: GO-2022-0405
+modules:
+    - module: github.com/argoproj/argo-workflows
+      vulnerable_at: 0.4.7
+    - module: github.com/argoproj/argo-workflows/v2
+      vulnerable_at: 2.12.13
+    - module: github.com/argoproj/argo-workflows/v3
+      versions:
+        - introduced: 3.0.0
+        - fixed: 3.0.9
+        - introduced: 3.1.0
+        - fixed: 3.1.6
+      vulnerable_at: 3.1.5
+summary: |-
+    Potential privilege escalation on Kubernetes >= v1.19 when the Argo Sever is run
+    with `--auth-mode=client` in github.com/argoproj/argo-workflows
+ghsas:
+    - GHSA-prqf-xr2j-xf65
+references:
+    - advisory: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-prqf-xr2j-xf65
+source:
+    id: GHSA-prqf-xr2j-xf65
+    created: 2024-08-20T13:53:43.396058-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0406.yaml b/data/reports/GO-2022-0406.yaml
new file mode 100644
index 000000000..0c7743e65
--- /dev/null
+++ b/data/reports/GO-2022-0406.yaml
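Review bot: The GO-2022-0405 summary carries the upstream advisory's typo "Argo Sever", and because the OSV `summary` and `details` are generated from this field the misspelling is what vulncheck users will see. If summaries are meant to mirror the GHSA title verbatim until a human review, leave it and fix it then; otherwise change the first summary line to `Potential privilege escalation on Kubernetes >= v1.19 when the Argo Server is run`. The same module shape as GO-2022-0388 applies here too: the v0 and v2 entries have no `versions`, so every release of those majors is reported affected with no fix, which should be confirmed against the advisory rather than left as the import default.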
@@ -0,0 +1,19 @@
+id: GO-2022-0406
+modules:
+    - module: github.com/ory/oathkeeper
+      versions:
+        - introduced: 0.38.0-beta.2
+        - fixed: 0.38.12-beta.1
+      vulnerable_at: 0.38.11-beta.1
+summary: |-
+    Possible bypass of token claim validation when OAuth2 Introspection caching is
+    enabled in github.com/ory/oathkeeper
+ghsas:
+    - GHSA-qvp4-rpmr-xwrr
+references:
+    - advisory: https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr
+source:
+    id: GHSA-qvp4-rpmr-xwrr
+    created: 2024-08-20T13:53:44.179456-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE