From 6b8d7686dc705f4d9231673d5d12664bf593cc84 Mon Sep 17 00:00:00 2001 From: Tatiana Bradley Date: Mon, 1 Jul 2024 16:33:14 -0400 Subject: [PATCH] data/reports: review 3 reports, add 2 reports - data/reports/GO-2024-2491.yaml - data/reports/GO-2024-2698.yaml - data/reports/GO-2024-2785.yaml - data/reports/GO-2024-2912.yaml - data/reports/GO-2024-2918.yaml Updates golang/vulndb#2491 Updates golang/vulndb#2698 Updates golang/vulndb#2785 Fixes golang/vulndb#2912 Fixes golang/vulndb#2918 Change-Id: I296bb2155b7a3ad7b8f8e7e3f1cc829a159c6cc8 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595960 Auto-Submit: Tatiana Bradley LUCI-TryBot-Result: Go LUCI Reviewed-by: Zvonimir Pavlinovic
---
 data/osv/GO-2024-2491.json | 63 +++++++++++++----------- data/osv/GO-2024-2698.json | 8 +--- data/osv/GO-2024-2785.json | 30 +++++++++--- data/osv/GO-2024-2912.json | 64 +++++++++++++++++++++++++ data/osv/GO-2024-2918.json | 87 ++++++++++++++++++++++++++++++++++ data/reports/GO-2024-2491.yaml | 37 ++++++++++----- data/reports/GO-2024-2698.yaml | 17 ++++--- data/reports/GO-2024-2785.yaml | 21 ++++++-- data/reports/GO-2024-2912.yaml | 30 ++++++++++++ data/reports/GO-2024-2918.yaml | 47 ++++++++++++++++++ 10 files changed, 343 insertions(+), 61 deletions(-) create mode 100644 data/osv/GO-2024-2912.json create mode 100644 data/osv/GO-2024-2918.json create mode 100644 data/reports/GO-2024-2912.yaml create mode 100644 data/reports/GO-2024-2918.yaml
diff --git a/data/osv/GO-2024-2491.json b/data/osv/GO-2024-2491.json
index 4c52ce3c..b3c9c479 100644
--- a/data/osv/GO-2024-2491.json
+++ b/data/osv/GO-2024-2491.json
@@ -7,8 +7,8 @@
 "CVE-2024-21626",
 "GHSA-xr7r-f8xq-vfvv"
 ],
- "summary": "runc vulnerable to container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc",
- "details": "runc vulnerable to container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc",
+ "summary": "Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc",
+ "details": "Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc",
 "affected": [
 {
 "package": {
@@ -28,7 +28,33 @@
 ]
 }
 ],
- "ecosystem_specific": {}
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/opencontainers/runc/libcontainer/utils",
+ "symbols": [
+ "CloseExecFrom"
+ ]
+ },
+ {
+ "path": "github.com/opencontainers/runc/libcontainer/cgroups",
+ "symbols": [
+ "openFile",
+ "prepareOpenat2"
+ ]
+ },
+ {
+ "path": "github.com/opencontainers/runc/libcontainer",
+ "symbols": [
+ "Container.start",
+ "Init",
+ "finalizeNamespace",
+ "linuxSetnsInit.Init",
+ "linuxStandardInit.Init"
+ ]
+ }
+ ]
+ }
 }
 ],
 "references": [
@@ -36,10 +62,6 @@
 "type": "ADVISORY",
 "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv"
 },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21626"
- },
 {
 "type": "FIX",
 "url": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf"
@@ -47,34 +69,21 @@
 {
 "type": "WEB",
 "url": "http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2024/02/01/1"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2024/02/02/3"
- },
- {
- "type": "WEB",
- "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.12"
- },
+ }
+ ],
+ "credits": [
 {
- "type": "WEB",
- "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html"
+ "name": "Rory McNamara from Snyk"
 },
 {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J"
+ "name": "@lifubang from acmcoder"
 },
 {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL"
+ "name": "Aleksa Sarai from SUSE"
 }
 ],
 "database_specific": {
 "url": "https://pkg.go.dev/vuln/GO-2024-2491",
- "review_status": "UNREVIEWED"
+ "review_status": "REVIEWED"
 }
 }
\ No newline at end of file
diff --git a/data/osv/GO-2024-2698.json b/data/osv/GO-2024-2698.json
index abecb892..cb03ee63 100644
--- a/data/osv/GO-2024-2698.json
+++ b/data/osv/GO-2024-2698.json
@@ -8,7 +8,7 @@
 "GHSA-rhh4-rh7c-7r5v"
 ],
 "summary": "Archiver Path Traversal vulnerability in github.com/mholt/archiver",
- "details": "Archiver Path Traversal vulnerability in github.com/mholt/archiver",
+ "details": "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.",
 "affected": [
 {
 "package": {
@@ -50,10 +50,6 @@
 "type": "ADVISORY",
 "url": "https://github.com/advisories/GHSA-rhh4-rh7c-7r5v"
 },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0406"
- },
 {
 "type": "WEB",
 "url": "https://access.redhat.com/security/cve/CVE-2024-0406"
@@ -65,6 +61,6 @@
 ],
 "database_specific": {
 "url": "https://pkg.go.dev/vuln/GO-2024-2698",
- "review_status": "UNREVIEWED"
+ "review_status": "REVIEWED"
 }
 }
\ No newline at end of file
diff --git a/data/osv/GO-2024-2785.json b/data/osv/GO-2024-2785.json
index 195cf1a6..bf2d6f8b 100644
--- a/data/osv/GO-2024-2785.json
+++ b/data/osv/GO-2024-2785.json
@@ -8,7 +8,7 @@
 "GHSA-m9w6-wp3h-vq8g"
 ],
 "summary": "CoreDNS may return invalid cache entries in github.com/coredns/coredns",
- "details": "CoreDNS may return invalid cache entries in github.com/coredns/coredns",
+ "details": "A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.",
 "affected": [
 {
 "package": {
@@ -28,7 +28,23 @@
 ]
 }
 ],
- "ecosystem_specific": {}
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/coredns/coredns/plugin/cache",
+ "symbols": [
+ "Cache.ServeDNS",
+ "Cache.exists",
+ "Cache.getIgnoreTTL",
+ "ResponseWriter.WriteMsg",
+ "hash",
+ "key",
+ "newPrefetchResponseWriter",
+ "verifyStaleResponseWriter.WriteMsg"
+ ]
+ }
+ ]
+ }
 }
 ],
 "references": [
@@ -36,10 +52,6 @@
 "type": "ADVISORY",
 "url": "https://github.com/advisories/GHSA-m9w6-wp3h-vq8g"
 },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0874"
- },
 {
 "type": "FIX",
 "url": "https://github.com/coredns/coredns/commit/997c7f953962d47c242273f0e41398fdfb5b0151"
@@ -52,6 +64,10 @@
 "type": "REPORT",
 "url": "https://github.com/coredns/coredns/issues/6186"
 },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0041"
+ },
 {
 "type": "WEB",
 "url": "https://access.redhat.com/security/cve/CVE-2024-0874"
@@ -63,6 +79,6 @@
 ],
 "database_specific": {
 "url": "https://pkg.go.dev/vuln/GO-2024-2785",
- "review_status": "UNREVIEWED"
+ "review_status": "REVIEWED"
 }
 }
\ No newline at end of file
diff --git a/data/osv/GO-2024-2912.json b/data/osv/GO-2024-2912.json
new file mode 100644
index 00000000..d4dfd7ba
--- /dev/null
+++ b/data/osv/GO-2024-2912.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2912",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-41092",
+ "GHSA-99pg-grm5-qq3v"
+ ],
+ "summary": "Docker CLI leaks private registry credentials to registry-1.docker.io in github.com/docker/cli",
+ "details": "Docker CLI leaks private registry credentials to registry-1.docker.io in github.com/docker/cli",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/docker/cli",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "20.10.9+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/docker/cli/command",
+ "symbols": [
+ "GetDefaultAuthConfig",
+ "RegistryAuthenticationPrivilegedFunc"
+ ]
+ },
+ {
+ "path": "github.com/docker/cli/command/registry",
+ "symbols": [
+ "runLogin"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/docker/cli/security/advisories/GHSA-99pg-grm5-qq3v"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2912",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2918.json b/data/osv/GO-2024-2918.json
new file mode 100644
index 00000000..df22d286
--- /dev/null
+++ b/data/osv/GO-2024-2918.json
@@ -0,0 +1,87 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2918",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-35255",
+ "GHSA-m5vv-6r4h-3vj9"
+ ],
+ "summary": "Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity",
+ "details": "Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/Azure/azure-sdk-for-go/sdk/azidentity",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.6.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/Azure/azure-sdk-for-go/sdk/azidentity",
+ "symbols": [
+ "AzurePipelinesCredential.GetToken",
+ "ChainedTokenCredential.GetToken",
+ "ClientAssertionCredential.GetToken",
+ "ClientCertificateCredential.GetToken",
+ "ClientSecretCredential.GetToken",
+ "DefaultAzureCredential.GetToken",
+ "EnvironmentCredential.GetToken",
+ "ManagedIdentityCredential.GetToken",
+ "NewDefaultAzureCredential",
+ "NewManagedIdentityCredential",
+ "OnBehalfOfCredential.GetToken",
+ "WorkloadIdentityCredential.GetToken",
+ "confidentialClient.GetToken",
+ "managedIdentityClient.authenticate",
+ "managedIdentityClient.createAccessToken",
+ "managedIdentityClient.createAppServiceAuthRequest",
+ "managedIdentityClient.createAzureArcAuthRequest",
+ "managedIdentityClient.createAzureMLAuthRequest",
+ "managedIdentityClient.createCloudShellAuthRequest",
+ "managedIdentityClient.createIMDSAuthRequest",
+ "managedIdentityClient.createServiceFabricAuthRequest",
+ "managedIdentityClient.getAzureArcSecretKey",
+ "newManagedIdentityClient"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-m5vv-6r4h-3vj9"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340"
+ },
+ {
+ "type": "WEB",
+ "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2918",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2491.yaml b/data/reports/GO-2024-2491.yaml
index 49e15ff5..9e59dbfc 100644
--- a/data/reports/GO-2024-2491.yaml
+++ b/data/reports/GO-2024-2491.yaml
@@ -3,28 +3,43 @@ modules:
 - module: github.com/opencontainers/runc
 versions:
 - introduced: 1.0.0-rc93
- fixed: 1.1.12
+ - fixed: 1.1.12
 vulnerable_at: 1.1.11
+ packages:
+ - package: github.com/opencontainers/runc/libcontainer/utils
+ symbols:
+ - CloseExecFrom
+ skip_fix: cgo related fix error
+ - package: github.com/opencontainers/runc/libcontainer/cgroups
+ symbols:
+ - openFile
+ - prepareOpenat2
+ skip_fix: cgo related fix error
+ - package: github.com/opencontainers/runc/libcontainer
+ symbols:
+ - Container.start
+ - linuxSetnsInit.Init
+ - linuxStandardInit.Init
+ - Init
+ - finalizeNamespace
+ skip_fix: cgo related fix error
 summary: |-
- runc vulnerable to container breakout through process.cwd trickery and leaked
+ Container breakout through process.cwd trickery and leaked
 fds in github.com/opencontainers/runc
 cves:
 - CVE-2024-21626
 ghsas:
 - GHSA-xr7r-f8xq-vfvv
+credits:
+ - Rory McNamara from Snyk
+ - '@lifubang from acmcoder'
+ - Aleksa Sarai from SUSE
 references:
 - advisory: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
- - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21626
 - fix: https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf
 - web: http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html
- - web: http://www.openwall.com/lists/oss-security/2024/02/01/1
- - web: http://www.openwall.com/lists/oss-security/2024/02/02/3
- - web: https://github.com/opencontainers/runc/releases/tag/v1.1.12
- - web: https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html
- - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J
- - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL
 source:
 id: GHSA-xr7r-f8xq-vfvv
- created: 2024-06-14T11:37:42.756616-04:00
-review_status: UNREVIEWED
+ created: 2024-07-01T16:15:02.647859-04:00
+review_status: REVIEWED
 unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2698.yaml b/data/reports/GO-2024-2698.yaml
index 2b6beb96..65c49168 100644
--- a/data/reports/GO-2024-2698.yaml
+++ b/data/reports/GO-2024-2698.yaml
@@ -3,22 +3,25 @@ modules:
 - module: github.com/mholt/archiver
 vulnerable_at: 2.1.0+incompatible
 - module: github.com/mholt/archiver/v3
- non_go_versions:
- - introduced: 3.0.0
- unsupported_versions:
- - last_affected: 3.5.1
 vulnerable_at: 3.5.1
 summary: Archiver Path Traversal vulnerability in github.com/mholt/archiver
+description: |-
+ A flaw was discovered in the mholt/archiver package. This flaw allows an
+ attacker to create a specially crafted tar file, which, when unpacked, may allow
+ access to restricted files or directories. This issue can allow the creation or
+ overwriting of files with the user's or application's privileges using the
+ library.
 cves:
 - CVE-2024-0406
 ghsas:
 - GHSA-rhh4-rh7c-7r5v
 references:
 - advisory: https://github.com/advisories/GHSA-rhh4-rh7c-7r5v
- - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-0406
 - web: https://access.redhat.com/security/cve/CVE-2024-0406
 - web: https://bugzilla.redhat.com/show_bug.cgi?id=2257749
+notes:
+ - no known fix
 source:
 id: GHSA-rhh4-rh7c-7r5v
- created: 2024-06-26T13:59:57.78635-04:00
-review_status: UNREVIEWED
+ created: 2024-07-01T16:15:06.574303-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-2785.yaml b/data/reports/GO-2024-2785.yaml
index f98df157..97afaa82 100644
--- a/data/reports/GO-2024-2785.yaml
+++ b/data/reports/GO-2024-2785.yaml
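Review bot: GO-2024-2491.yaml is flipped to `review_status: REVIEWED` without a `description:` block, so the published OSV `details` stays a copy of the summary (the regenerated data/osv/GO-2024-2491.json in this commit shows the two strings identical); GO-2024-2912.yaml and GO-2024-2918.yaml, added later in this patch, have the same gap. For a container-breakout advisory the precondition and impact belong in the record itself, not only behind the GHSA link. I would add a `description: |-` block after `summary:` that condenses GHSA-xr7r-f8xq-vfvv, as GO-2024-2698 and GO-2024-2785 do in this same change. Separately, all three packages carry `skip_fix: cgo related fix error`, so the symbol lists were presumably not checked by tooling against the fix commit and deserve a manual second look.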
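Review bot: In GO-2024-2698.yaml, dropping `non_go_versions` and `unsupported_versions` leaves `github.com/mholt/archiver/v3` with only `vulnerable_at: 3.5.1`, and the only record that nothing is fixed is the new `notes: - no known fix`, which does not appear in the regenerated OSV JSON in this commit. Consumers of the published advisory presumably see an open-ended affected range with no explanation. I would close the description with a sentence such as `No fixed version is known at the time of review.` The report also lists no `packages:` or `symbols:`, so any import of either module is likely reported rather than only code that unpacks tar archives; worth confirming that this is intended.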
@@ -4,20 +4,35 @@ modules:
 versions:
 - fixed: 1.11.2
 vulnerable_at: 1.11.1
+ packages:
+ - package: github.com/coredns/coredns/plugin/cache
+ symbols:
+ - Cache.ServeDNS
+ - Cache.getIgnoreTTL
+ - Cache.exists
+ - key
+ - hash
+ - newPrefetchResponseWriter
+ - ResponseWriter.WriteMsg
+ derived_symbols:
+ - verifyStaleResponseWriter.WriteMsg
 summary: CoreDNS may return invalid cache entries in github.com/coredns/coredns
+description: |-
+ A flaw was found in coredns. This issue could lead to invalid cache entries
+ returning due to incorrectly implemented caching.
 cves:
 - CVE-2024-0874
 ghsas:
 - GHSA-m9w6-wp3h-vq8g
 references:
 - advisory: https://github.com/advisories/GHSA-m9w6-wp3h-vq8g
- - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-0874
 - fix: https://github.com/coredns/coredns/commit/997c7f953962d47c242273f0e41398fdfb5b0151
 - fix: https://github.com/coredns/coredns/pull/6354
 - report: https://github.com/coredns/coredns/issues/6186
+ - web: https://access.redhat.com/errata/RHSA-2024:0041
 - web: https://access.redhat.com/security/cve/CVE-2024-0874
 - web: https://bugzilla.redhat.com/show_bug.cgi?id=2219234
 source:
 id: GHSA-m9w6-wp3h-vq8g
- created: 2024-05-17T16:10:54.00605-04:00
-review_status: UNREVIEWED
+ created: 2024-07-01T16:15:04.682445-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-2912.yaml b/data/reports/GO-2024-2912.yaml
new file mode 100644
index 00000000..87ac3f05
--- /dev/null
+++ b/data/reports/GO-2024-2912.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2912
+modules:
+ - module: github.com/docker/cli
+ versions:
+ - fixed: 20.10.9+incompatible
+ vulnerable_at: 20.10.8+incompatible
+ packages:
+ - package: github.com/docker/cli/command
+ symbols:
+ - RegistryAuthenticationPrivilegedFunc
+ - GetDefaultAuthConfig
+ skip_fix: fix error due to incompatible version
+ - package: github.com/docker/cli/command/registry
+ symbols:
+ - runLogin
+ skip_fix: fix error due to incompatible version
+summary: Docker CLI leaks private registry credentials to registry-1.docker.io in github.com/docker/cli
+cves:
+ - CVE-2021-41092
+ghsas:
+ - GHSA-99pg-grm5-qq3v
+unknown_aliases:
+ - CGA-f849-gq83-8362
+references:
+ - advisory: https://github.com/docker/cli/security/advisories/GHSA-99pg-grm5-qq3v
+ - fix: https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b
+source:
+ id: GHSA-99pg-grm5-qq3v
+ created: 2024-07-01T16:01:00.847043-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-2918.yaml b/data/reports/GO-2024-2918.yaml
new file mode 100644
index 00000000..17b8e8cc
--- /dev/null
+++ b/data/reports/GO-2024-2918.yaml
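Review bot: The two `package:` paths in GO-2024-2912.yaml look wrong: as far as I know the docker/cli repository keeps these packages under a top-level `cli/` directory, so the import paths would be `github.com/docker/cli/cli/command` and `github.com/docker/cli/cli/command/registry` rather than `github.com/docker/cli/command` and `github.com/docker/cli/command/registry`. Both entries set `skip_fix: fix error due to incompatible version`, so tooling would presumably not have caught a package path that does not exist, and a symbol-level scanner matching on these paths would never report the credential leak. Please confirm the paths against the fix commit 893e52cf and, if they are off, correct both `package:` lines and regenerate data/osv/GO-2024-2912.json, which carries the same paths.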
@@ -0,0 +1,47 @@
+id: GO-2024-2918
+modules:
+ - module: github.com/Azure/azure-sdk-for-go/sdk/azidentity
+ versions:
+ - fixed: 1.6.0
+ vulnerable_at: 1.6.0-beta.4
+ packages:
+ - package: github.com/Azure/azure-sdk-for-go/sdk/azidentity
+ symbols:
+ - managedIdentityClient.createServiceFabricAuthRequest
+ - managedIdentityClient.createIMDSAuthRequest
+ - managedIdentityClient.createAzureMLAuthRequest
+ - managedIdentityClient.createAccessToken
+ - managedIdentityClient.createCloudShellAuthRequest
+ - newManagedIdentityClient
+ - managedIdentityClient.createAppServiceAuthRequest
+ - managedIdentityClient.getAzureArcSecretKey
+ - managedIdentityClient.authenticate
+ - managedIdentityClient.createAzureArcAuthRequest
+ derived_symbols:
+ - AzurePipelinesCredential.GetToken
+ - ChainedTokenCredential.GetToken
+ - ClientAssertionCredential.GetToken
+ - ClientCertificateCredential.GetToken
+ - ClientSecretCredential.GetToken
+ - DefaultAzureCredential.GetToken
+ - EnvironmentCredential.GetToken
+ - ManagedIdentityCredential.GetToken
+ - NewDefaultAzureCredential
+ - NewManagedIdentityCredential
+ - OnBehalfOfCredential.GetToken
+ - WorkloadIdentityCredential.GetToken
+ - confidentialClient.GetToken
+summary: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity
+cves:
+ - CVE-2024-35255
+ghsas:
+ - GHSA-m5vv-6r4h-3vj9
+references:
+ - advisory: https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
+ - fix: https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499
+ - web: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340
+ - web: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255
+source:
+ id: GHSA-m5vv-6r4h-3vj9
+ created: 2024-07-01T16:01:15.242669-04:00
+review_status: REVIEWED
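Review bot: `derived_symbols` in GO-2024-2918.yaml looks broader than the hand-picked `symbols`: every listed symbol is a `managedIdentityClient` method or `newManagedIdentityClient`, yet the derived list includes `ClientSecretCredential.GetToken`, `ClientCertificateCredential.GetToken`, `OnBehalfOfCredential.GetToken` and `confidentialClient.GetToken`. If those were reached only through interface or callback edges in the call graph, callers that never use managed identity will be flagged, and noisy findings tend to get ignored. Worth confirming which of them can really reach the managed-identity request path and pruning the rest. Also consider whether `vulnerable_at: 1.6.0-beta.4`, a pre-release of the fixed version, is the right reference point rather than the last stable release before 1.6.0.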