From 76e28a5b023d9f7d3581d23114a6c5dd36d9931d Mon Sep 17 00:00:00 2001
From: Tatiana Bradley
Date: Mon, 1 Jul 2024 15:51:12 -0400
Subject: [PATCH] data/reports: review 7 reports

Review 7 vulns that need REVIEWED reports based on estimated impact.

- data/reports/GO-2024-2500.yaml
- data/reports/GO-2024-2512.yaml
- data/reports/GO-2024-2572.yaml
- data/reports/GO-2024-2575.yaml
- data/reports/GO-2024-2846.yaml
- data/reports/GO-2024-2913.yaml
- data/reports/GO-2024-2914.yaml

Fixes golang/vulndb#2500
Fixes golang/vulndb#2512
Fixes golang/vulndb#2572
Fixes golang/vulndb#2575
Fixes golang/vulndb#2846
Fixes golang/vulndb#2913
Fixes golang/vulndb#2914

Change-Id: I65341fdb981196e44d09545d84e7b77261a549f3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595999
Reviewed-by: Zvonimir Pavlinovic
LUCI-TryBot-Result: Go LUCI
---
 data/osv/GO-2024-2500.json | 143 ++++++++++++++++++++++++++++-----
 data/osv/GO-2024-2512.json | 110 +++++++++++++++++++++++--
 data/osv/GO-2024-2572.json | 17 +++-
 data/osv/GO-2024-2575.json | 61 ++++++++------
 data/osv/GO-2024-2846.json | 28 ++++++-
 data/osv/GO-2024-2913.json | 64 ++++++++++-----
 data/osv/GO-2024-2914.json | 25 +++++-
 data/reports/GO-2024-2500.yaml | 92 +++++++++++++++++++--
 data/reports/GO-2024-2512.yaml | 67 +++++++++++++--
 data/reports/GO-2024-2572.yaml | 14 +++-
 data/reports/GO-2024-2575.yaml | 32 ++++++--
 data/reports/GO-2024-2846.yaml | 21 ++++-
 data/reports/GO-2024-2913.yaml | 26 ++++--
 data/reports/GO-2024-2914.yaml | 12 ++-
 14 files changed, 597 insertions(+), 115 deletions(-)
diff --git a/data/osv/GO-2024-2500.json b/data/osv/GO-2024-2500.json
index 57e20ccc..223c1a33 100644
--- a/data/osv/GO-2024-2500.json
+++ b/data/osv/GO-2024-2500.json
@@ -28,7 +28,66 @@ ] } ], - "ecosystem_specific": {} + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/docker/docker/daemon", + "symbols": [ + "Daemon.create", + "Daemon.setupContainerMountsRoot", + "NewDaemon", + "setupDaemonRoot" + ] + }, + { + "path": "github.com/docker/docker/daemon/graphdriver/aufs", + "symbols": [ + "Init" + ] + }, + { + "path": "github.com/docker/docker/daemon/graphdriver/btrfs", + "symbols": [ + "Driver.Create", + "Init" + ] + }, + { + "path": "github.com/docker/docker/daemon/graphdriver/fuse-overlayfs", + "symbols": [ + "Driver.create", + "Init" + ] + }, + { + "path": "github.com/docker/docker/daemon/graphdriver/overlay", + "symbols": [ + "Driver.Create", + "Init" + ] + }, + { + "path": "github.com/docker/docker/daemon/graphdriver/overlay2", + "symbols": [ + "Driver.create", + "Init" + ] + }, + { + "path": "github.com/docker/docker/daemon/graphdriver/vfs", + "symbols": [ + "Driver.Create", + "Init" + ] + }, + { + "path": "github.com/docker/docker/daemon/graphdriver/zfs", + "symbols": [ + "Init" + ] + } + ] + } }, { "package": { 
@@ -48,7 +107,66 @@ ] } ], - "ecosystem_specific": {} + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/moby/moby/daemon", + "symbols": [ + "Daemon.create", + "Daemon.setupContainerMountsRoot", + "NewDaemon", + "setupDaemonRoot" + ] + }, + { + "path": "github.com/moby/moby/daemon/graphdriver/aufs", + "symbols": [ + "Init" + ] + }, + { + "path": "github.com/moby/moby/daemon/graphdriver/btrfs", + "symbols": [ + "Driver.Create", + "Init" + ] + }, + { + "path": "github.com/moby/moby/daemon/graphdriver/fuse-overlayfs", + "symbols": [ + "Driver.create", + "Init" + ] + }, + { + "path": "github.com/moby/moby/daemon/graphdriver/overlay", + "symbols": [ + "Driver.Create", + "Init" + ] + }, + { + "path": "github.com/moby/moby/daemon/graphdriver/overlay2", + "symbols": [ + "Driver.create", + "Init" + ] + }, + { + "path": "github.com/moby/moby/daemon/graphdriver/vfs", + "symbols": [ + "Driver.Create", + "Init" + ] + }, + { + "path": "github.com/moby/moby/daemon/graphdriver/zfs", + "symbols": [ + "Init" + ] + } + ] + } } ], "references": [ 
@@ -56,29 +174,18 @@ "type": "ADVISORY", "url": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558" }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41091" - }, { "type": "FIX", "url": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64" - }, - { - "type": "WEB", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB" - }, + } + ], + "credits": [ { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB" + "name": "Joan Bruguera" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2500", - "review_status": "UNREVIEWED" + "review_status": "REVIEWED" } } \ No newline at end of file diff --git a/data/osv/GO-2024-2512.json b/data/osv/GO-2024-2512.json index ed3e153f..8345cd24 100644 --- a/data/osv/GO-2024-2512.json +++ b/data/osv/GO-2024-2512.json 
@@ -34,7 +34,107 @@ ] } ], - "ecosystem_specific": {} + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/docker/docker/builder/dockerfile" + }, + { + "path": "github.com/docker/docker/daemon/containerd", + "symbols": [ + "imageCache.GetCache", + "isMatch", + "localCache.GetCache" + ] + }, + { + "path": "github.com/docker/docker/daemon/images", + "symbols": [ + "ImageService.CommitImage", + "ImageService.CreateImage" + ] + }, + { + "path": "github.com/docker/docker/image", + "symbols": [ + "store.IsBuiltLocally", + "store.SetBuiltLocally" + ] + }, + { + "path": "github.com/docker/docker/image/cache", + "symbols": [ + "ImageCache.GetCache", + "LocalImageCache.GetCache", + "compare", + "getLocalCachedImage" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/moby/moby", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "24.0.9+incompatible" + }, + { + "introduced": "25.0.0+incompatible" + }, + { + "fixed": "25.0.2+incompatible" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/moby/moby/builder/dockerfile" + }, + { + "path": "github.com/moby/moby/daemon/containerd", + "symbols": [ + "imageCache.GetCache", + "isMatch", + "localCache.GetCache" + ] + }, + { + "path": "github.com/moby/moby/daemon/images", + "symbols": [ + "ImageService.CommitImage", + "ImageService.CreateImage" + ] + }, + { + "path": "github.com/moby/moby/image", + "symbols": [ + "store.IsBuiltLocally", + "store.SetBuiltLocally" + ] + }, + { + "path": "github.com/moby/moby/image/cache", + "symbols": [ + "ImageCache.GetCache", + "LocalImageCache.GetCache", + "compare", + "getLocalCachedImage" + ] + } + ] + } } ], "references": [ 
@@ -43,20 +143,20 @@ "url": "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc" }, { - "type": "WEB", + "type": "FIX", "url": "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae" }, { - "type": "WEB", + "type": "FIX", "url": "https://github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd" }, { - "type": "WEB", + "type": "FIX", "url": "https://github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2512", - "review_status": "UNREVIEWED" + "review_status": "REVIEWED" } } \ No newline at end of file diff --git a/data/osv/GO-2024-2572.json b/data/osv/GO-2024-2572.json index a911ebc0..213f3463 100644 --- a/data/osv/GO-2024-2572.json +++ b/data/osv/GO-2024-2572.json @@ -6,8 +6,8 @@ "aliases": [ "GHSA-4j93-fm92-rp4m" ], - "summary": "ASA-2024-003: Missing `BlockedAddressed` Validation in Vesting Module in github.com/cosmos/cosmos-sdk", - "details": "ASA-2024-003: Missing `BlockedAddressed` Validation in Vesting Module in github.com/cosmos/cosmos-sdk", + "summary": "Missing BlockedAddressed Validation in Vesting Module in github.com/cosmos/cosmos-sdk", + "details": "Missing BlockedAddressed Validation in Vesting Module in github.com/cosmos/cosmos-sdk", "affected": [ { "package": { @@ -33,7 +33,16 @@ ] } ], - "ecosystem_specific": {} + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/cosmos/cosmos-sdk/x/auth/vesting", + "symbols": [ + "msgServer.CreatePeriodicVestingAccount" + ] + } + ] + } } ], "references": [ @@ -56,6 +65,6 @@ ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2572", - "review_status": "UNREVIEWED" + "review_status": "REVIEWED" } } \ No newline at end of file diff --git a/data/osv/GO-2024-2575.json b/data/osv/GO-2024-2575.json index 1a5b06dd..8afff4da 100644 --- a/data/osv/GO-2024-2575.json +++ b/data/osv/GO-2024-2575.json 
@@ -7,26 +7,9 @@ "CVE-2024-26147", "GHSA-r53h-jv2g-vpx6" ], - "summary": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm", - "details": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm", + "summary": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3", + "details": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3", "affected": [ - { - "package": { - "name": "helm.sh/helm", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - } - ] - } - ], - "ecosystem_specific": {} - }, { "package": { "name": "helm.sh/helm/v3", @@ -45,7 +28,32 @@ ] } ], - "ecosystem_specific": {} + "ecosystem_specific": { + "imports": [ + { + "path": "helm.sh/helm/v3/pkg/plugin", + "symbols": [ + "FindPlugins", + "LoadAll", + "LoadDir", + "validatePluginData" + ] + }, + { + "path": "helm.sh/helm/v3/pkg/repo", + "symbols": [ + "ChartRepository.DownloadIndexFile", + "ChartRepository.Load", + "FindChartInAuthAndTLSAndPassRepoURL", + "FindChartInAuthAndTLSRepoURL", + "FindChartInAuthRepoURL", + "FindChartInRepoURL", + "LoadIndexFile", + "loadIndex" + ] + } + ] + } } ], "references": [ @@ -54,16 +62,17 @@ "url": "https://github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6" }, { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26147" - }, - { - "type": "WEB", + "type": "FIX", "url": "https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af" } ], + "credits": [ + { + "name": "Jakub Ciolek at AlphaSense" + } + ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2575", - "review_status": "UNREVIEWED" + "review_status": "REVIEWED" } } \ No newline at end of file diff --git a/data/osv/GO-2024-2846.json b/data/osv/GO-2024-2846.json index 95ec836f..d5376a46 100644 --- a/data/osv/GO-2024-2846.json +++ b/data/osv/GO-2024-2846.json 
@@ -6,8 +6,8 @@ "aliases": [ "GHSA-c9cp-9c75-9v8c" ], - "summary": "containerd started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd", - "details": "containerd started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd", + "summary": "Containers started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd", + "details": "Containers started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd", "affected": [ { "package": { @@ -33,17 +33,37 @@ ] } ], - "ecosystem_specific": {} + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/containerd/containerd/oci", + "symbols": [ + "ApplyOpts", + "GenerateSpec", + "GenerateSpecWithPlatform", + "WithAddedCapabilities", + "WithAmbientCapabilities", + "WithCapabilities", + "WithDroppedCapabilities", + "populateDefaultUnixSpec" + ] + } + ] + } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c" + }, + { + "type": "FIX", + "url": "https://github.com/containerd/containerd/commit/e9af808591ee1468f9b0ad6a0d41fdf93ee0c1bc" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2846", - "review_status": "UNREVIEWED" + "review_status": "REVIEWED" } } \ No newline at end of file diff --git a/data/osv/GO-2024-2913.json b/data/osv/GO-2024-2913.json index 7ea7bfb6..36527a9c 100644 --- a/data/osv/GO-2024-2913.json +++ b/data/osv/GO-2024-2913.json 
@@ -7,8 +7,8 @@ "CVE-2021-41089", "GHSA-v994-f8vw-g7j4" ], - "summary": "`docker cp` allows unexpected chmod of host files in Moby Docker Engine in github.com/docker/docker", - "details": "`docker cp` allows unexpected chmod of host files in Moby Docker Engine in github.com/docker/docker", + "summary": "Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker", + "details": "Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker", "affected": [ { "package": { @@ -28,7 +28,45 @@ ] } ], - "ecosystem_specific": {} + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/docker/docker/pkg/chrootarchive", + "symbols": [ + "untarHandler" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/moby/moby", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "20.10.9+incompatible" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/moby/moby/pkg/chrootarchive", + "symbols": [ + "untarHandler" + ] + } + ] + } } ], "references": [ 
@@ -37,28 +75,12 @@ "url": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4" }, { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41089" - }, - { - "type": "WEB", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" - }, - { - "type": "WEB", + "type": "FIX", "url": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2913", - "review_status": "UNREVIEWED" + "review_status": "REVIEWED" } } \ No newline at end of file diff --git a/data/osv/GO-2024-2914.json b/data/osv/GO-2024-2914.json index 6429ed54..d815675a 100644 --- a/data/osv/GO-2024-2914.json +++ b/data/osv/GO-2024-2914.json @@ -6,6 +6,9 @@ "aliases": [ "GHSA-xmmx-7jpf-fx42" ], + "related": [ + "CVE-2021-41190" + ], "summary": "Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker", "details": "Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker", "affected": [ @@ -28,6 +31,26 @@ } ], "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/moby/moby", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "20.10.11+incompatible" + } + ] + } + ], + "ecosystem_specific": {} } ], "references": [ @@ -38,6 +61,6 @@ ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2914", - "review_status": "UNREVIEWED" + "review_status": "REVIEWED" } } \ No newline at end of file 
diff --git a/data/reports/GO-2024-2500.yaml b/data/reports/GO-2024-2500.yaml
index 9ee192b1..958a1949 100644
--- a/data/reports/GO-2024-2500.yaml
+++ b/data/reports/GO-2024-2500.yaml
@@ -4,24 +4,104 @@ modules:
 versions:
 - fixed: 20.10.9+incompatible
 vulnerable_at: 20.10.8+incompatible
+ packages:
+ - package: github.com/docker/docker/daemon
+ symbols:
+ - Daemon.setupContainerMountsRoot
+ - Daemon.create
+ - NewDaemon
+ - setupDaemonRoot
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/docker/docker/daemon/graphdriver/aufs
+ symbols:
+ - Init
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/docker/docker/daemon/graphdriver/btrfs
+ symbols:
+ - Init
+ - Driver.Create
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/docker/docker/daemon/graphdriver/fuse-overlayfs
+ symbols:
+ - Init
+ - Driver.create
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/docker/docker/daemon/graphdriver/overlay
+ symbols:
+ - Init
+ - Driver.Create
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/docker/docker/daemon/graphdriver/overlay2
+ symbols:
+ - Init
+ - Driver.create
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/docker/docker/daemon/graphdriver/vfs
+ symbols:
+ - Init
+ - Driver.Create
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/docker/docker/daemon/graphdriver/zfs
+ symbols:
+ - Init
+ skip_fix: fix does not work due to incompatible versions
 - module: github.com/moby/moby
 versions:
 - fixed: 20.10.9+incompatible
 vulnerable_at: 20.10.8+incompatible
+ packages:
+ - package: github.com/moby/moby/daemon
+ symbols:
+ - Daemon.setupContainerMountsRoot
+ - Daemon.create
+ - NewDaemon
+ - setupDaemonRoot
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/moby/moby/daemon/graphdriver/aufs
+ symbols:
+ - Init
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/moby/moby/daemon/graphdriver/btrfs
+ symbols:
+ - Init
+ - Driver.Create
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/moby/moby/daemon/graphdriver/fuse-overlayfs
+ symbols:
+ - Init
+ - Driver.create
+ skip_fix: fix doesn't work due to build tags
+ - package: github.com/moby/moby/daemon/graphdriver/overlay
+ symbols:
+ - Init
+ - Driver.Create
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/moby/moby/daemon/graphdriver/overlay2
+ symbols:
+ - Init
+ - Driver.create
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/moby/moby/daemon/graphdriver/vfs
+ symbols:
+ - Init
+ - Driver.Create
+ skip_fix: fix does not work due to incompatible versions
+ - package: github.com/moby/moby/daemon/graphdriver/zfs
+ symbols:
+ - Init
+ skip_fix: fix does not work due to incompatible versions
 summary: Moby (Docker Engine) Insufficiently restricted permissions on data directory in github.com/docker/docker
 cves:
 - CVE-2021-41091
 ghsas:
 - GHSA-3fwx-pjgw-3558
+credits:
+ - Joan Bruguera
 references:
 - advisory: https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558
- - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-41091
 - fix: https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64
- - web: https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
- - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB
- - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB
 source:
 id: GHSA-3fwx-pjgw-3558
- created: 2024-06-14T11:38:10.238616-04:00
-review_status: UNREVIEWED
+ created: 2024-07-01T15:02:17.770473-04:00
+review_status: REVIEWED
 unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2512.yaml b/data/reports/GO-2024-2512.yaml
index a7c84acc..8bed4c8c 100644
--- a/data/reports/GO-2024-2512.yaml
+++ b/data/reports/GO-2024-2512.yaml
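Review bot: The `skip_fix` reason for `github.com/moby/moby/daemon/graphdriver/fuse-overlayfs` reads `fix doesn't work due to build tags`, while the mirrored `github.com/docker/docker/daemon/graphdriver/fuse-overlayfs` entry earlier in this hunk and every other package of both modules say `fix does not work due to incompatible versions`. The two module entries are otherwise identical, so one of the two reasons looks stale: if build tags are the real blocker for the fuse-overlayfs driver, both entries should say so, otherwise the moby line should become `skip_fix: fix does not work due to incompatible versions`. The same limitation is also worded three different ways across this change (`fix error due to incompatible version` in GO-2024-2512.yaml, `fix error due to incompatible versions` in GO-2024-2913.yaml); one phrasing would make these entries easy to find when the incompatible-version problem is eventually dealt with.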
@@ -6,6 +6,63 @@ modules:
 - introduced: 25.0.0+incompatible
 - fixed: 25.0.2+incompatible
 vulnerable_at: 25.0.1+incompatible
+ packages:
+ - package: github.com/docker/docker/builder/dockerfile
+ skip_fix: fix error due to incompatible version
+ - package: github.com/docker/docker/daemon/containerd
+ symbols:
+ - localCache.GetCache
+ - imageCache.GetCache
+ - isMatch
+ skip_fix: fix error due to incompatible version
+ - package: github.com/docker/docker/daemon/images
+ symbols:
+ - ImageService.CreateImage
+ - ImageService.CommitImage
+ skip_fix: fix error due to incompatible version
+ - package: github.com/docker/docker/image
+ symbols:
+ - store.SetBuiltLocally
+ - store.IsBuiltLocally
+ skip_fix: fix error due to incompatible version
+ - package: github.com/docker/docker/image/cache
+ symbols:
+ - LocalImageCache.GetCache
+ - ImageCache.GetCache
+ - getLocalCachedImage
+ - compare
+ skip_fix: fix error due to incompatible version
+ - module: github.com/moby/moby
+ versions:
+ - fixed: 24.0.9+incompatible
+ - introduced: 25.0.0+incompatible
+ - fixed: 25.0.2+incompatible
+ packages:
+ - package: github.com/moby/moby/builder/dockerfile
+ skip_fix: fix error due to incompatible version
+ - package: github.com/moby/moby/daemon/containerd
+ symbols:
+ - localCache.GetCache
+ - imageCache.GetCache
+ - isMatch
+ skip_fix: fix error due to incompatible version
+ - package: github.com/moby/moby/daemon/images
+ symbols:
+ - ImageService.CreateImage
+ - ImageService.CommitImage
+ skip_fix: fix error due to incompatible version
+ - package: github.com/moby/moby/image
+ symbols:
+ - store.SetBuiltLocally
+ - store.IsBuiltLocally
+ skip_fix: fix error due to incompatible version
+ - package: github.com/moby/moby/image/cache
+ symbols:
+ - LocalImageCache.GetCache
+ - ImageCache.GetCache
+ - getLocalCachedImage
+ - compare
+ skip_fix: fix error due to incompatible version
 summary: Classic builder cache poisoning in github.com/docker/docker
 cves:
 - CVE-2024-24557
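Review bot: The newly added `github.com/moby/moby` module entry has no `vulnerable_at`, while the `github.com/docker/docker` entry directly above it carries `vulnerable_at: 25.0.1+incompatible`, and the moby/moby entries added to GO-2024-2913.yaml and GO-2024-2914.yaml in this same change do carry one. The two modules share the same version ranges and the same package list, so the moby entry presumably wants `vulnerable_at: 25.0.1+incompatible` after its `versions` list. As far as I know `vulnerable_at` is the version the report tooling checks the listed packages and symbols against, so without it that check is silently skipped for this module.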
@@ -13,11 +70,11 @@ ghsas:
 - GHSA-xw73-rw38-6vjc
 references:
 - advisory: https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc
- - web: https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
- - web: https://github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd
- - web: https://github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff
+ - fix: https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
+ - fix: https://github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd
+ - fix: https://github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff
 source:
 id: GHSA-xw73-rw38-6vjc
- created: 2024-06-26T16:09:36.799744-04:00
-review_status: UNREVIEWED
+ created: 2024-07-01T15:02:00.395966-04:00
+review_status: REVIEWED
 unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2024-2572.yaml b/data/reports/GO-2024-2572.yaml
index f64e19ce..3e09d188 100644
--- a/data/reports/GO-2024-2572.yaml
+++ b/data/reports/GO-2024-2572.yaml
@@ -4,9 +4,15 @@ modules:
 versions:
 - fixed: 0.47.9
 - introduced: 0.50.0
- fixed: 0.50.4
+ - fixed: 0.50.4
 vulnerable_at: 0.50.3
-summary: 'ASA-2024-003: Missing `BlockedAddressed` Validation in Vesting Module in github.com/cosmos/cosmos-sdk'
+ packages:
+ - package: github.com/cosmos/cosmos-sdk/x/auth/vesting
+ symbols:
+ - msgServer.CreatePeriodicVestingAccount
+summary: |-
+ Missing BlockedAddressed Validation in Vesting Module in
+ github.com/cosmos/cosmos-sdk
 ghsas:
 - GHSA-4j93-fm92-rp4m
 references:
@@ -16,5 +22,5 @@ references:
 - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.4
 source:
 id: GHSA-4j93-fm92-rp4m
- created: 2024-06-05T13:39:14.736542-04:00
-review_status: UNREVIEWED
+ created: 2024-07-01T15:01:58.512805-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-2575.yaml b/data/reports/GO-2024-2575.yaml
index 54b9994d..0d6bcb2b 100644
--- a/data/reports/GO-2024-2575.yaml
+++ b/data/reports/GO-2024-2575.yaml
@@ -1,23 +1,41 @@
 id: GO-2024-2575
 modules:
- - module: helm.sh/helm
- vulnerable_at: 2.17.0+incompatible
 - module: helm.sh/helm/v3
 versions:
 - fixed: 3.14.2
 vulnerable_at: 3.14.1
-summary: Helm's Missing YAML Content Leads To Panic in helm.sh/helm
+ packages:
+ - package: helm.sh/helm/v3/pkg/plugin
+ symbols:
+ - validatePluginData
+ derived_symbols:
+ - FindPlugins
+ - LoadAll
+ - LoadDir
+ - package: helm.sh/helm/v3/pkg/repo
+ symbols:
+ - loadIndex
+ derived_symbols:
+ - ChartRepository.DownloadIndexFile
+ - ChartRepository.Load
+ - FindChartInAuthAndTLSAndPassRepoURL
+ - FindChartInAuthAndTLSRepoURL
+ - FindChartInAuthRepoURL
+ - FindChartInRepoURL
+ - LoadIndexFile
+summary: Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3
 cves:
 - CVE-2024-26147
 ghsas:
 - GHSA-r53h-jv2g-vpx6
 unknown_aliases:
 - BIT-helm-2024-26147
+credits:
+ - Jakub Ciolek at AlphaSense
 references:
 - advisory: https://github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6
- - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-26147
- - web: https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af
+ - fix: https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af
 source:
 id: GHSA-r53h-jv2g-vpx6
- created: 2024-06-26T13:57:18.093508-04:00
-review_status: UNREVIEWED
+ created: 2024-07-01T14:57:47.79335-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-2846.yaml b/data/reports/GO-2024-2846.yaml
index 60cf2333..f0743ae7 100644
--- a/data/reports/GO-2024-2846.yaml
+++ b/data/reports/GO-2024-2846.yaml
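Review bot: The `helm.sh/helm` module entry (`vulnerable_at: 2.17.0+incompatible`) is removed outright, so Helm v2 is no longer reported as affected, and neither the report nor the commit message records why. If v2 was dropped because the advisory's affected range covers only `helm.sh/helm/v3`, or because v2 is no longer maintained, a `notes:` entry stating that, e.g. `- helm.sh/helm (v2) removed: advisory covers only helm.sh/helm/v3` (wording to be confirmed by the reviewer), would keep the scope decision auditable without re-deriving it from the GHSA later. The `/v3` suffix added to the summary does match the remaining module, so the rest of the hunk is consistent with the narrower scope.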
@@ -4,14 +4,27 @@ modules:
 versions:
 - fixed: 1.5.11
 - introduced: 1.6.0
- fixed: 1.6.2
+ - fixed: 1.6.2
 vulnerable_at: 1.6.1
-summary: containerd started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd
+ packages:
+ - package: github.com/containerd/containerd/oci
+ symbols:
+ - WithDroppedCapabilities
+ - WithAddedCapabilities
+ - WithAmbientCapabilities
+ - WithCapabilities
+ - populateDefaultUnixSpec
+ derived_symbols:
+ - ApplyOpts
+ - GenerateSpec
+ - GenerateSpecWithPlatform
+summary: Containers started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd
 ghsas:
 - GHSA-c9cp-9c75-9v8c
 references:
 - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
+ - fix: https://github.com/containerd/containerd/commit/e9af808591ee1468f9b0ad6a0d41fdf93ee0c1bc
 source:
 id: GHSA-c9cp-9c75-9v8c
- created: 2024-05-17T16:09:26.822128-04:00
-review_status: UNREVIEWED
+ created: 2024-07-01T14:50:25.651568-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-2913.yaml b/data/reports/GO-2024-2913.yaml
index b339f717..e932f532 100644
--- a/data/reports/GO-2024-2913.yaml
+++ b/data/reports/GO-2024-2913.yaml
@@ -4,19 +4,29 @@ modules:
 versions:
 - fixed: 20.10.9+incompatible
 vulnerable_at: 20.10.8+incompatible
-summary: '`docker cp` allows unexpected chmod of host files in Moby Docker Engine in github.com/docker/docker'
+ packages:
+ - package: github.com/docker/docker/pkg/chrootarchive
+ symbols:
+ - untarHandler
+ skip_fix: fix error due to incompatible versions
+ - module: github.com/moby/moby
+ versions:
+ - fixed: 20.10.9+incompatible
+ vulnerable_at: 20.10.8+incompatible
+ packages:
+ - package: github.com/moby/moby/pkg/chrootarchive
+ symbols:
+ - untarHandler
+ skip_fix: fix error due to incompatible versions
+summary: Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker
 cves:
 - CVE-2021-41089
 ghsas:
 - GHSA-v994-f8vw-g7j4
 references:
 - advisory: https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4
- - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-41089
- - web: https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
- - web: https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a
- - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB
- - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB
+ - fix: https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a
 source:
 id: GHSA-v994-f8vw-g7j4
- created: 2024-06-13T12:05:51.631402-04:00
-review_status: UNREVIEWED
+ created: 2024-07-01T14:35:32.733244-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-2914.yaml b/data/reports/GO-2024-2914.yaml
index 48e6f799..773a2bf5 100644
--- a/data/reports/GO-2024-2914.yaml
+++ b/data/reports/GO-2024-2914.yaml
@@ -4,12 +4,20 @@ modules:
 versions:
 - fixed: 20.10.11+incompatible
 vulnerable_at: 20.10.10+incompatible
+ - module: github.com/moby/moby
+ versions:
+ - fixed: 20.10.11+incompatible
+ vulnerable_at: 20.10.10+incompatible
 summary: Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker
 ghsas:
 - GHSA-xmmx-7jpf-fx42
+related:
+ - CVE-2021-41190
 references:
 - advisory: https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42
+notes:
+ - could not locate fix commit
 source:
 id: GHSA-xmmx-7jpf-fx42
- created: 2024-06-13T12:05:50.079707-04:00
-review_status: UNREVIEWED
+ created: 2024-07-01T14:25:08.035766-04:00
+review_status: REVIEWED
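Review bot: This report is promoted to REVIEWED with no `packages` under either module (the generated OSV keeps `ecosystem_specific: {}`), so consumers can only match on the module path, and presumably every importer of `github.com/docker/docker` or `github.com/moby/moby` at an affected version is flagged regardless of which package it uses. The `notes:` entry already records that no fix commit was found; extending it to say that package and symbol data is therefore intentionally absent, e.g. `- could not locate fix commit; no package or symbol information, so matching is module-level only`, would make the coarse matching explicit for whoever revisits this report. Separately, the summary keeps the `Moby (Docker Engine) is vulnerable to …` phrasing that GO-2024-2913.yaml in this same change rewrites into the `<problem> in <module>` form; `summary: Ambiguous OCI manifest parsing in Moby Docker Engine in github.com/docker/docker` would match the sibling report.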