From e9d3f29ef3e65fcfc2d63aa1dd3552f36de8fbe8 Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley Date: Tue, 20 Aug 2024 15:30:47 -0400 Subject: [PATCH] data/reports: unexclude 20 reports (16) - data/reports/GO-2022-0407.yaml - data/reports/GO-2022-0410.yaml - data/reports/GO-2022-0413.yaml - data/reports/GO-2022-0416.yaml - data/reports/GO-2022-0418.yaml - data/reports/GO-2022-0424.yaml - data/reports/GO-2022-0426.yaml - data/reports/GO-2022-0429.yaml - data/reports/GO-2022-0440.yaml - data/reports/GO-2022-0442.yaml - data/reports/GO-2022-0447.yaml - data/reports/GO-2022-0448.yaml - data/reports/GO-2022-0449.yaml - data/reports/GO-2022-0450.yaml - data/reports/GO-2022-0451.yaml - data/reports/GO-2022-0452.yaml - data/reports/GO-2022-0453.yaml - data/reports/GO-2022-0454.yaml - data/reports/GO-2022-0455.yaml - data/reports/GO-2022-0456.yaml Updates golang/vulndb#407 Updates golang/vulndb#410 Updates golang/vulndb#413 Updates golang/vulndb#416 Updates golang/vulndb#418 Updates golang/vulndb#424 Updates golang/vulndb#426 Updates golang/vulndb#429 Updates golang/vulndb#440 Updates golang/vulndb#442 Updates golang/vulndb#447 Updates golang/vulndb#448 Updates golang/vulndb#449 Updates golang/vulndb#450 Updates golang/vulndb#451 Updates golang/vulndb#452 Updates golang/vulndb#453 Updates golang/vulndb#454 Updates golang/vulndb#455 Updates golang/vulndb#456 Change-Id: I206c09343a83edd1fd9f1a37410a59391d904c6d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607218 Reviewed-by: Damien Neil Auto-Submit: Tatiana Bradley LUCI-TryBot-Result: Go LUCI --- data/excluded/GO-2022-0407.yaml | 6 -- data/excluded/GO-2022-0410.yaml | 6 -- data/excluded/GO-2022-0413.yaml | 8 --- data/excluded/GO-2022-0416.yaml | 8 --- data/excluded/GO-2022-0418.yaml | 6 -- data/excluded/GO-2022-0424.yaml | 6 -- data/excluded/GO-2022-0426.yaml | 8 --- data/excluded/GO-2022-0429.yaml | 8 --- data/excluded/GO-2022-0440.yaml | 8 --- data/excluded/GO-2022-0442.yaml | 8 --- data/excluded/GO-2022-0447.yaml | 8 --- data/excluded/GO-2022-0448.yaml | 8 --- 
data/excluded/GO-2022-0449.yaml | 8 --- data/excluded/GO-2022-0450.yaml | 8 --- data/excluded/GO-2022-0451.yaml | 8 --- data/excluded/GO-2022-0452.yaml | 8 --- data/excluded/GO-2022-0453.yaml | 8 --- data/excluded/GO-2022-0454.yaml | 8 --- data/excluded/GO-2022-0455.yaml | 8 --- data/excluded/GO-2022-0456.yaml | 8 --- data/osv/GO-2022-0407.json | 43 +++++++++++ data/osv/GO-2022-0410.json | 60 ++++++++++++++++ data/osv/GO-2022-0413.json | 56 +++++++++++++++ data/osv/GO-2022-0416.json | 123 ++++++++++++++++++++++++++++++++ data/osv/GO-2022-0418.json | 55 ++++++++++++++ data/osv/GO-2022-0424.json | 47 ++++++++++++ data/osv/GO-2022-0426.json | 52 ++++++++++++++ data/osv/GO-2022-0429.json | 52 ++++++++++++++ data/osv/GO-2022-0440.json | 60 ++++++++++++++++ data/osv/GO-2022-0442.json | 56 +++++++++++++++ data/osv/GO-2022-0447.json | 76 ++++++++++++++++++++ data/osv/GO-2022-0448.json | 68 ++++++++++++++++++ data/osv/GO-2022-0449.json | 52 ++++++++++++++ data/osv/GO-2022-0450.json | 68 ++++++++++++++++++ data/osv/GO-2022-0451.json | 69 ++++++++++++++++++ data/osv/GO-2022-0452.json | 72 +++++++++++++++++++ data/osv/GO-2022-0453.json | 101 ++++++++++++++++++++++++++ data/osv/GO-2022-0454.json | 89 +++++++++++++++++++++++ data/osv/GO-2022-0455.json | 89 +++++++++++++++++++++++ data/osv/GO-2022-0456.json | 52 ++++++++++++++ data/reports/GO-2022-0407.yaml | 16 +++++ data/reports/GO-2022-0410.yaml | 18 +++++ data/reports/GO-2022-0413.yaml | 22 ++++++ data/reports/GO-2022-0416.yaml | 31 ++++++++ data/reports/GO-2022-0418.yaml | 20 ++++++ data/reports/GO-2022-0424.yaml | 19 +++++ data/reports/GO-2022-0426.yaml | 20 ++++++ data/reports/GO-2022-0429.yaml | 20 ++++++ data/reports/GO-2022-0440.yaml | 22 ++++++ data/reports/GO-2022-0442.yaml | 21 ++++++ data/reports/GO-2022-0447.yaml | 25 +++++++ data/reports/GO-2022-0448.yaml | 25 +++++++ data/reports/GO-2022-0449.yaml | 21 ++++++ data/reports/GO-2022-0450.yaml | 24 +++++++ data/reports/GO-2022-0451.yaml | 22 ++++++ 
data/reports/GO-2022-0452.yaml | 25 +++++++ data/reports/GO-2022-0453.yaml | 33 +++++++++ data/reports/GO-2022-0454.yaml | 29 ++++++++ data/reports/GO-2022-0455.yaml | 28 ++++++++ data/reports/GO-2022-0456.yaml | 20 ++++++ 60 files changed, 1801 insertions(+), 152 deletions(-) delete mode 100644 data/excluded/GO-2022-0407.yaml delete mode 100644 data/excluded/GO-2022-0410.yaml delete mode 100644 data/excluded/GO-2022-0413.yaml delete mode 100644 data/excluded/GO-2022-0416.yaml delete mode 100644 data/excluded/GO-2022-0418.yaml delete mode 100644 data/excluded/GO-2022-0424.yaml delete mode 100644 data/excluded/GO-2022-0426.yaml delete mode 100644 data/excluded/GO-2022-0429.yaml delete mode 100644 data/excluded/GO-2022-0440.yaml delete mode 100644 data/excluded/GO-2022-0442.yaml delete mode 100644 data/excluded/GO-2022-0447.yaml delete mode 100644 data/excluded/GO-2022-0448.yaml delete mode 100644 data/excluded/GO-2022-0449.yaml delete mode 100644 data/excluded/GO-2022-0450.yaml delete mode 100644 data/excluded/GO-2022-0451.yaml delete mode 100644 data/excluded/GO-2022-0452.yaml delete mode 100644 data/excluded/GO-2022-0453.yaml delete mode 100644 data/excluded/GO-2022-0454.yaml delete mode 100644 data/excluded/GO-2022-0455.yaml delete mode 100644 data/excluded/GO-2022-0456.yaml create mode 100644 data/osv/GO-2022-0407.json create mode 100644 data/osv/GO-2022-0410.json create mode 100644 data/osv/GO-2022-0413.json create mode 100644 data/osv/GO-2022-0416.json create mode 100644 data/osv/GO-2022-0418.json create mode 100644 data/osv/GO-2022-0424.json create mode 100644 data/osv/GO-2022-0426.json create mode 100644 data/osv/GO-2022-0429.json create mode 100644 data/osv/GO-2022-0440.json create mode 100644 data/osv/GO-2022-0442.json create mode 100644 data/osv/GO-2022-0447.json create mode 100644 data/osv/GO-2022-0448.json create mode 100644 data/osv/GO-2022-0449.json create mode 100644 data/osv/GO-2022-0450.json create mode 100644 data/osv/GO-2022-0451.json create mode 
100644 data/osv/GO-2022-0452.json create mode 100644 data/osv/GO-2022-0453.json create mode 100644 data/osv/GO-2022-0454.json create mode 100644 data/osv/GO-2022-0455.json create mode 100644 data/osv/GO-2022-0456.json create mode 100644 data/reports/GO-2022-0407.yaml create mode 100644 data/reports/GO-2022-0410.yaml create mode 100644 data/reports/GO-2022-0413.yaml create mode 100644 data/reports/GO-2022-0416.yaml create mode 100644 data/reports/GO-2022-0418.yaml create mode 100644 data/reports/GO-2022-0424.yaml create mode 100644 data/reports/GO-2022-0426.yaml create mode 100644 data/reports/GO-2022-0429.yaml create mode 100644 data/reports/GO-2022-0440.yaml create mode 100644 data/reports/GO-2022-0442.yaml create mode 100644 data/reports/GO-2022-0447.yaml create mode 100644 data/reports/GO-2022-0448.yaml create mode 100644 data/reports/GO-2022-0449.yaml create mode 100644 data/reports/GO-2022-0450.yaml create mode 100644 data/reports/GO-2022-0451.yaml create mode 100644 data/reports/GO-2022-0452.yaml create mode 100644 data/reports/GO-2022-0453.yaml create mode 100644 data/reports/GO-2022-0454.yaml create mode 100644 data/reports/GO-2022-0455.yaml create mode 100644 data/reports/GO-2022-0456.yaml
diff --git a/data/excluded/GO-2022-0407.yaml b/data/excluded/GO-2022-0407.yaml
deleted file mode 100644
index db1a01174..000000000
--- a/data/excluded/GO-2022-0407.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2022-0407
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/ThomasLeister/prosody-filer
-ghsas:
- - GHSA-qmfx-75ff-8mw6
diff --git a/data/excluded/GO-2022-0410.yaml b/data/excluded/GO-2022-0410.yaml
deleted file mode 100644
index d0361ed8b..000000000
--- a/data/excluded/GO-2022-0410.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2022-0410
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: go.mozilla.org/sops/v3
-ghsas:
- - GHSA-x5c7-x7m2-rhmf
diff --git a/data/excluded/GO-2022-0413.yaml b/data/excluded/GO-2022-0413.yaml
deleted file mode 100644
index 63b63a942..000000000
--- a/data/excluded/GO-2022-0413.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0413
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/pomerium/pomerium
-cves:
- - CVE-2022-24797
-ghsas:
- - GHSA-q98f-2x4p-prjr
diff --git a/data/excluded/GO-2022-0416.yaml b/data/excluded/GO-2022-0416.yaml
deleted file mode 100644
index 6dfb4684d..000000000
--- a/data/excluded/GO-2022-0416.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0416
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/containers/podman
-cves:
- - CVE-2022-27649
-ghsas:
- - GHSA-qvf8-p83w-v58j
diff --git a/data/excluded/GO-2022-0418.yaml b/data/excluded/GO-2022-0418.yaml
deleted file mode 100644
index 38e8ca17d..000000000
--- a/data/excluded/GO-2022-0418.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2022-0418
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/ipfs/go-ipfs
-ghsas:
- - GHSA-fx5p-f64h-93xc
diff --git a/data/excluded/GO-2022-0424.yaml b/data/excluded/GO-2022-0424.yaml
deleted file mode 100644
index 4106e73ae..000000000
--- a/data/excluded/GO-2022-0424.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2022-0424
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/github/git-sizer
-ghsas:
- - GHSA-57q7-rxqq-7vgp
diff --git a/data/excluded/GO-2022-0426.yaml b/data/excluded/GO-2022-0426.yaml
deleted file mode 100644
index 11e87d08c..000000000
--- a/data/excluded/GO-2022-0426.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0426
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/cri-o/cri-o
-cves:
- - CVE-2022-27652
-ghsas:
- - GHSA-4hj2-r2pm-3hc6
diff --git a/data/excluded/GO-2022-0429.yaml b/data/excluded/GO-2022-0429.yaml
deleted file mode 100644
index 5bdac3462..000000000
--- a/data/excluded/GO-2022-0429.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0429
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/stripe/smokescreen
-cves:
- - CVE-2022-24825
-ghsas:
- - GHSA-gcj7-j438-hjj2
diff --git a/data/excluded/GO-2022-0440.yaml b/data/excluded/GO-2022-0440.yaml
deleted file mode 100644
index 31f691339..000000000
--- a/data/excluded/GO-2022-0440.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0440
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/woodpecker-ci/woodpecker
-cves:
- - CVE-2022-29947
-ghsas:
- - GHSA-vmp5-c5hp-6c65
diff --git a/data/excluded/GO-2022-0442.yaml b/data/excluded/GO-2022-0442.yaml
deleted file mode 100644
index c917d9479..000000000
--- a/data/excluded/GO-2022-0442.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0442
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/go-gitea/gitea
-cves:
- - CVE-2022-27313
-ghsas:
- - GHSA-g7p7-x6w7-w6qg
diff --git a/data/excluded/GO-2022-0447.yaml b/data/excluded/GO-2022-0447.yaml
deleted file mode 100644
index 446793801..000000000
--- a/data/excluded/GO-2022-0447.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0447
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/fluxcd/flux2
-cves:
- - CVE-2022-24877
-ghsas:
- - GHSA-j77r-2fxf-5jrw
diff --git a/data/excluded/GO-2022-0448.yaml b/data/excluded/GO-2022-0448.yaml
deleted file mode 100644
index 56c8c23cc..000000000
--- a/data/excluded/GO-2022-0448.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0448
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/fluxcd/flux2
-cves:
- - CVE-2022-24878
-ghsas:
- - GHSA-7pwf-jg34-hxwp
diff --git a/data/excluded/GO-2022-0449.yaml b/data/excluded/GO-2022-0449.yaml
deleted file mode 100644
index 19b7e7855..000000000
--- a/data/excluded/GO-2022-0449.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0449
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/charmbracelet/charm
-cves:
- - CVE-2022-29180
-ghsas:
- - GHSA-4wpp-w5r4-7v5v
diff --git a/data/excluded/GO-2022-0450.yaml b/data/excluded/GO-2022-0450.yaml
deleted file mode 100644
index eb8891931..000000000
--- a/data/excluded/GO-2022-0450.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0450
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/go-gitea/gitea
-cves:
- - CVE-2022-30781
-ghsas:
- - GHSA-p5f9-c9j9-g8qx
diff --git a/data/excluded/GO-2022-0451.yaml b/data/excluded/GO-2022-0451.yaml
deleted file mode 100644
index 0443ba02f..000000000
--- a/data/excluded/GO-2022-0451.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0451
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/coreos/ignition
-cves:
- - CVE-2022-1706
-ghsas:
- - GHSA-hj57-j5cw-2mwp
diff --git a/data/excluded/GO-2022-0452.yaml b/data/excluded/GO-2022-0452.yaml
deleted file mode 100644
index d70793059..000000000
--- a/data/excluded/GO-2022-0452.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0452
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/opencontainers/runc
-cves:
- - CVE-2022-29162
-ghsas:
- - GHSA-f3fp-gc8g-vw66
diff --git a/data/excluded/GO-2022-0453.yaml b/data/excluded/GO-2022-0453.yaml
deleted file mode 100644
index 95cfa8485..000000000
--- a/data/excluded/GO-2022-0453.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0453
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/argoproj/argo-cd
-cves:
- - CVE-2022-24904
-ghsas:
- - GHSA-6gcg-hp2x-q54h
diff --git a/data/excluded/GO-2022-0454.yaml b/data/excluded/GO-2022-0454.yaml
deleted file mode 100644
index 4d09eee6f..000000000
--- a/data/excluded/GO-2022-0454.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0454
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/argoproj/argo-cd
-cves:
- - CVE-2022-24905
-ghsas:
- - GHSA-xmg8-99r8-jc2j
diff --git a/data/excluded/GO-2022-0455.yaml b/data/excluded/GO-2022-0455.yaml
deleted file mode 100644
index f8a7d0bb6..000000000
--- a/data/excluded/GO-2022-0455.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0455
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/argoproj/argo-cd
-cves:
- - CVE-2022-29165
-ghsas:
- - GHSA-r642-gv9p-2wjj
diff --git a/data/excluded/GO-2022-0456.yaml b/data/excluded/GO-2022-0456.yaml
deleted file mode 100644
index d5b828eb3..000000000
--- a/data/excluded/GO-2022-0456.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0456
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/ethereum/go-ethereum
-cves:
- - CVE-2022-29177
-ghsas:
- - GHSA-wjxw-gh3m-7pm5
diff --git a/data/osv/GO-2022-0407.json b/data/osv/GO-2022-0407.json
new file mode 100644
index 000000000..265805e4e
--- /dev/null
+++ b/data/osv/GO-2022-0407.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0407",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-qmfx-75ff-8mw6"
+ ],
+ "summary": "Listing of upload directory contents possible in github.com/ThomasLeister/prosody-filer",
+ "details": "Listing of upload directory contents possible in github.com/ThomasLeister/prosody-filer",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ThomasLeister/prosody-filer",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/ThomasLeister/prosody-filer/security/advisories/GHSA-qmfx-75ff-8mw6"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0407",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0410.json b/data/osv/GO-2022-0410.json
new file mode 100644
index 000000000..335ce27d2
--- /dev/null
+++ b/data/osv/GO-2022-0410.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0410",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-x5c7-x7m2-rhmf"
+ ],
+ "summary": "Local directory executable lookup in sops (Windows-only) in go.mozilla.org/sops",
+ "details": "Local directory executable lookup in sops (Windows-only) in go.mozilla.org/sops",
+ "affected": [
+ {
+ "package": {
+ "name": "go.mozilla.org/sops",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "go.mozilla.org/sops/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.7.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/mozilla/sops/security/advisories/GHSA-x5c7-x7m2-rhmf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0410",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0413.json b/data/osv/GO-2022-0413.json
new file mode 100644
index 000000000..545ee164f
--- /dev/null
+++ b/data/osv/GO-2022-0413.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0413",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-24797",
+ "GHSA-q98f-2x4p-prjr"
+ ],
+ "summary": "Exposure of Sensitive Information in Pomerium in github.com/pomerium/pomerium",
+ "details": "Exposure of Sensitive Information in Pomerium in github.com/pomerium/pomerium",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/pomerium/pomerium",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.16.0"
+ },
+ {
+ "fixed": "0.17.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-q98f-2x4p-prjr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24797"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/pomerium/pomerium/commit/b435f73e2b54088da2aca5e8c3aa1808293d6903"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/pomerium/pomerium/pull/3212"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0413",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0416.json b/data/osv/GO-2022-0416.json
new file mode 100644
index 000000000..a10244eeb
--- /dev/null
+++ b/data/osv/GO-2022-0416.json
@@ -0,0 +1,123 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0416",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-27649",
+ "GHSA-qvf8-p83w-v58j"
+ ],
+ "summary": "Podman's default inheritable capabilities for linux container not empty in github.com/containers/podman",
+ "details": "Podman's default inheritable capabilities for linux container not empty in github.com/containers/podman",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/containers/podman",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/containers/podman/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/containers/podman/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/containers/podman/v4",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.0.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27649"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066568"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/containers/podman/releases/tag/v4.0.3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0416",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0418.json b/data/osv/GO-2022-0418.json
new file mode 100644
index 000000000..e6c12222d
--- /dev/null
+++ b/data/osv/GO-2022-0418.json
@@ -0,0 +1,55 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0418",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-fx5p-f64h-93xc"
+ ],
+ "summary": "Opened exploitable ports in default docker-compose.yaml in go-ipfs in github.com/ipfs/go-ipfs",
+ "details": "Opened exploitable ports in default docker-compose.yaml in go-ipfs in github.com/ipfs/go-ipfs",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ipfs/go-ipfs",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.11.0"
+ },
+ {
+ "fixed": "0.12.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-fx5p-f64h-93xc"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ipfs/go-ipfs/commit/816a128aaf963d72c4930852ce32b9a4e31924a1"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ipfs/go-ipfs/pull/8773"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ipfs/go-ipfs/releases/tag/v0.12.1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0418",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0424.json b/data/osv/GO-2022-0424.json
new file mode 100644
index 000000000..865edf3ea
--- /dev/null
+++ b/data/osv/GO-2022-0424.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0424",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-57q7-rxqq-7vgp"
+ ],
+ "summary": "On Windows, `git-sizer` might run a `git` executable within the repository being analyzed in github.com/github/git-sizer",
+ "details": "On Windows, `git-sizer` might run a `git` executable within the repository being analyzed in github.com/github/git-sizer",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/github/git-sizer",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/github/git-sizer/security/advisories/GHSA-57q7-rxqq-7vgp"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/github/git-sizer/commit/38400d6ddd79325e956b00ff584cfcc8dd96d536"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0424",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0426.json b/data/osv/GO-2022-0426.json
new file mode 100644
index 000000000..49f5bd77f
--- /dev/null
+++ b/data/osv/GO-2022-0426.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0426",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-27652",
+ "GHSA-4hj2-r2pm-3hc6"
+ ],
+ "summary": "Incorrect Default Permissions in CRI-O in github.com/cri-o/cri-o",
+ "details": "Incorrect Default Permissions in CRI-O in github.com/cri-o/cri-o",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cri-o/cri-o",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.24.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27652"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066839"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0426",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0429.json b/data/osv/GO-2022-0429.json
new file mode 100644
index 000000000..b8bf4d907
--- /dev/null
+++ b/data/osv/GO-2022-0429.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0429",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-24825",
+ "GHSA-gcj7-j438-hjj2"
+ ],
+ "summary": "Smokescreen SSRF via deny list bypass in github.com/stripe/smokescreen",
+ "details": "Smokescreen SSRF via deny list bypass in github.com/stripe/smokescreen",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/stripe/smokescreen",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/stripe/smokescreen/security/advisories/GHSA-gcj7-j438-hjj2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24825"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/stripe/smokescreen/commit/fafb6ae48c6c40aa011d87b61306abc48db8797b"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0429",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0440.json b/data/osv/GO-2022-0440.json
new file mode 100644
index 000000000..5befaef77
--- /dev/null
+++ b/data/osv/GO-2022-0440.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0440",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-29947",
+ "GHSA-vmp5-c5hp-6c65"
+ ],
+ "summary": "Woodpecker allows cross-site scripting (XSS) via build logs in github.com/woodpecker-ci/woodpecker",
+ "details": "Woodpecker allows cross-site scripting (XSS) via build logs in github.com/woodpecker-ci/woodpecker",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/woodpecker-ci/woodpecker",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.15.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-vmp5-c5hp-6c65"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29947"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/woodpecker-ci/woodpecker/pull/879"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/woodpecker-ci/woodpecker"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/woodpecker-ci/woodpecker/releases/tag/v0.15.1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0440",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0442.json b/data/osv/GO-2022-0442.json
new file mode 100644
index 000000000..3c1956bf2
--- /dev/null
+++ b/data/osv/GO-2022-0442.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0442",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-27313",
+ "GHSA-g7p7-x6w7-w6qg"
+ ],
+ "summary": "Arbitrary file deletion in gitea in code.gitea.io/gitea",
+ "details": "Arbitrary file deletion in gitea in code.gitea.io/gitea",
+ "affected": [
+ {
+ "package": {
+ "name": "code.gitea.io/gitea",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.16.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-g7p7-x6w7-w6qg"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27313"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/go-gitea/gitea/pull/19072"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/go-gitea/gitea/releases/tag/v1.16.4"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0442",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0447.json b/data/osv/GO-2022-0447.json
new file mode 100644
index 000000000..75738e090
--- /dev/null
+++ b/data/osv/GO-2022-0447.json
@@ -0,0 +1,76 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0447",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-24877",
+ "GHSA-j77r-2fxf-5jrw"
+ ],
+ "summary": "Improper path handling in kustomization files allows path traversal in github.com/fluxcd/flux2",
+ "details": "Improper path handling in kustomization files allows path traversal in github.com/fluxcd/flux2",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/fluxcd/flux2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.29.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/fluxcd/kustomize-controller",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.24.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24877"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/fluxcd/kustomize-controller/commit/f4528fb25d611da94e491346bea056d5c5c3611f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/fluxcd/pkg/commit/0ec014baf417fd3879d366a45503a548b9267d2a"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0447",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0448.json b/data/osv/GO-2022-0448.json
new file mode 100644
index 000000000..52eaf993c
--- /dev/null
+++ b/data/osv/GO-2022-0448.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0448",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-24878",
+ "GHSA-7pwf-jg34-hxwp"
+ ],
+ "summary": "Improper path handling in Kustomization files allows for denial of service in github.com/fluxcd/flux2",
+ "details": "Improper path handling in Kustomization files allows for denial of service in github.com/fluxcd/flux2",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/fluxcd/flux2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.19.0"
+ },
+ {
+ "fixed": "0.29.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/fluxcd/kustomize-controller",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.16.0"
+ },
+ {
+ "fixed": "0.24.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24878"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0448",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0449.json b/data/osv/GO-2022-0449.json
new file mode 100644
index 000000000..fc829b676
--- /dev/null
+++ b/data/osv/GO-2022-0449.json
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0449", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29180", + "GHSA-4wpp-w5r4-7v5v" + ], + "summary": "Server-Side Request Forgery in charm in github.com/charmbracelet/charm", + "details": "Server-Side Request Forgery in charm in github.com/charmbracelet/charm", + "affected": [ + { + "package": { + "name": "github.com/charmbracelet/charm", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.9.0" + }, + { + "fixed": "0.12.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/charmbracelet/charm/security/advisories/GHSA-4wpp-w5r4-7v5v" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29180" + }, + { + "type": "FIX", + "url": "https://github.com/charmbracelet/charm/commit/3c90668f955c7ce5ef721e4fc9faee7053232fd3" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0449", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0450.json b/data/osv/GO-2022-0450.json new file mode 100644 index 000000000..b371dd24a --- /dev/null +++ b/data/osv/GO-2022-0450.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0450", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-30781", + "GHSA-p5f9-c9j9-g8qx" + ], + "summary": "Shell command injection in gitea in code.gitea.io/gitea", + "details": "Shell command injection in gitea in code.gitea.io/gitea", + "affected": [ + { + "package": { + "name": "code.gitea.io/gitea", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.7" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-p5f9-c9j9-g8qx" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30781" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/168400/Gitea-1.16.6-Remote-Code-Execution.html" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/169928/Gitea-Git-Fetch-Remote-Code-Execution.html" + }, + { + "type": "WEB", + "url": "https://blog.gitea.io/2022/05/gitea-1.16.7-is-released" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/pull/19487" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/pull/19490" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0450", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0451.json b/data/osv/GO-2022-0451.json new file mode 100644 index 000000000..df4030a27 --- /dev/null +++ b/data/osv/GO-2022-0451.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0451", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-1706", + "GHSA-hj57-j5cw-2mwp" + ], + "summary": "Ignition config accessible to unprivileged software on VMware in github.com/coreos/ignition", + "details": "Ignition config accessible to unprivileged software on VMware in github.com/coreos/ignition", + "affected": [ + { + "package": { + "name": "github.com/coreos/ignition", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/coreos/ignition/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.14.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/coreos/ignition/security/advisories/GHSA-hj57-j5cw-2mwp" + }, + { + "type": "FIX", + "url": "https://github.com/coreos/ignition/pull/1350" + }, + { + "type": "REPORT", + "url": "https://github.com/coreos/ignition/issues/1300" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0451", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0452.json b/data/osv/GO-2022-0452.json new file mode 100644 index 000000000..57b6df87f --- /dev/null +++ b/data/osv/GO-2022-0452.json 
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0452", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29162", + "GHSA-f3fp-gc8g-vw66" + ], + "summary": "Default inheritable capabilities for linux container should be empty in github.com/opencontainers/runc", + "details": "Default inheritable capabilities for linux container should be empty in github.com/opencontainers/runc", + "affected": [ + { + "package": { + "name": "github.com/opencontainers/runc", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29162" + }, + { + "type": "FIX", + "url": "https://github.com/opencontainers/runc/commit/d04de3a9b72d7a2455c1885fc75eb36d02cd17b5" + }, + { + "type": "WEB", + "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.2" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNND" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GPQU4YC4AAY54JDXGDQHJEYKSXXG5T2Y" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0452", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2022-0453.json b/data/osv/GO-2022-0453.json new file mode 100644 index 000000000..dc51744d0 --- /dev/null +++ b/data/osv/GO-2022-0453.json 
@@ -0,0 +1,101 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0453", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-24904", + "GHSA-6gcg-hp2x-q54h" + ], + "summary": "Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server in github.com/argoproj/argo-cd", + "details": "Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server in github.com/argoproj/argo-cd", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-cd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-cd/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.15" + }, + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.9" + }, + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24904" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/5e767a4b9e30983330c0fdec322192281a90eb84" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/7357cfdb58a560de70a0538c6e3bef6fe39505ea" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/d36d95dc9f71ec61c1a93794f81ece6d61a0d943" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4" + } + ], + "database_specific": { + 
"url": "https://pkg.go.dev/vuln/GO-2022-0453", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0454.json b/data/osv/GO-2022-0454.json new file mode 100644 index 000000000..4e8b09e23 --- /dev/null +++ b/data/osv/GO-2022-0454.json @@ -0,0 +1,89 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0454", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-24905", + "GHSA-xmg8-99r8-jc2j" + ], + "summary": "Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd", + "details": "Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-cd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-cd/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.1.15" + }, + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.9" + }, + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24905" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0454", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file 
diff --git a/data/osv/GO-2022-0455.json b/data/osv/GO-2022-0455.json new file mode 100644 index 000000000..24821f3bf --- /dev/null +++ b/data/osv/GO-2022-0455.json @@ -0,0 +1,89 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0455", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29165", + "GHSA-r642-gv9p-2wjj" + ], + "summary": "Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd", + "details": "Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-cd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-cd/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.15" + }, + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.9" + }, + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29165" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9" + }, + { + "type": "WEB", + "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0455", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0456.json b/data/osv/GO-2022-0456.json new file mode 100644 index 000000000..a8df2c23a --- /dev/null 
+++ b/data/osv/GO-2022-0456.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0456", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29177", + "GHSA-wjxw-gh3m-7pm5" + ], + "summary": "DoS via malicious p2p message in Go Ethereum in github.com/ethereum/go-ethereum", + "details": "DoS via malicious p2p message in Go Ethereum in github.com/ethereum/go-ethereum", + "affected": [ + { + "package": { + "name": "github.com/ethereum/go-ethereum", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.17" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29177" + }, + { + "type": "FIX", + "url": "https://github.com/ethereum/go-ethereum/pull/24507" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0456", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2022-0407.yaml b/data/reports/GO-2022-0407.yaml new file mode 100644 index 000000000..9cffc7735 --- /dev/null +++ b/data/reports/GO-2022-0407.yaml @@ -0,0 +1,16 @@ +id: GO-2022-0407 +modules: + - module: github.com/ThomasLeister/prosody-filer + versions: + - fixed: 1.0.1 + vulnerable_at: 1.0.0 +summary: Listing of upload directory contents possible in github.com/ThomasLeister/prosody-filer +ghsas: + - GHSA-qmfx-75ff-8mw6 +references: + - advisory: https://github.com/ThomasLeister/prosody-filer/security/advisories/GHSA-qmfx-75ff-8mw6 +source: + id: GHSA-qmfx-75ff-8mw6 + created: 2024-08-20T13:53:46.185028-04:00 +review_status: UNREVIEWED +unexcluded: NOT_IMPORTABLE diff --git a/data/reports/GO-2022-0410.yaml b/data/reports/GO-2022-0410.yaml new file mode 100644 index 000000000..d857dabaa 
--- /dev/null +++ b/data/reports/GO-2022-0410.yaml @@ -0,0 +1,18 @@ +id: GO-2022-0410 +modules: + - module: go.mozilla.org/sops + vulnerable_at: 0.0.0-20190912205235-14a22d7a7060 + - module: go.mozilla.org/sops/v3 + versions: + - fixed: 3.7.1 + vulnerable_at: 3.7.0 +summary: Local directory executable lookup in sops (Windows-only) in go.mozilla.org/sops +ghsas: + - GHSA-x5c7-x7m2-rhmf +references: + - advisory: https://github.com/mozilla/sops/security/advisories/GHSA-x5c7-x7m2-rhmf +source: + id: GHSA-x5c7-x7m2-rhmf + created: 2024-08-20T13:53:49.792541-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0413.yaml b/data/reports/GO-2022-0413.yaml new file mode 100644 index 000000000..07906c811 --- /dev/null +++ b/data/reports/GO-2022-0413.yaml @@ -0,0 +1,22 @@ +id: GO-2022-0413 +modules: + - module: github.com/pomerium/pomerium + versions: + - introduced: 0.16.0 + - fixed: 0.17.1 + vulnerable_at: 0.17.0 +summary: Exposure of Sensitive Information in Pomerium in github.com/pomerium/pomerium +cves: + - CVE-2022-24797 +ghsas: + - GHSA-q98f-2x4p-prjr +references: + - advisory: https://github.com/pomerium/pomerium/security/advisories/GHSA-q98f-2x4p-prjr + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24797 + - fix: https://github.com/pomerium/pomerium/commit/b435f73e2b54088da2aca5e8c3aa1808293d6903 + - fix: https://github.com/pomerium/pomerium/pull/3212 +source: + id: CVE-2022-24797 + created: 2024-08-20T13:53:53.557884-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0416.yaml b/data/reports/GO-2022-0416.yaml new file mode 100644 index 000000000..bf95e7d01 --- /dev/null +++ b/data/reports/GO-2022-0416.yaml 
@@ -0,0 +1,31 @@ +id: GO-2022-0416 +modules: + - module: github.com/containers/podman + vulnerable_at: 1.9.3 + - module: github.com/containers/podman/v2 + vulnerable_at: 2.2.1 + - module: github.com/containers/podman/v3 + vulnerable_at: 3.4.7 + - module: github.com/containers/podman/v4 + versions: + - fixed: 4.0.3 + vulnerable_at: 4.0.2 +summary: Podman's default inheritable capabilities for linux container not empty in github.com/containers/podman +cves: + - CVE-2022-27649 +ghsas: + - GHSA-qvf8-p83w-v58j +references: + - advisory: https://github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-27649 + - fix: https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0 + - web: https://bugzilla.redhat.com/show_bug.cgi?id=2066568 + - web: https://github.com/containers/podman/releases/tag/v4.0.3 + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3 + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX +source: + id: GHSA-qvf8-p83w-v58j + created: 2024-08-20T13:54:01.273668-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0418.yaml b/data/reports/GO-2022-0418.yaml new file mode 100644 index 000000000..fddb532c1 --- /dev/null +++ b/data/reports/GO-2022-0418.yaml 
@@ -0,0 +1,20 @@ +id: GO-2022-0418 +modules: + - module: github.com/ipfs/go-ipfs + versions: + - introduced: 0.11.0 + - fixed: 0.12.1 + vulnerable_at: 0.12.0 +summary: Opened exploitable ports in default docker-compose.yaml in go-ipfs in github.com/ipfs/go-ipfs +ghsas: + - GHSA-fx5p-f64h-93xc +references: + - advisory: https://github.com/ipfs/go-ipfs/security/advisories/GHSA-fx5p-f64h-93xc + - fix: https://github.com/ipfs/go-ipfs/commit/816a128aaf963d72c4930852ce32b9a4e31924a1 + - fix: https://github.com/ipfs/go-ipfs/pull/8773 + - web: https://github.com/ipfs/go-ipfs/releases/tag/v0.12.1 +source: + id: GHSA-fx5p-f64h-93xc + created: 2024-08-20T13:54:08.056591-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0424.yaml b/data/reports/GO-2022-0424.yaml new file mode 100644 index 000000000..440ea1c02 --- /dev/null +++ b/data/reports/GO-2022-0424.yaml @@ -0,0 +1,19 @@ +id: GO-2022-0424 +modules: + - module: github.com/github/git-sizer + versions: + - fixed: 1.4.0 + vulnerable_at: 1.3.0 +summary: |- + On Windows, `git-sizer` might run a `git` executable within the repository being + analyzed in github.com/github/git-sizer +ghsas: + - GHSA-57q7-rxqq-7vgp +references: + - advisory: https://github.com/github/git-sizer/security/advisories/GHSA-57q7-rxqq-7vgp + - fix: https://github.com/github/git-sizer/commit/38400d6ddd79325e956b00ff584cfcc8dd96d536 +source: + id: GHSA-57q7-rxqq-7vgp + created: 2024-08-20T13:54:22.068739-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0426.yaml b/data/reports/GO-2022-0426.yaml new file mode 100644 index 000000000..3deaf87e6 --- /dev/null +++ b/data/reports/GO-2022-0426.yaml 
@@ -0,0 +1,20 @@ +id: GO-2022-0426 +modules: + - module: github.com/cri-o/cri-o + versions: + - fixed: 1.24.0 + vulnerable_at: 1.23.5 +summary: Incorrect Default Permissions in CRI-O in github.com/cri-o/cri-o +cves: + - CVE-2022-27652 +ghsas: + - GHSA-4hj2-r2pm-3hc6 +references: + - advisory: https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-27652 + - web: https://bugzilla.redhat.com/show_bug.cgi?id=2066839 +source: + id: GHSA-4hj2-r2pm-3hc6 + created: 2024-08-20T13:54:23.778567-04:00 +review_status: UNREVIEWED +unexcluded: NOT_IMPORTABLE diff --git a/data/reports/GO-2022-0429.yaml b/data/reports/GO-2022-0429.yaml new file mode 100644 index 000000000..99000de5b --- /dev/null +++ b/data/reports/GO-2022-0429.yaml @@ -0,0 +1,20 @@ +id: GO-2022-0429 +modules: + - module: github.com/stripe/smokescreen + versions: + - fixed: 0.0.3 + vulnerable_at: 0.0.2 +summary: Smokescreen SSRF via deny list bypass in github.com/stripe/smokescreen +cves: + - CVE-2022-24825 +ghsas: + - GHSA-gcj7-j438-hjj2 +references: + - advisory: https://github.com/stripe/smokescreen/security/advisories/GHSA-gcj7-j438-hjj2 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24825 + - fix: https://github.com/stripe/smokescreen/commit/fafb6ae48c6c40aa011d87b61306abc48db8797b +source: + id: GHSA-gcj7-j438-hjj2 + created: 2024-08-20T13:56:31.823392-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0440.yaml b/data/reports/GO-2022-0440.yaml new file mode 100644 index 000000000..9dac13fe5 --- /dev/null +++ b/data/reports/GO-2022-0440.yaml 
@@ -0,0 +1,22 @@ +id: GO-2022-0440 +modules: + - module: github.com/woodpecker-ci/woodpecker + versions: + - fixed: 0.15.1 + vulnerable_at: 0.15.0 +summary: Woodpecker allows cross-site scripting (XSS) via build logs in github.com/woodpecker-ci/woodpecker +cves: + - CVE-2022-29947 +ghsas: + - GHSA-vmp5-c5hp-6c65 +references: + - advisory: https://github.com/advisories/GHSA-vmp5-c5hp-6c65 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-29947 + - fix: https://github.com/woodpecker-ci/woodpecker/pull/879 + - web: https://github.com/woodpecker-ci/woodpecker + - web: https://github.com/woodpecker-ci/woodpecker/releases/tag/v0.15.1 +source: + id: GHSA-vmp5-c5hp-6c65 + created: 2024-08-20T13:56:52.364284-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0442.yaml b/data/reports/GO-2022-0442.yaml new file mode 100644 index 000000000..d38ab8ce9 --- /dev/null +++ b/data/reports/GO-2022-0442.yaml @@ -0,0 +1,21 @@ +id: GO-2022-0442 +modules: + - module: code.gitea.io/gitea + versions: + - fixed: 1.16.4 + vulnerable_at: 1.16.3 +summary: Arbitrary file deletion in gitea in code.gitea.io/gitea +cves: + - CVE-2022-27313 +ghsas: + - GHSA-g7p7-x6w7-w6qg +references: + - advisory: https://github.com/advisories/GHSA-g7p7-x6w7-w6qg + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-27313 + - web: https://github.com/go-gitea/gitea/pull/19072 + - web: https://github.com/go-gitea/gitea/releases/tag/v1.16.4 +source: + id: GHSA-g7p7-x6w7-w6qg + created: 2024-08-20T13:57:01.317518-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0447.yaml b/data/reports/GO-2022-0447.yaml new file mode 100644 index 000000000..13774c931 --- /dev/null +++ b/data/reports/GO-2022-0447.yaml 
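Review bot: GO-2022-0442.yaml lists `https://github.com/go-gitea/gitea/pull/19072` only as a `web` reference and carries no `fix:` reference at all, even though its range ends at `fixed: 1.16.4` and that PR is the only code link in the report. If it is the patch that shipped in 1.16.4 (the adjacent v1.16.4 release-tag reference suggests so, though I have not checked the PR contents), retag it `- fix: https://github.com/go-gitea/gitea/pull/19072` so consumers that distinguish remediation links from general web links can find it. The GO-2022-0440 hunk on the same line has the related problem that `- web: https://github.com/woodpecker-ci/woodpecker` is a bare repository URL with no advisory-specific content; it adds nothing the advisory link does not already give and is a candidate to drop when the report is reviewed.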
@@ -0,0 +1,25 @@ +id: GO-2022-0447 +modules: + - module: github.com/fluxcd/flux2 + versions: + - fixed: 0.29.0 + vulnerable_at: 0.28.5 + - module: github.com/fluxcd/kustomize-controller + versions: + - fixed: 0.24.0 + vulnerable_at: 0.23.0 +summary: Improper path handling in kustomization files allows path traversal in github.com/fluxcd/flux2 +cves: + - CVE-2022-24877 +ghsas: + - GHSA-j77r-2fxf-5jrw +references: + - advisory: https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24877 + - fix: https://github.com/fluxcd/kustomize-controller/commit/f4528fb25d611da94e491346bea056d5c5c3611f + - web: https://github.com/fluxcd/pkg/commit/0ec014baf417fd3879d366a45503a548b9267d2a +source: + id: GHSA-j77r-2fxf-5jrw + created: 2024-08-20T13:57:18.284097-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0448.yaml b/data/reports/GO-2022-0448.yaml new file mode 100644 index 000000000..43b0223f8 --- /dev/null +++ b/data/reports/GO-2022-0448.yaml @@ -0,0 +1,25 @@ +id: GO-2022-0448 +modules: + - module: github.com/fluxcd/flux2 + versions: + - introduced: 0.19.0 + - fixed: 0.29.0 + vulnerable_at: 0.28.5 + - module: github.com/fluxcd/kustomize-controller + versions: + - introduced: 0.16.0 + - fixed: 0.24.0 + vulnerable_at: 0.23.0 +summary: Improper path handling in Kustomization files allows for denial of service in github.com/fluxcd/flux2 +cves: + - CVE-2022-24878 +ghsas: + - GHSA-7pwf-jg34-hxwp +references: + - advisory: https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24878 +source: + id: GHSA-7pwf-jg34-hxwp + created: 2024-08-20T13:57:22.461175-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0449.yaml b/data/reports/GO-2022-0449.yaml new file mode 100644 index 000000000..cf2ea204a --- /dev/null 
+++ b/data/reports/GO-2022-0449.yaml @@ -0,0 +1,21 @@ +id: GO-2022-0449 +modules: + - module: github.com/charmbracelet/charm + versions: + - introduced: 0.9.0 + - fixed: 0.12.1 + vulnerable_at: 0.12.0 +summary: Server-Side Request Forgery in charm in github.com/charmbracelet/charm +cves: + - CVE-2022-29180 +ghsas: + - GHSA-4wpp-w5r4-7v5v +references: + - advisory: https://github.com/charmbracelet/charm/security/advisories/GHSA-4wpp-w5r4-7v5v + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-29180 + - fix: https://github.com/charmbracelet/charm/commit/3c90668f955c7ce5ef721e4fc9faee7053232fd3 +source: + id: GHSA-4wpp-w5r4-7v5v + created: 2024-08-20T13:57:25.232587-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0450.yaml b/data/reports/GO-2022-0450.yaml new file mode 100644 index 000000000..c7df4fa4e --- /dev/null +++ b/data/reports/GO-2022-0450.yaml @@ -0,0 +1,24 @@ +id: GO-2022-0450 +modules: + - module: code.gitea.io/gitea + versions: + - fixed: 1.16.7 + vulnerable_at: 1.16.6 +summary: Shell command injection in gitea in code.gitea.io/gitea +cves: + - CVE-2022-30781 +ghsas: + - GHSA-p5f9-c9j9-g8qx +references: + - advisory: https://github.com/advisories/GHSA-p5f9-c9j9-g8qx + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-30781 + - web: http://packetstormsecurity.com/files/168400/Gitea-1.16.6-Remote-Code-Execution.html + - web: http://packetstormsecurity.com/files/169928/Gitea-Git-Fetch-Remote-Code-Execution.html + - web: https://blog.gitea.io/2022/05/gitea-1.16.7-is-released + - web: https://github.com/go-gitea/gitea/pull/19487 + - web: https://github.com/go-gitea/gitea/pull/19490 +source: + id: GHSA-p5f9-c9j9-g8qx + created: 2024-08-20T13:57:28.338772-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0451.yaml b/data/reports/GO-2022-0451.yaml new file mode 100644 index 000000000..9e5746bee --- /dev/null +++ b/data/reports/GO-2022-0451.yaml 
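Review bot: Two references in GO-2022-0450.yaml use plain `http://` for packetstormsecurity.com; in an advisory feed that is rendered on pkg.go.dev and consumed by tooling, references should use `https://` so readers are not routed to an exploit write-up over cleartext, e.g. `- web: https://packetstormsecurity.com/files/168400/Gitea-1.16.6-Remote-Code-Execution.html` (and likewise for 169928). The two gitea pull requests (#19487, #19490) are tagged `web` while the report has no `fix:` entry; if they are the patches that shipped in 1.16.7, which the referenced release post implies but I have not verified, they belong under `fix:`. Note also that both packetstorm items are public exploit write-ups for a shell command injection, so this is one of the unreviewed reports in the batch that most merits a prompt review pass.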
@@ -0,0 +1,22 @@ +id: GO-2022-0451 +modules: + - module: github.com/coreos/ignition + vulnerable_at: 0.35.0 + - module: github.com/coreos/ignition/v2 + versions: + - fixed: 2.14.0 + vulnerable_at: 2.13.0 +summary: Ignition config accessible to unprivileged software on VMware in github.com/coreos/ignition +cves: + - CVE-2022-1706 +ghsas: + - GHSA-hj57-j5cw-2mwp +references: + - advisory: https://github.com/coreos/ignition/security/advisories/GHSA-hj57-j5cw-2mwp + - fix: https://github.com/coreos/ignition/pull/1350 + - report: https://github.com/coreos/ignition/issues/1300 +source: + id: GHSA-hj57-j5cw-2mwp + created: 2024-08-20T13:57:34.481069-04:00 +review_status: UNREVIEWED +unexcluded: NOT_IMPORTABLE diff --git a/data/reports/GO-2022-0452.yaml b/data/reports/GO-2022-0452.yaml new file mode 100644 index 000000000..437f461e1 --- /dev/null +++ b/data/reports/GO-2022-0452.yaml 
@@ -0,0 +1,25 @@ +id: GO-2022-0452 +modules: + - module: github.com/opencontainers/runc + versions: + - fixed: 1.1.2 + vulnerable_at: 1.1.1 +summary: Default inheritable capabilities for linux container should be empty in github.com/opencontainers/runc +cves: + - CVE-2022-29162 +ghsas: + - GHSA-f3fp-gc8g-vw66 +references: + - advisory: https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-29162 + - fix: https://github.com/opencontainers/runc/commit/d04de3a9b72d7a2455c1885fc75eb36d02cd17b5 + - web: https://github.com/opencontainers/runc/releases/tag/v1.1.2 + - web: https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNND + - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GPQU4YC4AAY54JDXGDQHJEYKSXXG5T2Y +source: + id: GHSA-f3fp-gc8g-vw66 + created: 2024-08-20T13:57:38.585931-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0453.yaml b/data/reports/GO-2022-0453.yaml new file mode 100644 index 000000000..be26d312c --- /dev/null +++ b/data/reports/GO-2022-0453.yaml 
@@ -0,0 +1,33 @@ +id: GO-2022-0453 +modules: + - module: github.com/argoproj/argo-cd + vulnerable_at: 1.8.6 + - module: github.com/argoproj/argo-cd/v2 + versions: + - fixed: 2.1.15 + - introduced: 2.2.0 + - fixed: 2.2.9 + - introduced: 2.3.0 + - fixed: 2.3.4 + vulnerable_at: 2.3.3 +summary: |- + Symlink following allows leaking out-of-bound manifests and JSON files from Argo + CD repo-server in github.com/argoproj/argo-cd +cves: + - CVE-2022-24904 +ghsas: + - GHSA-6gcg-hp2x-q54h +references: + - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24904 + - fix: https://github.com/argoproj/argo-cd/commit/5e767a4b9e30983330c0fdec322192281a90eb84 + - fix: https://github.com/argoproj/argo-cd/commit/7357cfdb58a560de70a0538c6e3bef6fe39505ea + - fix: https://github.com/argoproj/argo-cd/commit/d36d95dc9f71ec61c1a93794f81ece6d61a0d943 + - web: https://github.com/argoproj/argo-cd/releases/tag/v2.1.15 + - web: https://github.com/argoproj/argo-cd/releases/tag/v2.2.9 + - web: https://github.com/argoproj/argo-cd/releases/tag/v2.3.4 +source: + id: GHSA-6gcg-hp2x-q54h + created: 2024-08-20T13:57:44.583507-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0454.yaml b/data/reports/GO-2022-0454.yaml new file mode 100644 index 000000000..6b8ecd6ae --- /dev/null +++ b/data/reports/GO-2022-0454.yaml 
@@ -0,0 +1,29 @@ +id: GO-2022-0454 +modules: + - module: github.com/argoproj/argo-cd + vulnerable_at: 1.8.6 + - module: github.com/argoproj/argo-cd/v2 + versions: + - introduced: 2.0.0 + - fixed: 2.1.15 + - introduced: 2.2.0 + - fixed: 2.2.9 + - introduced: 2.3.0 + - fixed: 2.3.4 + vulnerable_at: 2.3.3 +summary: Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd +cves: + - CVE-2022-24905 +ghsas: + - GHSA-xmg8-99r8-jc2j +references: + - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24905 + - web: https://github.com/argoproj/argo-cd/releases/tag/v2.1.15 + - web: https://github.com/argoproj/argo-cd/releases/tag/v2.2.9 + - web: https://github.com/argoproj/argo-cd/releases/tag/v2.3.4 +source: + id: GHSA-xmg8-99r8-jc2j + created: 2024-08-20T13:57:50.231112-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0455.yaml b/data/reports/GO-2022-0455.yaml new file mode 100644 index 000000000..6167006dd --- /dev/null +++ b/data/reports/GO-2022-0455.yaml 
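Review bot: The `github.com/argoproj/argo-cd/v2` range in GO-2022-0454.yaml opens with `introduced: 2.0.0`, while the sibling reports GO-2022-0453 and GO-2022-0455, which cover the same module and end at the same fixed versions (2.1.15, 2.2.9, 2.3.4), start from an implicit `introduced: 0`. For a `/v2` module path the two forms are equivalent in effect, since no v2 module version below 2.0.0 can exist, but the inconsistency makes three reports about the same module look as if they describe different affected ranges; either add `- introduced: 2.0.0` to 0453/0455 or drop it here so they read alike. The unversioned `github.com/argoproj/argo-cd` entry (`vulnerable_at: 1.8.6`) has no fixed version, which the generated OSV renders as an open-ended `introduced: 0`; if v1 is simply unmaintained rather than confirmed affected, a one-line note for the eventual reviewer would help, because as written every v1 user will presumably be flagged.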
@@ -0,0 +1,28 @@ +id: GO-2022-0455 +modules: + - module: github.com/argoproj/argo-cd + vulnerable_at: 1.8.6 + - module: github.com/argoproj/argo-cd/v2 + versions: + - fixed: 2.1.15 + - introduced: 2.2.0 + - fixed: 2.2.9 + - introduced: 2.3.0 + - fixed: 2.3.4 + vulnerable_at: 2.3.3 +summary: Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd +cves: + - CVE-2022-29165 +ghsas: + - GHSA-r642-gv9p-2wjj +references: + - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-29165 + - web: https://github.com/argoproj/argo-cd/releases/tag/v2.1.15 + - web: https://github.com/argoproj/argo-cd/releases/tag/v2.2.9 + - web: https://github.com/argoproj/argo-cd/releases/tag/v2.3.4 +source: + id: GHSA-r642-gv9p-2wjj + created: 2024-08-20T13:57:53.210022-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE diff --git a/data/reports/GO-2022-0456.yaml b/data/reports/GO-2022-0456.yaml new file mode 100644 index 000000000..2e4ae3571 --- /dev/null +++ b/data/reports/GO-2022-0456.yaml @@ -0,0 +1,20 @@ +id: GO-2022-0456 +modules: + - module: github.com/ethereum/go-ethereum + versions: + - fixed: 1.10.17 + vulnerable_at: 1.10.16 +summary: DoS via malicious p2p message in Go Ethereum in github.com/ethereum/go-ethereum +cves: + - CVE-2022-29177 +ghsas: + - GHSA-wjxw-gh3m-7pm5 +references: + - advisory: https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-29177 + - fix: https://github.com/ethereum/go-ethereum/pull/24507 +source: + id: GHSA-wjxw-gh3m-7pm5 + created: 2024-08-20T13:57:55.902925-04:00 +review_status: UNREVIEWED +unexcluded: EFFECTIVELY_PRIVATE