diff --git a/data/excluded/GO-2023-1270.yaml b/data/excluded/GO-2023-1270.yaml
deleted file mode 100644
index a42184a8..00000000
--- a/data/excluded/GO-2023-1270.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1270
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/usememos/memos
-cves:
- - CVE-2022-4863
-ghsas:
- - GHSA-6whj-8g9g-5jvx
diff --git a/data/excluded/GO-2023-1283.yaml b/data/excluded/GO-2023-1283.yaml
deleted file mode 100644
index b9b27ce6..00000000
--- a/data/excluded/GO-2023-1283.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1283
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/KubeOperator/kubepi
-cves:
- - CVE-2023-22463
-ghsas:
- - GHSA-vjhf-8vqx-vqpq
diff --git a/data/excluded/GO-2023-1285.yaml b/data/excluded/GO-2023-1285.yaml
deleted file mode 100644
index 7834c6e6..00000000
--- a/data/excluded/GO-2023-1285.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1285
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/usememos/memos
-cves:
- - CVE-2022-4851
-ghsas:
- - GHSA-42q2-m54f-jh95
diff --git a/data/excluded/GO-2023-1291.yaml b/data/excluded/GO-2023-1291.yaml
deleted file mode 100644
index 80899f81..00000000
--- a/data/excluded/GO-2023-1291.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1291
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/usememos/memos
-cves:
- - CVE-2022-4803
-ghsas:
- - GHSA-mfmp-8mqg-q4wm
diff --git a/data/excluded/GO-2023-1292.yaml b/data/excluded/GO-2023-1292.yaml
deleted file mode 100644
index cbf5eb87..00000000
--- a/data/excluded/GO-2023-1292.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1292
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/usememos/memos
-cves:
- - CVE-2022-4805
-ghsas:
- - GHSA-mq5q-gpgv-pwxw
diff --git a/data/excluded/GO-2023-1294.yaml b/data/excluded/GO-2023-1294.yaml
deleted file mode 100644
index a2e23e8e..00000000
--- a/data/excluded/GO-2023-1294.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1294
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/agnivade/easy-scrypt
-cves:
- - CVE-2014-125055
-ghsas:
- - GHSA-r894-5r7v-7rx3
diff --git a/data/excluded/GO-2023-1377.yaml b/data/excluded/GO-2023-1377.yaml
deleted file mode 100644
index 07a434fd..00000000
--- a/data/excluded/GO-2023-1377.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1377
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/weaveworks/weave-gitops
-cves:
- - CVE-2022-23508
-ghsas:
- - GHSA-wr3c-g326-486c
diff --git a/data/excluded/GO-2023-1388.yaml b/data/excluded/GO-2023-1388.yaml
deleted file mode 100644
index e8f7728b..00000000
--- a/data/excluded/GO-2023-1388.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1388
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/weaveworks/weave-gitops
-cves:
- - CVE-2022-23509
-ghsas:
- - GHSA-89qm-wcmw-3mgg
diff --git a/data/excluded/GO-2023-1449.yaml b/data/excluded/GO-2023-1449.yaml
deleted file mode 100644
index df97bdc3..00000000
--- a/data/excluded/GO-2023-1449.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1449
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/usememos/memos
-cves:
- - CVE-2022-4808
-ghsas:
- - GHSA-r3p3-5f35-h6mf
diff --git a/data/excluded/GO-2023-1461.yaml b/data/excluded/GO-2023-1461.yaml
deleted file mode 100644
index 01be27d0..00000000
--- a/data/excluded/GO-2023-1461.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1461
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/usememos/memos
-cves:
- - CVE-2023-0112
-ghsas:
- - GHSA-9h7x-9pmh-7gg8
diff --git a/data/excluded/GO-2023-1462.yaml b/data/excluded/GO-2023-1462.yaml
deleted file mode 100644
index 6d9d9a2f..00000000
--- a/data/excluded/GO-2023-1462.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1462
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/usememos/memos
-cves:
- - CVE-2023-0108
-ghsas:
- - GHSA-fpjc-cxr6-w6h8
diff --git a/data/excluded/GO-2023-1463.yaml b/data/excluded/GO-2023-1463.yaml
deleted file mode 100644
index 0b572755..00000000
--- a/data/excluded/GO-2023-1463.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1463
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/KubeOperator/kubepi
-cves:
- - CVE-2023-22478
-ghsas:
- - GHSA-gqx8-hxmv-c4v4
diff --git a/data/excluded/GO-2023-1465.yaml b/data/excluded/GO-2023-1465.yaml
deleted file mode 100644
index d8a495cb..00000000
--- a/data/excluded/GO-2023-1465.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1465
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/usememos/memos
-cves:
- - CVE-2023-0111
-ghsas:
- - GHSA-h2ph-9r76-37v5
diff --git a/data/excluded/GO-2023-1468.yaml b/data/excluded/GO-2023-1468.yaml
deleted file mode 100644
index 62cd1b24..00000000
--- a/data/excluded/GO-2023-1468.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1468
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/KubeOperator/kubepi
-cves:
- - CVE-2023-22479
-ghsas:
- - GHSA-v4w5-r2xc-7f8h
diff --git a/data/excluded/GO-2023-1469.yaml b/data/excluded/GO-2023-1469.yaml
deleted file mode 100644
index 49c3e51f..00000000
--- a/data/excluded/GO-2023-1469.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1469
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/usememos/memos
-cves:
- - CVE-2023-0110
-ghsas:
- - GHSA-x22v-qgm2-7qc7
diff --git a/data/excluded/GO-2023-1471.yaml b/data/excluded/GO-2023-1471.yaml
deleted file mode 100644
index aa8c64ae..00000000
--- a/data/excluded/GO-2023-1471.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2023-1471
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/gotify/server
-ghsas:
- - GHSA-3244-8mff-w398
diff --git a/data/excluded/GO-2023-1492.yaml b/data/excluded/GO-2023-1492.yaml
deleted file mode 100644
index 1db95cca..00000000
--- a/data/excluded/GO-2023-1492.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1492
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: k8s.io/kubernetes
-cves:
- - CVE-2017-1000056
-ghsas:
- - GHSA-2jx2-76rc-2v7v
diff --git a/data/excluded/GO-2023-1502.yaml b/data/excluded/GO-2023-1502.yaml
deleted file mode 100644
index 36135865..00000000
--- a/data/excluded/GO-2023-1502.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1502
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/Velocidex/velociraptor
-cves:
- - CVE-2023-0290
-ghsas:
- - GHSA-7jf5-fvgf-48c6
diff --git a/data/excluded/GO-2023-1504.yaml b/data/excluded/GO-2023-1504.yaml
deleted file mode 100644
index bc11ed8a..00000000
--- a/data/excluded/GO-2023-1504.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1504
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/nektos/act
-cves:
- - CVE-2023-22726
-ghsas:
- - GHSA-pc99-qmg4-rcff
diff --git a/data/excluded/GO-2023-1509.yaml b/data/excluded/GO-2023-1509.yaml
deleted file mode 100644
index aa0708c7..00000000
--- a/data/excluded/GO-2023-1509.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-1509
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/go-sonic/sonic
-cves:
- - CVE-2022-46959
-ghsas:
- - GHSA-2x48-p6cq-5xcw
diff --git a/data/osv/GO-2023-1270.json b/data/osv/GO-2023-1270.json
new file mode 100644
index 00000000..2b95cbbf
--- /dev/null
+++ b/data/osv/GO-2023-1270.json
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1270", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-4863", + "GHSA-6whj-8g9g-5jvx" + ], + "summary": "usememos/memos vulnerable to Improper Handling of Insufficient Permissions or Privileges in github.com/usememos/memos", + "details": "usememos/memos vulnerable to Improper Handling of Insufficient Permissions or Privileges in github.com/usememos/memos", + "affected": [ + { + "package": { + "name": "github.com/usememos/memos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.9.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-6whj-8g9g-5jvx" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4863" + }, + { + "type": "FIX", + "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/42751929-e511-49a9-888d-d5b610da2a45" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1270", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1283.json b/data/osv/GO-2023-1283.json new file mode 100644 index 00000000..652e37b4 --- /dev/null +++ b/data/osv/GO-2023-1283.json 
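Review bot: This entry, and every other `data/osv/GO-2023-*.json` file added in this commit, is committed with `"modified": "0001-01-01T00:00:00Z"` and `"published": "0001-01-01T00:00:00Z"`, which is Go's zero `time.Time` rather than a real timestamp; consumers that sort or poll by `modified` will either order these before every other advisory or skip them, so unless the publishing pipeline is known to overwrite both fields from git history before upload, the real dates belong here. In all of them `details` is a verbatim copy of `summary`, so the entry carries no description beyond its title, and `ecosystem_specific` is `{}`, so a consumer can only match at module level with no package or symbol information. If that is the intended shape for `"review_status": "UNREVIEWED"` entries converted from excluded reports, a sentence saying so in the commit message would save the next reviewer the same question.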
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1283", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-22463", + "GHSA-vjhf-8vqx-vqpq" + ], + "summary": "KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys in github.com/KubeOperator/kubepi", + "details": "KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys in github.com/KubeOperator/kubepi", + "affected": [ + { + "package": { + "name": "github.com/KubeOperator/kubepi", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/KubeOperator/KubePi/security/advisories/GHSA-vjhf-8vqx-vqpq" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22463" + }, + { + "type": "WEB", + "url": "https://github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3a45a3/internal/api/v1/session/session.go#L35" + }, + { + "type": "WEB", + "url": "https://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9fbbf8b" + }, + { + "type": "WEB", + "url": "https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1283", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1285.json b/data/osv/GO-2023-1285.json new file mode 100644 index 00000000..0a0ada34 --- /dev/null +++ b/data/osv/GO-2023-1285.json 
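Review bot: The commit link for this advisory, `https://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9fbbf8b`, is typed `"WEB"`, while the memos entries in this same commit type their fix commit `"FIX"`; if this is the commit that removed the hard-coded JWT signing key, the reference should read `{ "type": "FIX", "url": "https://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9fbbf8b" }`. The same `WEB`-typed commit links appear in GO-2023-1463, GO-2023-1468, GO-2023-1492 and GO-2023-1502 below. The reference type is what lets a responder find the patch without following every link, so this is better fixed in whatever produces these entries than per file.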
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1285", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-4851", + "GHSA-42q2-m54f-jh95" + ], + "summary": "sememos/memos vulnerable to Improper Handling of Values in github.com/usememos/memos", + "details": "sememos/memos vulnerable to Improper Handling of Values in github.com/usememos/memos", + "affected": [ + { + "package": { + "name": "github.com/usememos/memos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.9.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-42q2-m54f-jh95" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4851" + }, + { + "type": "FIX", + "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/e3cebc1a-1326-4a08-abad-0414a717fa0f" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1285", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1291.json b/data/osv/GO-2023-1291.json new file mode 100644 index 00000000..75998e73 --- /dev/null +++ b/data/osv/GO-2023-1291.json 
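Review bot: The `summary` (and the identical `details`) reads `sememos/memos vulnerable to Improper Handling of Values in github.com/usememos/memos`; the leading `sememos` looks like a typo inherited from the upstream advisory title and should be `usememos/memos vulnerable to Improper Handling of Values in github.com/usememos/memos`. GO-2023-1468 in this same commit has a related artifact, where the upstream title's trailing period survives into the middle of the sentence (`... hijack a legitimate user session. in github.com/KubeOperator/kubepi`). Both suggest the summary is built by appending ` in <module>` to the upstream title verbatim; trimming whitespace and trailing punctuation from the title before concatenation would fix this class once.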
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1291", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-4803", + "GHSA-mfmp-8mqg-q4wm" + ], + "summary": "usememos/memos Improper Access Control vulnerability in github.com/usememos/memos", + "details": "usememos/memos Improper Access Control vulnerability in github.com/usememos/memos", + "affected": [ + { + "package": { + "name": "github.com/usememos/memos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.9.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mfmp-8mqg-q4wm" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4803" + }, + { + "type": "FIX", + "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/0fba72b9-db10-4d9f-a707-2acf2004a286" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1291", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1292.json b/data/osv/GO-2023-1292.json new file mode 100644 index 00000000..47df9b03 --- /dev/null +++ b/data/osv/GO-2023-1292.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1292", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-4805", + "GHSA-mq5q-gpgv-pwxw" + ], + "summary": "usememos/memos Incorrect Use of Privileged APIs vulnerability in github.com/usememos/memos", + "details": "usememos/memos Incorrect Use of Privileged APIs vulnerability in github.com/usememos/memos", + "affected": [ + { + "package": { + "name": "github.com/usememos/memos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.9.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mq5q-gpgv-pwxw" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4805" + }, + { + "type": "FIX", + "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/b03f6a9b-e49b-42d6-a318-1d7afd985873" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1292", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1294.json b/data/osv/GO-2023-1294.json new file mode 100644 index 00000000..1a2ba251 --- /dev/null +++ b/data/osv/GO-2023-1294.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1294", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2014-125055", + "GHSA-r894-5r7v-7rx3" + ], + "summary": "easy-scrypt Observable Timing Discrepancy vulnerability in github.com/agnivade/easy-scrypt", + "details": "easy-scrypt Observable Timing Discrepancy vulnerability in github.com/agnivade/easy-scrypt", + "affected": [ + { + "package": { + "name": "github.com/agnivade/easy-scrypt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-r894-5r7v-7rx3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-125055" + }, + { + "type": "FIX", + "url": "https://github.com/agnivade/easy-scrypt/commit/477c10cf3b144ddf96526aa09f5fdea613f21812" + }, + { + "type": "WEB", + "url": "https://github.com/agnivade/easy-scrypt/releases/tag/v1.0.0" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.217596" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.217596" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1294", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1377.json b/data/osv/GO-2023-1377.json new file mode 100644 index 00000000..3bbfa9f2 --- /dev/null +++ b/data/osv/GO-2023-1377.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1377", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-23508", + "GHSA-wr3c-g326-486c" + ], + "summary": "GitOps Run allows for Kubernetes workload injection in github.com/weaveworks/weave-gitops", + "details": "GitOps Run allows for Kubernetes workload injection in github.com/weaveworks/weave-gitops", + "affected": [ + { + "package": { + "name": "github.com/weaveworks/weave-gitops", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-wr3c-g326-486c" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23508" + }, + { + "type": "FIX", + "url": "https://github.com/weaveworks/weave-gitops/pull/3102/commits/966823bbda8c539a4661e2a4f8607c9307ba6225" + }, + { + "type": "FIX", + "url": "https://github.com/weaveworks/weave-gitops/pull/3114/commits/75268c4d2c8f7e4db22c63d76b451ba6545d117f" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1377", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1388.json b/data/osv/GO-2023-1388.json new file mode 100644 index 00000000..633f9ff8 --- /dev/null +++ b/data/osv/GO-2023-1388.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1388", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-23509", + "GHSA-89qm-wcmw-3mgg" + ], + "summary": "Gitops Run insecure communication in github.com/weaveworks/weave-gitops", + "details": "Gitops Run insecure communication in github.com/weaveworks/weave-gitops", + "affected": [ + { + "package": { + "name": "github.com/weaveworks/weave-gitops", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-89qm-wcmw-3mgg" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23509" + }, + { + "type": "FIX", + "url": "https://github.com/weaveworks/weave-gitops/pull/3098/commits/babd91574b99b310b84aeec9f8f895bd18acb967" + }, + { + "type": "FIX", + "url": "https://github.com/weaveworks/weave-gitops/pull/3106/commits/ce2bbff0a3609c33396050ed544a5a21f8d0797f" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1388", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1449.json b/data/osv/GO-2023-1449.json new file mode 100644 index 00000000..174e4ee7 --- /dev/null +++ b/data/osv/GO-2023-1449.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1449", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-4808", + "GHSA-r3p3-5f35-h6mf" + ], + "summary": "usememos/memos Improper Privilege Management vulnerability in github.com/usememos/memos", + "details": "usememos/memos Improper Privilege Management vulnerability in github.com/usememos/memos", + "affected": [ + { + "package": { + "name": "github.com/usememos/memos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.9.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-r3p3-5f35-h6mf" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4808" + }, + { + "type": "FIX", + "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/11877cbf-fcaf-42ef-813e-502c7293f2b5" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1449", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1461.json b/data/osv/GO-2023-1461.json new file mode 100644 index 00000000..1ae1263c --- /dev/null +++ b/data/osv/GO-2023-1461.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1461", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-0112", + "GHSA-9h7x-9pmh-7gg8" + ], + "summary": "usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos", + "details": "usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos", + "affected": [ + { + "package": { + "name": "github.com/usememos/memos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.10.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9h7x-9pmh-7gg8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0112" + }, + { + "type": "FIX", + "url": "https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/ec2a29dc-79a3-44bd-a58b-15f676934af6" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1461", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1462.json b/data/osv/GO-2023-1462.json new file mode 100644 index 00000000..32ca61ad --- /dev/null +++ b/data/osv/GO-2023-1462.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1462", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-0108", + "GHSA-fpjc-cxr6-w6h8" + ], + "summary": "usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos", + "details": "usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos", + "affected": [ + { + "package": { + "name": "github.com/usememos/memos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.10.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-fpjc-cxr6-w6h8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0108" + }, + { + "type": "FIX", + "url": "https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/f66d33df-6588-4ab4-80a0-847451517944" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1462", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1463.json b/data/osv/GO-2023-1463.json new file mode 100644 index 00000000..29f6641d --- /dev/null +++ b/data/osv/GO-2023-1463.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1463", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-22478", + "GHSA-gqx8-hxmv-c4v4" + ], + "summary": "KubePi may allow unauthorized access to system API in github.com/KubeOperator/kubepi", + "details": "KubePi may allow unauthorized access to system API in github.com/KubeOperator/kubepi", + "affected": [ + { + "package": { + "name": "github.com/KubeOperator/kubepi", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/1Panel-dev/KubePi/security/advisories/GHSA-gqx8-hxmv-c4v4" + }, + { + "type": "ADVISORY", + "url": "https://github.com/KubeOperator/KubePi/security/advisories/GHSA-gqx8-hxmv-c4v4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22478" + }, + { + "type": "WEB", + "url": "https://github.com/KubeOperator/KubePi/commit/0c6774bf5d9003ae4d60257a3f207c131ff4a6d6" + }, + { + "type": "WEB", + "url": "https://github.com/KubeOperator/KubePi/releases/tag/v1.6.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1463", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1465.json b/data/osv/GO-2023-1465.json new file mode 100644 index 00000000..5b4e31cb --- /dev/null +++ b/data/osv/GO-2023-1465.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1465", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-0111", + "GHSA-h2ph-9r76-37v5" + ], + "summary": "usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos", + "details": "usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos", + "affected": [ + { + "package": { + "name": "github.com/usememos/memos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.10.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-h2ph-9r76-37v5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0111" + }, + { + "type": "FIX", + "url": "https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/70da256c-977a-487e-8a6a-9ae22caedbe3" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1465", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1468.json b/data/osv/GO-2023-1468.json new file mode 100644 index 00000000..54775842 --- /dev/null +++ b/data/osv/GO-2023-1468.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1468", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-22479", + "GHSA-v4w5-r2xc-7f8h" + ], + "summary": "KubePi session fixation attack allows an attacker to hijack a legitimate user session. in github.com/KubeOperator/kubepi", + "details": "KubePi session fixation attack allows an attacker to hijack a legitimate user session. in github.com/KubeOperator/kubepi", + "affected": [ + { + "package": { + "name": "github.com/KubeOperator/kubepi", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/1Panel-dev/KubePi/security/advisories/GHSA-v4w5-r2xc-7f8h" + }, + { + "type": "ADVISORY", + "url": "https://github.com/KubeOperator/KubePi/security/advisories/GHSA-v4w5-r2xc-7f8h" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22479" + }, + { + "type": "WEB", + "url": "https://github.com/KubeOperator/KubePi/commit/1e9c550356c1a425a742480efcf743d373e98dcb" + }, + { + "type": "WEB", + "url": "https://github.com/KubeOperator/KubePi/releases/tag/v1.6.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1468", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1469.json b/data/osv/GO-2023-1469.json new file mode 100644 index 00000000..6e2f234f --- /dev/null +++ b/data/osv/GO-2023-1469.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1469", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-0110", + "GHSA-x22v-qgm2-7qc7" + ], + "summary": "usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos", + "details": "usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos", + "affected": [ + { + "package": { + "name": "github.com/usememos/memos", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.10.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-x22v-qgm2-7qc7" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0110" + }, + { + "type": "FIX", + "url": "https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/6e4a1961-dbca-46f6-ae21-c25a621e54a7" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1469", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1471.json b/data/osv/GO-2023-1471.json new file mode 100644 index 00000000..0afb39bf --- /dev/null +++ b/data/osv/GO-2023-1471.json 
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1471", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-3244-8mff-w398" + ], + "summary": "Reflected XSS in Gotify's /docs via import of outdated Swagger UI in github.com/gotify/server", + "details": "Reflected XSS in Gotify's /docs via import of outdated Swagger UI in github.com/gotify/server", + "affected": [ + { + "package": { + "name": "github.com/gotify/server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/gotify/server/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/gotify/server/security/advisories/GHSA-3244-8mff-w398" + }, + { + "type": "FIX", + "url": "https://github.com/gotify/server/pull/541" + }, + { + "type": "WEB", + "url": "https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass" + }, + { + "type": "WEB", + "url": "https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1471", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1492.json b/data/osv/GO-2023-1492.json new file mode 100644 index 00000000..06da08c9 --- /dev/null +++ b/data/osv/GO-2023-1492.json 
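Review bot: The first `affected` entry, for `github.com/gotify/server`, has a SEMVER range with `"introduced": "0"` and no `fixed` event, so every version on the v1 module path is reported vulnerable indefinitely, while the fix at `2.2.3` is recorded only for `github.com/gotify/server/v2`. That is correct OSV if the v1 path never received the Swagger UI update, but nothing in the entry says so (`details` is just a copy of `summary`), and a consumer still on the v1 path gets an alert with no version to move to. Either drop the v1 range if that path is not meant to be matched, or add a sentence to `details` stating that the fix exists only on the v2 module path.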
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-1492", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2017-1000056", + "GHSA-2jx2-76rc-2v7v" + ], + "summary": "Kubernetes Privilege Escalation in k8s.io/kubernetes", + "details": "Kubernetes Privilege Escalation in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.5.0" + }, + { + "fixed": "1.5.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2jx2-76rc-2v7v" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000056" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/7fef0a4f6a44ea36f166c39fdade5324eff2dd5e" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/43459" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1492", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-1502.json b/data/osv/GO-2023-1502.json new file mode 100644 index 00000000..688813b0 --- /dev/null +++ b/data/osv/GO-2023-1502.json 
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-1502",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-0290",
+ "GHSA-7jf5-fvgf-48c6"
+ ],
+ "summary": "Velociraptor subject to Path Traversal in www.velocidex.com/golang/velociraptor",
+ "details": "Velociraptor subject to Path Traversal in www.velocidex.com/golang/velociraptor",
+ "affected": [
+ {
+ "package": {
+ "name": "www.velocidex.com/golang/velociraptor",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.6.7-5"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-7jf5-fvgf-48c6"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0290"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Velocidex/velociraptor/commit/4718bb0cb426564568abc77910e90a2c211a32e6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Velocidex/velociraptor/compare/v0.6.7-4...v0.6.7-5"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-1502",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-1504.json b/data/osv/GO-2023-1504.json
new file mode 100644
index 00000000..e961f1f7
--- /dev/null
+++ b/data/osv/GO-2023-1504.json
@@ -0,0 +1,76 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-1504",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-22726",
+ "GHSA-pc99-qmg4-rcff"
+ ],
+ "summary": "act vulnerable to arbitrary file upload in artifact server in github.com/nektos/act",
+ "details": "act vulnerable to arbitrary file upload in artifact server in github.com/nektos/act",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/nektos/act",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.2.40"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/nektos/act/security/advisories/GHSA-pc99-qmg4-rcff"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22726"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://securitylab.github.com/advisories/GHSL-2023-004_act"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/nektos/act/commit/63ae215071f94569d910964bdee866d91d6e3a10"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/nektos/act/issues/1553"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103C2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nektos/act/releases/tag/v0.2.40"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-1504",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-1509.json b/data/osv/GO-2023-1509.json
new file mode 100644
index 00000000..4df357e8
--- /dev/null
+++ b/data/osv/GO-2023-1509.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-1509",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-46959",
+ "GHSA-2x48-p6cq-5xcw"
+ ],
+ "summary": "Path Traversal in github.com/go-sonic/sonic",
+ "details": "Path Traversal in github.com/go-sonic/sonic",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/go-sonic/sonic",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.5"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-2x48-p6cq-5xcw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46959"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/go-sonic/sonic/pull/61/commits/3b00266a13fa69284f4b3f4b37d29be8f8e02f31"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/go-sonic/sonic/issues/56"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/go-sonic/sonic/releases/tag/v1.0.5"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-1509",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-1270.yaml b/data/reports/GO-2023-1270.yaml
new file mode 100644
index 00000000..2b9a372c
--- /dev/null
+++ b/data/reports/GO-2023-1270.yaml
@@ -0,0 +1,23 @@
+id: GO-2023-1270
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.9.1
+ vulnerable_at: 0.9.0
+summary: |-
+ usememos/memos vulnerable to Improper Handling of Insufficient Permissions or
+ Privileges in github.com/usememos/memos
+cves:
+ - CVE-2022-4863
+ghsas:
+ - GHSA-6whj-8g9g-5jvx
+references:
+ - advisory: https://github.com/advisories/GHSA-6whj-8g9g-5jvx
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-4863
+ - fix: https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53
+ - web: https://huntr.dev/bounties/42751929-e511-49a9-888d-d5b610da2a45
+source:
+ id: GHSA-6whj-8g9g-5jvx
+ created: 2024-08-20T11:27:44.029442-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1283.yaml b/data/reports/GO-2023-1283.yaml
new file mode 100644
index 00000000..ec92d296
--- /dev/null
+++ b/data/reports/GO-2023-1283.yaml
@@ -0,0 +1,24 @@
+id: GO-2023-1283
+modules:
+ - module: github.com/KubeOperator/kubepi
+ versions:
+ - fixed: 1.6.3
+ vulnerable_at: 1.6.2
+summary: |-
+ KubePi allows malicious actor to login with a forged JWT token via Hardcoded
+ Jwtsigkeys in github.com/KubeOperator/kubepi
+cves:
+ - CVE-2023-22463
+ghsas:
+ - GHSA-vjhf-8vqx-vqpq
+references:
+ - advisory: https://github.com/KubeOperator/KubePi/security/advisories/GHSA-vjhf-8vqx-vqpq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-22463
+ - web: https://github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3a45a3/internal/api/v1/session/session.go#L35
+ - web: https://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9fbbf8b
+ - web: https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3
+source:
+ id: GHSA-vjhf-8vqx-vqpq
+ created: 2024-08-20T11:27:50.362607-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2023-1285.yaml b/data/reports/GO-2023-1285.yaml
new file mode 100644
index 00000000..bb87c6e8
--- /dev/null
+++ b/data/reports/GO-2023-1285.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1285
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.9.1
+ vulnerable_at: 0.9.0
+summary: sememos/memos vulnerable to Improper Handling of Values in github.com/usememos/memos
+cves:
+ - CVE-2022-4851
+ghsas:
+ - GHSA-42q2-m54f-jh95
+references:
+ - advisory: https://github.com/advisories/GHSA-42q2-m54f-jh95
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-4851
+ - fix: https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53
+ - web: https://huntr.dev/bounties/e3cebc1a-1326-4a08-abad-0414a717fa0f
+source:
+ id: GHSA-42q2-m54f-jh95
+ created: 2024-08-20T11:27:55.06589-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1291.yaml b/data/reports/GO-2023-1291.yaml
new file mode 100644
index 00000000..8d5882ab
--- /dev/null
+++ b/data/reports/GO-2023-1291.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1291
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.9.1
+ vulnerable_at: 0.9.0
+summary: usememos/memos Improper Access Control vulnerability in github.com/usememos/memos
+cves:
+ - CVE-2022-4803
+ghsas:
+ - GHSA-mfmp-8mqg-q4wm
+references:
+ - advisory: https://github.com/advisories/GHSA-mfmp-8mqg-q4wm
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-4803
+ - fix: https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53
+ - web: https://huntr.dev/bounties/0fba72b9-db10-4d9f-a707-2acf2004a286
+source:
+ id: GHSA-mfmp-8mqg-q4wm
+ created: 2024-08-20T11:28:01.977793-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1292.yaml b/data/reports/GO-2023-1292.yaml
new file mode 100644
index 00000000..5c3020ab
--- /dev/null
+++ b/data/reports/GO-2023-1292.yaml
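Review bot: The `summary:` of GO-2023-1285 begins `sememos/memos vulnerable to Improper Handling of Values`, which looks like a truncation of `usememos/memos` — the module is github.com/usememos/memos and every other memos report in this commit spells the project name that way. The summary is copied verbatim into the generated OSV `summary` and `details` fields (see the osv entries earlier in this diff), so the typo propagates to consumers; I'd correct it at the report: `summary: usememos/memos vulnerable to Improper Handling of Values in github.com/usememos/memos`. The GO-2023-1291 hunk on the same line has no such issue.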
@@ -0,0 +1,21 @@
+id: GO-2023-1292
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.9.1
+ vulnerable_at: 0.9.0
+summary: usememos/memos Incorrect Use of Privileged APIs vulnerability in github.com/usememos/memos
+cves:
+ - CVE-2022-4805
+ghsas:
+ - GHSA-mq5q-gpgv-pwxw
+references:
+ - advisory: https://github.com/advisories/GHSA-mq5q-gpgv-pwxw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-4805
+ - fix: https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53
+ - web: https://huntr.dev/bounties/b03f6a9b-e49b-42d6-a318-1d7afd985873
+source:
+ id: GHSA-mq5q-gpgv-pwxw
+ created: 2024-08-20T11:28:05.375937-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1294.yaml b/data/reports/GO-2023-1294.yaml
new file mode 100644
index 00000000..97316bd1
--- /dev/null
+++ b/data/reports/GO-2023-1294.yaml
@@ -0,0 +1,24 @@
+id: GO-2023-1294
+modules:
+ - module: github.com/agnivade/easy-scrypt
+ versions:
+ - fixed: 1.0.0
+summary: easy-scrypt Observable Timing Discrepancy vulnerability in github.com/agnivade/easy-scrypt
+cves:
+ - CVE-2014-125055
+ghsas:
+ - GHSA-r894-5r7v-7rx3
+references:
+ - advisory: https://github.com/advisories/GHSA-r894-5r7v-7rx3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2014-125055
+ - fix: https://github.com/agnivade/easy-scrypt/commit/477c10cf3b144ddf96526aa09f5fdea613f21812
+ - web: https://github.com/agnivade/easy-scrypt/releases/tag/v1.0.0
+ - web: https://vuldb.com/?ctiid.217596
+ - web: https://vuldb.com/?id.217596
+notes:
+ - fix: 'github.com/agnivade/easy-scrypt: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-r894-5r7v-7rx3
+ created: 2024-08-20T11:28:09.081427-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2023-1377.yaml b/data/reports/GO-2023-1377.yaml
new file mode 100644
index 00000000..1378e473
--- /dev/null
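Review bot: GO-2023-1294 is committed with the tool-generated `notes:` entry `could not add vulnerable_at: could not find tagged version between introduced and fixed` and, consistent with it, no `vulnerable_at:` under the module — the only report in this commit without one. Since the report already lists the fix commit `477c10cf…` under `fix:`, a pseudo-version of that commit's parent could presumably serve as `vulnerable_at` if the report schema accepts one there; otherwise the note should stay in place until a reviewer clears it, so the missing field is not later mistaken for an oversight. The GO-2023-1292 hunk sharing this line is fine.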
+++ b/data/reports/GO-2023-1377.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1377
+modules:
+ - module: github.com/weaveworks/weave-gitops
+ versions:
+ - fixed: 0.12.0
+ vulnerable_at: 0.11.0
+summary: GitOps Run allows for Kubernetes workload injection in github.com/weaveworks/weave-gitops
+cves:
+ - CVE-2022-23508
+ghsas:
+ - GHSA-wr3c-g326-486c
+references:
+ - advisory: https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-wr3c-g326-486c
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-23508
+ - fix: https://github.com/weaveworks/weave-gitops/pull/3102/commits/966823bbda8c539a4661e2a4f8607c9307ba6225
+ - fix: https://github.com/weaveworks/weave-gitops/pull/3114/commits/75268c4d2c8f7e4db22c63d76b451ba6545d117f
+source:
+ id: GHSA-wr3c-g326-486c
+ created: 2024-08-20T11:28:29.197979-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1388.yaml b/data/reports/GO-2023-1388.yaml
new file mode 100644
index 00000000..0f973e7e
--- /dev/null
+++ b/data/reports/GO-2023-1388.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1388
+modules:
+ - module: github.com/weaveworks/weave-gitops
+ versions:
+ - fixed: 0.12.0
+ vulnerable_at: 0.11.0
+summary: Gitops Run insecure communication in github.com/weaveworks/weave-gitops
+cves:
+ - CVE-2022-23509
+ghsas:
+ - GHSA-89qm-wcmw-3mgg
+references:
+ - advisory: https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-89qm-wcmw-3mgg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-23509
+ - fix: https://github.com/weaveworks/weave-gitops/pull/3098/commits/babd91574b99b310b84aeec9f8f895bd18acb967
+ - fix: https://github.com/weaveworks/weave-gitops/pull/3106/commits/ce2bbff0a3609c33396050ed544a5a21f8d0797f
+source:
+ id: GHSA-89qm-wcmw-3mgg
+ created: 2024-08-20T11:28:33.490716-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1449.yaml b/data/reports/GO-2023-1449.yaml
new file mode 100644
index 00000000..d3359e1f
--- /dev/null
+++ b/data/reports/GO-2023-1449.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1449
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.9.1
+ vulnerable_at: 0.9.0
+summary: usememos/memos Improper Privilege Management vulnerability in github.com/usememos/memos
+cves:
+ - CVE-2022-4808
+ghsas:
+ - GHSA-r3p3-5f35-h6mf
+references:
+ - advisory: https://github.com/advisories/GHSA-r3p3-5f35-h6mf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-4808
+ - fix: https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53
+ - web: https://huntr.dev/bounties/11877cbf-fcaf-42ef-813e-502c7293f2b5
+source:
+ id: GHSA-r3p3-5f35-h6mf
+ created: 2024-08-20T11:28:38.564375-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1461.yaml b/data/reports/GO-2023-1461.yaml
new file mode 100644
index 00000000..7857acd3
--- /dev/null
+++ b/data/reports/GO-2023-1461.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1461
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.10.0
+ vulnerable_at: 0.9.1
+summary: usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos
+cves:
+ - CVE-2023-0112
+ghsas:
+ - GHSA-9h7x-9pmh-7gg8
+references:
+ - advisory: https://github.com/advisories/GHSA-9h7x-9pmh-7gg8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-0112
+ - fix: https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c
+ - web: https://huntr.dev/bounties/ec2a29dc-79a3-44bd-a58b-15f676934af6
+source:
+ id: GHSA-9h7x-9pmh-7gg8
+ created: 2024-08-20T11:28:42.132667-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1462.yaml b/data/reports/GO-2023-1462.yaml
new file mode 100644
index 00000000..e49a50d6
--- /dev/null
+++ b/data/reports/GO-2023-1462.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1462
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.10.0
+ vulnerable_at: 0.9.1
+summary: usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos
+cves:
+ - CVE-2023-0108
+ghsas:
+ - GHSA-fpjc-cxr6-w6h8
+references:
+ - advisory: https://github.com/advisories/GHSA-fpjc-cxr6-w6h8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-0108
+ - fix: https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c
+ - web: https://huntr.dev/bounties/f66d33df-6588-4ab4-80a0-847451517944
+source:
+ id: GHSA-fpjc-cxr6-w6h8
+ created: 2024-08-20T11:28:45.782286-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1463.yaml b/data/reports/GO-2023-1463.yaml
new file mode 100644
index 00000000..03d1ea0b
--- /dev/null
+++ b/data/reports/GO-2023-1463.yaml
@@ -0,0 +1,22 @@
+id: GO-2023-1463
+modules:
+ - module: github.com/KubeOperator/kubepi
+ versions:
+ - fixed: 1.6.4
+ vulnerable_at: 1.6.3
+summary: KubePi may allow unauthorized access to system API in github.com/KubeOperator/kubepi
+cves:
+ - CVE-2023-22478
+ghsas:
+ - GHSA-gqx8-hxmv-c4v4
+references:
+ - advisory: https://github.com/1Panel-dev/KubePi/security/advisories/GHSA-gqx8-hxmv-c4v4
+ - advisory: https://github.com/KubeOperator/KubePi/security/advisories/GHSA-gqx8-hxmv-c4v4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-22478
+ - web: https://github.com/KubeOperator/KubePi/commit/0c6774bf5d9003ae4d60257a3f207c131ff4a6d6
+ - web: https://github.com/KubeOperator/KubePi/releases/tag/v1.6.4
+source:
+ id: GHSA-gqx8-hxmv-c4v4
+ created: 2024-08-20T11:28:49.296678-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2023-1465.yaml b/data/reports/GO-2023-1465.yaml
new file mode 100644
index 00000000..8bc73d55
--- /dev/null
+++ b/data/reports/GO-2023-1465.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1465
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.10.0
+ vulnerable_at: 0.9.1
+summary: usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos
+cves:
+ - CVE-2023-0111
+ghsas:
+ - GHSA-h2ph-9r76-37v5
+references:
+ - advisory: https://github.com/advisories/GHSA-h2ph-9r76-37v5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-0111
+ - fix: https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c
+ - web: https://huntr.dev/bounties/70da256c-977a-487e-8a6a-9ae22caedbe3
+source:
+ id: GHSA-h2ph-9r76-37v5
+ created: 2024-08-20T11:28:53.11851-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1468.yaml b/data/reports/GO-2023-1468.yaml
new file mode 100644
index 00000000..8583e8f7
--- /dev/null
+++ b/data/reports/GO-2023-1468.yaml
@@ -0,0 +1,24 @@
+id: GO-2023-1468
+modules:
+ - module: github.com/KubeOperator/kubepi
+ versions:
+ - fixed: 1.6.4
+ vulnerable_at: 1.6.3
+summary: |-
+ KubePi session fixation attack allows an attacker to hijack a legitimate user
+ session. in github.com/KubeOperator/kubepi
+cves:
+ - CVE-2023-22479
+ghsas:
+ - GHSA-v4w5-r2xc-7f8h
+references:
+ - advisory: https://github.com/1Panel-dev/KubePi/security/advisories/GHSA-v4w5-r2xc-7f8h
+ - advisory: https://github.com/KubeOperator/KubePi/security/advisories/GHSA-v4w5-r2xc-7f8h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-22479
+ - web: https://github.com/KubeOperator/KubePi/commit/1e9c550356c1a425a742480efcf743d373e98dcb
+ - web: https://github.com/KubeOperator/KubePi/releases/tag/v1.6.4
+source:
+ id: GHSA-v4w5-r2xc-7f8h
+ created: 2024-08-20T11:28:56.950332-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2023-1469.yaml b/data/reports/GO-2023-1469.yaml
new file mode 100644
index 00000000..d5353856
--- /dev/null
+++ b/data/reports/GO-2023-1469.yaml
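Review bot: The block-scalar `summary:` of GO-2023-1468 carries a stray sentence-final period inherited from the upstream advisory title, so the second line reads `session. in github.com/KubeOperator/kubepi`. The module suffix is appended mechanically and the summary is meant to be a single phrase (compare the other summaries in this commit), so the period should go: `session in github.com/KubeOperator/kubepi`. The GO-2023-1465 hunk on the same line is fine.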
@@ -0,0 +1,21 @@
+id: GO-2023-1469
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.10.0
+ vulnerable_at: 0.9.1
+summary: usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos
+cves:
+ - CVE-2023-0110
+ghsas:
+ - GHSA-x22v-qgm2-7qc7
+references:
+ - advisory: https://github.com/advisories/GHSA-x22v-qgm2-7qc7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-0110
+ - fix: https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c
+ - web: https://huntr.dev/bounties/6e4a1961-dbca-46f6-ae21-c25a621e54a7
+source:
+ id: GHSA-x22v-qgm2-7qc7
+ created: 2024-08-20T11:29:00.960908-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1471.yaml b/data/reports/GO-2023-1471.yaml
new file mode 100644
index 00000000..589eaada
--- /dev/null
+++ b/data/reports/GO-2023-1471.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1471
+modules:
+ - module: github.com/gotify/server
+ vulnerable_at: 1.2.1
+ - module: github.com/gotify/server/v2
+ versions:
+ - fixed: 2.2.3
+ vulnerable_at: 2.2.2
+summary: Reflected XSS in Gotify's /docs via import of outdated Swagger UI in github.com/gotify/server
+ghsas:
+ - GHSA-3244-8mff-w398
+references:
+ - advisory: https://github.com/gotify/server/security/advisories/GHSA-3244-8mff-w398
+ - fix: https://github.com/gotify/server/pull/541
+ - web: https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass
+ - web: https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers
+source:
+ id: GHSA-3244-8mff-w398
+ created: 2024-08-20T11:29:03.980447-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1492.yaml b/data/reports/GO-2023-1492.yaml
new file mode 100644
index 00000000..a12d6532
--- /dev/null
+++ b/data/reports/GO-2023-1492.yaml
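Review bot: In GO-2023-1471 the first module entry, `github.com/gotify/server`, has `vulnerable_at: 1.2.1` but no `versions:` block, so the generated OSV entry at the top of this diff marks every v1 version as affected with no fix event, while `github.com/gotify/server/v2` gets `fixed: 2.2.3`. If that is deliberate — the fix presumably landed only on the v2 module path — a short `notes:` line such as `v1 module path has no fixed release; only github.com/gotify/server/v2 v2.2.3 is patched` would make it explicit, since an absent `versions:` is otherwise indistinguishable from an incomplete entry. The GO-2023-1469 hunk on the same line is fine.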
@@ -0,0 +1,22 @@
+id: GO-2023-1492
+modules:
+ - module: k8s.io/kubernetes
+ versions:
+ - introduced: 1.5.0
+ - fixed: 1.5.5
+ vulnerable_at: 1.5.5-beta.0
+summary: Kubernetes Privilege Escalation in k8s.io/kubernetes
+cves:
+ - CVE-2017-1000056
+ghsas:
+ - GHSA-2jx2-76rc-2v7v
+references:
+ - advisory: https://github.com/advisories/GHSA-2jx2-76rc-2v7v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2017-1000056
+ - web: https://github.com/kubernetes/kubernetes/commit/7fef0a4f6a44ea36f166c39fdade5324eff2dd5e
+ - web: https://github.com/kubernetes/kubernetes/issues/43459
+source:
+ id: GHSA-2jx2-76rc-2v7v
+ created: 2024-08-20T11:29:33.94503-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1502.yaml b/data/reports/GO-2023-1502.yaml
new file mode 100644
index 00000000..b66accd5
--- /dev/null
+++ b/data/reports/GO-2023-1502.yaml
@@ -0,0 +1,21 @@
+id: GO-2023-1502
+modules:
+ - module: www.velocidex.com/golang/velociraptor
+ versions:
+ - fixed: 0.6.7-5
+ vulnerable_at: 0.6.7-4
+summary: Velociraptor subject to Path Traversal in www.velocidex.com/golang/velociraptor
+cves:
+ - CVE-2023-0290
+ghsas:
+ - GHSA-7jf5-fvgf-48c6
+references:
+ - advisory: https://github.com/advisories/GHSA-7jf5-fvgf-48c6
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-0290
+ - web: https://github.com/Velocidex/velociraptor/commit/4718bb0cb426564568abc77910e90a2c211a32e6
+ - web: https://github.com/Velocidex/velociraptor/compare/v0.6.7-4...v0.6.7-5
+source:
+ id: GHSA-7jf5-fvgf-48c6
+ created: 2024-08-20T11:29:50.475891-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1504.yaml b/data/reports/GO-2023-1504.yaml
new file mode 100644
index 00000000..5cac57e0
--- /dev/null
+++ b/data/reports/GO-2023-1504.yaml
@@ -0,0 +1,26 @@
+id: GO-2023-1504
+modules:
+ - module: github.com/nektos/act
+ versions:
+ - fixed: 0.2.40
+ vulnerable_at: 0.2.39
+summary: act vulnerable to arbitrary file upload in artifact server in github.com/nektos/act
+cves:
+ - CVE-2023-22726
+ghsas:
+ - GHSA-pc99-qmg4-rcff
+references:
+ - advisory: https://github.com/nektos/act/security/advisories/GHSA-pc99-qmg4-rcff
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-22726
+ - advisory: https://securitylab.github.com/advisories/GHSL-2023-004_act
+ - fix: https://github.com/nektos/act/commit/63ae215071f94569d910964bdee866d91d6e3a10
+ - report: https://github.com/nektos/act/issues/1553
+ - web: https://github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65
+ - web: https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245
+ - web: https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103C2
+ - web: https://github.com/nektos/act/releases/tag/v0.2.40
+source:
+ id: GHSA-pc99-qmg4-rcff
+ created: 2024-08-20T11:29:54.889428-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-1509.yaml b/data/reports/GO-2023-1509.yaml
new file mode 100644
index 00000000..7aa924d9
--- /dev/null
+++ b/data/reports/GO-2023-1509.yaml
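Review bot: One of the `web:` references in GO-2023-1504, `https://github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65`, points at a moving branch, so the line anchor will stop matching the code it was meant to document as `master` advances; the two references beside it pin `v0.2.35`, which is the stable form. I'd either drop the `master` link or re-pin it to that tag, or to the fix commit `63ae2150…` already listed under `fix:`, so the reference stays meaningful after review.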
@@ -0,0 +1,22 @@
+id: GO-2023-1509
+modules:
+ - module: github.com/go-sonic/sonic
+ versions:
+ - fixed: 1.0.5
+ vulnerable_at: 1.0.4
+summary: Path Traversal in github.com/go-sonic/sonic
+cves:
+ - CVE-2022-46959
+ghsas:
+ - GHSA-2x48-p6cq-5xcw
+references:
+ - advisory: https://github.com/advisories/GHSA-2x48-p6cq-5xcw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-46959
+ - fix: https://github.com/go-sonic/sonic/pull/61/commits/3b00266a13fa69284f4b3f4b37d29be8f8e02f31
+ - report: https://github.com/go-sonic/sonic/issues/56
+ - web: https://github.com/go-sonic/sonic/releases/tag/v1.0.5
+source:
+ id: GHSA-2x48-p6cq-5xcw
+ created: 2024-08-20T11:29:59.937901-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE