diff --git a/data/excluded/GO-2022-0457.yaml b/data/excluded/GO-2022-0457.yaml
deleted file mode 100644
index 961c95509..000000000
--- a/data/excluded/GO-2022-0457.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0457
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cilium/cilium
-cves:
- - CVE-2022-29178
-ghsas:
- - GHSA-6p8v-8cq8-v2r3
diff --git a/data/excluded/GO-2022-0458.yaml b/data/excluded/GO-2022-0458.yaml
deleted file mode 100644
index c86e89b48..000000000
--- a/data/excluded/GO-2022-0458.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0458
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cilium/cilium
-cves:
- - CVE-2022-29179
-ghsas:
- - GHSA-fmrf-gvjp-5j5g
diff --git a/data/excluded/GO-2022-0459.yaml b/data/excluded/GO-2022-0459.yaml
deleted file mode 100644
index 5322f9280..000000000
--- a/data/excluded/GO-2022-0459.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0459
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/stripe/smokescreen
-cves:
- - CVE-2022-29188
-ghsas:
- - GHSA-qwrf-gfpj-qvj6
diff --git a/data/excluded/GO-2022-0471.yaml b/data/excluded/GO-2022-0471.yaml
deleted file mode 100644
index de8dfce72..000000000
--- a/data/excluded/GO-2022-0471.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0471
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/gogs/gogs
-cves:
- - CVE-2021-32546
-ghsas:
- - GHSA-56j7-2pm8-rgmx
diff --git a/data/excluded/GO-2022-0473.yaml b/data/excluded/GO-2022-0473.yaml
deleted file mode 100644
index fda537f1c..000000000
--- a/data/excluded/GO-2022-0473.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2022-0473
-excluded: NOT_IMPORTABLE
-modules:
- - module: gogs.io/gogs
-ghsas:
- - GHSA-pj96-4jhv-v792
diff --git a/data/excluded/GO-2022-0480.yaml b/data/excluded/GO-2022-0480.yaml
deleted file mode 100644
index 3f92dbc26..000000000
--- a/data/excluded/GO-2022-0480.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0480
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cri-o/cri-o
-cves:
- - CVE-2022-1708
-ghsas:
- - GHSA-fcm2-6c3h-pg6j
diff --git a/data/excluded/GO-2022-0482.yaml b/data/excluded/GO-2022-0482.yaml
deleted file mode 100644
index 1c42fd0b6..000000000
--- a/data/excluded/GO-2022-0482.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0482
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/containerd/containerd
-cves:
- - CVE-2022-31030
-ghsas:
- - GHSA-5ffw-gxpp-mxpf
diff --git a/data/excluded/GO-2022-0483.yaml b/data/excluded/GO-2022-0483.yaml
deleted file mode 100644
index 4054c3388..000000000
--- a/data/excluded/GO-2022-0483.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0483
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/gogs/gogs
-cves:
- - CVE-2022-31038
-ghsas:
- - GHSA-xq4v-vrp9-vcf2
diff --git a/data/excluded/GO-2022-0490.yaml b/data/excluded/GO-2022-0490.yaml
deleted file mode 100644
index 4476efe08..000000000
--- a/data/excluded/GO-2022-0490.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0490
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/argoproj/argo-events
-cves:
- - CVE-2022-31054
-ghsas:
- - GHSA-5q86-62xr-3r57
diff --git a/data/excluded/GO-2022-0491.yaml b/data/excluded/GO-2022-0491.yaml
deleted file mode 100644
index 27af7333e..000000000
--- a/data/excluded/GO-2022-0491.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0491
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/edgexfoundry/edgex-go
-cves:
- - CVE-2022-31066
-ghsas:
- - GHSA-g63h-q855-vp3q
diff --git a/data/excluded/GO-2022-0494.yaml b/data/excluded/GO-2022-0494.yaml
deleted file mode 100644
index acfc28bac..000000000
--- a/data/excluded/GO-2022-0494.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0494
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/zalando/skipper
-cves:
- - CVE-2022-34296
-ghsas:
- - GHSA-qx2j-85q5-ffp8
diff --git a/data/excluded/GO-2022-0495.yaml b/data/excluded/GO-2022-0495.yaml
deleted file mode 100644
index 24e575353..000000000
--- a/data/excluded/GO-2022-0495.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0495
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/argoproj/argo-cd
-cves:
- - CVE-2022-31016
-ghsas:
- - GHSA-jhqp-vf4w-rpwq
diff --git a/data/excluded/GO-2022-0496.yaml b/data/excluded/GO-2022-0496.yaml
deleted file mode 100644
index 01c64ccc8..000000000
--- a/data/excluded/GO-2022-0496.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-id: GO-2022-0496
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cloudflare/cfrpki
-ghsas:
- - GHSA-3jhm-87m6-x959
-related:
- - CVE-2021-3907
- - GHSA-8459-6rc9-8vf8
- - GHSA-cqh2-vc2f-q4fh
diff --git a/data/excluded/GO-2022-0497.yaml b/data/excluded/GO-2022-0497.yaml
deleted file mode 100644
index cef7b08d0..000000000
--- a/data/excluded/GO-2022-0497.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0497
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/argoproj/argo-cd
-cves:
- - CVE-2022-31034
-ghsas:
- - GHSA-2m7h-86qq-fp4v
diff --git a/data/excluded/GO-2022-0498.yaml b/data/excluded/GO-2022-0498.yaml
deleted file mode 100644
index 446b8b836..000000000
--- a/data/excluded/GO-2022-0498.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0498
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/argoproj/argo-cd
-cves:
- - CVE-2022-31035
-ghsas:
- - GHSA-h4w9-6x78-8vrj
diff --git a/data/excluded/GO-2022-0499.yaml b/data/excluded/GO-2022-0499.yaml
deleted file mode 100644
index 6236ec4e7..000000000
--- a/data/excluded/GO-2022-0499.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0499
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/argoproj/argo-cd
-cves:
- - CVE-2022-31036
-ghsas:
- - GHSA-q4w5-4gq2-98vm
diff --git a/data/excluded/GO-2022-0500.yaml b/data/excluded/GO-2022-0500.yaml
deleted file mode 100644
index 9b911c470..000000000
--- a/data/excluded/GO-2022-0500.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0500
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/kubeedge/kubeedge
-cves:
- - CVE-2022-31076
-ghsas:
- - GHSA-8f4f-v9x5-cg6j
diff --git a/data/excluded/GO-2022-0501.yaml b/data/excluded/GO-2022-0501.yaml
deleted file mode 100644
index 2af5685fd..000000000
--- a/data/excluded/GO-2022-0501.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0501
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/kubeedge/kubeedge
-cves:
- - CVE-2022-31077
-ghsas:
- - GHSA-x938-fvfw-7jh5
diff --git a/data/excluded/GO-2022-0502.yaml b/data/excluded/GO-2022-0502.yaml
deleted file mode 100644
index 2e58d46bc..000000000
--- a/data/excluded/GO-2022-0502.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0502
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/weaveworks/weave-gitops
-cves:
- - CVE-2022-31098
-ghsas:
- - GHSA-xggc-qprg-x6mw
diff --git a/data/excluded/GO-2022-0505.yaml b/data/excluded/GO-2022-0505.yaml
deleted file mode 100644
index 14355dd54..000000000
--- a/data/excluded/GO-2022-0505.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0505
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/openshift/origin
-cves:
- - CVE-2015-3207
-ghsas:
- - GHSA-rqph-25q9-9jhp
diff --git a/data/osv/GO-2022-0457.json b/data/osv/GO-2022-0457.json
new file mode 100644
index 000000000..f1d0814cd
--- /dev/null
+++ b/data/osv/GO-2022-0457.json
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0457", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29178", + "GHSA-6p8v-8cq8-v2r3" + ], + "summary": "Access to Unix domain socket can lead to privileges escalation in Cilium in github.com/cilium/cilium", + "details": "Access to Unix domain socket can lead to privileges escalation in Cilium in github.com/cilium/cilium", + "affected": [ + { + "package": { + "name": "github.com/cilium/cilium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.16" + }, + { + "introduced": "1.10.0" + }, + { + "fixed": "1.10.11" + }, + { + "introduced": "1.11.0" + }, + { + "fixed": "1.11.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cilium/cilium/security/advisories/GHSA-6p8v-8cq8-v2r3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29178" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.10.11" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.11.5" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.9.16" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0457", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0458.json b/data/osv/GO-2022-0458.json new file mode 100644 index 000000000..7a9e267ce --- /dev/null +++ b/data/osv/GO-2022-0458.json 
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0458", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29179", + "GHSA-fmrf-gvjp-5j5g" + ], + "summary": "Improper Privilege Management in Cilium in github.com/cilium/cilium", + "details": "Improper Privilege Management in Cilium in github.com/cilium/cilium", + "affected": [ + { + "package": { + "name": "github.com/cilium/cilium", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.16" + }, + { + "introduced": "1.10.0" + }, + { + "fixed": "1.10.11" + }, + { + "introduced": "1.11.0" + }, + { + "fixed": "1.11.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cilium/cilium/security/advisories/GHSA-fmrf-gvjp-5j5g" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29179" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.10.11" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.11.5" + }, + { + "type": "WEB", + "url": "https://github.com/cilium/cilium/releases/tag/v1.9.16" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0458", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0459.json b/data/osv/GO-2022-0459.json new file mode 100644 index 000000000..6e51676f1 --- /dev/null +++ b/data/osv/GO-2022-0459.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0459", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-29188", + "GHSA-qwrf-gfpj-qvj6" + ], + "summary": "Smokescreen SSRF via deny list bypass (square brackets) in github.com/stripe/smokescreen", + "details": "Smokescreen SSRF via deny list bypass (square brackets) in github.com/stripe/smokescreen", + "affected": [ + { + "package": { + "name": "github.com/stripe/smokescreen", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/stripe/smokescreen/security/advisories/GHSA-qwrf-gfpj-qvj6" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29188" + }, + { + "type": "FIX", + "url": "https://github.com/stripe/smokescreen/commit/dea7b3c89df000f4072ff9866d61d78e30df6a36" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0459", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0471.json b/data/osv/GO-2022-0471.json new file mode 100644 index 000000000..973cbdf0d --- /dev/null +++ b/data/osv/GO-2022-0471.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0471", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-32546", + "GHSA-56j7-2pm8-rgmx" + ], + "summary": "OS Command Injection in gogs in gogs.io/gogs", + "details": "OS Command Injection in gogs in gogs.io/gogs", + "affected": [ + { + "package": { + "name": "gogs.io/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.8" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/gogs/gogs/security/advisories/GHSA-56j7-2pm8-rgmx" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32546" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/issues/6555" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/pull/6986" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/releases" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/releases/tag/v0.12.8" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0471", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0473.json b/data/osv/GO-2022-0473.json new file mode 100644 index 000000000..5e05312a4 --- /dev/null +++ b/data/osv/GO-2022-0473.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0473", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-pj96-4jhv-v792" + ], + "summary": "Cross site scripting via cookies in gogs in gogs.io/gogs", + "details": "Cross site scripting via cookies in gogs in gogs.io/gogs", + "affected": [ + { + "package": { + "name": "gogs.io/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.8" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/gogs/gogs/security/advisories/GHSA-pj96-4jhv-v792" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/issues/6953" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0473", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0480.json b/data/osv/GO-2022-0480.json new file mode 100644 index 000000000..8829f8b2a --- /dev/null +++ b/data/osv/GO-2022-0480.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0480", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-1708", + "GHSA-fcm2-6c3h-pg6j" + ], + "summary": "Node DOS by way of memory exhaustion through ExecSync request in CRI-O in github.com/cri-o/cri-o", + "details": "Node DOS by way of memory exhaustion through ExecSync request in CRI-O in github.com/cri-o/cri-o", + "affected": [ + { + "package": { + "name": "github.com/cri-o/cri-o", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.22.5" + }, + { + "introduced": "1.23.0" + }, + { + "fixed": "1.23.3" + }, + { + "introduced": "1.24.0" + }, + { + "fixed": "1.24.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1708" + }, + { + "type": "FIX", + "url": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0480", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0482.json b/data/osv/GO-2022-0482.json new file mode 100644 index 000000000..a09f08e00 --- /dev/null +++ b/data/osv/GO-2022-0482.json 
@@ -0,0 +1,86 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0482", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31030", + "GHSA-5ffw-gxpp-mxpf" + ], + "summary": "containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd", + "details": "containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd", + "affected": [ + { + "package": { + "name": "github.com/containerd/containerd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.13" + }, + { + "introduced": "1.6.0" + }, + { + "fixed": "1.6.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31030" + }, + { + "type": "FIX", + "url": "https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2022/06/07/1" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-31" + }, + { + "type": "WEB", + "url": 
"https://www.debian.org/security/2022/dsa-5162" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0482", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0483.json b/data/osv/GO-2022-0483.json new file mode 100644 index 000000000..5ee6ea098 --- /dev/null +++ b/data/osv/GO-2022-0483.json @@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0483", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31038", + "GHSA-xq4v-vrp9-vcf2" + ], + "summary": "Cross-site Scripting vulnerability in repository issue list in Gogs in gogs.io/gogs", + "details": "Cross-site Scripting vulnerability in repository issue list in Gogs in gogs.io/gogs", + "affected": [ + { + "package": { + "name": "gogs.io/gogs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.9" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31038" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/pull/7009" + }, + { + "type": "WEB", + "url": "https://github.com/gogs/gogs/releases/tag/v0.12.9" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0483", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0490.json b/data/osv/GO-2022-0490.json new file mode 100644 index 000000000..c3c7cd86f --- /dev/null +++ b/data/osv/GO-2022-0490.json 
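Review bot: The references list for GO-2022-0482 carries each of the two Fedora package-announce URLs twice, once with `%40` and once with `@` in the list address, so four WEB entries point at only two messages. Drop one encoding of each pair so consumers that render references do not show duplicates, and consider switching the `http://www.openwall.com/lists/oss-security/2022/06/07/1` entry to `https://`, since every other reference in the file is already HTTPS. If this JSON is generated from a report YAML rather than hand-edited, the deduplication belongs in that report's `references` block, or in the generator step that copies NVD references verbatim.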
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0490", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31054", + "GHSA-5q86-62xr-3r57" + ], + "summary": "Uses of deprecated API can be used to cause DoS in user-facing endpoints in github.com/argoproj/argo-events", + "details": "Uses of deprecated API can be used to cause DoS in user-facing endpoints in github.com/argoproj/argo-events", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-events", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.7.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31054" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-events/pull/1966" + }, + { + "type": "REPORT", + "url": "https://github.com/argoproj/argo-events/issues/1946" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0490", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0491.json b/data/osv/GO-2022-0491.json new file mode 100644 index 000000000..ec86887ab --- /dev/null +++ b/data/osv/GO-2022-0491.json 
@@ -0,0 +1,110 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0491", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31066", + "GHSA-g63h-q855-vp3q" + ], + "summary": "Configuration API in EdgeXFoundry 2.1.0 and earlier exposes message bus credentials to local unauthenticated users in github.com/edgexfoundry/app-functions-sdk-go", + "details": "Configuration API in EdgeXFoundry 2.1.0 and earlier exposes message bus credentials to local unauthenticated users in github.com/edgexfoundry/app-functions-sdk-go", + "affected": [ + { + "package": { + "name": "github.com/edgexfoundry/app-functions-sdk-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/edgexfoundry/app-functions-sdk-go/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.1" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/edgexfoundry/device-sdk-go", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/edgexfoundry/device-sdk-go/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/edgexfoundry/edgex-go/security/advisories/GHSA-g63h-q855-vp3q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31066" + }, + { + "type": "FIX", + "url": "https://github.com/edgexfoundry/device-sdk-go/pull/1161" + }, + { + "type": "WEB", + "url": "https://github.com/edgexfoundry/edgex-go/pull/4016" + } + ], + "database_specific": { + "url": 
"https://pkg.go.dev/vuln/GO-2022-0491", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0494.json b/data/osv/GO-2022-0494.json new file mode 100644 index 000000000..d56d5d3d6 --- /dev/null +++ b/data/osv/GO-2022-0494.json @@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0494", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-34296", + "GHSA-qx2j-85q5-ffp8" + ], + "summary": "Query predicate bypass in Zalando Skipper in github.com/zalando/skipper", + "details": "Query predicate bypass in Zalando Skipper in github.com/zalando/skipper", + "affected": [ + { + "package": { + "name": "github.com/zalando/skipper", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.13.218" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-qx2j-85q5-ffp8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34296" + }, + { + "type": "FIX", + "url": "https://github.com/zalando/skipper/commit/998a658ce5a68a336a98f4e63e4371e200860dfc" + }, + { + "type": "FIX", + "url": "https://github.com/zalando/skipper/pull/2028" + }, + { + "type": "WEB", + "url": "https://github.com/zalando/skipper/releases/tag/v0.13.218" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0494", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0495.json b/data/osv/GO-2022-0495.json new file mode 100644 index 000000000..095d562cb --- /dev/null +++ b/data/osv/GO-2022-0495.json 
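Review bot: The affected list for GO-2022-0491 names only `github.com/edgexfoundry/app-functions-sdk-go` and `github.com/edgexfoundry/device-sdk-go` (v1 and v2), while the excluded entry this commit deletes recorded the module as `github.com/edgexfoundry/edgex-go`, and both the ADVISORY link and the `edgex-go/pull/4016` reference point at that repository; worth confirming that edgex-go itself is not an affected module before this goes out as UNREVIEWED. The two v1 package entries carry only `"introduced": "0"` with no `fixed` event, which flags every v1 release as vulnerable indefinitely — correct if no v1 fix exists, but a `last_affected` event or a sentence in `details` would make that intent explicit. The summary also mentions only app-functions-sdk-go although device-sdk-go is listed as affected. If the file is generated from a report YAML, these changes belong there rather than in the JSON.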
@@ -0,0 +1,83 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0495", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31016", + "GHSA-jhqp-vf4w-rpwq" + ], + "summary": "DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd", + "details": "DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-cd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.7.0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-cd/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.16" + }, + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.10" + }, + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.5" + }, + { + "introduced": "2.4.0" + }, + { + "fixed": "2.4.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31016" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0495", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0496.json b/data/osv/GO-2022-0496.json new file mode 100644 index 000000000..33dbee64e --- /dev/null +++ b/data/osv/GO-2022-0496.json 
@@ -0,0 +1,55 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0496", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-3jhm-87m6-x959" + ], + "summary": "Path traversal mitigation bypass in OctoRPKI in github.com/cloudflare/cfrpki", + "details": "Path traversal mitigation bypass in OctoRPKI in github.com/cloudflare/cfrpki", + "affected": [ + { + "package": { + "name": "github.com/cloudflare/cfrpki", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.3" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959" + }, + { + "type": "WEB", + "url": "https://github.com/cloudflare/cfrpki/releases/tag/v1.4.3" + }, + { + "type": "WEB", + "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3907" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0496", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0497.json b/data/osv/GO-2022-0497.json new file mode 100644 index 000000000..231ba6a28 --- /dev/null +++ b/data/osv/GO-2022-0497.json 
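Review bot: The OSV entry for GO-2022-0496 drops the `related` IDs that the deleted excluded entry carried (CVE-2021-3907, GHSA-8459-6rc9-8vf8, GHSA-cqh2-vc2f-q4fh): the first and last survive only as untyped WEB references, and GHSA-8459-6rc9-8vf8 appears nowhere in the new file. Since the summary describes this advisory as a bypass of an earlier path-traversal mitigation, those IDs are related rather than aliases, so they belong in a top-level `"related": ["CVE-2021-3907", "GHSA-8459-6rc9-8vf8", "GHSA-cqh2-vc2f-q4fh"]` array, which the OSV schema version declared here supports. If the JSON is generated from a report YAML, restore the `related:` list there so the generator emits it.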
@@ -0,0 +1,87 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0497", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31034", + "GHSA-2m7h-86qq-fp4v" + ], + "summary": "Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd", + "details": "Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-cd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.11.0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-cd/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.16" + }, + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.10" + }, + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.5" + }, + { + "introduced": "2.4.0" + }, + { + "fixed": "2.4.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0497", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0498.json b/data/osv/GO-2022-0498.json new file mode 100644 index 000000000..16e76819d --- /dev/null +++ b/data/osv/GO-2022-0498.json 
@@ -0,0 +1,91 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0498", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31035", + "GHSA-h4w9-6x78-8vrj" + ], + "summary": "Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd", + "details": "Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-cd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.0.0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-cd/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.16" + }, + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.10" + }, + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.5" + }, + { + "introduced": "2.4.0" + }, + { + "fixed": "2.4.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31035" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/8bc3ef690de29c68a36f473908774346a44d4038" + }, + { + "type": "WEB", + "url": "https://argo-cd.readthedocs.io/en/stable/user-guide/external-url" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0498", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0499.json b/data/osv/GO-2022-0499.json new file mode 100644 index 000000000..aae08fffd --- /dev/null +++ b/data/osv/GO-2022-0499.json 
@@ -0,0 +1,87 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0499", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-31036", + "GHSA-q4w5-4gq2-98vm" + ], + "summary": "Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server in github.com/argoproj/argo-cd", + "details": "Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server in github.com/argoproj/argo-cd", + "affected": [ + { + "package": { + "name": "github.com/argoproj/argo-cd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.3.0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/argoproj/argo-cd/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.16" + }, + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.10" + }, + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.5" + }, + { + "introduced": "2.4.0" + }, + { + "fixed": "2.4.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31036" + }, + { + "type": "FIX", + "url": "https://github.com/argoproj/argo-cd/commit/04c305396458508a31d03d44afea07b1c620d7cd" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0499", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0500.json b/data/osv/GO-2022-0500.json new file mode 100644 index 000000000..433bb5909 --- /dev/null +++ b/data/osv/GO-2022-0500.json 
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0500",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-31076",
+ "GHSA-8f4f-v9x5-cg6j"
+ ],
+ "summary": "CloudCore UDS Server: Malicious Message can crash CloudCore in github.com/kubeedge/kubeedge",
+ "details": "CloudCore UDS Server: Malicious Message can crash CloudCore in github.com/kubeedge/kubeedge",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/kubeedge/kubeedge",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.9.3"
+ },
+ {
+ "introduced": "1.10.0"
+ },
+ {
+ "fixed": "1.10.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/kubeedge/kubeedge/security/advisories/GHSA-8f4f-v9x5-cg6j"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31076"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kubeedge/kubeedge/pull/3899/commits/5d60ae9eabd6b6b7afe38758e19bbe8137664701"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0500",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0501.json b/data/osv/GO-2022-0501.json
new file mode 100644
index 000000000..8f186a37f
--- /dev/null
+++ b/data/osv/GO-2022-0501.json
@@ -0,0 +1,62 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0501",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-31077",
+ "GHSA-x938-fvfw-7jh5"
+ ],
+ "summary": "CloudCore CSI Driver: Malicious response from KubeEdge can crash CSI Driver controller server in github.com/kubeedge/kubeedge",
+ "details": "CloudCore CSI Driver: Malicious response from KubeEdge can crash CSI Driver controller server in github.com/kubeedge/kubeedge",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/kubeedge/kubeedge",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.9.3"
+ },
+ {
+ "introduced": "1.10.0"
+ },
+ {
+ "fixed": "1.10.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/kubeedge/kubeedge/security/advisories/GHSA-x938-fvfw-7jh5"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31077"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kubeedge/kubeedge/pull/3899"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kubeedge/kubeedge/pull/3899/commits/5d60ae9eabd6b6b7afe38758e19bbe8137664701"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0501",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0502.json b/data/osv/GO-2022-0502.json
new file mode 100644
index 000000000..5cdb2281e
--- /dev/null
+++ b/data/osv/GO-2022-0502.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0502",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-31098",
+ "GHSA-xggc-qprg-x6mw"
+ ],
+ "summary": "Weave GitOps leaked cluster credentials into logs on connection errors in github.com/weaveworks/weave-gitops",
+ "details": "Weave GitOps leaked cluster credentials into logs on connection errors in github.com/weaveworks/weave-gitops",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/weaveworks/weave-gitops",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.8.1-rc.6"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-xggc-qprg-x6mw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31098"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/weaveworks/weave-gitops/commit/567356f471353fb5c676c77f5abc2a04631d50ca"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0502",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0505.json b/data/osv/GO-2022-0505.json
new file mode 100644
index 000000000..85eeaf28c
--- /dev/null
+++ b/data/osv/GO-2022-0505.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0505",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2015-3207",
+ "GHSA-rqph-25q9-9jhp"
+ ],
+ "summary": "Insecure cookies in Openshift Origin in github.com/openshift/origin",
+ "details": "Insecure cookies in Openshift Origin in github.com/openshift/origin",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openshift/origin",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-rqph-25q9-9jhp"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3207"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openshift/origin/pull/2261"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openshift/origin/pull/2291"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221882"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0505",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2022-0457.yaml b/data/reports/GO-2022-0457.yaml
new file mode 100644
index 000000000..43ac06536
--- /dev/null
+++ b/data/reports/GO-2022-0457.yaml
@@ -0,0 +1,26 @@
+id: GO-2022-0457
+modules:
+ - module: github.com/cilium/cilium
+ versions:
+ - fixed: 1.9.16
+ - introduced: 1.10.0
+ - fixed: 1.10.11
+ - introduced: 1.11.0
+ - fixed: 1.11.5
+ vulnerable_at: 1.11.4
+summary: Access to Unix domain socket can lead to privileges escalation in Cilium in github.com/cilium/cilium
+cves:
+ - CVE-2022-29178
+ghsas:
+ - GHSA-6p8v-8cq8-v2r3
+references:
+ - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-6p8v-8cq8-v2r3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-29178
+ - web: https://github.com/cilium/cilium/releases/tag/v1.10.11
+ - web: https://github.com/cilium/cilium/releases/tag/v1.11.5
+ - web: https://github.com/cilium/cilium/releases/tag/v1.9.16
+source:
+ id: GHSA-6p8v-8cq8-v2r3
+ created: 2024-08-20T13:58:00.169841-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0458.yaml b/data/reports/GO-2022-0458.yaml
new file mode 100644
index 000000000..9eeb16a02
--- /dev/null
+++ b/data/reports/GO-2022-0458.yaml
@@ -0,0 +1,26 @@
+id: GO-2022-0458
+modules:
+ - module: github.com/cilium/cilium
+ versions:
+ - fixed: 1.9.16
+ - introduced: 1.10.0
+ - fixed: 1.10.11
+ - introduced: 1.11.0
+ - fixed: 1.11.5
+ vulnerable_at: 1.11.4
+summary: Improper Privilege Management in Cilium in github.com/cilium/cilium
+cves:
+ - CVE-2022-29179
+ghsas:
+ - GHSA-fmrf-gvjp-5j5g
+references:
+ - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-fmrf-gvjp-5j5g
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-29179
+ - web: https://github.com/cilium/cilium/releases/tag/v1.10.11
+ - web: https://github.com/cilium/cilium/releases/tag/v1.11.5
+ - web: https://github.com/cilium/cilium/releases/tag/v1.9.16
+source:
+ id: GHSA-fmrf-gvjp-5j5g
+ created: 2024-08-20T13:58:04.25707-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0459.yaml b/data/reports/GO-2022-0459.yaml
new file mode 100644
index 000000000..98d981e37
--- /dev/null
+++ b/data/reports/GO-2022-0459.yaml
@@ -0,0 +1,20 @@
+id: GO-2022-0459
+modules:
+ - module: github.com/stripe/smokescreen
+ versions:
+ - fixed: 0.0.4
+ vulnerable_at: 0.0.3
+summary: Smokescreen SSRF via deny list bypass (square brackets) in github.com/stripe/smokescreen
+cves:
+ - CVE-2022-29188
+ghsas:
+ - GHSA-qwrf-gfpj-qvj6
+references:
+ - advisory: https://github.com/stripe/smokescreen/security/advisories/GHSA-qwrf-gfpj-qvj6
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-29188
+ - fix: https://github.com/stripe/smokescreen/commit/dea7b3c89df000f4072ff9866d61d78e30df6a36
+source:
+ id: GHSA-qwrf-gfpj-qvj6
+ created: 2024-08-20T13:58:07.599173-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0471.yaml b/data/reports/GO-2022-0471.yaml
new file mode 100644
index 000000000..5aabdfb78
--- /dev/null
+++ b/data/reports/GO-2022-0471.yaml
@@ -0,0 +1,24 @@
+id: GO-2022-0471
+modules:
+ - module: gogs.io/gogs
+ versions:
+ - fixed: 0.12.8
+ vulnerable_at: 0.12.8-rc.1
+summary: OS Command Injection in gogs in gogs.io/gogs
+cves:
+ - CVE-2021-32546
+ghsas:
+ - GHSA-56j7-2pm8-rgmx
+references:
+ - advisory: https://github.com/gogs/gogs/security/advisories/GHSA-56j7-2pm8-rgmx
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-32546
+ - web: https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129
+ - web: https://github.com/gogs/gogs/issues/6555
+ - web: https://github.com/gogs/gogs/pull/6986
+ - web: https://github.com/gogs/gogs/releases
+ - web: https://github.com/gogs/gogs/releases/tag/v0.12.8
+source:
+ id: GHSA-56j7-2pm8-rgmx
+ created: 2024-08-20T14:00:01.410991-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0473.yaml b/data/reports/GO-2022-0473.yaml
new file mode 100644
index 000000000..4012c8a82
--- /dev/null
+++ b/data/reports/GO-2022-0473.yaml
@@ -0,0 +1,17 @@
+id: GO-2022-0473
+modules:
+ - module: gogs.io/gogs
+ versions:
+ - fixed: 0.12.8
+ vulnerable_at: 0.12.8-rc.1
+summary: Cross site scripting via cookies in gogs in gogs.io/gogs
+ghsas:
+ - GHSA-pj96-4jhv-v792
+references:
+ - advisory: https://github.com/gogs/gogs/security/advisories/GHSA-pj96-4jhv-v792
+ - web: https://github.com/gogs/gogs/issues/6953
+source:
+ id: GHSA-pj96-4jhv-v792
+ created: 2024-08-20T14:00:06.003285-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0480.yaml b/data/reports/GO-2022-0480.yaml
new file mode 100644
index 000000000..1539efaa5
--- /dev/null
+++ b/data/reports/GO-2022-0480.yaml
@@ -0,0 +1,25 @@
+id: GO-2022-0480
+modules:
+ - module: github.com/cri-o/cri-o
+ versions:
+ - fixed: 1.22.5
+ - introduced: 1.23.0
+ - fixed: 1.23.3
+ - introduced: 1.24.0
+ - fixed: 1.24.1
+ vulnerable_at: 1.24.0
+summary: Node DOS by way of memory exhaustion through ExecSync request in CRI-O in github.com/cri-o/cri-o
+cves:
+ - CVE-2022-1708
+ghsas:
+ - GHSA-fcm2-6c3h-pg6j
+references:
+ - advisory: https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-1708
+ - fix: https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2085361
+source:
+ id: GHSA-fcm2-6c3h-pg6j
+ created: 2024-08-20T14:00:14.037331-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0482.yaml b/data/reports/GO-2022-0482.yaml
new file mode 100644
index 000000000..b47db0262
--- /dev/null
+++ b/data/reports/GO-2022-0482.yaml
@@ -0,0 +1,29 @@
+id: GO-2022-0482
+modules:
+ - module: github.com/containerd/containerd
+ versions:
+ - fixed: 1.5.13
+ - introduced: 1.6.0
+ - fixed: 1.6.6
+ vulnerable_at: 1.6.5
+summary: 'containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd'
+cves:
+ - CVE-2022-31030
+ghsas:
+ - GHSA-5ffw-gxpp-mxpf
+references:
+ - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31030
+ - fix: https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382
+ - web: http://www.openwall.com/lists/oss-security/2022/06/07/1
+ - web: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO
+ - web: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD
+ - web: https://security.gentoo.org/glsa/202401-31
+ - web: https://www.debian.org/security/2022/dsa-5162
+source:
+ id: GHSA-5ffw-gxpp-mxpf
+ created: 2024-08-20T14:00:25.354889-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0483.yaml b/data/reports/GO-2022-0483.yaml
new file mode 100644
index 000000000..37be447d3
--- /dev/null
+++ b/data/reports/GO-2022-0483.yaml
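Review bot: The `references` list for GO-2022-0482 carries each fedoraproject announcement twice, once with the list address percent-encoded (`package-announce%40lists.fedoraproject.org`) and once with a literal `@`; both forms identify the same two messages, so one entry of each pair is redundant and should be dropped. Keeping both only adds noise to the OSV export that downstream scanners ingest.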
@@ -0,0 +1,22 @@
+id: GO-2022-0483
+modules:
+ - module: gogs.io/gogs
+ versions:
+ - fixed: 0.12.9
+ vulnerable_at: 0.12.9-rc.1
+summary: Cross-site Scripting vulnerability in repository issue list in Gogs in gogs.io/gogs
+cves:
+ - CVE-2022-31038
+ghsas:
+ - GHSA-xq4v-vrp9-vcf2
+references:
+ - advisory: https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31038
+ - web: https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee
+ - web: https://github.com/gogs/gogs/pull/7009
+ - web: https://github.com/gogs/gogs/releases/tag/v0.12.9
+source:
+ id: GHSA-xq4v-vrp9-vcf2
+ created: 2024-08-20T14:00:31.527047-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0490.yaml b/data/reports/GO-2022-0490.yaml
new file mode 100644
index 000000000..71865f845
--- /dev/null
+++ b/data/reports/GO-2022-0490.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-0490
+modules:
+ - module: github.com/argoproj/argo-events
+ versions:
+ - fixed: 1.7.1
+ vulnerable_at: 1.7.0
+summary: Uses of deprecated API can be used to cause DoS in user-facing endpoints in github.com/argoproj/argo-events
+cves:
+ - CVE-2022-31054
+ghsas:
+ - GHSA-5q86-62xr-3r57
+references:
+ - advisory: https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31054
+ - fix: https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35
+ - fix: https://github.com/argoproj/argo-events/pull/1966
+ - report: https://github.com/argoproj/argo-events/issues/1946
+source:
+ id: GHSA-5q86-62xr-3r57
+ created: 2024-08-20T14:00:43.850007-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0491.yaml b/data/reports/GO-2022-0491.yaml
new file mode 100644
index 000000000..b513c5860
--- /dev/null
+++ b/data/reports/GO-2022-0491.yaml
@@ -0,0 +1,31 @@
+id: GO-2022-0491
+modules:
+ - module: github.com/edgexfoundry/app-functions-sdk-go
+ vulnerable_at: 1.3.1
+ - module: github.com/edgexfoundry/app-functions-sdk-go/v2
+ versions:
+ - fixed: 2.1.1
+ vulnerable_at: 2.1.1-dev.4
+ - module: github.com/edgexfoundry/device-sdk-go
+ vulnerable_at: 1.4.0
+ - module: github.com/edgexfoundry/device-sdk-go/v2
+ versions:
+ - fixed: 2.1.1
+ vulnerable_at: 2.1.1-dev.3
+summary: |-
+ Configuration API in EdgeXFoundry 2.1.0 and earlier exposes message bus
+ credentials to local unauthenticated users in github.com/edgexfoundry/app-functions-sdk-go
+cves:
+ - CVE-2022-31066
+ghsas:
+ - GHSA-g63h-q855-vp3q
+references:
+ - advisory: https://github.com/edgexfoundry/edgex-go/security/advisories/GHSA-g63h-q855-vp3q
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31066
+ - fix: https://github.com/edgexfoundry/device-sdk-go/pull/1161
+ - web: https://github.com/edgexfoundry/edgex-go/pull/4016
+source:
+ id: GHSA-g63h-q855-vp3q
+ created: 2024-08-20T14:00:52.239812-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0494.yaml b/data/reports/GO-2022-0494.yaml
new file mode 100644
index 000000000..eb2556dca
--- /dev/null
+++ b/data/reports/GO-2022-0494.yaml
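Review bot: The two v1 module entries in GO-2022-0491, `github.com/edgexfoundry/app-functions-sdk-go` and `github.com/edgexfoundry/device-sdk-go`, carry only a `vulnerable_at` and no `versions` block, which marks every release on those paths as affected with no fix, while the `/v2` entries have `fixed: 2.1.1`; that is correct only if v1 was never patched, so it should be confirmed rather than left implicit. The advisory reference sits in the `edgex-go` repository and the `web:` entry is an `edgex-go` pull request, yet the report lists only the two SDK modules and the summary ends in `app-functions-sdk-go`, so a reviewer should check that the module set matches where the vulnerable configuration API actually lives and whether `edgex-go` itself belongs in `modules`. The `fix:` line points at `device-sdk-go/pull/1161` only; if `app-functions-sdk-go/v2` has a separate fixing change it should be referenced too.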
@@ -0,0 +1,22 @@
+id: GO-2022-0494
+modules:
+ - module: github.com/zalando/skipper
+ versions:
+ - fixed: 0.13.218
+ vulnerable_at: 0.13.217
+summary: Query predicate bypass in Zalando Skipper in github.com/zalando/skipper
+cves:
+ - CVE-2022-34296
+ghsas:
+ - GHSA-qx2j-85q5-ffp8
+references:
+ - advisory: https://github.com/advisories/GHSA-qx2j-85q5-ffp8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-34296
+ - fix: https://github.com/zalando/skipper/commit/998a658ce5a68a336a98f4e63e4371e200860dfc
+ - fix: https://github.com/zalando/skipper/pull/2028
+ - web: https://github.com/zalando/skipper/releases/tag/v0.13.218
+source:
+ id: GHSA-qx2j-85q5-ffp8
+ created: 2024-08-20T14:01:00.258355-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0495.yaml b/data/reports/GO-2022-0495.yaml
new file mode 100644
index 000000000..301ebca0c
--- /dev/null
+++ b/data/reports/GO-2022-0495.yaml
@@ -0,0 +1,29 @@
+id: GO-2022-0495
+modules:
+ - module: github.com/argoproj/argo-cd
+ versions:
+ - introduced: 0.7.0
+ vulnerable_at: 1.8.6
+ - module: github.com/argoproj/argo-cd/v2
+ versions:
+ - fixed: 2.1.16
+ - introduced: 2.2.0
+ - fixed: 2.2.10
+ - introduced: 2.3.0
+ - fixed: 2.3.5
+ - introduced: 2.4.0
+ - fixed: 2.4.1
+ vulnerable_at: 2.4.0
+summary: DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd
+cves:
+ - CVE-2022-31016
+ghsas:
+ - GHSA-jhqp-vf4w-rpwq
+references:
+ - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31016
+source:
+ id: GHSA-jhqp-vf4w-rpwq
+ created: 2024-08-20T14:01:04.398374-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0496.yaml b/data/reports/GO-2022-0496.yaml
new file mode 100644
index 000000000..3d7f3de14
--- /dev/null
+++ b/data/reports/GO-2022-0496.yaml
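Review bot: GO-2022-0495 (the second hunk on this line) cites only the GHSA and NVD advisories and has no `fix:` reference, whereas the other Argo CD reports in this commit (GO-2022-0497, GO-2022-0498, GO-2022-0499) each carry the fixing commit; the four `fixed:` versions in the `/v2` entry are therefore not traceable from the report itself. If the advisory names a fix commit or pull request, add it as `- fix: <URL of the fixing change>` so the version ranges can be checked during review.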
@@ -0,0 +1,19 @@
+id: GO-2022-0496
+modules:
+ - module: github.com/cloudflare/cfrpki
+ versions:
+ - fixed: 1.4.3
+ vulnerable_at: 1.4.2
+summary: Path traversal mitigation bypass in OctoRPKI in github.com/cloudflare/cfrpki
+ghsas:
+ - GHSA-3jhm-87m6-x959
+references:
+ - advisory: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959
+ - web: https://github.com/cloudflare/cfrpki/releases/tag/v1.4.3
+ - web: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh
+ - web: https://nvd.nist.gov/vuln/detail/CVE-2021-3907
+source:
+ id: GHSA-3jhm-87m6-x959
+ created: 2024-08-20T14:01:06.921541-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0497.yaml b/data/reports/GO-2022-0497.yaml
new file mode 100644
index 000000000..fd2ce38ef
--- /dev/null
+++ b/data/reports/GO-2022-0497.yaml
@@ -0,0 +1,30 @@
+id: GO-2022-0497
+modules:
+ - module: github.com/argoproj/argo-cd
+ versions:
+ - introduced: 0.11.0
+ vulnerable_at: 1.8.6
+ - module: github.com/argoproj/argo-cd/v2
+ versions:
+ - fixed: 2.1.16
+ - introduced: 2.2.0
+ - fixed: 2.2.10
+ - introduced: 2.3.0
+ - fixed: 2.3.5
+ - introduced: 2.4.0
+ - fixed: 2.4.1
+ vulnerable_at: 2.4.0
+summary: Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd
+cves:
+ - CVE-2022-31034
+ghsas:
+ - GHSA-2m7h-86qq-fp4v
+references:
+ - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31034
+ - fix: https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0
+source:
+ id: GHSA-2m7h-86qq-fp4v
+ created: 2024-08-20T14:01:08.952699-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0498.yaml b/data/reports/GO-2022-0498.yaml
new file mode 100644
index 000000000..6ddfc2a47
--- /dev/null
+++ b/data/reports/GO-2022-0498.yaml
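Review bot: GO-2022-0496 has no `cves:` field, yet its references include `https://nvd.nist.gov/vuln/detail/CVE-2021-3907` and a second advisory, `GHSA-cqh2-vc2f-q4fh`, both typed `web:`; as written the OSV export will carry neither as an alias. If CVE-2021-3907 is an identifier for this same bypass it should move into `cves:`, and if it is instead the original path-traversal issue that this report's "mitigation bypass" refers to, a one-line `notes:` entry saying so would keep a later reviewer from adding it as an alias by mistake. The same decision applies to the second GHSA.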
@@ -0,0 +1,31 @@
+id: GO-2022-0498
+modules:
+ - module: github.com/argoproj/argo-cd
+ versions:
+ - introduced: 1.0.0
+ vulnerable_at: 1.8.6
+ - module: github.com/argoproj/argo-cd/v2
+ versions:
+ - fixed: 2.1.16
+ - introduced: 2.2.0
+ - fixed: 2.2.10
+ - introduced: 2.3.0
+ - fixed: 2.3.5
+ - introduced: 2.4.0
+ - fixed: 2.4.1
+ vulnerable_at: 2.4.0
+summary: Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd
+cves:
+ - CVE-2022-31035
+ghsas:
+ - GHSA-h4w9-6x78-8vrj
+references:
+ - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31035
+ - fix: https://github.com/argoproj/argo-cd/commit/8bc3ef690de29c68a36f473908774346a44d4038
+ - web: https://argo-cd.readthedocs.io/en/stable/user-guide/external-url
+source:
+ id: GHSA-h4w9-6x78-8vrj
+ created: 2024-08-20T14:01:12.123371-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0499.yaml b/data/reports/GO-2022-0499.yaml
new file mode 100644
index 000000000..d2f9961f5
--- /dev/null
+++ b/data/reports/GO-2022-0499.yaml
@@ -0,0 +1,32 @@
+id: GO-2022-0499
+modules:
+ - module: github.com/argoproj/argo-cd
+ versions:
+ - introduced: 1.3.0
+ vulnerable_at: 1.8.6
+ - module: github.com/argoproj/argo-cd/v2
+ versions:
+ - fixed: 2.1.16
+ - introduced: 2.2.0
+ - fixed: 2.2.10
+ - introduced: 2.3.0
+ - fixed: 2.3.5
+ - introduced: 2.4.0
+ - fixed: 2.4.1
+ vulnerable_at: 2.4.0
+summary: |-
+ Symlink following allows leaking out-of-bounds YAML files from Argo CD
+ repo-server in github.com/argoproj/argo-cd
+cves:
+ - CVE-2022-31036
+ghsas:
+ - GHSA-q4w5-4gq2-98vm
+references:
+ - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31036
+ - fix: https://github.com/argoproj/argo-cd/commit/04c305396458508a31d03d44afea07b1c620d7cd
+source:
+ id: GHSA-q4w5-4gq2-98vm
+ created: 2024-08-20T14:01:17.28123-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0500.yaml b/data/reports/GO-2022-0500.yaml
new file mode 100644
index 000000000..e8994db49
--- /dev/null
+++ b/data/reports/GO-2022-0500.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-0500
+modules:
+ - module: github.com/kubeedge/kubeedge
+ versions:
+ - fixed: 1.9.3
+ - introduced: 1.10.0
+ - fixed: 1.10.1
+ vulnerable_at: 1.10.0
+summary: 'CloudCore UDS Server: Malicious Message can crash CloudCore in github.com/kubeedge/kubeedge'
+cves:
+ - CVE-2022-31076
+ghsas:
+ - GHSA-8f4f-v9x5-cg6j
+references:
+ - advisory: https://github.com/kubeedge/kubeedge/security/advisories/GHSA-8f4f-v9x5-cg6j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31076
+ - fix: https://github.com/kubeedge/kubeedge/pull/3899/commits/5d60ae9eabd6b6b7afe38758e19bbe8137664701
+source:
+ id: GHSA-8f4f-v9x5-cg6j
+ created: 2024-08-20T14:01:21.260289-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0501.yaml b/data/reports/GO-2022-0501.yaml
new file mode 100644
index 000000000..c2962558f
--- /dev/null
+++ b/data/reports/GO-2022-0501.yaml
@@ -0,0 +1,25 @@
+id: GO-2022-0501
+modules:
+ - module: github.com/kubeedge/kubeedge
+ versions:
+ - fixed: 1.9.3
+ - introduced: 1.10.0
+ - fixed: 1.10.1
+ vulnerable_at: 1.10.0
+summary: |-
+ CloudCore CSI Driver: Malicious response from KubeEdge can crash CSI Driver
+ controller server in github.com/kubeedge/kubeedge
+cves:
+ - CVE-2022-31077
+ghsas:
+ - GHSA-x938-fvfw-7jh5
+references:
+ - advisory: https://github.com/kubeedge/kubeedge/security/advisories/GHSA-x938-fvfw-7jh5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31077
+ - fix: https://github.com/kubeedge/kubeedge/pull/3899
+ - fix: https://github.com/kubeedge/kubeedge/pull/3899/commits/5d60ae9eabd6b6b7afe38758e19bbe8137664701
+source:
+ id: GHSA-x938-fvfw-7jh5
+ created: 2024-08-20T14:01:24.514983-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0502.yaml b/data/reports/GO-2022-0502.yaml
new file mode 100644
index 000000000..bede28ba2
--- /dev/null
+++ b/data/reports/GO-2022-0502.yaml
@@ -0,0 +1,20 @@
+id: GO-2022-0502
+modules:
+ - module: github.com/weaveworks/weave-gitops
+ versions:
+ - fixed: 0.8.1-rc.6
+ vulnerable_at: 0.8.1-rc.5
+summary: Weave GitOps leaked cluster credentials into logs on connection errors in github.com/weaveworks/weave-gitops
+cves:
+ - CVE-2022-31098
+ghsas:
+ - GHSA-xggc-qprg-x6mw
+references:
+ - advisory: https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-xggc-qprg-x6mw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31098
+ - fix: https://github.com/weaveworks/weave-gitops/commit/567356f471353fb5c676c77f5abc2a04631d50ca
+source:
+ id: GHSA-xggc-qprg-x6mw
+ created: 2024-08-20T14:01:28.019097-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0505.yaml b/data/reports/GO-2022-0505.yaml
new file mode 100644
index 000000000..fef687a26
--- /dev/null
+++ b/data/reports/GO-2022-0505.yaml
@@ -0,0 +1,23 @@
+id: GO-2022-0505
+modules:
+ - module: github.com/openshift/origin
+ versions:
+ - fixed: 1.0.0
+summary: Insecure cookies in Openshift Origin in github.com/openshift/origin
+cves:
+ - CVE-2015-3207
+ghsas:
+ - GHSA-rqph-25q9-9jhp
+references:
+ - advisory: https://github.com/advisories/GHSA-rqph-25q9-9jhp
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2015-3207
+ - fix: https://github.com/openshift/origin/pull/2261
+ - fix: https://github.com/openshift/origin/pull/2291
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=1221882
+notes:
+ - fix: 'github.com/openshift/origin: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-rqph-25q9-9jhp
+ created: 2024-08-20T14:01:30.994655-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
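Review bot: GO-2022-0505 is the only report in this commit whose module entry has no `vulnerable_at`, and the `notes.fix` line records that the tooling could not find a tagged version between introduced and fixed; with `fixed: 1.0.0` and no `introduced`, every pre-1.0.0 version of `github.com/openshift/origin` is reported as affected. Because the entry is `UNREVIEWED`, that is acceptable as a placeholder, but before the report is promoted a reviewer should either set `vulnerable_at` to a tagged pre-1.0.0 version by hand or confirm that no such tag exists and leave the note as the record of why the field is absent.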