diff --git a/data/excluded/GO-2023-2340.yaml b/data/excluded/GO-2023-2340.yaml
deleted file mode 100644
index 6d9707cda..000000000
--- a/data/excluded/GO-2023-2340.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-2340
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/kyverno/kyverno
-cves:
- - CVE-2023-47630
-ghsas:
- - GHSA-3hfq-cx9j-923w
diff --git a/data/excluded/GO-2023-2341.yaml b/data/excluded/GO-2023-2341.yaml
deleted file mode 100644
index e120c5368..000000000
--- a/data/excluded/GO-2023-2341.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-2341
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: k8s.io/kubernetes
-cves:
- - CVE-2023-5528
-ghsas:
- - GHSA-hq6q-c2x6-hmch
diff --git a/data/excluded/GO-2023-2344.yaml b/data/excluded/GO-2023-2344.yaml
deleted file mode 100644
index 99dbefe7e..000000000
--- a/data/excluded/GO-2023-2344.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-2344
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/pydio/cells/v4
-cves:
- - CVE-2023-2980
-ghsas:
- - GHSA-j327-c69h-4gh8
diff --git a/data/excluded/GO-2023-2351.yaml b/data/excluded/GO-2023-2351.yaml
deleted file mode 100644
index 5648b8cfc..000000000
--- a/data/excluded/GO-2023-2351.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-2351
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/clastix/capsule-proxy
-cves:
- - CVE-2023-48312
-ghsas:
- - GHSA-fpvw-6m5v-hqfp
diff --git a/data/excluded/GO-2023-2355.yaml b/data/excluded/GO-2023-2355.yaml
deleted file mode 100644
index 4f5f7445f..000000000
--- a/data/excluded/GO-2023-2355.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-2355
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: knative.dev/serving
-cves:
- - CVE-2023-48713
-ghsas:
- - GHSA-qmvj-4qr9-v547
diff --git a/data/excluded/GO-2023-2376.yaml b/data/excluded/GO-2023-2376.yaml
deleted file mode 100644
index a54cb52e4..000000000
--- a/data/excluded/GO-2023-2376.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-2376
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/traefik/traefik
-cves:
- - CVE-2023-47106
-ghsas:
- - GHSA-fvhj-4qfh-q2hm
diff --git a/data/excluded/GO-2023-2377.yaml b/data/excluded/GO-2023-2377.yaml
deleted file mode 100644
index 39edd3d62..000000000
--- a/data/excluded/GO-2023-2377.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-2377
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/traefik/traefik
-cves:
- - CVE-2023-47633
-ghsas:
- - GHSA-6fwg-jrfw-ff7p
diff --git a/data/excluded/GO-2023-2378.yaml b/data/excluded/GO-2023-2378.yaml
deleted file mode 100644
index 63d6be07f..000000000
--- a/data/excluded/GO-2023-2378.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2023-2378
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/edgelesssys/marblerun
-ghsas:
- - GHSA-j3rq-4xjw-xg63
diff --git a/data/excluded/GO-2023-2381.yaml b/data/excluded/GO-2023-2381.yaml
deleted file mode 100644
index 3484ad51c..000000000
--- a/data/excluded/GO-2023-2381.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-2381
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/traefik/traefik/v3
-cves:
- - CVE-2023-47124
-ghsas:
- - GHSA-8g85-whqh-cr2f
diff --git a/data/excluded/GO-2023-2388.yaml b/data/excluded/GO-2023-2388.yaml
deleted file mode 100644
index 252b564a1..000000000
--- a/data/excluded/GO-2023-2388.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2023-2388
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: knative.dev/eventing-github
-ghsas:
- - GHSA-v7hc-87jc-qrrr
diff --git a/data/excluded/GO-2023-2397.yaml b/data/excluded/GO-2023-2397.yaml
deleted file mode 100644
index fde09230d..000000000
--- a/data/excluded/GO-2023-2397.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2023-2397
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/treeverse/lakefs
-ghsas:
- - GHSA-26hr-q2wp-rvc5
diff --git a/data/excluded/GO-2023-2398.yaml b/data/excluded/GO-2023-2398.yaml
deleted file mode 100644
index 83c81801c..000000000
--- a/data/excluded/GO-2023-2398.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-id: GO-2023-2398
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/treeverse/lakefs
-ghsas:
- - GHSA-4rgc-5g6r-2rjf
diff --git a/data/excluded/GO-2023-2414.yaml b/data/excluded/GO-2023-2414.yaml
deleted file mode 100644
index 4ec16c970..000000000
--- a/data/excluded/GO-2023-2414.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-2414
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/navidrome/navidrome
-cves:
- - CVE-2023-51442
-ghsas:
- - GHSA-wq59-4q6r-635r
diff --git a/data/excluded/GO-2023-2422.yaml b/data/excluded/GO-2023-2422.yaml
deleted file mode 100644
index c03a7ce0e..000000000
--- a/data/excluded/GO-2023-2422.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-2422
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/deis/workflow-manager
-cves:
- - CVE-2016-15036
-ghsas:
- - GHSA-jpfp-xq3p-4h3r
diff --git a/data/excluded/GO-2023-2426.yaml b/data/excluded/GO-2023-2426.yaml
deleted file mode 100644
index e6cf7ab3c..000000000
--- a/data/excluded/GO-2023-2426.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2023-2426
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/ewen-lbh/ffcss
-cves:
- - CVE-2023-52081
-ghsas:
- - GHSA-wpmx-564x-h2mh
diff --git a/data/osv/GO-2023-2340.json b/data/osv/GO-2023-2340.json
new file mode 100644
index 000000000..eee0b8ff2
--- /dev/null
+++ b/data/osv/GO-2023-2340.json
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2340", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-47630", + "GHSA-3hfq-cx9j-923w" + ], + "summary": "Attacker can cause Kyverno user to unintentionally consume insecure image in github.com/kyverno/kyverno", + "details": "Attacker can cause Kyverno user to unintentionally consume insecure image in github.com/kyverno/kyverno", + "affected": [ + { + "package": { + "name": "github.com/kyverno/kyverno", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-3hfq-cx9j-923w" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47630" + }, + { + "type": "WEB", + "url": "https://github.com/kyverno/kyverno/releases/tag/v1.11.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2340", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2341.json b/data/osv/GO-2023-2341.json new file mode 100644 index 000000000..7b7ff9338 --- /dev/null +++ b/data/osv/GO-2023-2341.json 
@@ -0,0 +1,110 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2341", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-5528", + "GHSA-hq6q-c2x6-hmch" + ], + "summary": "Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes", + "details": "Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.16" + }, + { + "introduced": "1.26.0" + }, + { + "fixed": "1.26.11" + }, + { + "introduced": "1.27.0" + }, + { + "fixed": "1.27.8" + }, + { + "introduced": "1.28.0" + }, + { + "fixed": "1.28.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-hq6q-c2x6-hmch" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5528" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/121879" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/121881" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/121882" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/121883" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/121884" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/121885" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-announce/c/SL_d4NR8pzA" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JH444PWZBINXLLFV7XLIJIZJHSK6UEZ" + }, + { + "type": "WEB", + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XZIX727JIKF5RQW7RVVBLWXBCDIBJA7" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MPGMITSZXUCAVO7Q75675SOLXC2XXU4" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240119-0009" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2341", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2344.json b/data/osv/GO-2023-2344.json new file mode 100644 index 000000000..bf6e103a1 --- /dev/null +++ b/data/osv/GO-2023-2344.json 
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2344", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-2980", + "GHSA-j327-c69h-4gh8" + ], + "summary": "Abstrium Pydio Cells Resource Injection vulnerability in github.com/pydio/cells", + "details": "Abstrium Pydio Cells Resource Injection vulnerability in github.com/pydio/cells", + "affected": [ + { + "package": { + "name": "github.com/pydio/cells", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/pydio/cells/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.2.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-j327-c69h-4gh8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2980" + }, + { + "type": "WEB", + "url": "https://popalltheshells.medium.com/multiple-cves-affecting-pydio-cells-4-2-0-321e7e4712be" + }, + { + "type": "WEB", + "url": "https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.230212" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.230212" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2344", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2351.json b/data/osv/GO-2023-2351.json new file mode 100644 index 000000000..458039727 --- /dev/null +++ b/data/osv/GO-2023-2351.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2351", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-48312", + "GHSA-fpvw-6m5v-hqfp" + ], + "summary": "Capsule Proxy Authentication bypass using an empty token in github.com/projectcapsule/capsule-proxy", + "details": "Capsule Proxy Authentication bypass using an empty token in github.com/projectcapsule/capsule-proxy", + "affected": [ + { + "package": { + "name": "github.com/projectcapsule/capsule-proxy", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.6" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-fpvw-6m5v-hqfp" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48312" + }, + { + "type": "FIX", + "url": "https://github.com/projectcapsule/capsule-proxy/commit/472404f7006a4152e4eec76dee07324dd1e6e823" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2351", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2355.json b/data/osv/GO-2023-2355.json new file mode 100644 index 000000000..92e0ccdee --- /dev/null +++ b/data/osv/GO-2023-2355.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2355", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-48713", + "GHSA-qmvj-4qr9-v547" + ], + "summary": "Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler in knative.dev/serving", + "details": "Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler in knative.dev/serving", + "affected": [ + { + "package": { + "name": "knative.dev/serving", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.39.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48713" + }, + { + "type": "WEB", + "url": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca" + }, + { + "type": "WEB", + "url": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1" + }, + { + "type": "WEB", + "url": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2355", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2376.json b/data/osv/GO-2023-2376.json new file mode 100644 index 000000000..d1d5641b7 --- /dev/null +++ b/data/osv/GO-2023-2376.json 
@@ -0,0 +1,97 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2376", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-47106", + "GHSA-fvhj-4qfh-q2hm" + ], + "summary": "Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass in github.com/traefik/traefik", + "details": "Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass in github.com/traefik/traefik", + "affected": [ + { + "package": { + "name": "github.com/traefik/traefik", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.10.6" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.0-beta5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/traefik/traefik/security/advisories/GHSA-fvhj-4qfh-q2hm" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47106" + }, + { + "type": "WEB", + "url": "https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.1" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v2.10.6" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2376", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2377.json b/data/osv/GO-2023-2377.json new file mode 100644 index 000000000..639f04f74 --- /dev/null 
+++ b/data/osv/GO-2023-2377.json @@ -0,0 +1,93 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2377", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-47633", + "GHSA-6fwg-jrfw-ff7p" + ], + "summary": "Traefik docker container using 100% CPU in github.com/traefik/traefik", + "details": "Traefik docker container using 100% CPU in github.com/traefik/traefik", + "affected": [ + { + "package": { + "name": "github.com/traefik/traefik", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.10.6" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.0-beta5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/traefik/traefik/security/advisories/GHSA-6fwg-jrfw-ff7p" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47633" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v2.10.6" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2377", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2378.json b/data/osv/GO-2023-2378.json new file mode 100644 index 000000000..a66a65df8 --- /dev/null +++ b/data/osv/GO-2023-2378.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2378", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-j3rq-4xjw-xg63" + ], + "summary": "Go package github.com/edgelesssys/marblerun CLI commands susceptible to MITM attacks", + "details": "Go package github.com/edgelesssys/marblerun CLI commands susceptible to MITM attacks", + "affected": [ + { + "package": { + "name": "github.com/edgelesssys/marblerun", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/edgelesssys/marblerun/security/advisories/GHSA-j3rq-4xjw-xg63" + }, + { + "type": "WEB", + "url": "https://github.com/edgelesssys/marblerun/releases/tag/v1.4.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2378", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2381.json b/data/osv/GO-2023-2381.json new file mode 100644 index 000000000..ca8fff02b --- /dev/null +++ b/data/osv/GO-2023-2381.json 
@@ -0,0 +1,109 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2381", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-47124", + "GHSA-8g85-whqh-cr2f" + ], + "summary": "Traefik vulnerable to potential DDoS via ACME HTTPChallenge in github.com/traefik/traefik", + "details": "Traefik vulnerable to potential DDoS via ACME HTTPChallenge in github.com/traefik/traefik", + "affected": [ + { + "package": { + "name": "github.com/traefik/traefik", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.10.6" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/traefik/traefik/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.0-beta5" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/traefik/traefik/security/advisories/GHSA-8g85-whqh-cr2f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47124" + }, + { + "type": "WEB", + "url": "https://doc.traefik.io/traefik/https/acme/#dnschallenge" + }, + { + "type": "WEB", + "url": "https://doc.traefik.io/traefik/https/acme/#httpchallenge" + }, + { + "type": "WEB", + "url": "https://doc.traefik.io/traefik/https/acme/#tlschallenge" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v2.10.6" + }, + { + "type": "WEB", + "url": "https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5" + }, + { + "type": "WEB", + "url": "https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris" + } + ], + "database_specific": { + "url": 
"https://pkg.go.dev/vuln/GO-2023-2381", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2388.json b/data/osv/GO-2023-2388.json new file mode 100644 index 000000000..05c2b0e56 --- /dev/null +++ b/data/osv/GO-2023-2388.json @@ -0,0 +1,59 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2388", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-v7hc-87jc-qrrr" + ], + "summary": "eventing-github vulnerable to denial of service caused by improper enforcement of the timeout on individual read operations in knative.dev/eventing-github", + "details": "eventing-github vulnerable to denial of service caused by improper enforcement of the timeout on individual read operations in knative.dev/eventing-github", + "affected": [ + { + "package": { + "name": "knative.dev/eventing-github", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.39.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/knative-extensions/eventing-github/security/advisories/GHSA-v7hc-87jc-qrrr" + }, + { + "type": "WEB", + "url": "https://github.com/knative-extensions/eventing-github/commit/ea5cb8b25fc3410dde45ce2eb95454e4cfe77c40" + }, + { + "type": "WEB", + "url": "https://github.com/knative-extensions/eventing-github/pull/442" + }, + { + "type": "WEB", + "url": "https://github.com/knative-extensions/eventing-github/pull/446" + }, + { + "type": "WEB", + "url": "https://github.com/knative-extensions/eventing-github/pull/447" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2388", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2397.json b/data/osv/GO-2023-2397.json new file mode 100644 index 000000000..1a9cd7fb3 --- /dev/null +++ b/data/osv/GO-2023-2397.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2397", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-26hr-q2wp-rvc5" + ], + "summary": "User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs", + "details": "User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs", + "affected": [ + { + "package": { + "name": "github.com/treeverse/lakefs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/treeverse/lakeFS/security/advisories/GHSA-26hr-q2wp-rvc5" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2397", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2398.json b/data/osv/GO-2023-2398.json new file mode 100644 index 000000000..9afd31d02 --- /dev/null +++ b/data/osv/GO-2023-2398.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2398", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-4rgc-5g6r-2rjf" + ], + "summary": "lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs", + "details": "lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs", + "affected": [ + { + "package": { + "name": "github.com/treeverse/lakefs", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.101.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/treeverse/lakeFS/security/advisories/GHSA-4rgc-5g6r-2rjf" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2398", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2414.json b/data/osv/GO-2023-2414.json new file mode 100644 index 000000000..eaa826d81 --- /dev/null +++ b/data/osv/GO-2023-2414.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2414", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-51442", + "GHSA-wq59-4q6r-635r" + ], + "summary": "Authentication bypass vulnerability in navidrome's subsonic endpoint in github.com/navidrome/navidrome", + "details": "Authentication bypass vulnerability in navidrome's subsonic endpoint in github.com/navidrome/navidrome", + "affected": [ + { + "package": { + "name": "github.com/navidrome/navidrome", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.50.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-wq59-4q6r-635r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51442" + }, + { + "type": "FIX", + "url": "https://github.com/navidrome/navidrome/commit/1132abb0135d1ecaebc41ed97a1e908a4ae02f7c" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2414", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2422.json b/data/osv/GO-2023-2422.json new file mode 100644 index 000000000..3af4fe960 --- /dev/null +++ b/data/osv/GO-2023-2422.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2422", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2016-15036", + "GHSA-jpfp-xq3p-4h3r" + ], + "summary": "Deis Workflow Manager race condition vulnerability in github.com/deis/workflow-manager", + "details": "Deis Workflow Manager race condition vulnerability in github.com/deis/workflow-manager", + "affected": [ + { + "package": { + "name": "github.com/deis/workflow-manager", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.3.3+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-jpfp-xq3p-4h3r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-15036" + }, + { + "type": "FIX", + "url": "https://github.com/deis/workflow-manager/commit/31fe3bccbdde134a185752e53380330d16053f7f" + }, + { + "type": "FIX", + "url": "https://github.com/deis/workflow-manager/pull/94" + }, + { + "type": "WEB", + "url": "https://github.com/deis/workflow-manager/releases/tag/v2.3.3" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.248847" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.248847" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2422", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2426.json b/data/osv/GO-2023-2426.json new file mode 100644 index 000000000..9f63cdfd2 --- /dev/null +++ b/data/osv/GO-2023-2426.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2426", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-52081", + "GHSA-wpmx-564x-h2mh" + ], + "summary": "ewen-lbh/ffcss Late-Unicode normalization vulnerability in github.com/ewen-lbh/ffcss", + "details": "ewen-lbh/ffcss Late-Unicode normalization vulnerability in github.com/ewen-lbh/ffcss", + "affected": [ + { + "package": { + "name": "github.com/ewen-lbh/ffcss", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.2.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/ewen-lbh/ffcss/security/advisories/GHSA-wpmx-564x-h2mh" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52081" + }, + { + "type": "FIX", + "url": "https://github.com/ewen-lbh/ffcss/commit/f9c491874b858a32fcae15045f169fd7d02f90dc" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2426", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2023-2340.yaml b/data/reports/GO-2023-2340.yaml new file mode 100644 index 000000000..2bb8eaadc --- /dev/null +++ b/data/reports/GO-2023-2340.yaml 
@@ -0,0 +1,20 @@
+id: GO-2023-2340
+modules:
+ - module: github.com/kyverno/kyverno
+ versions:
+ - fixed: 1.10.5
+ vulnerable_at: 1.10.4
+summary: Attacker can cause Kyverno user to unintentionally consume insecure image in github.com/kyverno/kyverno
+cves:
+ - CVE-2023-47630
+ghsas:
+ - GHSA-3hfq-cx9j-923w
+references:
+ - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-3hfq-cx9j-923w
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-47630
+ - web: https://github.com/kyverno/kyverno/releases/tag/v1.11.0
+source:
+ id: GHSA-3hfq-cx9j-923w
+ created: 2024-08-20T12:15:58.763259-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2341.yaml b/data/reports/GO-2023-2341.yaml
new file mode 100644
index 000000000..363727335
--- /dev/null
+++ b/data/reports/GO-2023-2341.yaml
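Review bot: The affected range in the GO-2023-2340 report, `- fixed: 1.10.5` with `vulnerable_at: 1.10.4`, is cited against a single release reference, `https://github.com/kyverno/kyverno/releases/tag/v1.11.0`, so nothing in the listed references supports 1.10.5 as the first fixed version. That may simply be a backport not linked here, but the discrepancy should be confirmed against the GHSA and the kyverno release history before `review_status` moves past UNREVIEWED. If 1.10.5 does not in fact contain the fix, the error under-reports: a user on 1.10.5 through the rest of the 1.10 line would be told they are unaffected. Adding the release that actually carried the fix as a `fix:` reference would make the range self-documenting.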
@@ -0,0 +1,36 @@
+id: GO-2023-2341
+modules:
+ - module: k8s.io/kubernetes
+ versions:
+ - fixed: 1.25.16
+ - introduced: 1.26.0
+ - fixed: 1.26.11
+ - introduced: 1.27.0
+ - fixed: 1.27.8
+ - introduced: 1.28.0
+ - fixed: 1.28.4
+ vulnerable_at: 1.28.3
+summary: Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes
+cves:
+ - CVE-2023-5528
+ghsas:
+ - GHSA-hq6q-c2x6-hmch
+references:
+ - advisory: https://github.com/advisories/GHSA-hq6q-c2x6-hmch
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-5528
+ - web: https://github.com/kubernetes/kubernetes/issues/121879
+ - web: https://github.com/kubernetes/kubernetes/pull/121881
+ - web: https://github.com/kubernetes/kubernetes/pull/121882
+ - web: https://github.com/kubernetes/kubernetes/pull/121883
+ - web: https://github.com/kubernetes/kubernetes/pull/121884
+ - web: https://github.com/kubernetes/kubernetes/pull/121885
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/SL_d4NR8pzA
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JH444PWZBINXLLFV7XLIJIZJHSK6UEZ
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XZIX727JIKF5RQW7RVVBLWXBCDIBJA7
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MPGMITSZXUCAVO7Q75675SOLXC2XXU4
+ - web: https://security.netapp.com/advisory/ntap-20240119-0009
+source:
+ id: GHSA-hq6q-c2x6-hmch
+ created: 2024-08-20T12:16:02.633001-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2344.yaml b/data/reports/GO-2023-2344.yaml
new file mode 100644
index 000000000..dbd1344da
--- /dev/null
+++ b/data/reports/GO-2023-2344.yaml
@@ -0,0 +1,25 @@
+id: GO-2023-2344
+modules:
+ - module: github.com/pydio/cells
+ vulnerable_at: 3.0.9+incompatible
+ - module: github.com/pydio/cells/v4
+ versions:
+ - fixed: 4.2.1
+ vulnerable_at: 4.2.1-rc1
+summary: Abstrium Pydio Cells Resource Injection vulnerability in github.com/pydio/cells
+cves:
+ - CVE-2023-2980
+ghsas:
+ - GHSA-j327-c69h-4gh8
+references:
+ - advisory: https://github.com/advisories/GHSA-j327-c69h-4gh8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-2980
+ - web: https://popalltheshells.medium.com/multiple-cves-affecting-pydio-cells-4-2-0-321e7e4712be
+ - web: https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421
+ - web: https://vuldb.com/?ctiid.230212
+ - web: https://vuldb.com/?id.230212
+source:
+ id: GHSA-j327-c69h-4gh8
+ created: 2024-08-20T12:16:22.888526-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2351.yaml b/data/reports/GO-2023-2351.yaml
new file mode 100644
index 000000000..56eef1af8
--- /dev/null
+++ b/data/reports/GO-2023-2351.yaml
@@ -0,0 +1,20 @@
+id: GO-2023-2351
+modules:
+ - module: github.com/projectcapsule/capsule-proxy
+ versions:
+ - fixed: 0.4.6
+ vulnerable_at: 0.4.5
+summary: Capsule Proxy Authentication bypass using an empty token in github.com/projectcapsule/capsule-proxy
+cves:
+ - CVE-2023-48312
+ghsas:
+ - GHSA-fpvw-6m5v-hqfp
+references:
+ - advisory: https://github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-fpvw-6m5v-hqfp
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-48312
+ - fix: https://github.com/projectcapsule/capsule-proxy/commit/472404f7006a4152e4eec76dee07324dd1e6e823
+source:
+ id: GHSA-fpvw-6m5v-hqfp
+ created: 2024-08-20T12:17:25.847809-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2355.yaml b/data/reports/GO-2023-2355.yaml
new file mode 100644
index 000000000..aace4f4de
--- /dev/null
+++ b/data/reports/GO-2023-2355.yaml
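Review bot: The first module entry in GO-2023-2344, `github.com/pydio/cells`, carries a `vulnerable_at` but no `versions` stanza, so every release on that module path is reported as affected with no fixed version; that is only right if the 4.2.1 fix on the `/v4` path was never backported to the pre-v4 path, which the report does not say. The same unfixed-module shape appears for `github.com/traefik/traefik` in GO-2023-2376, GO-2023-2377 and GO-2023-2381. If it is deliberate in each case, a short statement to that effect in the commit description would spare the next reviewer from reading it as a missing range; if it is not, the entry needs a `versions` list like the `/v4` entry beside it.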
@@ -0,0 +1,24 @@
+id: GO-2023-2355
+modules:
+ - module: knative.dev/serving
+ versions:
+ - fixed: 0.39.0
+ vulnerable_at: 0.38.6
+summary: |-
+ Knative Serving vulnerable to attacker-controlled pod causing denial of service
+ of autoscaler in knative.dev/serving
+cves:
+ - CVE-2023-48713
+ghsas:
+ - GHSA-qmvj-4qr9-v547
+references:
+ - advisory: https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-48713
+ - web: https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca
+ - web: https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1
+ - web: https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a
+source:
+ id: GHSA-qmvj-4qr9-v547
+ created: 2024-08-20T12:19:28.431383-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2376.yaml b/data/reports/GO-2023-2376.yaml
new file mode 100644
index 000000000..3658c3ff8
--- /dev/null
+++ b/data/reports/GO-2023-2376.yaml
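Review bot: The three `knative/serving` commit links under `references` are typed `web:`, while the fixing commits elsewhere in this change (GO-2023-2351, GO-2023-2414, GO-2023-2422, GO-2023-2426) are typed `fix:`, which is the reference type consumers use to locate the patch. If these commits are the fix for GHSA-qmvj-4qr9-v547, each of the three lines should read `- fix: https://github.com/knative/serving/commit/<sha>` with the sha unchanged; if they are not, a `fix:` reference is missing from the report. GO-2023-2388 has the same pattern for its `eventing-github` commit and pull-request links.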
@@ -0,0 +1,28 @@
+id: GO-2023-2376
+modules:
+ - module: github.com/traefik/traefik
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.10.6
+ vulnerable_at: 2.10.5
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - fixed: 3.0.0-beta5
+ vulnerable_at: 3.0.0-beta4
+summary: Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass in github.com/traefik/traefik
+cves:
+ - CVE-2023-47106
+ghsas:
+ - GHSA-fvhj-4qfh-q2hm
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-fvhj-4qfh-q2hm
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-47106
+ - web: https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.1
+ - web: https://github.com/traefik/traefik/releases/tag/v2.10.6
+ - web: https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
+source:
+ id: GHSA-fvhj-4qfh-q2hm
+ created: 2024-08-20T12:20:31.685662-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2377.yaml b/data/reports/GO-2023-2377.yaml
new file mode 100644
index 000000000..b1803bb04
--- /dev/null
+++ b/data/reports/GO-2023-2377.yaml
@@ -0,0 +1,27 @@
+id: GO-2023-2377
+modules:
+ - module: github.com/traefik/traefik
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.10.6
+ vulnerable_at: 2.10.5
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - fixed: 3.0.0-beta5
+ vulnerable_at: 3.0.0-beta4
+summary: Traefik docker container using 100% CPU in github.com/traefik/traefik
+cves:
+ - CVE-2023-47633
+ghsas:
+ - GHSA-6fwg-jrfw-ff7p
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-6fwg-jrfw-ff7p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-47633
+ - web: https://github.com/traefik/traefik/releases/tag/v2.10.6
+ - web: https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
+source:
+ id: GHSA-6fwg-jrfw-ff7p
+ created: 2024-08-20T12:20:35.798219-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2378.yaml b/data/reports/GO-2023-2378.yaml
new file mode 100644
index 000000000..fdece552d
--- /dev/null
+++ b/data/reports/GO-2023-2378.yaml
@@ -0,0 +1,19 @@
+id: GO-2023-2378
+modules:
+ - module: github.com/edgelesssys/marblerun
+ versions:
+ - fixed: 1.4.0
+ vulnerable_at: 1.3.0
+summary: |-
+ Go package github.com/edgelesssys/marblerun CLI commands susceptible to MITM
+ attacks
+ghsas:
+ - GHSA-j3rq-4xjw-xg63
+references:
+ - advisory: https://github.com/edgelesssys/marblerun/security/advisories/GHSA-j3rq-4xjw-xg63
+ - web: https://github.com/edgelesssys/marblerun/releases/tag/v1.4.0
+source:
+ id: GHSA-j3rq-4xjw-xg63
+ created: 2024-08-20T12:20:38.183163-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2381.yaml b/data/reports/GO-2023-2381.yaml
new file mode 100644
index 000000000..e4c3f59b8
--- /dev/null
+++ b/data/reports/GO-2023-2381.yaml
@@ -0,0 +1,31 @@
+id: GO-2023-2381
+modules:
+ - module: github.com/traefik/traefik
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.10.6
+ vulnerable_at: 2.10.5
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - fixed: 3.0.0-beta5
+ vulnerable_at: 3.0.0-beta4
+summary: Traefik vulnerable to potential DDoS via ACME HTTPChallenge in github.com/traefik/traefik
+cves:
+ - CVE-2023-47124
+ghsas:
+ - GHSA-8g85-whqh-cr2f
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-8g85-whqh-cr2f
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-47124
+ - web: https://doc.traefik.io/traefik/https/acme/#dnschallenge
+ - web: https://doc.traefik.io/traefik/https/acme/#httpchallenge
+ - web: https://doc.traefik.io/traefik/https/acme/#tlschallenge
+ - web: https://github.com/traefik/traefik/releases/tag/v2.10.6
+ - web: https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
+ - web: https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris
+source:
+ id: GHSA-8g85-whqh-cr2f
+ created: 2024-08-20T12:20:39.972622-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2388.yaml b/data/reports/GO-2023-2388.yaml
new file mode 100644
index 000000000..1f76dd3c7
--- /dev/null
+++ b/data/reports/GO-2023-2388.yaml
@@ -0,0 +1,22 @@
+id: GO-2023-2388
+modules:
+ - module: knative.dev/eventing-github
+ versions:
+ - fixed: 0.39.1
+ vulnerable_at: 0.39.0
+summary: |-
+ eventing-github vulnerable to denial of service caused by improper enforcement
+ of the timeout on individual read operations in knative.dev/eventing-github
+ghsas:
+ - GHSA-v7hc-87jc-qrrr
+references:
+ - advisory: https://github.com/knative-extensions/eventing-github/security/advisories/GHSA-v7hc-87jc-qrrr
+ - web: https://github.com/knative-extensions/eventing-github/commit/ea5cb8b25fc3410dde45ce2eb95454e4cfe77c40
+ - web: https://github.com/knative-extensions/eventing-github/pull/442
+ - web: https://github.com/knative-extensions/eventing-github/pull/446
+ - web: https://github.com/knative-extensions/eventing-github/pull/447
+source:
+ id: GHSA-v7hc-87jc-qrrr
+ created: 2024-08-20T12:20:42.735687-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2397.yaml b/data/reports/GO-2023-2397.yaml
new file mode 100644
index 000000000..97029b47e
--- /dev/null
+++ b/data/reports/GO-2023-2397.yaml
@@ -0,0 +1,18 @@
+id: GO-2023-2397
+modules:
+ - module: github.com/treeverse/lakefs
+ versions:
+ - fixed: 1.3.1
+ vulnerable_at: 1.3.0
+summary: |-
+ User with permission to write actions can impersonate another user when auth
+ token is configured in environment variable in github.com/treeverse/lakefs
+ghsas:
+ - GHSA-26hr-q2wp-rvc5
+references:
+ - advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-26hr-q2wp-rvc5
+source:
+ id: GHSA-26hr-q2wp-rvc5
+ created: 2024-08-20T12:22:26.133654-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2398.yaml b/data/reports/GO-2023-2398.yaml
new file mode 100644
index 000000000..efa362de0
--- /dev/null
+++ b/data/reports/GO-2023-2398.yaml
@@ -0,0 +1,16 @@
+id: GO-2023-2398
+modules:
+ - module: github.com/treeverse/lakefs
+ versions:
+ - fixed: 0.101.0
+ vulnerable_at: 0.100.0
+summary: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs
+ghsas:
+ - GHSA-4rgc-5g6r-2rjf
+references:
+ - advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-4rgc-5g6r-2rjf
+source:
+ id: GHSA-4rgc-5g6r-2rjf
+ created: 2024-08-20T12:22:27.00298-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2414.yaml b/data/reports/GO-2023-2414.yaml
new file mode 100644
index 000000000..658fbe9e1
--- /dev/null
+++ b/data/reports/GO-2023-2414.yaml
@@ -0,0 +1,20 @@
+id: GO-2023-2414
+modules:
+ - module: github.com/navidrome/navidrome
+ versions:
+ - fixed: 0.50.2
+ vulnerable_at: 0.50.1
+summary: Authentication bypass vulnerability in navidrome's subsonic endpoint in github.com/navidrome/navidrome
+cves:
+ - CVE-2023-51442
+ghsas:
+ - GHSA-wq59-4q6r-635r
+references:
+ - advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-wq59-4q6r-635r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-51442
+ - fix: https://github.com/navidrome/navidrome/commit/1132abb0135d1ecaebc41ed97a1e908a4ae02f7c
+source:
+ id: GHSA-wq59-4q6r-635r
+ created: 2024-08-20T12:22:33.088629-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2422.yaml b/data/reports/GO-2023-2422.yaml
new file mode 100644
index 000000000..0d1631fb5
--- /dev/null
+++ b/data/reports/GO-2023-2422.yaml
@@ -0,0 +1,24 @@
+id: GO-2023-2422
+modules:
+ - module: github.com/deis/workflow-manager
+ versions:
+ - fixed: 2.3.3+incompatible
+ vulnerable_at: 2.3.2+incompatible
+summary: Deis Workflow Manager race condition vulnerability in github.com/deis/workflow-manager
+cves:
+ - CVE-2016-15036
+ghsas:
+ - GHSA-jpfp-xq3p-4h3r
+references:
+ - advisory: https://github.com/advisories/GHSA-jpfp-xq3p-4h3r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-15036
+ - fix: https://github.com/deis/workflow-manager/commit/31fe3bccbdde134a185752e53380330d16053f7f
+ - fix: https://github.com/deis/workflow-manager/pull/94
+ - web: https://github.com/deis/workflow-manager/releases/tag/v2.3.3
+ - web: https://vuldb.com/?ctiid.248847
+ - web: https://vuldb.com/?id.248847
+source:
+ id: GHSA-jpfp-xq3p-4h3r
+ created: 2024-08-20T12:22:41.208519-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2426.yaml b/data/reports/GO-2023-2426.yaml
new file mode 100644
index 000000000..e52f6e542
--- /dev/null
+++ b/data/reports/GO-2023-2426.yaml
@@ -0,0 +1,20 @@
+id: GO-2023-2426
+modules:
+ - module: github.com/ewen-lbh/ffcss
+ versions:
+ - fixed: 0.2.0
+ vulnerable_at: 0.1.2
+summary: ewen-lbh/ffcss Late-Unicode normalization vulnerability in github.com/ewen-lbh/ffcss
+cves:
+ - CVE-2023-52081
+ghsas:
+ - GHSA-wpmx-564x-h2mh
+references:
+ - advisory: https://github.com/ewen-lbh/ffcss/security/advisories/GHSA-wpmx-564x-h2mh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-52081
+ - fix: https://github.com/ewen-lbh/ffcss/commit/f9c491874b858a32fcae15045f169fd7d02f90dc
+source:
+ id: GHSA-wpmx-564x-h2mh
+ created: 2024-08-20T12:22:53.088096-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE