From aa5cc8a426c6191d910cd457850596b95d2e7460 Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley Date: Tue, 20 Aug 2024 12:50:24 -0400 Subject: [PATCH] data/reports: unexclude 20 reports (11) - data/reports/GO-2023-2097.yaml - data/reports/GO-2023-2109.yaml - data/reports/GO-2023-2121.yaml - data/reports/GO-2023-2125.yaml - data/reports/GO-2023-2134.yaml - data/reports/GO-2023-2135.yaml - data/reports/GO-2023-2136.yaml - data/reports/GO-2023-2156.yaml - data/reports/GO-2023-2159.yaml - data/reports/GO-2023-2166.yaml - data/reports/GO-2023-2170.yaml - data/reports/GO-2023-2176.yaml - data/reports/GO-2023-2188.yaml - data/reports/GO-2023-2329.yaml - data/reports/GO-2023-2330.yaml - data/reports/GO-2023-2332.yaml - data/reports/GO-2023-2335.yaml - data/reports/GO-2023-2336.yaml - data/reports/GO-2023-2337.yaml - data/reports/GO-2023-2338.yaml Updates golang/vulndb#2097 Updates golang/vulndb#2109 Updates golang/vulndb#2121 Updates golang/vulndb#2125 Updates golang/vulndb#2134 Updates golang/vulndb#2135 Updates golang/vulndb#2136 Updates golang/vulndb#2156 Updates golang/vulndb#2159 Updates golang/vulndb#2166 Updates golang/vulndb#2170 Updates golang/vulndb#2176 Updates golang/vulndb#2188 Updates golang/vulndb#2329 Updates golang/vulndb#2330 Updates golang/vulndb#2332 Updates golang/vulndb#2335 Updates golang/vulndb#2336 Updates golang/vulndb#2337 Updates golang/vulndb#2338 Change-Id: I5fc55dacf7cdfd2512c00f07abfc0debfde9263f Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606792 LUCI-TryBot-Result: Go LUCI Commit-Queue: Tatiana Bradley Auto-Submit: Tatiana Bradley Reviewed-by: Damien Neil --- data/excluded/GO-2023-2097.yaml | 8 -- data/excluded/GO-2023-2109.yaml | 8 -- data/excluded/GO-2023-2121.yaml | 8 -- data/excluded/GO-2023-2125.yaml | 8 -- data/excluded/GO-2023-2134.yaml | 8 -- data/excluded/GO-2023-2135.yaml | 8 -- data/excluded/GO-2023-2136.yaml | 8 -- data/excluded/GO-2023-2156.yaml | 6 -- data/excluded/GO-2023-2159.yaml | 8 -- data/excluded/GO-2023-2166.yaml | 8 -- data/excluded/GO-2023-2170.yaml | 8 -- 
data/excluded/GO-2023-2176.yaml | 8 -- data/excluded/GO-2023-2188.yaml | 6 -- data/excluded/GO-2023-2329.yaml | 8 -- data/excluded/GO-2023-2330.yaml | 8 -- data/excluded/GO-2023-2332.yaml | 8 -- data/excluded/GO-2023-2335.yaml | 8 -- data/excluded/GO-2023-2336.yaml | 8 -- data/excluded/GO-2023-2337.yaml | 8 -- data/excluded/GO-2023-2338.yaml | 8 -- data/osv/GO-2023-2097.json | 60 +++++++++++++++ data/osv/GO-2023-2109.json | 76 +++++++++++++++++++ data/osv/GO-2023-2121.json | 52 +++++++++++++ data/osv/GO-2023-2125.json | 62 ++++++++++++++++ data/osv/GO-2023-2134.json | 60 +++++++++++++++ data/osv/GO-2023-2135.json | 52 +++++++++++++ data/osv/GO-2023-2136.json | 52 +++++++++++++ data/osv/GO-2023-2156.json | 83 +++++++++++++++++++++ data/osv/GO-2023-2159.json | 60 +++++++++++++++ data/osv/GO-2023-2166.json | 52 +++++++++++++ data/osv/GO-2023-2170.json | 124 +++++++++++++++++++++++++++++++ data/osv/GO-2023-2176.json | 88 ++++++++++++++++++++++ data/osv/GO-2023-2188.json | 76 +++++++++++++++++++ data/osv/GO-2023-2329.json | 68 +++++++++++++++++ data/osv/GO-2023-2330.json | 128 ++++++++++++++++++++++++++++++++ data/osv/GO-2023-2332.json | 60 +++++++++++++++ data/osv/GO-2023-2335.json | 60 +++++++++++++++ data/osv/GO-2023-2336.json | 60 +++++++++++++++ data/osv/GO-2023-2337.json | 60 +++++++++++++++ data/osv/GO-2023-2338.json | 60 +++++++++++++++ data/reports/GO-2023-2097.yaml | 24 ++++++ data/reports/GO-2023-2109.yaml | 27 +++++++ data/reports/GO-2023-2121.yaml | 20 +++++ data/reports/GO-2023-2125.yaml | 23 ++++++ data/reports/GO-2023-2134.yaml | 22 ++++++ data/reports/GO-2023-2135.yaml | 20 +++++ data/reports/GO-2023-2136.yaml | 20 +++++ data/reports/GO-2023-2156.yaml | 24 ++++++ data/reports/GO-2023-2159.yaml | 22 ++++++ data/reports/GO-2023-2166.yaml | 20 +++++ data/reports/GO-2023-2170.yaml | 40 ++++++++++ data/reports/GO-2023-2176.yaml | 31 ++++++++ data/reports/GO-2023-2188.yaml | 24 ++++++ data/reports/GO-2023-2329.yaml | 25 +++++++ data/reports/GO-2023-2330.yaml 
| 41 ++++++++++ data/reports/GO-2023-2332.yaml | 25 +++++++ data/reports/GO-2023-2335.yaml | 24 ++++++ data/reports/GO-2023-2336.yaml | 24 ++++++ data/reports/GO-2023-2337.yaml | 24 ++++++ data/reports/GO-2023-2338.yaml | 24 ++++++ 60 files changed, 1897 insertions(+), 156 deletions(-) delete mode 100644 data/excluded/GO-2023-2097.yaml delete mode 100644 data/excluded/GO-2023-2109.yaml delete mode 100644 data/excluded/GO-2023-2121.yaml delete mode 100644 data/excluded/GO-2023-2125.yaml delete mode 100644 data/excluded/GO-2023-2134.yaml delete mode 100644 data/excluded/GO-2023-2135.yaml delete mode 100644 data/excluded/GO-2023-2136.yaml delete mode 100644 data/excluded/GO-2023-2156.yaml delete mode 100644 data/excluded/GO-2023-2159.yaml delete mode 100644 data/excluded/GO-2023-2166.yaml delete mode 100644 data/excluded/GO-2023-2170.yaml delete mode 100644 data/excluded/GO-2023-2176.yaml delete mode 100644 data/excluded/GO-2023-2188.yaml delete mode 100644 data/excluded/GO-2023-2329.yaml delete mode 100644 data/excluded/GO-2023-2330.yaml delete mode 100644 data/excluded/GO-2023-2332.yaml delete mode 100644 data/excluded/GO-2023-2335.yaml delete mode 100644 data/excluded/GO-2023-2336.yaml delete mode 100644 data/excluded/GO-2023-2337.yaml delete mode 100644 data/excluded/GO-2023-2338.yaml create mode 100644 data/osv/GO-2023-2097.json create mode 100644 data/osv/GO-2023-2109.json create mode 100644 data/osv/GO-2023-2121.json create mode 100644 data/osv/GO-2023-2125.json create mode 100644 data/osv/GO-2023-2134.json create mode 100644 data/osv/GO-2023-2135.json create mode 100644 data/osv/GO-2023-2136.json create mode 100644 data/osv/GO-2023-2156.json create mode 100644 data/osv/GO-2023-2159.json create mode 100644 data/osv/GO-2023-2166.json create mode 100644 data/osv/GO-2023-2170.json create mode 100644 data/osv/GO-2023-2176.json create mode 100644 data/osv/GO-2023-2188.json create mode 100644 data/osv/GO-2023-2329.json create mode 100644 data/osv/GO-2023-2330.json 
create mode 100644 data/osv/GO-2023-2332.json create mode 100644 data/osv/GO-2023-2335.json create mode 100644 data/osv/GO-2023-2336.json create mode 100644 data/osv/GO-2023-2337.json create mode 100644 data/osv/GO-2023-2338.json create mode 100644 data/reports/GO-2023-2097.yaml create mode 100644 data/reports/GO-2023-2109.yaml create mode 100644 data/reports/GO-2023-2121.yaml create mode 100644 data/reports/GO-2023-2125.yaml create mode 100644 data/reports/GO-2023-2134.yaml create mode 100644 data/reports/GO-2023-2135.yaml create mode 100644 data/reports/GO-2023-2136.yaml create mode 100644 data/reports/GO-2023-2156.yaml create mode 100644 data/reports/GO-2023-2159.yaml create mode 100644 data/reports/GO-2023-2166.yaml create mode 100644 data/reports/GO-2023-2170.yaml create mode 100644 data/reports/GO-2023-2176.yaml create mode 100644 data/reports/GO-2023-2188.yaml create mode 100644 data/reports/GO-2023-2329.yaml create mode 100644 data/reports/GO-2023-2330.yaml create mode 100644 data/reports/GO-2023-2332.yaml create mode 100644 data/reports/GO-2023-2335.yaml create mode 100644 data/reports/GO-2023-2336.yaml create mode 100644 data/reports/GO-2023-2337.yaml create mode 100644 data/reports/GO-2023-2338.yaml diff --git a/data/excluded/GO-2023-2097.yaml b/data/excluded/GO-2023-2097.yaml deleted file mode 100644 index dad93e8af..000000000 --- a/data/excluded/GO-2023-2097.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2097 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/charmbracelet/soft-serve -cves: - - CVE-2023-43809 -ghsas: - - GHSA-mc97-99j4-vm2v diff --git a/data/excluded/GO-2023-2109.yaml b/data/excluded/GO-2023-2109.yaml deleted file mode 100644 index a1a450472..000000000 --- a/data/excluded/GO-2023-2109.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2109 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/goharbor/harbor -cves: - - CVE-2023-20902 -ghsas: - - GHSA-mq6f-5xh5-hgcf 
diff --git a/data/excluded/GO-2023-2121.yaml b/data/excluded/GO-2023-2121.yaml deleted file mode 100644 index 3e185f32b..000000000 --- a/data/excluded/GO-2023-2121.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2121 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/openfga/openfga -cves: - - CVE-2023-45810 -ghsas: - - GHSA-hr4f-6jh8-f2vq diff --git a/data/excluded/GO-2023-2125.yaml b/data/excluded/GO-2023-2125.yaml deleted file mode 100644 index 667453deb..000000000 --- a/data/excluded/GO-2023-2125.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2125 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: k8s.io/kops -cves: - - CVE-2023-1943 -ghsas: - - GHSA-8gwj-m6vh-2g6j diff --git a/data/excluded/GO-2023-2134.yaml b/data/excluded/GO-2023-2134.yaml deleted file mode 100644 index 2da81ce65..000000000 --- a/data/excluded/GO-2023-2134.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2134 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/artifacthub/hub -cves: - - CVE-2023-45822 -ghsas: - - GHSA-9pc8-m4vp-ggvf diff --git a/data/excluded/GO-2023-2135.yaml b/data/excluded/GO-2023-2135.yaml deleted file mode 100644 index fe1c90f5a..000000000 --- a/data/excluded/GO-2023-2135.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2135 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/artifacthub/hub -cves: - - CVE-2023-45821 -ghsas: - - GHSA-g6pq-x539-7w4j diff --git a/data/excluded/GO-2023-2136.yaml b/data/excluded/GO-2023-2136.yaml deleted file mode 100644 index ed09f1ee3..000000000 --- a/data/excluded/GO-2023-2136.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2136 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/artifacthub/hub -cves: - - CVE-2023-45823 -ghsas: - - GHSA-hmq4-c2r4-5q8h diff --git a/data/excluded/GO-2023-2156.yaml b/data/excluded/GO-2023-2156.yaml deleted file mode 100644 index 19700c82b..000000000 --- a/data/excluded/GO-2023-2156.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -id: GO-2023-2156 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v6 -ghsas: - - GHSA-w6rp-vxj2-fjhr diff --git a/data/excluded/GO-2023-2159.yaml b/data/excluded/GO-2023-2159.yaml deleted file mode 100644 index 012f185ca..000000000 --- a/data/excluded/GO-2023-2159.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2159 -excluded: NOT_IMPORTABLE -modules: - - module: github.com/kubernetes/kubernetes -cves: - - CVE-2021-25736 -ghsas: - - GHSA-35c7-w35f-xwgh diff --git a/data/excluded/GO-2023-2166.yaml b/data/excluded/GO-2023-2166.yaml deleted file mode 100644 index 034f1ce1d..000000000 --- a/data/excluded/GO-2023-2166.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2166 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/authzed/spicedb -cves: - - CVE-2023-46255 -ghsas: - - GHSA-jg7w-cxjv-98c2 diff --git a/data/excluded/GO-2023-2170.yaml b/data/excluded/GO-2023-2170.yaml deleted file mode 100644 index eb97a177d..000000000 --- a/data/excluded/GO-2023-2170.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2170 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: k8s.io/kubernetes -cves: - - CVE-2023-3955 -ghsas: - - GHSA-q78c-gwqw-jcmc diff --git a/data/excluded/GO-2023-2176.yaml b/data/excluded/GO-2023-2176.yaml deleted file mode 100644 index f5bf809e9..000000000 --- a/data/excluded/GO-2023-2176.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2176 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/kubernetes-csi/csi-proxy -cves: - - CVE-2023-3893 -ghsas: - - GHSA-r6cc-7wj7-gfx2 diff --git a/data/excluded/GO-2023-2188.yaml b/data/excluded/GO-2023-2188.yaml deleted file mode 100644 index 4481735cd..000000000 --- a/data/excluded/GO-2023-2188.yaml +++ /dev/null @@ -1,6 +0,0 @@ -id: GO-2023-2188 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/slsa-framework/slsa-verifier -ghsas: - - GHSA-r2xv-vpr2-42m9 
diff --git a/data/excluded/GO-2023-2329.yaml b/data/excluded/GO-2023-2329.yaml deleted file mode 100644 index e1f24d019..000000000 --- a/data/excluded/GO-2023-2329.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2329 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/hashicorp/vault -cves: - - CVE-2023-5954 -ghsas: - - GHSA-4qhc-v8r6-8vwm diff --git a/data/excluded/GO-2023-2330.yaml b/data/excluded/GO-2023-2330.yaml deleted file mode 100644 index 469a48f94..000000000 --- a/data/excluded/GO-2023-2330.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2330 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: k8s.io/kubernetes -cves: - - CVE-2023-3676 -ghsas: - - GHSA-7fxm-f474-hf8w diff --git a/data/excluded/GO-2023-2332.yaml b/data/excluded/GO-2023-2332.yaml deleted file mode 100644 index 72716599c..000000000 --- a/data/excluded/GO-2023-2332.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2332 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/sigstore/gitsign -cves: - - CVE-2023-47122 -ghsas: - - GHSA-xvrc-2wvh-49vc diff --git a/data/excluded/GO-2023-2335.yaml b/data/excluded/GO-2023-2335.yaml deleted file mode 100644 index 85eaad3bd..000000000 --- a/data/excluded/GO-2023-2335.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2335 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/kyverno/kyverno -cves: - - CVE-2023-42813 -ghsas: - - GHSA-wc3x-5rfv-hh5v diff --git a/data/excluded/GO-2023-2336.yaml b/data/excluded/GO-2023-2336.yaml deleted file mode 100644 index f17b8dc3b..000000000 --- a/data/excluded/GO-2023-2336.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2336 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/kyverno/kyverno -cves: - - CVE-2023-42814 -ghsas: - - GHSA-9g37-h7p2-2c6r diff --git a/data/excluded/GO-2023-2337.yaml b/data/excluded/GO-2023-2337.yaml deleted file mode 100644 index dd057a7d4..000000000 --- a/data/excluded/GO-2023-2337.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -id: GO-2023-2337 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/kyverno/kyverno -cves: - - CVE-2023-42815 -ghsas: - - GHSA-hjpv-68f4-2262 diff --git a/data/excluded/GO-2023-2338.yaml b/data/excluded/GO-2023-2338.yaml deleted file mode 100644 index 3dcb04aad..000000000 --- a/data/excluded/GO-2023-2338.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: GO-2023-2338 -excluded: EFFECTIVELY_PRIVATE -modules: - - module: github.com/kyverno/kyverno -cves: - - CVE-2023-42816 -ghsas: - - GHSA-4mp4-46gq-hv3r diff --git a/data/osv/GO-2023-2097.json b/data/osv/GO-2023-2097.json new file mode 100644 index 000000000..b10e05d1d --- /dev/null +++ b/data/osv/GO-2023-2097.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2097", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-43809", + "GHSA-mc97-99j4-vm2v" + ], + "summary": "Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled in github.com/charmbracelet/soft-serve", + "details": "Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled in github.com/charmbracelet/soft-serve", + "affected": [ + { + "package": { + "name": "github.com/charmbracelet/soft-serve", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.6.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-mc97-99j4-vm2v" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43809" + }, + { + "type": "FIX", + "url": "https://github.com/charmbracelet/soft-serve/commit/407c4ec72d1006cee1ff8c1775e5bcc091c2bc89" + }, + { + "type": "REPORT", + "url": "https://github.com/charmbracelet/soft-serve/issues/389" + }, + { + "type": "WEB", + "url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.6.2" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2097", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2109.json b/data/osv/GO-2023-2109.json new file mode 100644 index 000000000..adc468d3d --- /dev/null +++ b/data/osv/GO-2023-2109.json 
@@ -0,0 +1,76 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2109", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-20902", + "GHSA-mq6f-5xh5-hgcf" + ], + "summary": "Harbor timing attack risk in github.com/goharbor/harbor", + "details": "Harbor timing attack risk in github.com/goharbor/harbor", + "affected": [ + { + "package": { + "name": "github.com/goharbor/harbor", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.18" + }, + { + "introduced": "2.0.0+incompatible" + }, + { + "fixed": "2.7.3+incompatible" + }, + { + "introduced": "2.8.0+incompatible" + }, + { + "fixed": "2.8.3+incompatible" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20902" + }, + { + "type": "WEB", + "url": "https://github.com/goharbor/harbor/blob/aaea068cceb4063ab89313d9785f2b40f35b0d63/src/jobservice/api/authenticator.go#L69-L69" + }, + { + "type": "WEB", + "url": "https://github.com/goharbor/harbor/releases/tag/v1.10.18" + }, + { + "type": "WEB", + "url": "https://github.com/goharbor/harbor/releases/tag/v2.7.3" + }, + { + "type": "WEB", + "url": "https://github.com/goharbor/harbor/releases/tag/v2.8.3" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2109", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2121.json b/data/osv/GO-2023-2121.json new file mode 100644 index 000000000..e6bf05a06 --- /dev/null +++ b/data/osv/GO-2023-2121.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2121", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-45810", + "GHSA-hr4f-6jh8-f2vq" + ], + "summary": "OpenFGA DoS vulnerability in github.com/openfga/openfga", + "details": "OpenFGA DoS vulnerability in github.com/openfga/openfga", + "affected": [ + { + "package": { + "name": "github.com/openfga/openfga", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.4" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/openfga/openfga/security/advisories/GHSA-hr4f-6jh8-f2vq" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45810" + }, + { + "type": "WEB", + "url": "https://github.com/openfga/openfga/releases/tag/v1.3.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2121", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2125.json b/data/osv/GO-2023-2125.json new file mode 100644 index 000000000..73b3734fd --- /dev/null +++ b/data/osv/GO-2023-2125.json 
@@ -0,0 +1,62 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2125", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-1943", + "GHSA-8gwj-m6vh-2g6j" + ], + "summary": "kOps privilege escalation vulnerability in k8s.io/kops", + "details": "kOps privilege escalation vulnerability in k8s.io/kops", + "affected": [ + { + "package": { + "name": "k8s.io/kops", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.4" + }, + { + "introduced": "1.26.0" + }, + { + "fixed": "1.26.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8gwj-m6vh-2g6j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1943" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kops/issues/15539" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-announce/c/yrCE1x89oaU" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2125", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2134.json b/data/osv/GO-2023-2134.json new file mode 100644 index 000000000..70300b474 --- /dev/null +++ b/data/osv/GO-2023-2134.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2134", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-45822", + "GHSA-9pc8-m4vp-ggvf" + ], + "summary": "Artifact Hub allows unsafe rego built-in in github.com/artifacthub/hub", + "details": "Artifact Hub allows unsafe rego built-in in github.com/artifacthub/hub", + "affected": [ + { + "package": { + "name": "github.com/artifacthub/hub", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/artifacthub/hub/security/advisories/GHSA-9pc8-m4vp-ggvf" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45822" + }, + { + "type": "WEB", + "url": "https://artifacthub.io/packages/helm/artifact-hub/artifact-hub?modal=changelog\u0026version=1.16.0" + }, + { + "type": "WEB", + "url": "https://www.openpolicyagent.org" + }, + { + "type": "WEB", + "url": "https://www.openpolicyagent.org/docs/latest/#rego" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2134", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2135.json b/data/osv/GO-2023-2135.json new file mode 100644 index 000000000..e1bcdcd7f --- /dev/null +++ b/data/osv/GO-2023-2135.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2135", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-45821", + "GHSA-g6pq-x539-7w4j" + ], + "summary": "Artifact Hub has Incorrect Docker Hub registry check in github.com/artifacthub/hub", + "details": "Artifact Hub has Incorrect Docker Hub registry check in github.com/artifacthub/hub", + "affected": [ + { + "package": { + "name": "github.com/artifacthub/hub", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/artifacthub/hub/security/advisories/GHSA-g6pq-x539-7w4j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45821" + }, + { + "type": "WEB", + "url": "https://artifacthub.io/packages/helm/artifact-hub/artifact-hub?modal=changelog\u0026version=1.16.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2135", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2136.json b/data/osv/GO-2023-2136.json new file mode 100644 index 000000000..54f60c92f --- /dev/null +++ b/data/osv/GO-2023-2136.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2136", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-45823", + "GHSA-hmq4-c2r4-5q8h" + ], + "summary": "Artifact Hub arbitrary file read vulnerability in github.com/artifacthub/hub", + "details": "Artifact Hub arbitrary file read vulnerability in github.com/artifacthub/hub", + "affected": [ + { + "package": { + "name": "github.com/artifacthub/hub", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/artifacthub/hub/security/advisories/GHSA-hmq4-c2r4-5q8h" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45823" + }, + { + "type": "WEB", + "url": "https://artifacthub.io/packages/helm/artifact-hub/artifact-hub?modal=changelog\u0026version=1.16.0" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2136", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2156.json b/data/osv/GO-2023-2156.json new file mode 100644 index 000000000..e60d71238 --- /dev/null +++ b/data/osv/GO-2023-2156.json 
@@ -0,0 +1,83 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2156", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-w6rp-vxj2-fjhr" + ], + "summary": "Cosmos packet-forward-middleware vulnerable to chain-halt in github.com/cosmos/ibc-apps/middleware/packet-forward-middleware", + "details": "Cosmos packet-forward-middleware vulnerable to chain-halt in github.com/cosmos/ibc-apps/middleware/packet-forward-middleware", + "affected": [ + { + "package": { + "name": "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.1.1" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.2.1" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.1.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/cosmos/ibc-apps/security/advisories/GHSA-w6rp-vxj2-fjhr" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2156", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2159.json b/data/osv/GO-2023-2159.json new file mode 100644 index 000000000..93b6db28d --- /dev/null +++ b/data/osv/GO-2023-2159.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2159", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-25736", + "GHSA-35c7-w35f-xwgh" + ], + "summary": "Kube-proxy may unintentionally forward traffic in k8s.io/kubernetes", + "details": "Kube-proxy may unintentionally forward traffic in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-35c7-w35f-xwgh" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25736" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/b014610de3e5cf1bb0f7844b5758d29fc18b75e6" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/99958" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2159", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2166.json b/data/osv/GO-2023-2166.json new file mode 100644 index 000000000..41d9fae51 --- /dev/null +++ b/data/osv/GO-2023-2166.json 
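Review bot: The single range `introduced 0` / `fixed 1.21.0` for k8s.io/kubernetes marks every release before 1.21.0 as affected, collapsing all earlier release branches into one bucket. If the referenced fix (commit b014610de3e5…, PR 99958) was also backported to patch releases on the 1.18/1.19/1.20 branches, as the kubernetes-security-announce reference would suggest, those should be separate introduced/fixed pairs (e.g. `introduced: 1.20.0` / `fixed: 1.20.<patch>`) so users already on a patched 1.20.x are not reported by govulncheck; I cannot confirm the exact backport versions from this hunk. Since this JSON is generated, the range would be corrected in data/reports/GO-2023-2159.yaml, which is outside this chunk. Note also that `ecosystem_specific` is empty and the record is UNREVIEWED, so matching is at module level only; the move from the excluded `github.com/kubernetes/kubernetes` path to `k8s.io/kubernetes` is the right module path, but consumers should expect coarse, symbol-less matching.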
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2166", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-46255", + "GHSA-jg7w-cxjv-98c2" + ], + "summary": "SpiceDB leaks information in log files when URI cannot be parsed in github.com/authzed/spicedb", + "details": "SpiceDB leaks information in log files when URI cannot be parsed in github.com/authzed/spicedb", + "affected": [ + { + "package": { + "name": "github.com/authzed/spicedb", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.27.0-rc1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46255" + }, + { + "type": "FIX", + "url": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2166", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2170.json b/data/osv/GO-2023-2170.json new file mode 100644 index 000000000..1cf496ab2 --- /dev/null +++ b/data/osv/GO-2023-2170.json 
@@ -0,0 +1,124 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2023-2170", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2023-3955", + "GHSA-q78c-gwqw-jcmc" + ], + "summary": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes", + "details": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes", + "affected": [ + { + "package": { + "name": "k8s.io/kubernetes", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.17" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.13" + }, + { + "introduced": "1.26.0" + }, + { + "fixed": "1.26.8" + }, + { + "introduced": "1.27.0" + }, + { + "fixed": "1.27.5" + }, + { + "introduced": "1.28.0" + }, + { + "fixed": "1.28.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-q78c-gwqw-jcmc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3955" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/38c97fa67ed35f36e730856728c9e3807f63546a" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/50334505cd27cbe7cf71865388f25a00e29b2596" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/7da6d72c05dffb3b87e62e2bc8c3228ea12ba1b9" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/b7547e28f898af37aa2f1107a49111f963250fe6" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/commit/c4e17abb04728e3a3f9bb26e727b0f978df20ec9" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/119595" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/120128" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/120134" + }, + { + "type": 
"WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/120135" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/120136" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/120137" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/120138" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-announce/c/JrX4bb7d83E" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2170", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2023-2176.json b/data/osv/GO-2023-2176.json new file mode 100644 index 000000000..48a73f4be --- /dev/null +++ b/data/osv/GO-2023-2176.json 
@@ -0,0 +1,88 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2176",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-3893",
+ "GHSA-r6cc-7wj7-gfx2"
+ ],
+ "summary": "Kubernetes csi-proxy vulnerable to privilege escalation due to improper input validation in github.com/kubernetes-csi/csi-proxy",
+ "details": "Kubernetes csi-proxy vulnerable to privilege escalation due to improper input validation in github.com/kubernetes-csi/csi-proxy",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/kubernetes-csi/csi-proxy",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/kubernetes-csi/csi-proxy/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.0.0-alpha.0"
+ },
+ {
+ "fixed": "2.0.0-alpha.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-r6cc-7wj7-gfx2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3893"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kubernetes-csi/csi-proxy/commit/0e83a68159111e4ee510f5aa56d47ba97bda60c7"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kubernetes-csi/csi-proxy/commit/2523e6674dedf3de27f84235efec28555da24664"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/issues/119594"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/kubernetes-security-announce/c/lWksE2BoCyQ"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20231221-0004"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2176",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-2188.json b/data/osv/GO-2023-2188.json
new file mode 100644
index 000000000..f1ba602ab
--- /dev/null
+++ b/data/osv/GO-2023-2188.json
@@ -0,0 +1,76 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2188",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-r2xv-vpr2-42m9"
+ ],
+ "summary": "slsa-verifier vulnerable to mproper validation of npm's publish attestations in github.com/slsa-framework/slsa-verifier",
+ "details": "slsa-verifier vulnerable to mproper validation of npm's publish attestations in github.com/slsa-framework/slsa-verifier",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/slsa-framework/slsa-verifier",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/slsa-framework/slsa-verifier/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.1-rc.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/slsa-framework/slsa-verifier/security/advisories/GHSA-r2xv-vpr2-42m9"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/slsa-framework/slsa-verifier/commit/f6ae402f458b347d2c414f1d053fc1f8257888d0"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/slsa-framework/slsa-verifier/pull/705"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://openssf.slack.com/archives/C03PDLFET5W/p1695330038983179"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2188",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-2329.json b/data/osv/GO-2023-2329.json
new file mode 100644
index 000000000..49311977d
--- /dev/null
+++ b/data/osv/GO-2023-2329.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2329",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-5954",
+ "GHSA-4qhc-v8r6-8vwm"
+ ],
+ "summary": "HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault",
+ "details": "HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/vault",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.13.10"
+ },
+ {
+ "introduced": "1.14.0"
+ },
+ {
+ "fixed": "1.14.6"
+ },
+ {
+ "introduced": "1.15.0"
+ },
+ {
+ "fixed": "1.15.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4qhc-v8r6-8vwm"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5954"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20231227-0001"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2329",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-2330.json b/data/osv/GO-2023-2330.json
new file mode 100644
index 000000000..b5b301c10
--- /dev/null
+++ b/data/osv/GO-2023-2330.json
@@ -0,0 +1,128 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2330",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-3676",
+ "GHSA-7fxm-f474-hf8w"
+ ],
+ "summary": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes",
+ "details": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes",
+ "affected": [
+ {
+ "package": {
+ "name": "k8s.io/kubernetes",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.24.17"
+ },
+ {
+ "introduced": "1.25.0"
+ },
+ {
+ "fixed": "1.25.13"
+ },
+ {
+ "introduced": "1.26.0"
+ },
+ {
+ "fixed": "1.26.8"
+ },
+ {
+ "introduced": "1.27.0"
+ },
+ {
+ "fixed": "1.27.5"
+ },
+ {
+ "introduced": "1.28.0"
+ },
+ {
+ "fixed": "1.28.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-7fxm-f474-hf8w"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3676"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/commit/073f9ea33a93ddaecdc2e829150fb715f6387399"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/commit/39cc101c7855341c651a943b9836b50fbace8a6b"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/commit/74b617310c24ca84c2ec90c3858af745d65b5226"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/commit/890483394221c8f22e88c48f86cd4eaf4de65fd6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/commit/a53faf5e17ed0b0771a605c6401ba4cbf297b59a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/issues/119339"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/120127"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/120129"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/120130"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/120131"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/120132"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/120133"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/kubernetes-security-announce/c/d_fvHZ9a5zc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20231130-0007"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2330",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-2332.json b/data/osv/GO-2023-2332.json
new file mode 100644
index 000000000..037a0dc81
--- /dev/null
+++ b/data/osv/GO-2023-2332.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2332",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-47122",
+ "GHSA-xvrc-2wvh-49vc"
+ ],
+ "summary": "Gitsign's Rekor public keys fetched from upstream API instead of local TUF client. in github.com/sigstore/gitsign",
+ "details": "Gitsign's Rekor public keys fetched from upstream API instead of local TUF client. in github.com/sigstore/gitsign",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/sigstore/gitsign",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.6.0"
+ },
+ {
+ "fixed": "0.8.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47122"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/sigstore/gitsign/pull/399"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2332",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-2335.json b/data/osv/GO-2023-2335.json
new file mode 100644
index 000000000..eddfe685d
--- /dev/null
+++ b/data/osv/GO-2023-2335.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2335",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-42813",
+ "GHSA-wc3x-5rfv-hh5v"
+ ],
+ "summary": "Denial of service from malicious manifest in kyverno in github.com/kyverno/kyverno",
+ "details": "Denial of service from malicious manifest in kyverno in github.com/kyverno/kyverno",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/kyverno/kyverno",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.5.0-rc1.0.20230601080528-80d139bb5d1d"
+ },
+ {
+ "fixed": "1.5.0-rc1.0.20230918070231-fec2992e3f9f"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-wc3x-5rfv-hh5v"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42813"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/pull/8428"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2335",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-2336.json b/data/osv/GO-2023-2336.json
new file mode 100644
index 000000000..efa3e2c17
--- /dev/null
+++ b/data/osv/GO-2023-2336.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2336",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-42814",
+ "GHSA-9g37-h7p2-2c6r"
+ ],
+ "summary": "Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno",
+ "details": "Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/kyverno/kyverno",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.5.0-rc1.0.20230601080528-80d139bb5d1d"
+ },
+ {
+ "fixed": "1.5.0-rc1.0.20230918070231-fec2992e3f9f"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-9g37-h7p2-2c6r"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42814"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/pull/8428"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2336",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-2337.json b/data/osv/GO-2023-2337.json
new file mode 100644
index 000000000..849c7d8a9
--- /dev/null
+++ b/data/osv/GO-2023-2337.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2337",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-42815",
+ "GHSA-hjpv-68f4-2262"
+ ],
+ "summary": "Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno",
+ "details": "Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/kyverno/kyverno",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.5.0-rc1.0.20230601080528-80d139bb5d1d"
+ },
+ {
+ "fixed": "1.5.0-rc1.0.20230918070231-fec2992e3f9f"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hjpv-68f4-2262"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42815"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/pull/8428"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2337",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-2338.json b/data/osv/GO-2023-2338.json
new file mode 100644
index 000000000..82f51f4b4
--- /dev/null
+++ b/data/osv/GO-2023-2338.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2338",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-42816",
+ "GHSA-4mp4-46gq-hv3r"
+ ],
+ "summary": "Denial of service from malicious signature in kyverno in github.com/kyverno/kyverno",
+ "details": "Denial of service from malicious signature in kyverno in github.com/kyverno/kyverno",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/kyverno/kyverno",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.5.0-rc1.0.20230601080528-80d139bb5d1d"
+ },
+ {
+ "fixed": "1.5.0-rc1.0.20230918070231-fec2992e3f9f"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42816"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kyverno/kyverno/pull/8428"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2338",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-2097.yaml b/data/reports/GO-2023-2097.yaml
new file mode 100644
index 000000000..b17b8aa7e
--- /dev/null
+++ b/data/reports/GO-2023-2097.yaml
@@ -0,0 +1,24 @@
+id: GO-2023-2097
+modules:
+ - module: github.com/charmbracelet/soft-serve
+ versions:
+ - fixed: 0.6.2
+ vulnerable_at: 0.6.1
+summary: |-
+ Soft Serve Public Key Authentication Bypass Vulnerability when
+ Keyboard-Interactive SSH Authentication is Enabled in github.com/charmbracelet/soft-serve
+cves:
+ - CVE-2023-43809
+ghsas:
+ - GHSA-mc97-99j4-vm2v
+references:
+ - advisory: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-mc97-99j4-vm2v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-43809
+ - fix: https://github.com/charmbracelet/soft-serve/commit/407c4ec72d1006cee1ff8c1775e5bcc091c2bc89
+ - report: https://github.com/charmbracelet/soft-serve/issues/389
+ - web: https://github.com/charmbracelet/soft-serve/releases/tag/v0.6.2
+source:
+ id: GHSA-mc97-99j4-vm2v
+ created: 2024-08-20T12:06:29.937361-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2109.yaml b/data/reports/GO-2023-2109.yaml
new file mode 100644
index 000000000..0624ade8b
--- /dev/null
+++ b/data/reports/GO-2023-2109.yaml
@@ -0,0 +1,27 @@
+id: GO-2023-2109
+modules:
+ - module: github.com/goharbor/harbor
+ versions:
+ - fixed: 1.10.18
+ - introduced: 2.0.0+incompatible
+ - fixed: 2.7.3+incompatible
+ - introduced: 2.8.0+incompatible
+ - fixed: 2.8.3+incompatible
+ vulnerable_at: 2.8.3-rc1+incompatible
+summary: Harbor timing attack risk in github.com/goharbor/harbor
+cves:
+ - CVE-2023-20902
+ghsas:
+ - GHSA-mq6f-5xh5-hgcf
+references:
+ - advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-20902
+ - web: https://github.com/goharbor/harbor/blob/aaea068cceb4063ab89313d9785f2b40f35b0d63/src/jobservice/api/authenticator.go#L69-L69
+ - web: https://github.com/goharbor/harbor/releases/tag/v1.10.18
+ - web: https://github.com/goharbor/harbor/releases/tag/v2.7.3
+ - web: https://github.com/goharbor/harbor/releases/tag/v2.8.3
+source:
+ id: GHSA-mq6f-5xh5-hgcf
+ created: 2024-08-20T12:07:00.93262-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2121.yaml b/data/reports/GO-2023-2121.yaml
new file mode 100644
index 000000000..16652f93e
--- /dev/null
+++ b/data/reports/GO-2023-2121.yaml
@@ -0,0 +1,20 @@
+id: GO-2023-2121
+modules:
+ - module: github.com/openfga/openfga
+ versions:
+ - fixed: 1.3.4
+ vulnerable_at: 1.3.3
+summary: OpenFGA DoS vulnerability in github.com/openfga/openfga
+cves:
+ - CVE-2023-45810
+ghsas:
+ - GHSA-hr4f-6jh8-f2vq
+references:
+ - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-hr4f-6jh8-f2vq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45810
+ - web: https://github.com/openfga/openfga/releases/tag/v1.3.4
+source:
+ id: GHSA-hr4f-6jh8-f2vq
+ created: 2024-08-20T12:07:25.584212-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2125.yaml b/data/reports/GO-2023-2125.yaml
new file mode 100644
index 000000000..82510cdde
--- /dev/null
+++ b/data/reports/GO-2023-2125.yaml
@@ -0,0 +1,23 @@
+id: GO-2023-2125
+modules:
+ - module: k8s.io/kops
+ versions:
+ - fixed: 1.25.4
+ - introduced: 1.26.0
+ - fixed: 1.26.2
+ vulnerable_at: 1.26.1
+summary: kOps privilege escalation vulnerability in k8s.io/kops
+cves:
+ - CVE-2023-1943
+ghsas:
+ - GHSA-8gwj-m6vh-2g6j
+references:
+ - advisory: https://github.com/advisories/GHSA-8gwj-m6vh-2g6j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-1943
+ - web: https://github.com/kubernetes/kops/issues/15539
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/yrCE1x89oaU
+source:
+ id: GHSA-8gwj-m6vh-2g6j
+ created: 2024-08-20T12:07:41.540093-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2134.yaml b/data/reports/GO-2023-2134.yaml
new file mode 100644
index 000000000..cf6331c4b
--- /dev/null
+++ b/data/reports/GO-2023-2134.yaml
@@ -0,0 +1,22 @@
+id: GO-2023-2134
+modules:
+ - module: github.com/artifacthub/hub
+ versions:
+ - fixed: 1.16.0
+ vulnerable_at: 1.15.0
+summary: Artifact Hub allows unsafe rego built-in in github.com/artifacthub/hub
+cves:
+ - CVE-2023-45822
+ghsas:
+ - GHSA-9pc8-m4vp-ggvf
+references:
+ - advisory: https://github.com/artifacthub/hub/security/advisories/GHSA-9pc8-m4vp-ggvf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45822
+ - web: https://artifacthub.io/packages/helm/artifact-hub/artifact-hub?modal=changelog&version=1.16.0
+ - web: https://www.openpolicyagent.org
+ - web: https://www.openpolicyagent.org/docs/latest/#rego
+source:
+ id: GHSA-9pc8-m4vp-ggvf
+ created: 2024-08-20T12:07:53.798395-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2135.yaml b/data/reports/GO-2023-2135.yaml
new file mode 100644
index 000000000..389f7c0a3
--- /dev/null
+++ b/data/reports/GO-2023-2135.yaml
@@ -0,0 +1,20 @@
+id: GO-2023-2135
+modules:
+ - module: github.com/artifacthub/hub
+ versions:
+ - fixed: 1.16.0
+ vulnerable_at: 1.15.0
+summary: Artifact Hub has Incorrect Docker Hub registry check in github.com/artifacthub/hub
+cves:
+ - CVE-2023-45821
+ghsas:
+ - GHSA-g6pq-x539-7w4j
+references:
+ - advisory: https://github.com/artifacthub/hub/security/advisories/GHSA-g6pq-x539-7w4j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45821
+ - web: https://artifacthub.io/packages/helm/artifact-hub/artifact-hub?modal=changelog&version=1.16.0
+source:
+ id: GHSA-g6pq-x539-7w4j
+ created: 2024-08-20T12:07:57.236334-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2136.yaml b/data/reports/GO-2023-2136.yaml
new file mode 100644
index 000000000..97601250f
--- /dev/null
+++ b/data/reports/GO-2023-2136.yaml
@@ -0,0 +1,20 @@
+id: GO-2023-2136
+modules:
+ - module: github.com/artifacthub/hub
+ versions:
+ - fixed: 1.16.0
+ vulnerable_at: 1.15.0
+summary: Artifact Hub arbitrary file read vulnerability in github.com/artifacthub/hub
+cves:
+ - CVE-2023-45823
+ghsas:
+ - GHSA-hmq4-c2r4-5q8h
+references:
+ - advisory: https://github.com/artifacthub/hub/security/advisories/GHSA-hmq4-c2r4-5q8h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45823
+ - web: https://artifacthub.io/packages/helm/artifact-hub/artifact-hub?modal=changelog&version=1.16.0
+source:
+ id: GHSA-hmq4-c2r4-5q8h
+ created: 2024-08-20T12:08:00.41184-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2156.yaml b/data/reports/GO-2023-2156.yaml
new file mode 100644
index 000000000..03806047b
--- /dev/null
+++ b/data/reports/GO-2023-2156.yaml
@@ -0,0 +1,24 @@
+id: GO-2023-2156
+modules:
+ - module: github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v4
+ versions:
+ - fixed: 4.1.1
+ vulnerable_at: 4.1.0
+ - module: github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v5
+ versions:
+ - fixed: 5.2.1
+ vulnerable_at: 5.2.0
+ - module: github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v6
+ versions:
+ - fixed: 6.1.1
+ vulnerable_at: 6.1.0
+summary: Cosmos packet-forward-middleware vulnerable to chain-halt in github.com/cosmos/ibc-apps/middleware/packet-forward-middleware
+ghsas:
+ - GHSA-w6rp-vxj2-fjhr
+references:
+ - advisory: https://github.com/cosmos/ibc-apps/security/advisories/GHSA-w6rp-vxj2-fjhr
+source:
+ id: GHSA-w6rp-vxj2-fjhr
+ created: 2024-08-20T12:08:59.301016-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2159.yaml b/data/reports/GO-2023-2159.yaml
new file mode 100644
index 000000000..bd7dc86e8
--- /dev/null
+++ b/data/reports/GO-2023-2159.yaml
@@ -0,0 +1,22 @@
+id: GO-2023-2159
+modules:
+ - module: k8s.io/kubernetes
+ versions:
+ - fixed: 1.21.0
+ vulnerable_at: 1.21.0-rc.0
+summary: Kube-proxy may unintentionally forward traffic in k8s.io/kubernetes
+cves:
+ - CVE-2021-25736
+ghsas:
+ - GHSA-35c7-w35f-xwgh
+references:
+ - advisory: https://github.com/advisories/GHSA-35c7-w35f-xwgh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-25736
+ - web: https://github.com/kubernetes/kubernetes/commit/b014610de3e5cf1bb0f7844b5758d29fc18b75e6
+ - web: https://github.com/kubernetes/kubernetes/pull/99958
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ
+source:
+ id: GHSA-35c7-w35f-xwgh
+ created: 2024-08-20T12:09:57.498452-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2023-2166.yaml b/data/reports/GO-2023-2166.yaml
new file mode 100644
index 000000000..d2fa6b87e
--- /dev/null
+++ b/data/reports/GO-2023-2166.yaml
@@ -0,0 +1,20 @@
+id: GO-2023-2166
+modules:
+ - module: github.com/authzed/spicedb
+ versions:
+ - fixed: 1.27.0-rc1
+ vulnerable_at: 1.26.0
+summary: SpiceDB leaks information in log files when URI cannot be parsed in github.com/authzed/spicedb
+cves:
+ - CVE-2023-46255
+ghsas:
+ - GHSA-jg7w-cxjv-98c2
+references:
+ - advisory: https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-46255
+ - fix: https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8
+source:
+ id: GHSA-jg7w-cxjv-98c2
+ created: 2024-08-20T12:12:09.030844-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2170.yaml b/data/reports/GO-2023-2170.yaml
new file mode 100644
index 000000000..8439cb9b8
--- /dev/null
+++ b/data/reports/GO-2023-2170.yaml
@@ -0,0 +1,40 @@
+id: GO-2023-2170
+modules:
+ - module: k8s.io/kubernetes
+ versions:
+ - fixed: 1.24.17
+ - introduced: 1.25.0
+ - fixed: 1.25.13
+ - introduced: 1.26.0
+ - fixed: 1.26.8
+ - introduced: 1.27.0
+ - fixed: 1.27.5
+ - introduced: 1.28.0
+ - fixed: 1.28.1
+ vulnerable_at: 1.28.0
+summary: Kubernetes privilege escalation vulnerability in k8s.io/kubernetes
+cves:
+ - CVE-2023-3955
+ghsas:
+ - GHSA-q78c-gwqw-jcmc
+references:
+ - advisory: https://github.com/advisories/GHSA-q78c-gwqw-jcmc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-3955
+ - web: https://github.com/kubernetes/kubernetes/commit/38c97fa67ed35f36e730856728c9e3807f63546a
+ - web: https://github.com/kubernetes/kubernetes/commit/50334505cd27cbe7cf71865388f25a00e29b2596
+ - web: https://github.com/kubernetes/kubernetes/commit/7da6d72c05dffb3b87e62e2bc8c3228ea12ba1b9
+ - web: https://github.com/kubernetes/kubernetes/commit/b7547e28f898af37aa2f1107a49111f963250fe6
+ - web: https://github.com/kubernetes/kubernetes/commit/c4e17abb04728e3a3f9bb26e727b0f978df20ec9
+ - web: https://github.com/kubernetes/kubernetes/issues/119595
+ - web: https://github.com/kubernetes/kubernetes/pull/120128
+ - web: https://github.com/kubernetes/kubernetes/pull/120134
+ - web: https://github.com/kubernetes/kubernetes/pull/120135
+ - web: https://github.com/kubernetes/kubernetes/pull/120136
+ - web: https://github.com/kubernetes/kubernetes/pull/120137
+ - web: https://github.com/kubernetes/kubernetes/pull/120138
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/JrX4bb7d83E
+source:
+ id: GHSA-q78c-gwqw-jcmc
+ created: 2024-08-20T12:12:15.292286-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2176.yaml b/data/reports/GO-2023-2176.yaml
new file mode 100644
index 000000000..5671cc847
--- /dev/null
+++ b/data/reports/GO-2023-2176.yaml
@@ -0,0 +1,31 @@
+id: GO-2023-2176
+modules:
+ - module: github.com/kubernetes-csi/csi-proxy
+ versions:
+ - fixed: 1.1.3
+ vulnerable_at: 1.1.2
+ - module: github.com/kubernetes-csi/csi-proxy/v2
+ versions:
+ - introduced: 2.0.0-alpha.0
+ - fixed: 2.0.0-alpha.1
+ vulnerable_at: 2.0.0-alpha.0
+summary: |-
+ Kubernetes csi-proxy vulnerable to privilege escalation due to improper input
+ validation in github.com/kubernetes-csi/csi-proxy
+cves:
+ - CVE-2023-3893
+ghsas:
+ - GHSA-r6cc-7wj7-gfx2
+references:
+ - advisory: https://github.com/advisories/GHSA-r6cc-7wj7-gfx2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-3893
+ - fix: https://github.com/kubernetes-csi/csi-proxy/commit/0e83a68159111e4ee510f5aa56d47ba97bda60c7
+ - fix: https://github.com/kubernetes-csi/csi-proxy/commit/2523e6674dedf3de27f84235efec28555da24664
+ - web: https://github.com/kubernetes/kubernetes/issues/119594
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/lWksE2BoCyQ
+ - web: https://security.netapp.com/advisory/ntap-20231221-0004
+source:
+ id: GHSA-r6cc-7wj7-gfx2
+ created: 2024-08-20T12:12:47.529416-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2188.yaml b/data/reports/GO-2023-2188.yaml
new file mode 100644
index 000000000..8900ecde9
--- /dev/null
+++ b/data/reports/GO-2023-2188.yaml
@@ -0,0 +1,24 @@
+id: GO-2023-2188
+modules:
+ - module: github.com/slsa-framework/slsa-verifier
+ unsupported_versions:
+ - last_affected: 1.4.1
+ vulnerable_at: 1.4.1
+ - module: github.com/slsa-framework/slsa-verifier/v2
+ versions:
+ - fixed: 2.4.1-rc.0
+ vulnerable_at: 2.4.0
+summary: slsa-verifier vulnerable to mproper validation of npm's publish attestations in github.com/slsa-framework/slsa-verifier
+ghsas:
+ - GHSA-r2xv-vpr2-42m9
+references:
+ - advisory: https://github.com/slsa-framework/slsa-verifier/security/advisories/GHSA-r2xv-vpr2-42m9
+ - fix: https://github.com/slsa-framework/slsa-verifier/commit/f6ae402f458b347d2c414f1d053fc1f8257888d0
+ - fix: https://github.com/slsa-framework/slsa-verifier/pull/705
+ - web: https://github.com/npm/attestation/tree/main/specs/publish/v0.1
+ - web: https://openssf.slack.com/archives/C03PDLFET5W/p1695330038983179
+source:
+ id: GHSA-r2xv-vpr2-42m9
+ created: 2024-08-20T12:14:33.24565-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2329.yaml b/data/reports/GO-2023-2329.yaml
new file mode 100644
index 000000000..cfc03726a
--- /dev/null
+++ b/data/reports/GO-2023-2329.yaml
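Review bot: The summary line carries a typo inherited from the upstream advisory text, `mproper validation` for `improper validation`; the corrected line is `summary: slsa-verifier vulnerable to improper validation of npm's publish attestations in github.com/slsa-framework/slsa-verifier`. The same string is emitted into both `summary` and `details` of the generated data/osv/GO-2023-2188.json hunk above, so it should be fixed here at the YAML source rather than in the output. Separately, the unversioned module is described only by `unsupported_versions: - last_affected: 1.4.1`, which the generated OSV renders as an `introduced: 0` range with no `fixed` event, so every version of github.com/slsa-framework/slsa-verifier is reported as affected; if that is the intent for an unfixed major, a one-line `notes:` entry saying so would spare the next reviewer the same question.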
@@ -0,0 +1,25 @@
+id: GO-2023-2329
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - fixed: 1.13.10
+ - introduced: 1.14.0
+ - fixed: 1.14.6
+ - introduced: 1.15.0
+ - fixed: 1.15.2
+ vulnerable_at: 1.15.1
+summary: HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault
+cves:
+ - CVE-2023-5954
+ghsas:
+ - GHSA-4qhc-v8r6-8vwm
+references:
+ - advisory: https://github.com/advisories/GHSA-4qhc-v8r6-8vwm
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-5954
+ - web: https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926
+ - web: https://security.netapp.com/advisory/ntap-20231227-0001
+source:
+ id: GHSA-4qhc-v8r6-8vwm
+ created: 2024-08-20T12:14:37.491622-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2330.yaml b/data/reports/GO-2023-2330.yaml
new file mode 100644
index 000000000..daa912e7f
--- /dev/null
+++ b/data/reports/GO-2023-2330.yaml
@@ -0,0 +1,41 @@
+id: GO-2023-2330
+modules:
+ - module: k8s.io/kubernetes
+ versions:
+ - fixed: 1.24.17
+ - introduced: 1.25.0
+ - fixed: 1.25.13
+ - introduced: 1.26.0
+ - fixed: 1.26.8
+ - introduced: 1.27.0
+ - fixed: 1.27.5
+ - introduced: 1.28.0
+ - fixed: 1.28.1
+ vulnerable_at: 1.28.0
+summary: Kubernetes privilege escalation vulnerability in k8s.io/kubernetes
+cves:
+ - CVE-2023-3676
+ghsas:
+ - GHSA-7fxm-f474-hf8w
+references:
+ - advisory: https://github.com/advisories/GHSA-7fxm-f474-hf8w
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-3676
+ - web: https://github.com/kubernetes/kubernetes/commit/073f9ea33a93ddaecdc2e829150fb715f6387399
+ - web: https://github.com/kubernetes/kubernetes/commit/39cc101c7855341c651a943b9836b50fbace8a6b
+ - web: https://github.com/kubernetes/kubernetes/commit/74b617310c24ca84c2ec90c3858af745d65b5226
+ - web: https://github.com/kubernetes/kubernetes/commit/890483394221c8f22e88c48f86cd4eaf4de65fd6
+ - web: https://github.com/kubernetes/kubernetes/commit/a53faf5e17ed0b0771a605c6401ba4cbf297b59a
+ - web: https://github.com/kubernetes/kubernetes/issues/119339
+ - web: https://github.com/kubernetes/kubernetes/pull/120127
+ - web: https://github.com/kubernetes/kubernetes/pull/120129
+ - web: https://github.com/kubernetes/kubernetes/pull/120130
+ - web: https://github.com/kubernetes/kubernetes/pull/120131
+ - web: https://github.com/kubernetes/kubernetes/pull/120132
+ - web: https://github.com/kubernetes/kubernetes/pull/120133
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/d_fvHZ9a5zc
+ - web: https://security.netapp.com/advisory/ntap-20231130-0007
+source:
+ id: GHSA-7fxm-f474-hf8w
+ created: 2024-08-20T12:14:41.740115-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2332.yaml b/data/reports/GO-2023-2332.yaml
new file mode 100644
index 000000000..dc81dff10
--- /dev/null
+++ b/data/reports/GO-2023-2332.yaml
@@ -0,0 +1,25 @@
+id: GO-2023-2332
+modules:
+ - module: github.com/sigstore/gitsign
+ versions:
+ - introduced: 0.6.0
+ - fixed: 0.8.0
+ vulnerable_at: 0.7.1
+summary: |-
+ Gitsign's Rekor public keys fetched from upstream API instead of local TUF
+ client. in github.com/sigstore/gitsign
+cves:
+ - CVE-2023-47122
+ghsas:
+ - GHSA-xvrc-2wvh-49vc
+references:
+ - advisory: https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-47122
+ - fix: https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236
+ - fix: https://github.com/sigstore/gitsign/pull/399
+ - web: https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model
+source:
+ id: GHSA-xvrc-2wvh-49vc
+ created: 2024-08-20T12:14:51.187879-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2335.yaml b/data/reports/GO-2023-2335.yaml
new file mode 100644
index 000000000..686bca261
--- /dev/null
+++ b/data/reports/GO-2023-2335.yaml
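Review bot: The `summary` of GO-2023-2332 is the upstream advisory title with the module suffix appended after its closing period, so it reads "…local TUF client. in github.com/sigstore/gitsign" and is split across a `|-` block for no reason. A single-line sentence such as `summary: Gitsign fetches Rekor public keys from the upstream API instead of the local TUF client in github.com/sigstore/gitsign` keeps the same content and drops the stray period. The rest of the report (version range, fix commit and PR, advisory references) looks consistent.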
@@ -0,0 +1,24 @@
+id: GO-2023-2335
+modules:
+ - module: github.com/kyverno/kyverno
+ versions:
+ - introduced: 1.5.0-rc1.0.20230601080528-80d139bb5d1d
+ - fixed: 1.5.0-rc1.0.20230918070231-fec2992e3f9f
+summary: Denial of service from malicious manifest in kyverno in github.com/kyverno/kyverno
+cves:
+ - CVE-2023-42813
+ghsas:
+ - GHSA-wc3x-5rfv-hh5v
+references:
+ - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-wc3x-5rfv-hh5v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-42813
+ - fix: https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2
+ - fix: https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b
+ - fix: https://github.com/kyverno/kyverno/pull/8428
+notes:
+ - fix: 'github.com/kyverno/kyverno: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: CVE-2023-42813
+ created: 2024-08-20T12:14:55.832408-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2336.yaml b/data/reports/GO-2023-2336.yaml
new file mode 100644
index 000000000..c0600fe8c
--- /dev/null
+++ b/data/reports/GO-2023-2336.yaml
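Review bot: The `introduced` bound of GO-2023-2335 is a pseudo-version built on commit 80d139bb5d1d, and the same commit is listed under `references` as a `fix`, so either the introduced bound or that reference's type looks mislabeled; GO-2023-2336, GO-2023-2337 and GO-2023-2338 carry the identical range and references and have the same problem. Because both bounds are pseudo-versions on 1.5.0-rc1, every tagged kyverno release above 1.5.0-rc1 compares as fixed under Go version ordering, so if the advisory's affected range actually covers later tagged releases, govulncheck would report those users as clean; the `notes` entry saying no tagged version exists between the bounds is a symptom of the same range. Worth confirming the introduced/fixed versions against the advisory and the PR before `review_status` leaves UNREVIEWED.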
@@ -0,0 +1,24 @@
+id: GO-2023-2336
+modules:
+ - module: github.com/kyverno/kyverno
+ versions:
+ - introduced: 1.5.0-rc1.0.20230601080528-80d139bb5d1d
+ - fixed: 1.5.0-rc1.0.20230918070231-fec2992e3f9f
+summary: Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno
+cves:
+ - CVE-2023-42814
+ghsas:
+ - GHSA-9g37-h7p2-2c6r
+references:
+ - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-9g37-h7p2-2c6r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-42814
+ - fix: https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2
+ - fix: https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b
+ - fix: https://github.com/kyverno/kyverno/pull/8428
+notes:
+ - fix: 'github.com/kyverno/kyverno: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: CVE-2023-42814
+ created: 2024-08-20T12:15:36.878666-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2337.yaml b/data/reports/GO-2023-2337.yaml
new file mode 100644
index 000000000..f643474f0
--- /dev/null
+++ b/data/reports/GO-2023-2337.yaml
@@ -0,0 +1,24 @@
+id: GO-2023-2337
+modules:
+ - module: github.com/kyverno/kyverno
+ versions:
+ - introduced: 1.5.0-rc1.0.20230601080528-80d139bb5d1d
+ - fixed: 1.5.0-rc1.0.20230918070231-fec2992e3f9f
+summary: Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno
+cves:
+ - CVE-2023-42815
+ghsas:
+ - GHSA-hjpv-68f4-2262
+references:
+ - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-hjpv-68f4-2262
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-42815
+ - fix: https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2
+ - fix: https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b
+ - fix: https://github.com/kyverno/kyverno/pull/8428
+notes:
+ - fix: 'github.com/kyverno/kyverno: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: CVE-2023-42815
+ created: 2024-08-20T12:15:40.666824-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2338.yaml b/data/reports/GO-2023-2338.yaml
new file mode 100644
index 000000000..c8f54e32d
--- /dev/null
+++ b/data/reports/GO-2023-2338.yaml
@@ -0,0 +1,24 @@
+id: GO-2023-2338
+modules:
+ - module: github.com/kyverno/kyverno
+ versions:
+ - introduced: 1.5.0-rc1.0.20230601080528-80d139bb5d1d
+ - fixed: 1.5.0-rc1.0.20230918070231-fec2992e3f9f
+summary: Denial of service from malicious signature in kyverno in github.com/kyverno/kyverno
+cves:
+ - CVE-2023-42816
+ghsas:
+ - GHSA-4mp4-46gq-hv3r
+references:
+ - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-42816
+ - fix: https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2
+ - fix: https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b
+ - fix: https://github.com/kyverno/kyverno/pull/8428
+notes:
+ - fix: 'github.com/kyverno/kyverno: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: CVE-2023-42816
+ created: 2024-08-20T12:15:43.673781-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE