data/reports: add missing/related aliases for regular reports

Quite a few missing aliases were found via the osv.dev API. In many
cases, these are derived from GHSAs which have a "repo-level" advisory
but not a "global-level" advisory, and are therefore not accessible
via the GitHub GraphQL API.

The osv.dev database in some cases considers two IDs to be
aliases which we would consider only "related". A best-effort
attempt was made to distinguish between false positives (which were
placed in the "related" section), and true positives.

Change-Id: I6e0e3c790cf36ded6a0c84c2ded254f4b0f37e99
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/581716
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/osv/GO-2020-0019.json b/data/osv/GO-2020-0019.json
index 06e40f3..e5a40ad 100644
--- a/data/osv/GO-2020-0019.json
+++ b/data/osv/GO-2020-0019.json
@@ -5,7 +5,8 @@
   "published": "2021-04-14T20:04:52Z",
   "aliases": [
     "CVE-2020-27813",
-    "GHSA-3xh2-74w9-5vxm"
+    "GHSA-3xh2-74w9-5vxm",
+    "GHSA-jf24-p9p9-4rjh"
   ],
   "summary": "Integer overflow in github.com/gorilla/websocket",
   "details": "An attacker can craft malicious WebSocket frames that cause an integer overflow in a variable which tracks the number of bytes remaining. This may cause the server or client to get stuck attempting to read frames in a loop, which can be used as a denial of service vector.",
diff --git a/data/osv/GO-2020-0050.json b/data/osv/GO-2020-0050.json
index d2b4c58..b4999b9 100644
--- a/data/osv/GO-2020-0050.json
+++ b/data/osv/GO-2020-0050.json
@@ -7,6 +7,12 @@
     "CVE-2020-15216",
     "GHSA-q547-gmf8-8jr7"
   ],
+  "related": [
+    "CVE-2020-26290",
+    "CVE-2020-27847",
+    "GHSA-2x32-jm95-2cpx",
+    "GHSA-m9hp-7r99-94h5"
+  ],
   "summary": "XML digital signature validation bypass in github.com/russellhaering/goxmldsig",
   "details": "Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.",
   "affected": [
diff --git a/data/osv/GO-2022-0248.json b/data/osv/GO-2022-0248.json
index becd323..362dae7 100644
--- a/data/osv/GO-2022-0248.json
+++ b/data/osv/GO-2022-0248.json
@@ -8,6 +8,9 @@
     "GHSA-cqh2-vc2f-q4fh",
     "GHSA-8459-6rc9-8vf8"
   ],
+  "related": [
+    "GHSA-3jhm-87m6-x959"
+  ],
   "summary": "Directory traversal in manifest path extraction in github.com/cloudflare/cfrpki",
   "details": "Manifest path extraction is vulnerable to directory traversal attacks.\n\nThe ExtractPathManifest function permits file paths containing relative directory components (\"..\"), permitting files to reference arbitrary locations on the filesystem.",
   "affected": [
diff --git a/data/osv/GO-2022-0322.json b/data/osv/GO-2022-0322.json
index 0598d8b..ff2b2e6 100644
--- a/data/osv/GO-2022-0322.json
+++ b/data/osv/GO-2022-0322.json
@@ -7,6 +7,12 @@
     "CVE-2022-21698",
     "GHSA-cg3q-j54f-5p7p"
   ],
+  "related": [
+    "CVE-2023-25151",
+    "CVE-2023-45142",
+    "GHSA-5r5m-65gx-7vrh",
+    "GHSA-rcjv-mgp8-qvmr"
+  ],
   "summary": "Uncontrolled resource consumption in github.com/prometheus/client_golang",
   "details": "The Prometheus client_golang HTTP server is vulnerable to a denial of service attack when handling requests with non-standard HTTP methods.\n\nIn order to be affected, an instrumented software must use any of the promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass a metric with a \"method\" label name to a middleware; and not have any firewall/LB/proxy that filters away requests with unknown \"method\".",
   "affected": [
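Review bot: In the new related block, CVE-2023-25151 / GHSA-5r5m-65gx-7vrh and CVE-2023-45142 / GHSA-rcjv-mgp8-qvmr are the aliases of GO-2023-1546 and GO-2023-2113, both edited in this same change, but the GO IDs themselves are not listed. Consider adding the GO IDs too, or documenting that related holds only CVE and GHSA IDs, so a consumer keyed on GO IDs can follow the link between the three reports.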
diff --git a/data/osv/GO-2022-0427.json b/data/osv/GO-2022-0427.json
index 70011c5..954cb5c 100644
--- a/data/osv/GO-2022-0427.json
+++ b/data/osv/GO-2022-0427.json
@@ -6,6 +6,7 @@
   "aliases": [
     "CVE-2022-24863",
     "CVE-2024-25712",
+    "GHSA-49w7-5r33-jm9m",
     "GHSA-xg75-q3q5-cqmv"
   ],
   "summary": "Unprotected file upload in github.com/swaggo/http-swagger",
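Review bot: The aliases list here already holds two CVEs from different years (CVE-2022-24863 and CVE-2024-25712), and the added GHSA-49w7-5r33-jm9m goes in as a full alias alongside both. The commit message notes that osv.dev sometimes treats merely related IDs as aliases, so confirm this GHSA describes the same issue as the summary ("Unprotected file upload") and does not belong under related instead.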
diff --git a/data/osv/GO-2022-0962.json b/data/osv/GO-2022-0962.json
index b43fc5c..a026998 100644
--- a/data/osv/GO-2022-0962.json
+++ b/data/osv/GO-2022-0962.json
@@ -7,6 +7,10 @@
     "CVE-2022-36055",
     "GHSA-7hfp-qfw3-5jxh"
   ],
+  "related": [
+    "CVE-2022-36049",
+    "GHSA-p2g7-xwvr-rrw3"
+  ],
   "summary": "Denial of service through string value parsing in helm.sh/helm/v3",
   "details": "Applications that use the strvals package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from.\n\nThe strvals package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like --set, --set-string, and others that enable the user to pass in strings that are merged into the values. The strvals package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic.\n\nThe Helm Client will panic with input to --set, --set-string, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.",
   "affected": [
diff --git a/data/osv/GO-2022-1008.json b/data/osv/GO-2022-1008.json
index f0cb4c8..9e11772 100644
--- a/data/osv/GO-2022-1008.json
+++ b/data/osv/GO-2022-1008.json
@@ -7,6 +7,16 @@
     "CVE-2022-2990",
     "GHSA-fjm8-m7m6-2fjp"
   ],
+  "related": [
+    "CVE-2022-2989",
+    "CVE-2022-2995",
+    "CVE-2022-36109",
+    "CVE-2023-25173",
+    "GHSA-4wjj-jwc9-2x96",
+    "GHSA-hmfx-3pcx-653p",
+    "GHSA-phjr-8j92-w5v7",
+    "GHSA-rc4r-wh2q-q6c4"
+  ],
   "summary": "Unauthorized file access in github.com/containers/buildah",
   "details": "SGID programs executed in a container can access files that have negative group permissions for the user's primary group.\n\nConsider a file which is owned by user u1 and group g1, permits user and other read access, and does NOT permit group read access. This file is readable by u1 and all other users except for ones in group g1.\n\nA program with the set-group-ID (SGID) bit set assumes the primary group of the program's group when it executes.\n\nA user with the primary group g1 who executes an SGID program owned by group g2 should not be able to access the file described above. While the program executes with the primary group g2, the group g1 should remain in its supplementary groups, blocking access to the file.\n\nBuildah does not correctly add g1 to the supplementary groups in this scenario, permitting unauthorized access.",
   "affected": [
diff --git a/data/osv/GO-2023-1546.json b/data/osv/GO-2023-1546.json
index 12a2ee4..5b1e8ab 100644
--- a/data/osv/GO-2023-1546.json
+++ b/data/osv/GO-2023-1546.json
@@ -7,6 +7,12 @@
     "CVE-2023-25151",
     "GHSA-5r5m-65gx-7vrh"
   ],
+  "related": [
+    "CVE-2022-21698",
+    "CVE-2023-45142",
+    "GHSA-cg3q-j54f-5p7p",
+    "GHSA-rcjv-mgp8-qvmr"
+  ],
   "summary": "Denial of service in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",
   "details": "The otelhttp package of opentelemetry-go-contrib is vulnerable to a denial-of-service attack.\n\nThe otelhttp package uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.request_content_length, http.server.response_content_length, and http.server.duration instruments. The ServerRequest function sets the http.target attribute value to be the whole request URI (including the query string). The metric instruments do not \"forget\" previous measurement attributes when \"cumulative\" temporality is used, meaning that the cardinality of the measurements allocated is directly correlated with the unique URIs handled. If the query string is constantly random, this will result in a constant increase in memory allocation that can be used in a denial-of-service attack.",
   "affected": [
diff --git a/data/osv/GO-2023-1574.json b/data/osv/GO-2023-1574.json
index 2f9f56d..895e517 100644
--- a/data/osv/GO-2023-1574.json
+++ b/data/osv/GO-2023-1574.json
@@ -7,6 +7,16 @@
     "CVE-2023-25173",
     "GHSA-hmfx-3pcx-653p"
   ],
+  "related": [
+    "GHSA-4wjj-jwc9-2x96",
+    "GHSA-fjm8-m7m6-2fjp",
+    "GHSA-phjr-8j92-w5v7",
+    "GHSA-rc4r-wh2q-q6c4",
+    "CVE-2022-2989",
+    "CVE-2022-2990",
+    "CVE-2022-2995",
+    "CVE-2022-36109"
+  ],
   "summary": "Privilege escalation via supplementary groups in github.com/containerd/containerd",
   "details": "Supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases and potentially escalate privileges in the container. Uses of the containerd client library may also have improperly setup supplementary groups.",
   "affected": [
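Review bot: The related list added here puts the GHSA IDs before the CVE IDs, while the other related blocks in this change that contain both kinds list the CVEs first (GO-2022-1008, which carries the mirror-image set, is one example). Reorder to CVE-2022-2989, CVE-2022-2990, CVE-2022-2995, CVE-2022-36109 followed by the four GHSAs, here and in data/reports/GO-2023-1574.yaml, so the files stay consistent with each other.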
diff --git a/data/osv/GO-2023-2113.json b/data/osv/GO-2023-2113.json
index 571edd7..85b96d2 100644
--- a/data/osv/GO-2023-2113.json
+++ b/data/osv/GO-2023-2113.json
@@ -7,6 +7,12 @@
     "CVE-2023-45142",
     "GHSA-rcjv-mgp8-qvmr"
   ],
+  "related": [
+    "CVE-2022-21698",
+    "CVE-2023-25151",
+    "GHSA-5r5m-65gx-7vrh",
+    "GHSA-cg3q-j54f-5p7p"
+  ],
   "summary": "Memory exhaustion in go.opentelemetry.io/contrib/instrumentation",
   "details": "Memory exhaustion in go.opentelemetry.io/contrib/instrumentation",
   "affected": [
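Review bot: The details field in the context just below the added related block repeats the summary word for word ("Memory exhaustion in go.opentelemetry.io/contrib/instrumentation"), so the entry says nothing about the issue itself. Since this file is being touched anyway, consider filling in details in the report, or track it for a follow-up change.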
diff --git a/data/reports/GO-2020-0019.yaml b/data/reports/GO-2020-0019.yaml
index 0ef1c8f..032d887 100644
--- a/data/reports/GO-2020-0019.yaml
+++ b/data/reports/GO-2020-0019.yaml
@@ -52,6 +52,7 @@
     - CVE-2020-27813
 ghsas:
     - GHSA-3xh2-74w9-5vxm
+    - GHSA-jf24-p9p9-4rjh
 credits:
     - Max Justicz
 references:
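Review bot: The added GHSA-jf24-p9p9-4rjh under ghsas is the second GHSA alias for this report, and nothing in the hunk shows which advisory it comes from. If the references list that follows does not already link that advisory, add an advisory entry for it so the alias can be checked against its source.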
diff --git a/data/reports/GO-2020-0050.yaml b/data/reports/GO-2020-0050.yaml
index 1d424ec..ad0286b 100644
--- a/data/reports/GO-2020-0050.yaml
+++ b/data/reports/GO-2020-0050.yaml
@@ -20,6 +20,11 @@
     - CVE-2020-15216
 ghsas:
     - GHSA-q547-gmf8-8jr7
+related:
+    - CVE-2020-26290
+    - CVE-2020-27847
+    - GHSA-2x32-jm95-2cpx
+    - GHSA-m9hp-7r99-94h5
 credits:
     - '@jupenur'
 references:
diff --git a/data/reports/GO-2022-0248.yaml b/data/reports/GO-2022-0248.yaml
index 9869122..770daea 100644
--- a/data/reports/GO-2022-0248.yaml
+++ b/data/reports/GO-2022-0248.yaml
@@ -26,6 +26,8 @@
 ghsas:
     - GHSA-cqh2-vc2f-q4fh
     - GHSA-8459-6rc9-8vf8
+related:
+    - GHSA-3jhm-87m6-x959
 credits:
     - Koen van Hove
 references:
diff --git a/data/reports/GO-2022-0322.yaml b/data/reports/GO-2022-0322.yaml
index 8dc19c1..1508b89 100644
--- a/data/reports/GO-2022-0322.yaml
+++ b/data/reports/GO-2022-0322.yaml
@@ -38,5 +38,10 @@
     - CVE-2022-21698
 ghsas:
     - GHSA-cg3q-j54f-5p7p
+related:
+    - CVE-2023-25151
+    - CVE-2023-45142
+    - GHSA-5r5m-65gx-7vrh
+    - GHSA-rcjv-mgp8-qvmr
 references:
     - fix: https://github.com/prometheus/client_golang/pull/962
diff --git a/data/reports/GO-2022-0427.yaml b/data/reports/GO-2022-0427.yaml
index 443b8e1..6875878 100644
--- a/data/reports/GO-2022-0427.yaml
+++ b/data/reports/GO-2022-0427.yaml
@@ -16,6 +16,7 @@
     - CVE-2022-24863
     - CVE-2024-25712
 ghsas:
+    - GHSA-49w7-5r33-jm9m
     - GHSA-xg75-q3q5-cqmv
 references:
     - web: https://cosmosofcyberspace.github.io/improper_http_method_leads_to_xss/poc.html
diff --git a/data/reports/GO-2022-0962.yaml b/data/reports/GO-2022-0962.yaml
index e58b842..a4e2390 100644
--- a/data/reports/GO-2022-0962.yaml
+++ b/data/reports/GO-2022-0962.yaml
@@ -37,6 +37,9 @@
     - CVE-2022-36055
 ghsas:
     - GHSA-7hfp-qfw3-5jxh
+related:
+    - CVE-2022-36049
+    - GHSA-p2g7-xwvr-rrw3
 credits:
     - Ada Logics in a fuzzing audit sponsored by CNCF
 references:
diff --git a/data/reports/GO-2022-1008.yaml b/data/reports/GO-2022-1008.yaml
index b7b0ea3..ad652d3 100644
--- a/data/reports/GO-2022-1008.yaml
+++ b/data/reports/GO-2022-1008.yaml
@@ -33,6 +33,15 @@
     - CVE-2022-2990
 ghsas:
     - GHSA-fjm8-m7m6-2fjp
+related:
+    - CVE-2022-2989
+    - CVE-2022-2995
+    - CVE-2022-36109
+    - CVE-2023-25173
+    - GHSA-4wjj-jwc9-2x96
+    - GHSA-hmfx-3pcx-653p
+    - GHSA-phjr-8j92-w5v7
+    - GHSA-rc4r-wh2q-q6c4
 references:
     - article: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
     - fix: https://github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b
diff --git a/data/reports/GO-2023-1546.yaml b/data/reports/GO-2023-1546.yaml
index 536372e..4e8fbc2 100644
--- a/data/reports/GO-2023-1546.yaml
+++ b/data/reports/GO-2023-1546.yaml
@@ -30,5 +30,10 @@
     - CVE-2023-25151
 ghsas:
     - GHSA-5r5m-65gx-7vrh
+related:
+    - CVE-2022-21698
+    - CVE-2023-45142
+    - GHSA-cg3q-j54f-5p7p
+    - GHSA-rcjv-mgp8-qvmr
 references:
     - advisory: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh
diff --git a/data/reports/GO-2023-1574.yaml b/data/reports/GO-2023-1574.yaml
index 4045ee1..93fbcf8 100644
--- a/data/reports/GO-2023-1574.yaml
+++ b/data/reports/GO-2023-1574.yaml
@@ -52,6 +52,15 @@
     - CVE-2023-25173
 ghsas:
     - GHSA-hmfx-3pcx-653p
+related:
+    - GHSA-4wjj-jwc9-2x96
+    - GHSA-fjm8-m7m6-2fjp
+    - GHSA-phjr-8j92-w5v7
+    - GHSA-rc4r-wh2q-q6c4
+    - CVE-2022-2989
+    - CVE-2022-2990
+    - CVE-2022-2995
+    - CVE-2022-36109
 references:
     - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p
     - web: https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
diff --git a/data/reports/GO-2023-2113.yaml b/data/reports/GO-2023-2113.yaml
index 851b44f..f37fabc 100644
--- a/data/reports/GO-2023-2113.yaml
+++ b/data/reports/GO-2023-2113.yaml
@@ -91,6 +91,11 @@
     - CVE-2023-45142
 ghsas:
     - GHSA-rcjv-mgp8-qvmr
+related:
+    - CVE-2022-21698
+    - CVE-2023-25151
+    - GHSA-5r5m-65gx-7vrh
+    - GHSA-cg3q-j54f-5p7p
 references:
     - advisory: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr
     - fix: https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277