data/reports: add 6 reports
- data/reports/GO-2025-3645.yaml
- data/reports/GO-2025-3646.yaml
- data/reports/GO-2025-3647.yaml
- data/reports/GO-2025-3648.yaml
- data/reports/GO-2025-3649.yaml
- data/reports/GO-2025-3650.yaml
Fixes golang/vulndb#3645
Fixes golang/vulndb#3646
Fixes golang/vulndb#3647
Fixes golang/vulndb#3648
Fixes golang/vulndb#3649
Fixes golang/vulndb#3650
Change-Id: I92892fe49dd61cbf3d95e2f65e304a96fff4a715
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/668935
Auto-Submit: Neal Patel <nealpatel@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2025-3645.json b/data/osv/GO-2025-3645.json
new file mode 100644
index 0000000..8b7c1bc
--- /dev/null
+++ b/data/osv/GO-2025-3645.json
@@ -0,0 +1,62 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3645",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2019-11243",
+ "GHSA-gc2p-g4fg-29vh"
+ ],
+ "summary": "Kubernetes did not effectively clear service account credentials in k8s.io/kubernetes",
+ "details": "Kubernetes did not effectively clear service account credentials in k8s.io/kubernetes",
+ "affected": [
+ {
+ "package": {
+ "name": "k8s.io/kubernetes",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.12.0"
+ },
+ {
+ "fixed": "1.12.5"
+ },
+ {
+ "introduced": "1.13.0"
+ },
+ {
+ "fixed": "1.13.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-gc2p-g4fg-29vh"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11243"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/issues/76797"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20190509-0002"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3645",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3646.json b/data/osv/GO-2025-3646.json
new file mode 100644
index 0000000..f828c9c
--- /dev/null
+++ b/data/osv/GO-2025-3646.json
@@ -0,0 +1,79 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3646",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-46599",
+ "GHSA-864f-7xjm-2jp2"
+ ],
+ "summary": "CNCF K3s Kubernetes kubelet configuration exposes credentials in github.com/k3s-io/k3s",
+ "details": "CNCF K3s Kubernetes kubelet configuration exposes credentials in github.com/k3s-io/k3s.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/k3s-io/k3s from v1.32.0-rc1 before v1.32.4-rc1.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/k3s-io/k3s",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.32.0-rc1"
+ },
+ {
+ "fixed": "1.32.4-rc1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-864f-7xjm-2jp2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46599"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/k3s-io/k3s/issues/12164"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/f1veT/BUG/issues/2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3646",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3647.json b/data/osv/GO-2025-3647.json
new file mode 100644
index 0000000..1adfca8
--- /dev/null
+++ b/data/osv/GO-2025-3647.json
@@ -0,0 +1,67 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3647",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-22031",
+ "GHSA-8h6m-wv39-239m"
+ ],
+ "summary": "Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher",
+ "details": "Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/rancher from v2.8.0 before v2.9.9, from v2.10.0 before v2.10.5, from v2.11.0 before v2.11.1.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/rancher/rancher",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.8.0"
+ },
+ {
+ "fixed": "2.9.9"
+ },
+ {
+ "introduced": "2.10.0"
+ },
+ {
+ "fixed": "2.10.5"
+ },
+ {
+ "introduced": "2.11.0"
+ },
+ {
+ "fixed": "2.11.1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/rancher/rancher/security/advisories/GHSA-8h6m-wv39-239m"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3647",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3648.json b/data/osv/GO-2025-3648.json
new file mode 100644
index 0000000..b062961
--- /dev/null
+++ b/data/osv/GO-2025-3648.json
@@ -0,0 +1,87 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3648",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-32198",
+ "GHSA-95fc-g4gj-mqmx"
+ ],
+ "summary": "Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks in github.com/rancher/stev",
+ "details": "Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks in github.com/rancher/stev.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/steve from v0.3.0 before v0.3.3.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/rancher/steve",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.3.0"
+ },
+ {
+ "fixed": "0.3.3"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/rancher/steve",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.2.0"
+ },
+ {
+ "fixed": "0.2.1"
+ },
+ {
+ "introduced": "0.4.0"
+ },
+ {
+ "fixed": "0.4.4"
+ },
+ {
+ "introduced": "0.5.0"
+ },
+ {
+ "fixed": "0.5.13"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/rancher/steve/security/advisories/GHSA-95fc-g4gj-mqmx"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3648",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
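Review bot: The `"summary"` and `"details"` strings name the module as `github.com/rancher/stev`, while the `"package"."name"` a few lines below is `github.com/rancher/steve`; the dropped trailing `e` reads as a truncated module path rather than a distinct module. The same text appears in the later hunk for data/reports/GO-2025-3648.yaml (`man-in-the-middle (MitM) attacks in github.com/rancher/stev`), which is presumably the source this OSV file is generated from, so the correction belongs there: `man-in-the-middle (MitM) attacks in github.com/rancher/steve`. Regenerating the OSV entry afterwards would carry the fix into both strings here.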
diff --git a/data/osv/GO-2025-3649.json b/data/osv/GO-2025-3649.json
new file mode 100644
index 0000000..d325d57
--- /dev/null
+++ b/data/osv/GO-2025-3649.json
@@ -0,0 +1,80 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3649",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-23390",
+ "GHSA-xgpc-q899-67p8"
+ ],
+ "summary": "Fleet doesn’t validate a server’s certificate when connecting through SSH in github.com/rancher/fleet",
+ "details": "Fleet doesn’t validate a server’s certificate when connecting through SSH in github.com/rancher/fleet",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/rancher/fleet",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.9.0-rc.1"
+ },
+ {
+ "fixed": "0.10.12"
+ },
+ {
+ "introduced": "0.11.0"
+ },
+ {
+ "fixed": "0.11.7"
+ },
+ {
+ "introduced": "0.12.0"
+ },
+ {
+ "fixed": "0.12.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/rancher/fleet/security/advisories/GHSA-xgpc-q899-67p8"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/rancher/fleet/pull/3571"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/rancher/fleet/pull/3572"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/rancher/fleet/pull/3573"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rancher/fleet/releases/tag/v0.10.12"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rancher/fleet/releases/tag/v0.11.7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rancher/fleet/releases/tag/v0.12.2"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3649",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3650.json b/data/osv/GO-2025-3650.json
new file mode 100644
index 0000000..66b85ec
--- /dev/null
+++ b/data/osv/GO-2025-3650.json
@@ -0,0 +1,63 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3650",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-46327",
+ "GHSA-6jgm-j7h2-2fqg"
+ ],
+ "summary": "Go Snowflake Driver has race condition checking access to Easy Logging config file in github.com/snowflakedb/gosnowflake",
+ "details": "Go Snowflake Driver has race condition checking access to Easy Logging config file in github.com/snowflakedb/gosnowflake",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/snowflakedb/gosnowflake",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.7.0"
+ },
+ {
+ "fixed": "1.13.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/snowflakedb/gosnowflake",
+ "symbols": [
+ "Connector.Connect",
+ "SnowflakeDriver.Open",
+ "SnowflakeDriver.OpenWithConfig",
+ "fileBasedSecureStorageManager.ensurePermissionsAndOwner",
+ "fileBasedSecureStorageManager.withCacheFile",
+ "parseClientConfiguration",
+ "validateCfgPerm"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/snowflakedb/gosnowflake/security/advisories/GHSA-6jgm-j7h2-2fqg"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/snowflakedb/gosnowflake/commit/ba94a4800e23621eff558ef18ce4b96ec5489ff0"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3650",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3645.yaml b/data/reports/GO-2025-3645.yaml
new file mode 100644
index 0000000..03834d6
--- /dev/null
+++ b/data/reports/GO-2025-3645.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3645
+modules:
+ - module: k8s.io/kubernetes
+ versions:
+ - introduced: 1.12.0
+ - fixed: 1.12.5
+ - introduced: 1.13.0
+ - fixed: 1.13.1
+ vulnerable_at: 1.13.1-beta.0
+summary: Kubernetes did not effectively clear service account credentials in k8s.io/kubernetes
+cves:
+ - CVE-2019-11243
+ghsas:
+ - GHSA-gc2p-g4fg-29vh
+references:
+ - advisory: https://github.com/advisories/GHSA-gc2p-g4fg-29vh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-11243
+ - web: https://github.com/kubernetes/kubernetes/issues/76797
+ - web: https://security.netapp.com/advisory/ntap-20190509-0002
+source:
+ id: GHSA-gc2p-g4fg-29vh
+ created: 2025-04-29T12:46:26.886806-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3646.yaml b/data/reports/GO-2025-3646.yaml
new file mode 100644
index 0000000..a9b2182
--- /dev/null
+++ b/data/reports/GO-2025-3646.yaml
@@ -0,0 +1,24 @@
+id: GO-2025-3646
+modules:
+ - module: github.com/k3s-io/k3s
+ non_go_versions:
+ - introduced: 1.32.0-rc1
+ - fixed: 1.32.4-rc1
+ vulnerable_at: 1.0.1
+summary: CNCF K3s Kubernetes kubelet configuration exposes credentials in github.com/k3s-io/k3s
+cves:
+ - CVE-2025-46599
+ghsas:
+ - GHSA-864f-7xjm-2jp2
+references:
+ - advisory: https://github.com/advisories/GHSA-864f-7xjm-2jp2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-46599
+ - fix: https://github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a
+ - report: https://github.com/k3s-io/k3s/issues/12164
+ - web: https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port
+ - web: https://github.com/f1veT/BUG/issues/2
+ - web: https://github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1
+source:
+ id: GHSA-864f-7xjm-2jp2
+ created: 2025-04-29T12:46:32.786602-04:00
+review_status: UNREVIEWED
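Review bot: `vulnerable_at: 1.0.1` lies nowhere near the only affected range the report states (`non_go_versions` 1.32.0-rc1 to 1.32.4-rc1), and the compare URL on the last `web:` reference shows the upstream tags carry `+k3s1` build metadata, which is presumably why the importer could not map them to Go module versions. As a result the generated OSV entry for this report has only `"introduced": "0"` with no fix event, so every version of github.com/k3s-io/k3s is reported as affected; that matches the NOTE text in the generated details, but for a credential-exposure issue an explicit fixed version is worth adding once a reviewer can confirm the mapping. If 1.0.1 is simply the highest module version the tooling could resolve, a short `#` comment on the `vulnerable_at` line saying so would spare the next reader the same question.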
diff --git a/data/reports/GO-2025-3647.yaml b/data/reports/GO-2025-3647.yaml
new file mode 100644
index 0000000..05a1b54
--- /dev/null
+++ b/data/reports/GO-2025-3647.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-3647
+modules:
+ - module: github.com/rancher/rancher
+ non_go_versions:
+ - introduced: 2.8.0
+ - fixed: 2.9.9
+ - introduced: 2.10.0
+ - fixed: 2.10.5
+ - introduced: 2.11.0
+ - fixed: 2.11.1
+ vulnerable_at: 1.6.30
+summary: Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher
+cves:
+ - CVE-2024-22031
+ghsas:
+ - GHSA-8h6m-wv39-239m
+references:
+ - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-8h6m-wv39-239m
+source:
+ id: GHSA-8h6m-wv39-239m
+ created: 2025-04-29T12:46:40.382459-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3648.yaml b/data/reports/GO-2025-3648.yaml
new file mode 100644
index 0000000..c2652a3
--- /dev/null
+++ b/data/reports/GO-2025-3648.yaml
@@ -0,0 +1,28 @@
+id: GO-2025-3648
+modules:
+ - module: github.com/rancher/steve
+ non_go_versions:
+ - introduced: 0.3.0
+ - fixed: 0.3.3
+ - module: github.com/rancher/steve
+ versions:
+ - introduced: 0.2.0
+ - fixed: 0.2.1
+ - introduced: 0.4.0
+ - fixed: 0.4.4
+ - introduced: 0.5.0
+ - fixed: 0.5.13
+ vulnerable_at: 0.5.12
+summary: |-
+ Steve doesn’t verify a server’s certificate and is susceptible to
+ man-in-the-middle (MitM) attacks in github.com/rancher/stev
+cves:
+ - CVE-2023-32198
+ghsas:
+ - GHSA-95fc-g4gj-mqmx
+references:
+ - advisory: https://github.com/rancher/steve/security/advisories/GHSA-95fc-g4gj-mqmx
+source:
+ id: GHSA-95fc-g4gj-mqmx
+ created: 2025-04-29T12:46:44.848556-04:00
+review_status: UNREVIEWED
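Review bot: The report lists `module: github.com/rancher/steve` twice, once carrying only `non_go_versions` (0.3.0 to 0.3.3) and once carrying `versions` for the 0.2, 0.4 and 0.5 series. The unmapped 0.3.x range sits between Go ranges that did resolve for the same module path, so it is worth confirming whether v0.3.0 to v0.3.3 are real module tags the importer merely failed to match; if so, moving them into the `versions` list of a single module entry would let scanners match those versions instead of relying on the details text. The first entry also has no `vulnerable_at`, unlike the non_go_versions-only entries in the 3646 and 3647 reports in this change; since the second entry for the same module carries one, that is probably intentional, but a reviewer should check the tooling accepts the split.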
diff --git a/data/reports/GO-2025-3649.yaml b/data/reports/GO-2025-3649.yaml
new file mode 100644
index 0000000..af5f73c
--- /dev/null
+++ b/data/reports/GO-2025-3649.yaml
@@ -0,0 +1,28 @@
+id: GO-2025-3649
+modules:
+ - module: github.com/rancher/fleet
+ versions:
+ - introduced: 0.9.0-rc.1
+ - fixed: 0.10.12
+ - introduced: 0.11.0
+ - fixed: 0.11.7
+ - introduced: 0.12.0
+ - fixed: 0.12.2
+ vulnerable_at: 0.12.1
+summary: Fleet doesn’t validate a server’s certificate when connecting through SSH in github.com/rancher/fleet
+cves:
+ - CVE-2025-23390
+ghsas:
+ - GHSA-xgpc-q899-67p8
+references:
+ - advisory: https://github.com/rancher/fleet/security/advisories/GHSA-xgpc-q899-67p8
+ - fix: https://github.com/rancher/fleet/pull/3571
+ - fix: https://github.com/rancher/fleet/pull/3572
+ - fix: https://github.com/rancher/fleet/pull/3573
+ - web: https://github.com/rancher/fleet/releases/tag/v0.10.12
+ - web: https://github.com/rancher/fleet/releases/tag/v0.11.7
+ - web: https://github.com/rancher/fleet/releases/tag/v0.12.2
+source:
+ id: GHSA-xgpc-q899-67p8
+ created: 2025-04-29T12:46:49.563239-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3650.yaml b/data/reports/GO-2025-3650.yaml
new file mode 100644
index 0000000..a749a02
--- /dev/null
+++ b/data/reports/GO-2025-3650.yaml
@@ -0,0 +1,32 @@
+id: GO-2025-3650
+modules:
+ - module: github.com/snowflakedb/gosnowflake
+ versions:
+ - introduced: 1.7.0
+ - fixed: 1.13.3
+ vulnerable_at: 1.13.2
+ packages:
+ - package: github.com/snowflakedb/gosnowflake
+ symbols:
+ - fileBasedSecureStorageManager.withCacheFile
+ - parseClientConfiguration
+ - fileBasedSecureStorageManager.ensurePermissionsAndOwner
+ - validateCfgPerm
+ derived_symbols:
+ - Connector.Connect
+ - SnowflakeDriver.Open
+ - SnowflakeDriver.OpenWithConfig
+summary: |-
+ Go Snowflake Driver has race condition checking access to Easy Logging config
+ file in github.com/snowflakedb/gosnowflake
+cves:
+ - CVE-2025-46327
+ghsas:
+ - GHSA-6jgm-j7h2-2fqg
+references:
+ - advisory: https://github.com/snowflakedb/gosnowflake/security/advisories/GHSA-6jgm-j7h2-2fqg
+ - fix: https://github.com/snowflakedb/gosnowflake/commit/ba94a4800e23621eff558ef18ce4b96ec5489ff0
+source:
+ id: GHSA-6jgm-j7h2-2fqg
+ created: 2025-04-29T12:46:56.222011-04:00
+review_status: REVIEWED