data/reports: add GO-2024-2669.yaml
Aliases: CVE-2023-3299, GHSA-9jfx-84v9-2rr2
Fixes golang/vulndb#2669
Change-Id: Ia64a7a4529f61dffa311f9c8df0d4ecc726a0eaf
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576535
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/data/osv/GO-2024-2669.json b/data/osv/GO-2024-2669.json
new file mode 100644
index 0000000..a49c4d0
--- /dev/null
+++ b/data/osv/GO-2024-2669.json
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2669",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-3299",
+ "GHSA-9jfx-84v9-2rr2"
+ ],
+ "summary": "API token secret ID leak to Sentinel in github.com/hashicorp/nomad",
+ "details": "A vulnerability exists in Nomad where the API caller's ACL token secret ID is exposed to Sentinel policies.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/nomad",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.2.11"
+ },
+ {
+ "fixed": "1.4.11"
+ },
+ {
+ "introduced": "1.5.0"
+ },
+ {
+ "fixed": "1.5.7"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://github.com/hashicorp/nomad/issues/17907"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2023-21-nomad-caller-acl-tokens-secret-id-is-exposed-to-sentinel/56271"
+ }
+ ],
+ "credits": [
+ {
+ "name": "anonymous4ACL24"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2669"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2669.yaml b/data/reports/GO-2024-2669.yaml
new file mode 100644
index 0000000..7df670f
--- /dev/null
+++ b/data/reports/GO-2024-2669.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2669
+modules:
+ - module: github.com/hashicorp/nomad
+ versions:
+ - introduced: 1.2.11
+ fixed: 1.4.11
+ - introduced: 1.5.0
+ fixed: 1.5.7
+ vulnerable_at: 1.5.6
+summary: API token secret ID leak to Sentinel in github.com/hashicorp/nomad
+description: |-
+ A vulnerability exists in Nomad where the API caller's ACL token secret
+ ID is exposed to Sentinel policies.
+cves:
+ - CVE-2023-3299
+ghsas:
+ - GHSA-9jfx-84v9-2rr2
+credits:
+ - anonymous4ACL24
+references:
+ - report: https://github.com/hashicorp/nomad/issues/17907
+ - web: https://discuss.hashicorp.com/t/hcsec-2023-21-nomad-caller-acl-tokens-secret-id-is-exposed-to-sentinel/56271
