data/reports: add 11 unreviewed reports - data/reports/GO-2024-3135.yaml - data/reports/GO-2024-3136.yaml - data/reports/GO-2024-3137.yaml - data/reports/GO-2024-3138.yaml - data/reports/GO-2024-3139.yaml - data/reports/GO-2024-3153.yaml - data/reports/GO-2024-3155.yaml - data/reports/GO-2024-3156.yaml - data/reports/GO-2024-3157.yaml - data/reports/GO-2024-3158.yaml - data/reports/GO-2024-3160.yaml Fixes golang/vulndb#3135 Fixes golang/vulndb#3136 Fixes golang/vulndb#3137 Fixes golang/vulndb#3138 Fixes golang/vulndb#3139 Fixes golang/vulndb#3153 Fixes golang/vulndb#3155 Fixes golang/vulndb#3156 Fixes golang/vulndb#3157 Fixes golang/vulndb#3158 Fixes golang/vulndb#3160 Change-Id: I35e14a6e3457549217ad4853570de94f94fc0281 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/616060 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-3135.json b/data/osv/GO-2024-3135.json
new file mode 100644
index 0000000..e4243cb
--- /dev/null
+++ b/data/osv/GO-2024-3135.json
@@ -0,0 +1,97 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3135",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-45410",
+ "GHSA-62c8-mh53-4cqv"
+ ],
+ "summary": "HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik",
+ "details": "HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/traefik/traefik",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/traefik/traefik/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.11.9"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/traefik/traefik/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "3.0.0-beta3"
+ },
+ {
+ "fixed": "3.1.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45410"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/traefik/traefik/commit/584144100524277829f26219baaab29a53b8134f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/traefik/traefik/releases/tag/v2.11.9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/traefik/traefik/releases/tag/v3.1.3"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3135",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3136.json b/data/osv/GO-2024-3136.json
new file mode 100644
index 0000000..1209d96
--- /dev/null
+++ b/data/osv/GO-2024-3136.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3136",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-27584",
+ "GHSA-hpc8-7wpm-889w"
+ ],
+ "summary": "Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly",
+ "details": "Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0-beta.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27584"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/Dragonfly2/commit/e9da69dc4048bf2a18a671be94616d85e3429433"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3136",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3137.json b/data/osv/GO-2024-3137.json
new file mode 100644
index 0000000..e70a1a4
--- /dev/null
+++ b/data/osv/GO-2024-3137.json
@@ -0,0 +1,107 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3137",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-46999",
+ "GHSA-2w5j-qfvw-2hf5"
+ ],
+ "summary": "ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel",
+ "details": "ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/zitadel/zitadel",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.54.10"
+ },
+ {
+ "introduced": "2.55.0"
+ },
+ {
+ "fixed": "2.55.8"
+ },
+ {
+ "introduced": "2.56.0"
+ },
+ {
+ "fixed": "2.56.6"
+ },
+ {
+ "introduced": "2.57.0"
+ },
+ {
+ "fixed": "2.57.5"
+ },
+ {
+ "introduced": "2.58.0"
+ },
+ {
+ "fixed": "2.58.5"
+ },
+ {
+ "introduced": "2.59.0"
+ },
+ {
+ "fixed": "2.59.3"
+ },
+ {
+ "introduced": "2.60.0"
+ },
+ {
+ "fixed": "2.60.2"
+ },
+ {
+ "introduced": "2.61.0"
+ },
+ {
+ "fixed": "2.61.1"
+ },
+ {
+ "introduced": "2.62.0"
+ },
+ {
+ "fixed": "2.62.1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46999"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3137",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3138.json b/data/osv/GO-2024-3138.json
new file mode 100644
index 0000000..097e073
--- /dev/null
+++ b/data/osv/GO-2024-3138.json
@@ -0,0 +1,107 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3138",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-47060",
+ "GHSA-jj94-6f5c-65r8"
+ ],
+ "summary": "ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel",
+ "details": "ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/zitadel/zitadel",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.54.10"
+ },
+ {
+ "introduced": "2.55.0"
+ },
+ {
+ "fixed": "2.55.8"
+ },
+ {
+ "introduced": "2.56.0"
+ },
+ {
+ "fixed": "2.56.6"
+ },
+ {
+ "introduced": "2.57.0"
+ },
+ {
+ "fixed": "2.57.5"
+ },
+ {
+ "introduced": "2.58.0"
+ },
+ {
+ "fixed": "2.58.5"
+ },
+ {
+ "introduced": "2.59.0"
+ },
+ {
+ "fixed": "2.59.3"
+ },
+ {
+ "introduced": "2.60.0"
+ },
+ {
+ "fixed": "2.60.2"
+ },
+ {
+ "introduced": "2.61.0"
+ },
+ {
+ "fixed": "2.61.1"
+ },
+ {
+ "introduced": "2.62.0"
+ },
+ {
+ "fixed": "2.62.1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47060"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3138",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3139.json b/data/osv/GO-2024-3139.json
new file mode 100644
index 0000000..4c01dcc
--- /dev/null
+++ b/data/osv/GO-2024-3139.json
@@ -0,0 +1,107 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3139",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-47000",
+ "GHSA-qr2h-7pwm-h393"
+ ],
+ "summary": "ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel",
+ "details": "ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/zitadel/zitadel",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.54.10"
+ },
+ {
+ "introduced": "2.55.0"
+ },
+ {
+ "fixed": "2.55.8"
+ },
+ {
+ "introduced": "2.56.0"
+ },
+ {
+ "fixed": "2.56.6"
+ },
+ {
+ "introduced": "2.57.0"
+ },
+ {
+ "fixed": "2.57.5"
+ },
+ {
+ "introduced": "2.58.0"
+ },
+ {
+ "fixed": "2.58.5"
+ },
+ {
+ "introduced": "2.59.0"
+ },
+ {
+ "fixed": "2.59.3"
+ },
+ {
+ "introduced": "2.60.0"
+ },
+ {
+ "fixed": "2.60.2"
+ },
+ {
+ "introduced": "2.61.0"
+ },
+ {
+ "fixed": "2.61.1"
+ },
+ {
+ "introduced": "2.62.0"
+ },
+ {
+ "fixed": "2.62.1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47000"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3139",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3153.json b/data/osv/GO-2024-3153.json
new file mode 100644
index 0000000..f4b6002
--- /dev/null
+++ b/data/osv/GO-2024-3153.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3153",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-47062",
+ "GHSA-58vj-cv5w-v4v6"
+ ],
+ "summary": "Navidrome has Multiple SQL Injections and ORM Leak in github.com/navidrome/navidrome",
+ "details": "Navidrome has Multiple SQL Injections and ORM Leak in github.com/navidrome/navidrome",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/navidrome/navidrome",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.53.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-58vj-cv5w-v4v6"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47062"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/navidrome/navidrome/commit/3107170afd9f557a10f7031f23cb3c9e975a71f9"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3153",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3155.json b/data/osv/GO-2024-3155.json
new file mode 100644
index 0000000..9bb118b
--- /dev/null
+++ b/data/osv/GO-2024-3155.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3155",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-47218"
+ ],
+ "summary": "CVE-2024-47218 in github.com/vesoft-inc/nebula",
+ "details": "CVE-2024-47218 in github.com/vesoft-inc/nebula",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/vesoft-inc/nebula",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47218"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/vesoft-inc/nebula/pull/5936"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/vesoft-inc/nebula/pull/5936/commits/cd6c5976ccfe817b2e0a2d46227cd361bfefb45c"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3155",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3156.json b/data/osv/GO-2024-3156.json
new file mode 100644
index 0000000..3fddf18
--- /dev/null
+++ b/data/osv/GO-2024-3156.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3156",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-47219"
+ ],
+ "summary": "CVE-2024-47219 in github.com/vesoft-inc/nebula",
+ "details": "CVE-2024-47219 in github.com/vesoft-inc/nebula",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/vesoft-inc/nebula",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47219"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/vesoft-inc/nebula/pull/5936"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/vesoft-inc/nebula/pull/5936/commits/cd6c5976ccfe817b2e0a2d46227cd361bfefb45c"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3156",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3157.json b/data/osv/GO-2024-3157.json
new file mode 100644
index 0000000..6eacb0d
--- /dev/null
+++ b/data/osv/GO-2024-3157.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3157",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-46957",
+ "GHSA-98hf-m87w-cq6h"
+ ],
+ "summary": "Mellium allows Authentication Bypass by Spoofing in mellium.im/xmpp",
+ "details": "Mellium allows Authentication Bypass by Spoofing in mellium.im/xmpp",
+ "affected": [
+ {
+ "package": {
+ "name": "mellium.im/xmpp",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.22.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-98hf-m87w-cq6h"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46957"
+ },
+ {
+ "type": "WEB",
+ "url": "https://codeberg.org/mellium/xmpp/releases"
+ },
+ {
+ "type": "WEB",
+ "url": "https://codeberg.org/mellium/xmpp/releases/tag/v0.22.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mellium.im/cve/cve-2024-46957"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3157",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3158.json b/data/osv/GO-2024-3158.json
new file mode 100644
index 0000000..4276edf
--- /dev/null
+++ b/data/osv/GO-2024-3158.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3158",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-40761",
+ "GHSA-48cr-j2cx-mcr8"
+ ],
+ "summary": "Apache Answer: Avatar URL leaked user email addresses in github.com/apache/incubator-answer",
+ "details": "Apache Answer: Avatar URL leaked user email addresses in github.com/apache/incubator-answer",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/apache/incubator-answer",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-48cr-j2cx-mcr8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40761"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/apache/incubator-answer/commit/c3a17046c6c3be1cec16ba49d07d9f7742b7260f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3158",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3160.json b/data/osv/GO-2024-3160.json
new file mode 100644
index 0000000..2ceca48
--- /dev/null
+++ b/data/osv/GO-2024-3160.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3160",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-45042",
+ "GHSA-wc43-73w7-x2f5"
+ ],
+ "summary": "Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos",
+ "details": "Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ory/kratos",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.3.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/ory/kratos/security/advisories/GHSA-wc43-73w7-x2f5"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3160",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-3135.yaml b/data/reports/GO-2024-3135.yaml
new file mode 100644
index 0000000..6bef63a
--- /dev/null
+++ b/data/reports/GO-2024-3135.yaml
@@ -0,0 +1,28 @@
+id: GO-2024-3135
+modules:
+ - module: github.com/traefik/traefik
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.11.9
+ vulnerable_at: 2.11.8
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - introduced: 3.0.0-beta3
+ - fixed: 3.1.3
+ vulnerable_at: 3.1.2
+summary: HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik
+cves:
+ - CVE-2024-45410
+ghsas:
+ - GHSA-62c8-mh53-4cqv
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45410
+ - fix: https://github.com/traefik/traefik/commit/584144100524277829f26219baaab29a53b8134f
+ - web: https://github.com/traefik/traefik/releases/tag/v2.11.9
+ - web: https://github.com/traefik/traefik/releases/tag/v3.1.3
+source:
+ id: GHSA-62c8-mh53-4cqv
+ created: 2024-09-26T14:14:07.271684-04:00
+review_status: UNREVIEWED
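Review bot: The first module entry, `github.com/traefik/traefik`, carries only `vulnerable_at: 1.7.34` and no `versions` list, so every v1 release is reported as affected with no fix, while the v2 and v3 entries are bounded by `fixed: 2.11.9` and `fixed: 3.1.3`. The references in this hunk point only at the v2.11.9 and v3.1.3 release tags and one fix commit, so nothing on the page establishes that the v1 line is affected. If v1 is affected and unpatched the unbounded entry is correct; if not, the entry should be dropped before the report leaves UNREVIEWED, since an unbounded range flags every v1 consumer unconditionally.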
diff --git a/data/reports/GO-2024-3136.yaml b/data/reports/GO-2024-3136.yaml
new file mode 100644
index 0000000..1cd3555
--- /dev/null
+++ b/data/reports/GO-2024-3136.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3136
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0-beta.1
+ vulnerable_at: 2.1.0-beta.0
+summary: Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly
+cves:
+ - CVE-2023-27584
+ghsas:
+ - GHSA-hpc8-7wpm-889w
+references:
+ - advisory: https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-27584
+ - web: https://github.com/dragonflyoss/Dragonfly2/commit/e9da69dc4048bf2a18a671be94616d85e3429433
+ - web: https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9
+source:
+ id: GHSA-hpc8-7wpm-889w
+ created: 2024-09-26T14:14:02.766385-04:00
+review_status: UNREVIEWED
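Review bot: The only `fixed` bound is `2.1.0-beta.1`, yet the release reference points at `v2.0.9`, so one of the two does not describe the tag that actually carries the fix; which tag is right should be settled before the report is marked reviewed, because a too-high bound flags fixed consumers and a too-low one misses affected ones. The commit link is typed `web`, whereas the commit links in the sibling reports of this change (GO-2024-3135, GO-2024-3153, GO-2024-3158) are typed `fix`; if this is the fixing commit, `- fix: https://github.com/dragonflyoss/Dragonfly2/commit/e9da69dc4048bf2a18a671be94616d85e3429433` keeps the reference types consistent. The summary also inherits the advisory title's misspelling `cyptographic`; `cryptographic` is the intended word.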
diff --git a/data/reports/GO-2024-3137.yaml b/data/reports/GO-2024-3137.yaml
new file mode 100644
index 0000000..a08f216
--- /dev/null
+++ b/data/reports/GO-2024-3137.yaml
@@ -0,0 +1,34 @@
+id: GO-2024-3137
+modules:
+ - module: github.com/zitadel/zitadel
+ non_go_versions:
+ - fixed: 2.54.10
+ - introduced: 2.55.0
+ - fixed: 2.55.8
+ - introduced: 2.56.0
+ - fixed: 2.56.6
+ - introduced: 2.57.0
+ - fixed: 2.57.5
+ - introduced: 2.58.0
+ - fixed: 2.58.5
+ - introduced: 2.59.0
+ - fixed: 2.59.3
+ - introduced: 2.60.0
+ - fixed: 2.60.2
+ - introduced: 2.61.0
+ - fixed: 2.61.1
+ - introduced: 2.62.0
+ - fixed: 2.62.1
+ vulnerable_at: 1.87.5
+summary: ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel
+cves:
+ - CVE-2024-46999
+ghsas:
+ - GHSA-2w5j-qfvw-2hf5
+references:
+ - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-46999
+source:
+ id: GHSA-2w5j-qfvw-2hf5
+ created: 2024-09-26T14:13:58.061279-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3138.yaml b/data/reports/GO-2024-3138.yaml
new file mode 100644
index 0000000..aadd2d7
--- /dev/null
+++ b/data/reports/GO-2024-3138.yaml
@@ -0,0 +1,34 @@
+id: GO-2024-3138
+modules:
+ - module: github.com/zitadel/zitadel
+ non_go_versions:
+ - fixed: 2.54.10
+ - introduced: 2.55.0
+ - fixed: 2.55.8
+ - introduced: 2.56.0
+ - fixed: 2.56.6
+ - introduced: 2.57.0
+ - fixed: 2.57.5
+ - introduced: 2.58.0
+ - fixed: 2.58.5
+ - introduced: 2.59.0
+ - fixed: 2.59.3
+ - introduced: 2.60.0
+ - fixed: 2.60.2
+ - introduced: 2.61.0
+ - fixed: 2.61.1
+ - introduced: 2.62.0
+ - fixed: 2.62.1
+ vulnerable_at: 1.87.5
+summary: ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel
+cves:
+ - CVE-2024-47060
+ghsas:
+ - GHSA-jj94-6f5c-65r8
+references:
+ - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47060
+source:
+ id: GHSA-jj94-6f5c-65r8
+ created: 2024-09-26T14:13:53.271528-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3139.yaml b/data/reports/GO-2024-3139.yaml
new file mode 100644
index 0000000..7ee6fbb
--- /dev/null
+++ b/data/reports/GO-2024-3139.yaml
@@ -0,0 +1,34 @@
+id: GO-2024-3139
+modules:
+ - module: github.com/zitadel/zitadel
+ non_go_versions:
+ - fixed: 2.54.10
+ - introduced: 2.55.0
+ - fixed: 2.55.8
+ - introduced: 2.56.0
+ - fixed: 2.56.6
+ - introduced: 2.57.0
+ - fixed: 2.57.5
+ - introduced: 2.58.0
+ - fixed: 2.58.5
+ - introduced: 2.59.0
+ - fixed: 2.59.3
+ - introduced: 2.60.0
+ - fixed: 2.60.2
+ - introduced: 2.61.0
+ - fixed: 2.61.1
+ - introduced: 2.62.0
+ - fixed: 2.62.1
+ vulnerable_at: 1.87.5
+summary: ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel
+cves:
+ - CVE-2024-47000
+ghsas:
+ - GHSA-qr2h-7pwm-h393
+references:
+ - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47000
+source:
+ id: GHSA-qr2h-7pwm-h393
+ created: 2024-09-26T14:13:47.784324-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3153.yaml b/data/reports/GO-2024-3153.yaml
new file mode 100644
index 0000000..3abfbe4
--- /dev/null
+++ b/data/reports/GO-2024-3153.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-3153
+modules:
+ - module: github.com/navidrome/navidrome
+ versions:
+ - fixed: 0.53.0
+ vulnerable_at: 0.52.5
+summary: Navidrome has Multiple SQL Injections and ORM Leak in github.com/navidrome/navidrome
+cves:
+ - CVE-2024-47062
+ghsas:
+ - GHSA-58vj-cv5w-v4v6
+references:
+ - advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-58vj-cv5w-v4v6
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47062
+ - fix: https://github.com/navidrome/navidrome/commit/3107170afd9f557a10f7031f23cb3c9e975a71f9
+source:
+ id: GHSA-58vj-cv5w-v4v6
+ created: 2024-09-26T14:13:41.458938-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3155.yaml b/data/reports/GO-2024-3155.yaml
new file mode 100644
index 0000000..c0ae1f1
--- /dev/null
+++ b/data/reports/GO-2024-3155.yaml
@@ -0,0 +1,15 @@
+id: GO-2024-3155
+modules:
+ - module: github.com/vesoft-inc/nebula
+ vulnerable_at: 3.8.0+incompatible
+summary: CVE-2024-47218 in github.com/vesoft-inc/nebula
+cves:
+ - CVE-2024-47218
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47218
+ - fix: https://github.com/vesoft-inc/nebula/pull/5936
+ - fix: https://github.com/vesoft-inc/nebula/pull/5936/commits/cd6c5976ccfe817b2e0a2d46227cd361bfefb45c
+source:
+ id: CVE-2024-47218
+ created: 2024-09-26T14:13:38.921871-04:00
+review_status: UNREVIEWED
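Review bot: The `summary` is the bare identifier `CVE-2024-47218 in github.com/vesoft-inc/nebula`, which tells a consumer nothing about the weakness, and the module has no `versions` range even though two `fix` references (PR #5936 and one of its commits) are listed; GO-2024-3156 in the next hunk has the same shape against the same PR. With only `vulnerable_at: 3.8.0+incompatible` every tagged version is flagged, including any release that already contains that PR, so if the PR has shipped in a tag a `versions:` / `- fixed: <release tag>` pair would bound the range. The `+incompatible` suffix also suggests the repository has no go.mod at that tag; whether the vulnerable code is Go at all is worth confirming before the report is reviewed, since an unbounded entry on a module nobody imports is pure noise for scanners.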
diff --git a/data/reports/GO-2024-3156.yaml b/data/reports/GO-2024-3156.yaml
new file mode 100644
index 0000000..a7ed54d
--- /dev/null
+++ b/data/reports/GO-2024-3156.yaml
@@ -0,0 +1,15 @@
+id: GO-2024-3156
+modules:
+ - module: github.com/vesoft-inc/nebula
+ vulnerable_at: 3.8.0+incompatible
+summary: CVE-2024-47219 in github.com/vesoft-inc/nebula
+cves:
+ - CVE-2024-47219
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47219
+ - fix: https://github.com/vesoft-inc/nebula/pull/5936
+ - fix: https://github.com/vesoft-inc/nebula/pull/5936/commits/cd6c5976ccfe817b2e0a2d46227cd361bfefb45c
+source:
+ id: CVE-2024-47219
+ created: 2024-09-26T14:13:35.679787-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3157.yaml b/data/reports/GO-2024-3157.yaml
new file mode 100644
index 0000000..06230dd
--- /dev/null
+++ b/data/reports/GO-2024-3157.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3157
+modules:
+ - module: mellium.im/xmpp
+ versions:
+ - fixed: 0.22.0
+ vulnerable_at: 0.21.4
+summary: Mellium allows Authentication Bypass by Spoofing in mellium.im/xmpp
+cves:
+ - CVE-2024-46957
+ghsas:
+ - GHSA-98hf-m87w-cq6h
+references:
+ - advisory: https://github.com/advisories/GHSA-98hf-m87w-cq6h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-46957
+ - web: https://codeberg.org/mellium/xmpp/releases
+ - web: https://codeberg.org/mellium/xmpp/releases/tag/v0.22.0
+ - web: https://mellium.im/cve/cve-2024-46957
+source:
+ id: GHSA-98hf-m87w-cq6h
+ created: 2024-09-26T14:13:29.228384-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3158.yaml b/data/reports/GO-2024-3158.yaml
new file mode 100644
index 0000000..958915e
--- /dev/null
+++ b/data/reports/GO-2024-3158.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3158
+modules:
+ - module: github.com/apache/incubator-answer
+ versions:
+ - fixed: 1.4.0
+ vulnerable_at: 1.4.0-RC1
+summary: 'Apache Answer: Avatar URL leaked user email addresses in github.com/apache/incubator-answer'
+cves:
+ - CVE-2024-40761
+ghsas:
+ - GHSA-48cr-j2cx-mcr8
+references:
+ - advisory: https://github.com/advisories/GHSA-48cr-j2cx-mcr8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40761
+ - fix: https://github.com/apache/incubator-answer/commit/c3a17046c6c3be1cec16ba49d07d9f7742b7260f
+ - web: https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x
+source:
+ id: GHSA-48cr-j2cx-mcr8
+ created: 2024-09-26T14:13:23.434349-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3160.yaml b/data/reports/GO-2024-3160.yaml
new file mode 100644
index 0000000..a230401
--- /dev/null
+++ b/data/reports/GO-2024-3160.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-3160
+modules:
+ - module: github.com/ory/kratos
+ versions:
+ - fixed: 1.3.0
+ vulnerable_at: 1.3.0-pre.0
+summary: |-
+ Ory Kratos's setting required_aal `highest_available` does not properly respect
+ code + mfa credentials in github.com/ory/kratos
+cves:
+ - CVE-2024-45042
+ghsas:
+ - GHSA-wc43-73w7-x2f5
+references:
+ - advisory: https://github.com/ory/kratos/security/advisories/GHSA-wc43-73w7-x2f5
+source:
+ id: GHSA-wc43-73w7-x2f5
+ created: 2024-09-26T14:13:19.945453-04:00
+review_status: UNREVIEWED
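Review bot: `cves` lists CVE-2024-45042 but `references` carries only the GHSA advisory, whereas every other report in this change that names a CVE also links its NVD entry; `- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45042` would keep the reference set consistent and give consumers the second source. The range itself (`fixed: 1.3.0`, `vulnerable_at: 1.3.0-pre.0`) is internally consistent, but the summary's `required_aal` / `highest_available` wording is copied from the advisory title and does not say what the consequence is; a one-clause addition such as "allowing a lower assurance level than configured" would make the one-line summary useful on its own, if the advisory supports it.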