data/reports: add 4 reports
- data/reports/GO-2025-3704.yaml
- data/reports/GO-2025-3705.yaml
- data/reports/GO-2025-3706.yaml
- data/reports/GO-2025-3707.yaml
Fixes golang/vulndb#3704
Fixes golang/vulndb#3705
Fixes golang/vulndb#3706
Fixes golang/vulndb#3707
Change-Id: Ia34751628fee16ef932b3a3066702128a13d5abd
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/675876
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Neal Patel <nealpatel@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/osv/GO-2025-3704.json b/data/osv/GO-2025-3704.json
new file mode 100644
index 0000000..85a5625
--- /dev/null
+++ b/data/osv/GO-2025-3704.json
@@ -0,0 +1,67 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3704",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-4123",
+ "GHSA-q53q-gxq9-mgrj"
+ ],
+ "summary": "Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin in github.com/grafana/grafana",
+ "details": "Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/grafana/grafana before v0.0.0-20250521183405-c7a690348df7.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/grafana/grafana",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250521183405-c7a690348df7"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-q53q-gxq9-mgrj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4123"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://grafana.com/security/security-advisories/cve-2025-4123"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3704",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3705.json b/data/osv/GO-2025-3705.json
new file mode 100644
index 0000000..2a11c74
--- /dev/null
+++ b/data/osv/GO-2025-3705.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3705",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-48374",
+ "GHSA-c37v-3c8w-crq8"
+ ],
+ "summary": "zot logs secrets in zotregistry.dev/zot",
+ "details": "zot logs secrets in zotregistry.dev/zot",
+ "affected": [
+ {
+ "package": {
+ "name": "zotregistry.dev/zot",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.4-0.20250522160828-8a99a3ed231f"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/project-zot/zot/security/advisories/GHSA-c37v-3c8w-crq8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48374"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/project-zot/zot/commit/8a99a3ed231fdcd8467e986182b4705342b6a15e"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3705",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3706.json b/data/osv/GO-2025-3706.json
new file mode 100644
index 0000000..08476a1
--- /dev/null
+++ b/data/osv/GO-2025-3706.json
@@ -0,0 +1,74 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3706",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-48075",
+ "GHSA-hg3g-gphw-5hhm"
+ ],
+ "summary": "Fiber panics when fiber.Ctx.BodyParser parses invalid range index in github.com/gofiber/fiber",
+ "details": "Fiber panics when fiber.Ctx.BodyParser parses invalid range index in github.com/gofiber/fiber",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/gofiber/fiber",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/gofiber/fiber/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.52.6"
+ },
+ {
+ "fixed": "2.52.7"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/gofiber/fiber/v2/internal/schema",
+ "symbols": [
+ "Decoder.Decode"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3706",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3707.json b/data/osv/GO-2025-3707.json
new file mode 100644
index 0000000..e4ed3bd
--- /dev/null
+++ b/data/osv/GO-2025-3707.json
@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3707",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-48371"
+ ],
+ "summary": "OpenFGA Authorization Bypass in github.com/openfga/openfga",
+ "details": "OpenFGA Authorization Bypass in github.com/openfga/openfga",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openfga/openfga",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.8.0"
+ },
+ {
+ "fixed": "1.8.13"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48371"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openfga/openfga/commit/e5960d4eba92b723de8ff3a5346a07f50c1379ca"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openfga/openfga/security/advisories/GHSA-c72g-53hw-82q7"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3707",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3704.yaml b/data/reports/GO-2025-3704.yaml
new file mode 100644
index 0000000..741f6bd
--- /dev/null
+++ b/data/reports/GO-2025-3704.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3704
+modules:
+ - module: github.com/grafana/grafana
+ non_go_versions:
+ - fixed: 0.0.0-20250521183405-c7a690348df7
+ vulnerable_at: 5.4.5+incompatible
+summary: Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin in github.com/grafana/grafana
+cves:
+ - CVE-2025-4123
+ghsas:
+ - GHSA-q53q-gxq9-mgrj
+references:
+ - advisory: https://github.com/advisories/GHSA-q53q-gxq9-mgrj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4123
+ - fix: https://github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc
+ - web: https://grafana.com/security/security-advisories/cve-2025-4123
+source:
+ id: GHSA-q53q-gxq9-mgrj
+ created: 2025-05-23T11:19:56.523795-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3705.yaml b/data/reports/GO-2025-3705.yaml
new file mode 100644
index 0000000..014f073
--- /dev/null
+++ b/data/reports/GO-2025-3705.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-3705
+modules:
+ - module: zotregistry.dev/zot
+ versions:
+ - fixed: 1.4.4-0.20250522160828-8a99a3ed231f
+ vulnerable_at: 1.4.3
+summary: zot logs secrets in zotregistry.dev/zot
+cves:
+ - CVE-2025-48374
+ghsas:
+ - GHSA-c37v-3c8w-crq8
+references:
+ - advisory: https://github.com/project-zot/zot/security/advisories/GHSA-c37v-3c8w-crq8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-48374
+ - web: https://github.com/project-zot/zot/commit/8a99a3ed231fdcd8467e986182b4705342b6a15e
+source:
+ id: GHSA-c37v-3c8w-crq8
+ created: 2025-05-23T11:19:51.572769-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3706.yaml b/data/reports/GO-2025-3706.yaml
new file mode 100644
index 0000000..86a0aa7
--- /dev/null
+++ b/data/reports/GO-2025-3706.yaml
@@ -0,0 +1,27 @@
+id: GO-2025-3706
+modules:
+ - module: github.com/gofiber/fiber
+ vulnerable_at: 1.14.6
+ - module: github.com/gofiber/fiber/v2
+ versions:
+ - introduced: 2.52.6
+ - fixed: 2.52.7
+ vulnerable_at: 2.52.6
+ packages:
+ - package: github.com/gofiber/fiber/v2/internal/schema
+ symbols:
+ - Decoder.Decode
+summary: |-
+ Fiber panics when fiber.Ctx.BodyParser parses invalid range index in
+ github.com/gofiber/fiber
+cves:
+ - CVE-2025-48075
+ghsas:
+ - GHSA-hg3g-gphw-5hhm
+references:
+ - advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm
+ - fix: https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d
+source:
+ id: GHSA-hg3g-gphw-5hhm
+ created: 2025-05-23T11:19:46.453453-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2025-3707.yaml b/data/reports/GO-2025-3707.yaml
new file mode 100644
index 0000000..9a7745c
--- /dev/null
+++ b/data/reports/GO-2025-3707.yaml
@@ -0,0 +1,18 @@
+id: GO-2025-3707
+modules:
+ - module: github.com/openfga/openfga
+ versions:
+ - introduced: 1.8.0
+ - fixed: 1.8.13
+ vulnerable_at: 1.8.12
+summary: OpenFGA Authorization Bypass in github.com/openfga/openfga
+cves:
+ - CVE-2025-48371
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-48371
+ - fix: https://github.com/openfga/openfga/commit/e5960d4eba92b723de8ff3a5346a07f50c1379ca
+ - web: https://github.com/openfga/openfga/security/advisories/GHSA-c72g-53hw-82q7
+source:
+ id: CVE-2025-48371
+ created: 2025-05-23T11:19:40.662898-04:00
+review_status: UNREVIEWED
