data/reports: add 4 reports - data/reports/GO-2025-3527.yaml - data/reports/GO-2025-3528.yaml - data/reports/GO-2025-3529.yaml - data/reports/GO-2025-3530.yaml Fixes golang/vulndb#3527 Fixes golang/vulndb#3528 Fixes golang/vulndb#3529 Fixes golang/vulndb#3530 Change-Id: I9fecefd23b84996e5bcda75c65362327043092eb Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/658855 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Neal Patel <nealpatel@google.com>
diff --git a/data/osv/GO-2025-3527.json b/data/osv/GO-2025-3527.json
new file mode 100644
index 0000000..14e0f1c
--- /dev/null
+++ b/data/osv/GO-2025-3527.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3527",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-0495",
+ "GHSA-m4gq-fm9h-8q75"
+ ],
+ "summary": "buildx allows a possible credential leakage to telemetry endpoint in github.com/docker/buildx",
+ "details": "buildx allows a possible credential leakage to telemetry endpoint in github.com/docker/buildx",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/docker/buildx",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.21.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/docker/buildx/security/advisories/GHSA-m4gq-fm9h-8q75"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0495"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/docker/buildx/commit/18ccba072076ddbfb0aeedd6746d7719b0729b58"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3527",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3528.json b/data/osv/GO-2025-3528.json
new file mode 100644
index 0000000..daf631d
--- /dev/null
+++ b/data/osv/GO-2025-3528.json
@@ -0,0 +1,82 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3528",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-40635",
+ "GHSA-265r-hfxg-fhmg"
+ ],
+ "summary": "containerd has an integer overflow in User ID handling in github.com/containerd/containerd",
+ "details": "containerd has an integer overflow in User ID handling in github.com/containerd/containerd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/containerd/containerd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.6.38"
+ },
+ {
+ "introduced": "1.7.0-beta.0"
+ },
+ {
+ "fixed": "1.7.27"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/containerd/containerd/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.0.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3528",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3529.json b/data/osv/GO-2025-3529.json
new file mode 100644
index 0000000..1027cc7
--- /dev/null
+++ b/data/osv/GO-2025-3529.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3529",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-2241",
+ "GHSA-c339-mwfc-fmr2"
+ ],
+ "summary": "Openshift Hive Exposes VCenter Credentials via ClusterProvision in github.com/openshift/hive",
+ "details": "Openshift Hive Exposes VCenter Credentials via ClusterProvision in github.com/openshift/hive",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openshift/hive",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-c339-mwfc-fmr2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2241"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2025-2241"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351350"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3529",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3530.json b/data/osv/GO-2025-3530.json
new file mode 100644
index 0000000..174f1de
--- /dev/null
+++ b/data/osv/GO-2025-3530.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3530",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-29781",
+ "GHSA-c98h-7hp9-v9hq"
+ ],
+ "summary": "Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD in github.com/metal3-io/baremetal-operator/apis",
+ "details": "Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD in github.com/metal3-io/baremetal-operator/apis",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/metal3-io/baremetal-operator/apis",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.8.1"
+ },
+ {
+ "introduced": "0.9.0"
+ },
+ {
+ "fixed": "0.9.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-c98h-7hp9-v9hq"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/metal3-io/baremetal-operator/commit/19f8443b1fe182f76dd81b43122e8dd102f8b94c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/metal3-io/baremetal-operator/pull/2321"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/metal3-io/baremetal-operator/pull/2322"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/metal3-io/metal3-docs/blob/main/design/baremetal-operator/bmc-events.md"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3530",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3527.yaml b/data/reports/GO-2025-3527.yaml
new file mode 100644
index 0000000..57aadc8
--- /dev/null
+++ b/data/reports/GO-2025-3527.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-3527
+modules:
+ - module: github.com/docker/buildx
+ versions:
+ - fixed: 0.21.3
+ vulnerable_at: 0.21.2
+summary: buildx allows a possible credential leakage to telemetry endpoint in github.com/docker/buildx
+cves:
+ - CVE-2025-0495
+ghsas:
+ - GHSA-m4gq-fm9h-8q75
+references:
+ - advisory: https://github.com/docker/buildx/security/advisories/GHSA-m4gq-fm9h-8q75
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-0495
+ - fix: https://github.com/docker/buildx/commit/18ccba072076ddbfb0aeedd6746d7719b0729b58
+source:
+ id: GHSA-m4gq-fm9h-8q75
+ created: 2025-03-18T12:19:18.62408-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3528.yaml b/data/reports/GO-2025-3528.yaml
new file mode 100644
index 0000000..c8c371d
--- /dev/null
+++ b/data/reports/GO-2025-3528.yaml
@@ -0,0 +1,26 @@
+id: GO-2025-3528
+modules:
+ - module: github.com/containerd/containerd
+ versions:
+ - fixed: 1.6.38
+ - introduced: 1.7.0-beta.0
+ - fixed: 1.7.27
+ vulnerable_at: 1.7.26
+ - module: github.com/containerd/containerd/v2
+ versions:
+ - fixed: 2.0.4
+ vulnerable_at: 2.0.3
+summary: containerd has an integer overflow in User ID handling in github.com/containerd/containerd
+cves:
+ - CVE-2024-40635
+ghsas:
+ - GHSA-265r-hfxg-fhmg
+references:
+ - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
+ - fix: https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da
+ - fix: https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
+ - fix: https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a
+source:
+ id: GHSA-265r-hfxg-fhmg
+ created: 2025-03-18T12:19:26.864701-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3529.yaml b/data/reports/GO-2025-3529.yaml
new file mode 100644
index 0000000..8293712
--- /dev/null
+++ b/data/reports/GO-2025-3529.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3529
+modules:
+ - module: github.com/openshift/hive
+ unsupported_versions:
+ - last_affected: 1.1.16
+ vulnerable_at: 1.1.16
+summary: Openshift Hive Exposes VCenter Credentials via ClusterProvision in github.com/openshift/hive
+cves:
+ - CVE-2025-2241
+ghsas:
+ - GHSA-c339-mwfc-fmr2
+references:
+ - advisory: https://github.com/advisories/GHSA-c339-mwfc-fmr2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-2241
+ - web: https://access.redhat.com/security/cve/CVE-2025-2241
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2351350
+source:
+ id: GHSA-c339-mwfc-fmr2
+ created: 2025-03-18T12:19:35.546967-04:00
+review_status: UNREVIEWED
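Review bot: The hive entry has only `unsupported_versions: - last_affected: 1.1.16` and no `fixed` version, so the generated OSV range in data/osv/GO-2025-3529.json collapses to a single `introduced: 0` event and every version of github.com/openshift/hive, including any later release that addresses CVE-2025-2241, will be reported as vulnerable. If the upstream advisory or the Bugzilla entry names a fixed release, it belongs under `versions` as `- fixed: <fixed-version>`; if there is genuinely no fix yet, a one-line `description` saying so would spare the next reviewer the lookup. As the report is UNREVIEWED with no `packages` or `symbols`, govulncheck will flag any dependency on the module rather than reachable code, which is worth keeping in mind given that hive is an operator rather than a library.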
diff --git a/data/reports/GO-2025-3530.yaml b/data/reports/GO-2025-3530.yaml
new file mode 100644
index 0000000..46bdeef
--- /dev/null
+++ b/data/reports/GO-2025-3530.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3530
+modules:
+ - module: github.com/metal3-io/baremetal-operator/apis
+ versions:
+ - fixed: 0.8.1
+ - introduced: 0.9.0
+ - fixed: 0.9.1
+ vulnerable_at: 0.9.0
+summary: |-
+ Bare Metal Operator (BMO) can expose any secret from other namespaces via
+ BMCEventSubscription CRD in github.com/metal3-io/baremetal-operator/apis
+cves:
+ - CVE-2025-29781
+ghsas:
+ - GHSA-c98h-7hp9-v9hq
+references:
+ - advisory: https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-c98h-7hp9-v9hq
+ - web: https://github.com/metal3-io/baremetal-operator/commit/19f8443b1fe182f76dd81b43122e8dd102f8b94c
+ - web: https://github.com/metal3-io/baremetal-operator/pull/2321
+ - web: https://github.com/metal3-io/baremetal-operator/pull/2322
+ - web: https://github.com/metal3-io/metal3-docs/blob/main/design/baremetal-operator/bmc-events.md
+source:
+ id: GHSA-c98h-7hp9-v9hq
+ created: 2025-03-18T12:19:45.05457-04:00
+review_status: UNREVIEWED
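Review bot: The commit link under `references` is typed `web`, whereas the other reports in this change (data/reports/GO-2025-3527.yaml and GO-2025-3528.yaml) type commit links as `fix`, which is what reaches the OSV output as a FIX reference; if 19f8443b is the fix for GHSA-c98h-7hp9-v9hq, `- fix: https://github.com/metal3-io/baremetal-operator/commit/19f8443b1fe182f76dd81b43122e8dd102f8b94c` keeps the reports consistent. Separately, the affected module is `github.com/metal3-io/baremetal-operator/apis`, which from its path looks like the CRD type package; if the secret-reading logic that the advisory describes lives in the controller rather than in `apis`, any consumer that merely imports the CRD types will be reported as vulnerable by govulncheck, so the module choice is worth confirming against the advisory before the report moves out of UNREVIEWED.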