data/reports: add GO-2024-2616.yaml

Aliases: CVE-2024-24765, GHSA-h5gf-cmm8-cg7c

Fixes golang/vulndb#2616

Change-Id: I2ac7765db8d0fb9e454d0eec6fb5c95f0c02d022
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/570723
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Maceo Thompson <maceothompson@google.com>
diff --git a/data/osv/GO-2024-2616.json b/data/osv/GO-2024-2616.json
new file mode 100644
index 0000000..c7da623
--- /dev/null
+++ b/data/osv/GO-2024-2616.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2616",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-24765",
+    "GHSA-h5gf-cmm8-cg7c"
+  ],
+  "summary": "Path traversal and user privilege escalation in github.com/IceWhaleTech/CasaOS-UserService",
+  "details": "The UserService API contains a path traversal vulnerability that allows an attacker to obtain any file on the system, including the user database and system configuration. This can lead to privilege escalation and compromise of the system.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/IceWhaleTech/CasaOS-UserService",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.4.7"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/IceWhaleTech/CasaOS-UserService/route/v1",
+            "symbols": [
+              "GetUserImage"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Cp0204"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2616"
+  }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2616.yaml b/data/reports/GO-2024-2616.yaml
new file mode 100644
index 0000000..00c3ce1
--- /dev/null
+++ b/data/reports/GO-2024-2616.yaml
@@ -0,0 +1,28 @@
+id: GO-2024-2616
+modules:
+    - module: github.com/IceWhaleTech/CasaOS-UserService
+      versions:
+        - fixed: 0.4.7
+      vulnerable_at: 0.4.6-alpha3
+      packages:
+        - package: github.com/IceWhaleTech/CasaOS-UserService/route/v1
+          symbols:
+            - GetUserImage
+summary: |-
+    Path traversal and user privilege escalation in
+    github.com/IceWhaleTech/CasaOS-UserService
+description: |-
+    The UserService API contains a path traversal vulnerability that allows an
+    attacker to obtain any file on the system, including the user database and
+    system configuration. This can lead to privilege escalation and compromise of
+    the system.
+cves:
+    - CVE-2024-24765
+ghsas:
+    - GHSA-h5gf-cmm8-cg7c
+credits:
+    - Cp0204
+references:
+    - advisory: https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c
+    - fix: https://github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e
+    - web: https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
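Review bot: The `description` block never names the affected handler, although the `symbols` list in the same report pins the issue to `GetUserImage` in `route/v1`. Someone triaging from the text alone cannot tell which endpoint to look for in access logs, or whether their deployment exposes it. Consider opening the description with `The GetUserImage handler of the UserService API contains a path traversal vulnerability` and, if the linked advisory states it, adding whether the request has to be authenticated. The `details` string in data/osv/GO-2024-2616.json mirrors this text and appears to be generated from it, so it would need regenerating in the same change.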