data/reports: add 3 reports - data/reports/GO-2025-3504.yaml - data/reports/GO-2025-3505.yaml - data/reports/GO-2025-3507.yaml Fixes golang/vulndb#3504 Fixes golang/vulndb#3505 Fixes golang/vulndb#3507 Change-Id: I8d97f8418bcc34ec5ccd164af5582c34a32b943a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/656176 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> Auto-Submit: Neal Patel <nealpatel@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2025-3504.json b/data/osv/GO-2025-3504.json new file mode 100644 index 0000000..44db83c --- /dev/null +++ b/data/osv/GO-2025-3504.json
@@ -0,0 +1,74 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2025-3504", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2025-25294", + "GHSA-mf24-chxh-hmvj" + ], + "summary": "Envoy Gateway Log Injection Vulnerability in github.com/envoyproxy/gateway", + "details": "Envoy Gateway Log Injection Vulnerability in github.com/envoyproxy/gateway", + "affected": [ + { + "package": { + "name": "github.com/envoyproxy/gateway", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.7" + }, + { + "introduced": "1.3.0-rc.1" + }, + { + "fixed": "1.3.1" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/envoyproxy/gateway/security/advisories/GHSA-mf24-chxh-hmvj" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25294" + }, + { + "type": "FIX", + "url": "https://github.com/envoyproxy/gateway/commit/041d474a70d5921e5d65e6e14ea60e14dac70b01" + }, + { + "type": "FIX", + "url": "https://github.com/envoyproxy/gateway/commit/358bed50dcb7b32f39a2edb252fb1399c7fc65dc" + }, + { + "type": "FIX", + "url": "https://github.com/envoyproxy/gateway/commit/8f48f5199cf1bbb9a8ac0695c5171bfef6c9198a" + }, + { + "type": "WEB", + "url": "https://github.com/envoyproxy/gateway/releases/tag/v1.2.7" + }, + { + "type": "WEB", + "url": "https://github.com/envoyproxy/gateway/releases/tag/v1.3.1" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3504", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file
diff --git a/data/osv/GO-2025-3505.json b/data/osv/GO-2025-3505.json new file mode 100644 index 0000000..26774e2 --- /dev/null +++ b/data/osv/GO-2025-3505.json
@@ -0,0 +1,91 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2025-3505", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2025-27509", + "GHSA-52jx-g6m5-h735" + ], + "summary": "Fleet has SAML authentication vulnerability due to improper SAML response validation in github.com/fleetdm/fleet", + "details": "Fleet has SAML authentication vulnerability due to improper SAML response validation in github.com/fleetdm/fleet.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/fleetdm/fleet/v4 before v4.53.2, from v4.54.0 before v4.58.1, from v4.62.0 before v4.62.4, from v4.63.0 before v4.63.2, from v4.64.0 before v4.64.2.", + "affected": [ + { + "package": { + "name": "github.com/fleetdm/fleet/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.53.2" + }, + { + "introduced": "4.54.0" + }, + { + "fixed": "4.58.1" + }, + { + "introduced": "4.62.0" + }, + { + "fixed": "4.62.4" + }, + { + "introduced": "4.63.0" + }, + { + "fixed": "4.63.2" + }, + { + "introduced": "4.64.0" + }, + { + "fixed": "4.64.2" + } + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-52jx-g6m5-h735" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27509" + }, + { + "type": "WEB", + "url": "https://github.com/fleetdm/fleet/commit/718c95e47ad010ad6b8ceb3f3460e921fbfc53bb" + }, + { + "type": "WEB", + "url": "https://github.com/fleetdm/fleet/releases/tag/fleet-v4.64.2" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3505", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file
diff --git a/data/osv/GO-2025-3507.json b/data/osv/GO-2025-3507.json new file mode 100644 index 0000000..cf186eb --- /dev/null +++ b/data/osv/GO-2025-3507.json
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2025-3507", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "GHSA-6wxf-7784-62fp" + ], + "summary": "Horcrux Double Sign Possibility in github.com/strangelove-ventures/horcrux", + "details": "Horcrux Double Sign Possibility in github.com/strangelove-ventures/horcrux", + "affected": [ + { + "package": { + "name": "github.com/strangelove-ventures/horcrux", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/strangelove-ventures/horcrux/v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.3.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/strangelove-ventures/horcrux/security/advisories/GHSA-6wxf-7784-62fp" + }, + { + "type": "FIX", + "url": "https://github.com/strangelove-ventures/horcrux/commit/fb49be9baed30942b81b42da2b4f7040a2a83c02" + }, + { + "type": "FIX", + "url": "https://github.com/strangelove-ventures/horcrux/pull/169" + }, + { + "type": "WEB", + "url": "https://github.com/strangelove-ventures/horcrux/releases/tag/v3.3.2" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3507", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file
diff --git a/data/reports/GO-2025-3504.yaml b/data/reports/GO-2025-3504.yaml new file mode 100644 index 0000000..207c10f --- /dev/null +++ b/data/reports/GO-2025-3504.yaml
@@ -0,0 +1,25 @@ +id: GO-2025-3504 +modules: + - module: github.com/envoyproxy/gateway + versions: + - fixed: 1.2.7 + - introduced: 1.3.0-rc.1 + - fixed: 1.3.1 + vulnerable_at: 1.3.0 +summary: Envoy Gateway Log Injection Vulnerability in github.com/envoyproxy/gateway +cves: + - CVE-2025-25294 +ghsas: + - GHSA-mf24-chxh-hmvj +references: + - advisory: https://github.com/envoyproxy/gateway/security/advisories/GHSA-mf24-chxh-hmvj + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-25294 + - fix: https://github.com/envoyproxy/gateway/commit/041d474a70d5921e5d65e6e14ea60e14dac70b01 + - fix: https://github.com/envoyproxy/gateway/commit/358bed50dcb7b32f39a2edb252fb1399c7fc65dc + - fix: https://github.com/envoyproxy/gateway/commit/8f48f5199cf1bbb9a8ac0695c5171bfef6c9198a + - web: https://github.com/envoyproxy/gateway/releases/tag/v1.2.7 + - web: https://github.com/envoyproxy/gateway/releases/tag/v1.3.1 +source: + id: GHSA-mf24-chxh-hmvj + created: 2025-03-10T14:13:13.515665-04:00 +review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3505.yaml b/data/reports/GO-2025-3505.yaml new file mode 100644 index 0000000..3be2e83 --- /dev/null +++ b/data/reports/GO-2025-3505.yaml
@@ -0,0 +1,31 @@ +id: GO-2025-3505 +modules: + - module: github.com/fleetdm/fleet/v4 + non_go_versions: + - fixed: 4.53.2 + - introduced: 4.54.0 + - fixed: 4.58.1 + - introduced: 4.62.0 + - fixed: 4.62.4 + - introduced: 4.63.0 + - fixed: 4.63.2 + - introduced: 4.64.0 + - fixed: 4.64.2 +summary: |- + Fleet has SAML authentication vulnerability due to improper SAML response + validation in github.com/fleetdm/fleet +cves: + - CVE-2025-27509 +ghsas: + - GHSA-52jx-g6m5-h735 +references: + - advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-52jx-g6m5-h735 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-27509 + - web: https://github.com/fleetdm/fleet/commit/718c95e47ad010ad6b8ceb3f3460e921fbfc53bb + - web: https://github.com/fleetdm/fleet/releases/tag/fleet-v4.64.2 +notes: + - fix: 'github.com/fleetdm/fleet/v4: could not add vulnerable_at: no fix, but could not find latest version from proxy: HTTP GET /github.com/fleetdm/fleet/v4/@latest returned status 404 Not Found' +source: + id: GHSA-52jx-g6m5-h735 + created: 2025-03-10T14:13:27.937602-04:00 +review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3507.yaml b/data/reports/GO-2025-3507.yaml new file mode 100644 index 0000000..8a1e8b0 --- /dev/null +++ b/data/reports/GO-2025-3507.yaml
@@ -0,0 +1,21 @@ +id: GO-2025-3507 +modules: + - module: github.com/strangelove-ventures/horcrux + vulnerable_at: 0.1.4 + - module: github.com/strangelove-ventures/horcrux/v3 + versions: + - introduced: 3.1.0 + - fixed: 3.3.2 + vulnerable_at: 3.3.1 +summary: Horcrux Double Sign Possibility in github.com/strangelove-ventures/horcrux +ghsas: + - GHSA-6wxf-7784-62fp +references: + - advisory: https://github.com/strangelove-ventures/horcrux/security/advisories/GHSA-6wxf-7784-62fp + - fix: https://github.com/strangelove-ventures/horcrux/commit/fb49be9baed30942b81b42da2b4f7040a2a83c02 + - fix: https://github.com/strangelove-ventures/horcrux/pull/169 + - web: https://github.com/strangelove-ventures/horcrux/releases/tag/v3.3.2 +source: + id: GHSA-6wxf-7784-62fp + created: 2025-03-10T14:13:35.744193-04:00 +review_status: UNREVIEWED