internal/triage: add lots of tests for triage
To prep for a change in the triage algorithm, add 100 test cases
for real CVEs (75 Go and 25 not Go) and their triage results
with the current algorithm. (The current algorithm is copied
into a new function, AffectsGo, with no changes).
Note that the current algorithm doesn't always get it right, so
each test output file marks whether the result is correct or not.
This is OK; CVEs don't explicitly mark themselves as affecting
Go or not so we can't expect to always correctly categorize them.
However, we'd like to make sure changing the algorithm doesn't
reduce correctness.
Change-Id: I00ce8519b997d8605ab2e4693980f256d8eab7d0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/602597
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/internal/cve4/report_test.go b/internal/cve4/report_test.go
index 70bbdba..1b0fe34 100644
--- a/internal/cve4/report_test.go
+++ b/internal/cve4/report_test.go
@@ -20,7 +20,9 @@
func TestToReport(t *testing.T) {
if *updateTxtarRepo {
- cvelistrepo.UpdateTxtar(context.Background(), t, cvelistrepo.URLv4)
+ if err := cvelistrepo.UpdateTxtar(context.Background(), cvelistrepo.URLv4, cvelistrepo.TestCVEs); err != nil {
+ t.Fatal(err)
+ }
}
if err := cvelistrepo.TestToReport[*CVE](t, *update, *realProxy); err != nil {
diff --git a/internal/cve5/report_test.go b/internal/cve5/report_test.go
index 206355f..246d261 100644
--- a/internal/cve5/report_test.go
+++ b/internal/cve5/report_test.go
@@ -535,7 +535,9 @@
func TestToReport(t *testing.T) {
if *updateTxtarRepo {
- cvelistrepo.UpdateTxtar(context.Background(), t, cvelistrepo.URLv5)
+ if err := cvelistrepo.UpdateTxtar(context.Background(), cvelistrepo.URLv5, cvelistrepo.TestCVEs); err != nil {
+ t.Fatal(err)
+ }
}
if err := cvelistrepo.TestToReport[*CVERecord](t, *update, *realProxy); err != nil {
diff --git a/internal/cvelistrepo/txtar.go b/internal/cvelistrepo/txtar.go
index 45ec2ae..1e01140 100644
--- a/internal/cvelistrepo/txtar.go
+++ b/internal/cvelistrepo/txtar.go
@@ -29,7 +29,11 @@
var (
txtarRepo = filepath.Join(testdata, "cvelist.txtar")
testdata = filepath.Join("testdata", "cve")
- testCVEs = map[string]string{
+ testTime = time.Date(1999, 1, 1, 0, 0, 0, 0, time.UTC)
+)
+
+var (
+ TestCVEsToModules = map[string]string{
// First-party CVEs not assigned by the Go CNA.
// (These were created before Go was a CNA).
"CVE-2020-9283": "golang.org/x/crypto",
@@ -43,6 +47,7 @@
"CVE-2024-2056": "github.com/gvalkov/tailon",
"CVE-2024-33522": "github.com/projectcalico/calico",
"CVE-2024-21527": "github.com/gotenberg/gotenberg",
+ "CVE-2020-7668": "github.com/unknwon/cae/tz",
// A third-party non-Go CVE that was miscategorized
// as applying to "github.com/amlweems/xzbot".
@@ -56,23 +61,15 @@
// A third-party CVE assigned by the Go CNA.
"CVE-2023-45286": "github.com/go-resty/resty/v2",
}
- testTime = time.Date(1999, 1, 1, 0, 0, 0, 0, time.UTC)
+ TestCVEs = maps.Keys(TestCVEsToModules)
)
-func UpdateTxtar(ctx context.Context, t *testing.T, url string) {
- ids := maps.Keys(testCVEs)
+func UpdateTxtar(ctx context.Context, url string, ids []string) error {
slices.Sort(ids)
- if err := writeTxtarRepo(ctx, url, txtarRepo, ids); err != nil {
- t.Fatal(err)
- }
+ return writeTxtarRepo(ctx, url, txtarRepo, ids)
}
-func TestToReport[S report.Source](t *testing.T, update, realProxy bool) error {
- pc, err := proxy.NewTestClient(t, realProxy)
- if err != nil {
- t.Fatal(err)
- }
-
+func RunTest[S report.Source](t *testing.T, update bool, wantFunc func(*testing.T, S) ([]txtar.File, error)) error {
if update {
if err := os.RemoveAll(filepath.Join(testdata, t.Name())); err != nil {
t.Fatal(err)
@@ -91,38 +88,17 @@
for _, file := range files {
id := file.ID()
t.Run(id, func(t *testing.T) {
+ tf := filepath.Join(testdata, t.Name()+".txtar")
cve, _, err := gitrepo.Parse[S](repo, &file)
if err != nil {
t.Fatalf("Parse(%s)=%s", id, err)
}
- mp, ok := testCVEs[id]
- if !ok {
- t.Fatalf("%s not found in testCVEs", id)
+ want, err := wantFunc(t, cve)
+ if err != nil {
+ t.Fatal(err)
}
- var want []txtar.File
- for _, rs := range []report.ReviewStatus{report.Unreviewed, report.Reviewed} {
- r := report.New(cve, pc,
- report.WithModulePath(mp),
- report.WithCreated(testTime),
- report.WithReviewStatus(rs),
- )
- // Keep record of what lints would apply to each generated report.
- r.LintAsNotes(pc)
- b, err := yaml.Marshal(r)
- if err != nil {
- t.Fatal(err)
- }
- want = append(want,
- txtar.File{
- Name: id + "_" + rs.String(),
- Data: b,
- })
- }
-
- tf := filepath.Join(testdata, t.Name()+".txtar")
-
if update {
if err := test.WriteTxtar(tf, want, fmt.Sprintf("Expected output of %s.", t.Name())); err != nil {
t.Fatal(err)
@@ -144,6 +120,45 @@
return nil
}
+func TestToReport[S report.Source](t *testing.T, update, realProxy bool) error {
+ pc, err := proxy.NewTestClient(t, realProxy)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ wantFunc := func(t *testing.T, cve S) ([]txtar.File, error) {
+ id := cve.SourceID()
+ mp, ok := TestCVEsToModules[id]
+ if !ok {
+ t.Fatalf("%s not found in testCVEs", id)
+ }
+
+ var want []txtar.File
+ for _, rs := range []report.ReviewStatus{report.Unreviewed, report.Reviewed} {
+ r := report.New(cve, pc,
+ report.WithModulePath(mp),
+ report.WithCreated(testTime),
+ report.WithReviewStatus(rs),
+ )
+ // Keep record of what lints would apply to each generated report.
+ r.LintAsNotes(pc)
+ b, err := yaml.Marshal(r)
+ if err != nil {
+ return nil, err
+ }
+ want = append(want,
+ txtar.File{
+ Name: id + "_" + rs.String(),
+ Data: b,
+ })
+ }
+
+ return want, nil
+ }
+
+ return RunTest[S](t, update, wantFunc)
+}
+
// writeTxtarRepo downloads the given CVEs from the CVE list (v4 or v5) in url,
// and writes them as a txtar repo to filename.
//
diff --git a/internal/pkgsite/client.go b/internal/pkgsite/client.go
index 208be62..7364f8a 100644
--- a/internal/pkgsite/client.go
+++ b/internal/pkgsite/client.go
@@ -29,7 +29,7 @@
}
func Default() *Client {
- return New(pkgsiteURL)
+ return New(URL)
}
func New(url string) *Client {
@@ -53,7 +53,7 @@
pkgsiteRateLimiter = rate.NewLimiter(rate.Every(1*time.Second/pkgsiteQPS), 3)
)
-var pkgsiteURL = "https://pkg.go.dev"
+var URL = "https://pkg.go.dev"
// KnownModule reports whether pkgsite knows that path actually refers
// to a module or package path.
diff --git a/internal/triage/by_references.go b/internal/triage/by_references.go
index 6ab1640..f556305 100644
--- a/internal/triage/by_references.go
+++ b/internal/triage/by_references.go
@@ -38,9 +38,9 @@
}
type Result struct {
- ModulePath string
- PackagePath string
- Reason string
+ ModulePath string `yaml:"module_path"`
+ PackagePath string `yaml:"package_path"`
+ Reason string `yaml:"reason"`
}
// gopkgHosts are hostnames for popular Go package websites.
diff --git a/internal/triage/cve5.go b/internal/triage/cve5.go
new file mode 100644
index 0000000..634049a
--- /dev/null
+++ b/internal/triage/cve5.go
@@ -0,0 +1,110 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package triage
+
+import (
+ "context"
+ "fmt"
+ "net/url"
+ "strings"
+
+ "golang.org/x/vulndb/internal/cve5"
+ "golang.org/x/vulndb/internal/pkgsite"
+ "golang.org/x/vulndb/internal/stdlib"
+ "golang.org/x/vulndb/internal/worker/log"
+)
+
+type CVE5Triager struct {
+ pc *pkgsite.Client
+}
+
+func (t *CVE5Triager) AffectsGo(ctx context.Context, cve *cve5.CVERecord) (result *Result, err error) {
+ v := cve
+ pc := t.pc
+ defer func() {
+ if err != nil {
+ return
+ }
+ msg := fmt.Sprintf("Triage result for %s", v.SourceID())
+ if result == nil {
+ log.Debugf(ctx, "%s: not Go vuln", msg)
+ return
+ }
+ log.Debugf(ctx, "%s: is Go vuln:\n%s", msg, result.Reason)
+ }()
+ for _, rurl := range v.ReferenceURLs() {
+ if rurl == "" {
+ continue
+ }
+ refURL, err := url.Parse(rurl)
+ if err != nil {
+ return nil, fmt.Errorf("url.Parse(%q): %v", rurl, err)
+ }
+ if strings.Contains(rurl, "golang.org/pkg") {
+ mp := strings.TrimPrefix(refURL.Path, "/pkg/")
+ return &Result{
+ PackagePath: mp,
+ ModulePath: stdlib.ModulePath,
+ Reason: fmt.Sprintf("Reference data URL %q contains path %q", rurl, mp),
+ }, nil
+ }
+ if gopkgHosts[refURL.Host] {
+ mp := strings.TrimPrefix(refURL.Path, "/")
+ if stdlib.Contains(mp) {
+ return &Result{
+ PackagePath: mp,
+ ModulePath: stdlib.ModulePath,
+ Reason: fmt.Sprintf("Reference data URL %q contains path %q", rurl, mp),
+ }, nil
+ }
+ return &Result{
+ ModulePath: mp,
+ Reason: fmt.Sprintf("Reference data URL %q contains path %q", rurl, mp),
+ }, nil
+ }
+ modpaths := candidateModulePaths(refURL.Host + refURL.Path)
+ for _, mp := range modpaths {
+ if notGoModules[mp] {
+ continue
+ }
+ known, err := pc.KnownModule(ctx, mp)
+ if err != nil {
+ return nil, err
+ }
+ if known {
+ u := pkgsite.URL + "/" + mp
+ return &Result{
+ ModulePath: mp,
+ Reason: fmt.Sprintf("Reference data URL %q contains path %q; %q returned a status 200", rurl, mp, u),
+ }, nil
+ }
+ }
+ }
+
+ // We didn't find a Go package or module path in the reference data. Check
+ // secondary heuristics to see if this is a Go related CVE.
+ for _, rurl := range v.ReferenceURLs() {
+ // Example CVE containing snyk.io URL:
+ // https://github.com/CVEProject/cvelist/blob/899bba20d62eb73e04d1841a5ff04cd6225e1618/2020/7xxx/CVE-2020-7668.json#L52.
+ if strings.Contains(rurl, snykIdentifier) {
+ return &Result{
+ ModulePath: unknownPath,
+ Reason: fmt.Sprintf("Reference data URL %q contains %q", rurl, snykIdentifier),
+ }, nil
+ }
+
+ // Check for reference data indicating that this is related to the Go
+ // project.
+ for _, k := range stdlibReferenceDataKeywords {
+ if strings.Contains(rurl, k) {
+ return &Result{
+ ModulePath: stdlib.ModulePath,
+ Reason: fmt.Sprintf("Reference data URL %q contains %q", rurl, k),
+ }, nil
+ }
+ }
+ }
+ return nil, nil
+}
diff --git a/internal/triage/cve5_test.go b/internal/triage/cve5_test.go
new file mode 100644
index 0000000..6f92f0d
--- /dev/null
+++ b/internal/triage/cve5_test.go
@@ -0,0 +1,180 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package triage
+
+import (
+ "context"
+ "flag"
+ "fmt"
+ "log"
+ "math/rand"
+ "os"
+ "path/filepath"
+ "strings"
+ "testing"
+
+ "golang.org/x/exp/maps"
+ "golang.org/x/tools/txtar"
+ "golang.org/x/vulndb/internal"
+ "golang.org/x/vulndb/internal/cve5"
+ "golang.org/x/vulndb/internal/cvelistrepo"
+ "golang.org/x/vulndb/internal/gitrepo"
+ "golang.org/x/vulndb/internal/pkgsite"
+ "golang.org/x/vulndb/internal/report"
+ "gopkg.in/yaml.v3"
+)
+
+var (
+ updateTxtarRepo = flag.Bool("update-repo", false, "update the .txtar file with real CVE data (this takes a while)")
+ update = flag.Bool("update", false, "update the golden files")
+ newCVEs = flag.Bool("new-cves", false, "pick new random CVEs and update the .txtar file")
+ testCVEs map[string]bool
+)
+
+func TestMain(m *testing.M) {
+ if err := setup(context.Background()); err != nil {
+ log.Fatal(err)
+ }
+ os.Exit(m.Run())
+}
+
+func setup(ctx context.Context) error {
+ flag.Parse()
+ goFile, notGoFile := filepath.Join("testdata", "cve", "go_cves.txt"), filepath.Join("testdata", "cve", "not_go_cves.txt")
+ if *newCVEs {
+ const n = 25
+ goCVEs, notGoCVEs, err := pickRandomCVEs(ctx, n)
+ if err != nil {
+ return err
+ }
+ if err := writeLines(goCVEs, goFile); err != nil {
+ return err
+ }
+ if err := writeLines(notGoCVEs, notGoFile); err != nil {
+ return err
+ }
+ }
+ goCVEs, err := internal.ReadFileLines(goFile)
+ if err != nil {
+ return err
+ }
+ notGoCVEs, err := internal.ReadFileLines(notGoFile)
+ if err != nil {
+ return err
+ }
+ testCVEs = make(map[string]bool)
+ for _, c := range goCVEs {
+ testCVEs[c] = true
+ }
+ for _, c := range notGoCVEs {
+ testCVEs[c] = false
+ }
+ if *updateTxtarRepo || *newCVEs {
+ return cvelistrepo.UpdateTxtar(ctx, cvelistrepo.URLv5, maps.Keys(testCVEs))
+ }
+ return nil
+}
+
+func TestAffectsGo(t *testing.T) {
+ if *usePkgsite {
+ os.RemoveAll(filepath.Join("testdata", "pkgsite", t.Name()))
+ }
+ wantFunc := func(t *testing.T, cve *cve5.CVERecord) ([]txtar.File, error) {
+ pc, err := pkgsite.TestClient(t, *usePkgsite)
+ if err != nil {
+ return nil, err
+ }
+ ctx := context.Background()
+ tr := &CVE5Triager{pc: pc}
+ r, err := tr.AffectsGo(ctx, cve)
+ if err != nil {
+ return nil, err
+ }
+ agb, err := yaml.Marshal(r)
+ if err != nil {
+ return nil, err
+ }
+ // Instead of erroring if we have a mismatch, merely store the result.
+ // The CVE triage algorithm will likely never be perfect because some
+ // CVEs simply don't have enough information to determine if they affect
+ // Go.
+ type eval struct {
+ InVulndb bool `yaml:"in_vulndb"`
+ Mismatch bool `yaml:"mismatch,omitempty"`
+ }
+ inVulndb, ok := testCVEs[cve.SourceID()]
+ if !ok {
+ return nil, fmt.Errorf("%s is not in list of test CVEs", cve.SourceID())
+ }
+ e := &eval{
+ InVulndb: inVulndb,
+ Mismatch: (inVulndb && r == nil) || (!inVulndb && r != nil),
+ }
+ eb, err := yaml.Marshal(e)
+ if err != nil {
+ return nil, err
+ }
+ return []txtar.File{
+ {Name: "affects_go_result", Data: agb},
+ {Name: "eval", Data: eb}}, nil
+ }
+
+ if err := cvelistrepo.RunTest(t, *update, wantFunc); err != nil {
+ t.Fatal(err)
+ }
+}
+
+// pickRandomCVEs chooses n*3 random CVEs that affect Go and n random CVEs
+// that do not affect Go.
+// We take a bigger sample of Go CVEs because we care more about false
+// negatives than false positives.
+func pickRandomCVEs(ctx context.Context, n int) ([]string, []string, error) {
+ repo, err := gitrepo.Clone(ctx, cvelistrepo.URLv5)
+ if err != nil {
+ return nil, nil, err
+ }
+ hc, err := gitrepo.HeadCommit(repo)
+ if err != nil {
+ return nil, nil, err
+ }
+ files, err := cvelistrepo.Files(repo, hc)
+ if err != nil {
+ return nil, nil, err
+ }
+ rc, err := report.NewDefaultClient(ctx)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ var goCVEs, notGoCVEs []string
+Categorize:
+ for _, f := range files {
+ for _, r := range rc.ReportsByAlias(f.ID()) {
+ if r.Excluded != "NOT_GO_CODE" {
+ goCVEs = append(goCVEs, f.ID())
+ continue Categorize
+ }
+ }
+ notGoCVEs = append(notGoCVEs, f.ID())
+ }
+
+ numGo, numNotGo := n*3, n
+ if len(goCVEs) <= numGo || len(notGoCVEs) <= numNotGo {
+ return nil, nil, fmt.Errorf("not enough source CVEs to pick %d random values", numGo+numNotGo)
+ }
+
+ rand.Shuffle(len(goCVEs), func(i, j int) {
+ goCVEs[i], goCVEs[j] = goCVEs[j], goCVEs[i]
+ })
+ rand.Shuffle(len(notGoCVEs), func(i, j int) {
+ notGoCVEs[i], notGoCVEs[j] = notGoCVEs[j], notGoCVEs[i]
+ })
+ return goCVEs[:numGo], notGoCVEs[:numNotGo], nil
+}
+
+func writeLines(s []string, filename string) error {
+ b := []byte(strings.Join(s, "\n"))
+ return os.WriteFile(filename, b, 0666)
+}
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2002-0852.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2002-0852.txtar
new file mode 100644
index 0000000..f63d2a2
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2002-0852.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2002-0852.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2007-4762.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2007-4762.txtar
new file mode 100644
index 0000000..5d8bb6d
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2007-4762.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2007-4762.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2008-2580.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2008-2580.txtar
new file mode 100644
index 0000000..ad7b79a
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2008-2580.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2008-2580.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2008-3079.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2008-3079.txtar
new file mode 100644
index 0000000..303da2f
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2008-3079.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2008-3079.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2010-0197.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2010-0197.txtar
new file mode 100644
index 0000000..82ed0cb
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2010-0197.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2010-0197.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2010-3671.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2010-3671.txtar
new file mode 100644
index 0000000..67c100e
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2010-3671.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2010-3671.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2011-3350.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2011-3350.txtar
new file mode 100644
index 0000000..29ba8e2
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2011-3350.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2011-3350.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2014-0718.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2014-0718.txtar
new file mode 100644
index 0000000..ca7fcb3
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2014-0718.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2014-0718.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2015-1707.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2015-1707.txtar
new file mode 100644
index 0000000..b45ca45
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2015-1707.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2015-1707.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-15005.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-15005.txtar
new file mode 100644
index 0000000..bb2aef0
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-15005.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2016-15005.
+
+-- affects_go_result --
+module_path: github.com/dinever/golf
+package_path: ""
+reason: Reference data URL "https://github.com/dinever/golf/pull/24" contains path "github.com/dinever/golf"; "https://pkg.go.dev/github.com/dinever/golf" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-1544.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-1544.txtar
new file mode 100644
index 0000000..382e19a
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-1544.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2016-1544.
+
+-- affects_go_result --
+module_path: github.com/nghttp2/nghttp2
+package_path: ""
+reason: Reference data URL "https://github.com/nghttp2/nghttp2/releases/tag/v1.7.1" contains path "github.com/nghttp2/nghttp2"; "https://pkg.go.dev/github.com/nghttp2/nghttp2" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-4123.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-4123.txtar
new file mode 100644
index 0000000..def5c0c
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-4123.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2016-4123.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-7569.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-7569.txtar
new file mode 100644
index 0000000..20c43c7
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-7569.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2016-7569.
+
+-- affects_go_result --
+module_path: github.com/appc/docker2aci
+package_path: ""
+reason: Reference data URL "https://github.com/appc/docker2aci/releases/tag/v0.13.0" contains path "github.com/appc/docker2aci"; "https://pkg.go.dev/github.com/appc/docker2aci" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-9122.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-9122.txtar
new file mode 100644
index 0000000..732f8d7
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2016-9122.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2016-9122.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-1000070.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-1000070.txtar
new file mode 100644
index 0000000..8ed8a71
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-1000070.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2017-1000070.
+
+-- affects_go_result --
+module_path: github.com/bitly/oauth2_proxy
+package_path: ""
+reason: Reference data URL "https://github.com/bitly/oauth2_proxy/pull/359" contains path "github.com/bitly/oauth2_proxy"; "https://pkg.go.dev/github.com/bitly/oauth2_proxy" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-4378.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-4378.txtar
new file mode 100644
index 0000000..3149a8e
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-4378.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2017-4378.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-7468.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-7468.txtar
new file mode 100644
index 0000000..1ec4a64
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-7468.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2017-7468.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-8963.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-8963.txtar
new file mode 100644
index 0000000..900fd6e
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2017-8963.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2017-8963.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-1000803.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-1000803.txtar
new file mode 100644
index 0000000..8fa566a
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-1000803.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2018-1000803.
+
+-- affects_go_result --
+module_path: github.com/go-gitea/gitea
+package_path: ""
+reason: Reference data URL "https://github.com/go-gitea/gitea/pull/4664/files#diff-146e0c2b5bb1ea96c9fb73d509456e57" contains path "github.com/go-gitea/gitea"; "https://pkg.go.dev/github.com/go-gitea/gitea" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-15192.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-15192.txtar
new file mode 100644
index 0000000..3306665
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-15192.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2018-15192.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-18625.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-18625.txtar
new file mode 100644
index 0000000..9a8405e
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-18625.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2018-18625.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-18993.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-18993.txtar
new file mode 100644
index 0000000..e8c9158
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-18993.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2018-18993.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-20303.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-20303.txtar
new file mode 100644
index 0000000..fa29537
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2018-20303.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2018-20303.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-1000008.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-1000008.txtar
new file mode 100644
index 0000000..6db8ae9
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-1000008.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2019-1000008.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-11246.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-11246.txtar
new file mode 100644
index 0000000..60db866
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-11246.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2019-11246.
+
+-- affects_go_result --
+module_path: github.com/kubernetes/kubernetes
+package_path: ""
+reason: Reference data URL "https://github.com/kubernetes/kubernetes/pull/76788" contains path "github.com/kubernetes/kubernetes"; "https://pkg.go.dev/github.com/kubernetes/kubernetes" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-14944.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-14944.txtar
new file mode 100644
index 0000000..43fde8f
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-14944.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2019-14944.
+
+-- affects_go_result --
+module_path: gitlab.com/gitlab-org/gitaly
+package_path: ""
+reason: Reference data URL "https://gitlab.com/gitlab-org/gitaly/issues/1801" contains path "gitlab.com/gitlab-org/gitaly"; "https://pkg.go.dev/gitlab.com/gitlab-org/gitaly" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-16991.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-16991.txtar
new file mode 100644
index 0000000..7f5b7c1
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-16991.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2019-16991.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-19316.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-19316.txtar
new file mode 100644
index 0000000..43a4d29
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-19316.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2019-19316.
+
+-- affects_go_result --
+module_path: github.com/hashicorp/terraform
+package_path: ""
+reason: Reference data URL "https://github.com/hashicorp/terraform/security/advisories/GHSA-4rvg-555h-r626" contains path "github.com/hashicorp/terraform"; "https://pkg.go.dev/github.com/hashicorp/terraform" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-19794.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-19794.txtar
new file mode 100644
index 0000000..f2a5f4e
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-19794.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2019-19794.
+
+-- affects_go_result --
+module_path: github.com/miekg/dns
+package_path: ""
+reason: Reference data URL "https://github.com/miekg/dns/pull/1044" contains path "github.com/miekg/dns"; "https://pkg.go.dev/github.com/miekg/dns" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-2130.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-2130.txtar
new file mode 100644
index 0000000..294ec0e
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-2130.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2019-2130.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-3876.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-3876.txtar
new file mode 100644
index 0000000..fe97591
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-3876.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2019-3876.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-9379.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-9379.txtar
new file mode 100644
index 0000000..cfdb6ee
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-9379.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2019-9379.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-9741.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-9741.txtar
new file mode 100644
index 0000000..e71b7ea
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2019-9741.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2019-9741.
+
+-- affects_go_result --
+module_path: std
+package_path: ""
+reason: Reference data URL "https://github.com/golang/go/issues/30794" contains "github.com/golang"
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-10417.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-10417.txtar
new file mode 100644
index 0000000..ffe4b22
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-10417.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2020-10417.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-10661.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-10661.txtar
new file mode 100644
index 0000000..bf4a43e
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-10661.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2020-10661.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-15129.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-15129.txtar
new file mode 100644
index 0000000..34b9269
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-15129.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2020-15129.
+
+-- affects_go_result --
+module_path: github.com/containous/traefik
+package_path: ""
+reason: Reference data URL "https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp" contains path "github.com/containous/traefik"; "https://pkg.go.dev/github.com/containous/traefik" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-1764.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-1764.txtar
new file mode 100644
index 0000000..b519246
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-1764.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2020-1764.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-19957.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-19957.txtar
new file mode 100644
index 0000000..3ac5faf
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-19957.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2020-19957.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-25017.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-25017.txtar
new file mode 100644
index 0000000..c1be288
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-25017.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2020-25017.
+
+-- affects_go_result --
+module_path: github.com/envoyproxy/envoy
+package_path: ""
+reason: Reference data URL "https://github.com/envoyproxy/envoy/security/advisories/GHSA-2v25-cjjq-5f4w" contains path "github.com/envoyproxy/envoy"; "https://pkg.go.dev/github.com/envoyproxy/envoy" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-26240.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-26240.txtar
new file mode 100644
index 0000000..13ff632
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-26240.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2020-26240.
+
+-- affects_go_result --
+module_path: github.com/ethereum/go-ethereum
+package_path: ""
+reason: Reference data URL "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p" contains path "github.com/ethereum/go-ethereum"; "https://pkg.go.dev/github.com/ethereum/go-ethereum" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-26276.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-26276.txtar
new file mode 100644
index 0000000..c203dd9
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-26276.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2020-26276.
+
+-- affects_go_result --
+module_path: github.com/fleetdm/fleet
+package_path: ""
+reason: Reference data URL "https://github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx" contains path "github.com/fleetdm/fleet"; "https://pkg.go.dev/github.com/fleetdm/fleet" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-36568.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-36568.txtar
new file mode 100644
index 0000000..cbff155
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-36568.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2020-36568.
+
+-- affects_go_result --
+module_path: github.com/revel/revel
+package_path: ""
+reason: Reference data URL "https://github.com/revel/revel/pull/1427" contains path "github.com/revel/revel"; "https://pkg.go.dev/github.com/revel/revel" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-8558.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-8558.txtar
new file mode 100644
index 0000000..e9f6515
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2020-8558.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2020-8558.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-21403.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-21403.txtar
new file mode 100644
index 0000000..53c603a
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-21403.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2021-21403.
+
+-- affects_go_result --
+module_path: github.com/kongchuanhujiao/server
+package_path: ""
+reason: Reference data URL "https://github.com/kongchuanhujiao/server/security/advisories/GHSA-8wrg-m8vm-5fvj" contains path "github.com/kongchuanhujiao/server"; "https://pkg.go.dev/github.com/kongchuanhujiao/server" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-29499.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-29499.txtar
new file mode 100644
index 0000000..99d1ed4
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-29499.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2021-29499.
+
+-- affects_go_result --
+module_path: github.com/sylabs/sif
+package_path: ""
+reason: Reference data URL "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg" contains path "github.com/sylabs/sif"; "https://pkg.go.dev/github.com/sylabs/sif" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-30962.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-30962.txtar
new file mode 100644
index 0000000..3743077
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-30962.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2021-30962.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-3495.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-3495.txtar
new file mode 100644
index 0000000..676cc1e
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-3495.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2021-3495.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-39391.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-39391.txtar
new file mode 100644
index 0000000..9b439b1
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-39391.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2021-39391.
+
+-- affects_go_result --
+module_path: github.com/beego/beego
+package_path: ""
+reason: Reference data URL "https://github.com/beego/beego" contains path "github.com/beego/beego"; "https://pkg.go.dev/github.com/beego/beego" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-42135.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-42135.txtar
new file mode 100644
index 0000000..d32811e
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-42135.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2021-42135.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-42583.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-42583.txtar
new file mode 100644
index 0000000..3638e60
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2021-42583.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2021-42583.
+
+-- affects_go_result --
+module_path: github.com/foxcpp/maddy
+package_path: ""
+reason: Reference data URL "https://github.com/foxcpp/maddy/releases/tag/v0.5.2" contains path "github.com/foxcpp/maddy"; "https://pkg.go.dev/github.com/foxcpp/maddy" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-21713.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-21713.txtar
new file mode 100644
index 0000000..715de2c
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-21713.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-21713.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-2385.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-2385.txtar
new file mode 100644
index 0000000..04c9abf
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-2385.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-2385.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-24826.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-24826.txtar
new file mode 100644
index 0000000..b56d1d1
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-24826.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-24826.
+
+-- affects_go_result --
+module_path: github.com/git-lfs/git-lfs
+package_path: ""
+reason: Reference data URL "https://github.com/git-lfs/git-lfs/releases" contains path "github.com/git-lfs/git-lfs"; "https://pkg.go.dev/github.com/git-lfs/git-lfs" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-24905.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-24905.txtar
new file mode 100644
index 0000000..7dd064d
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-24905.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-24905.
+
+-- affects_go_result --
+module_path: github.com/argoproj/argo-cd
+package_path: ""
+reason: Reference data URL "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15" contains path "github.com/argoproj/argo-cd"; "https://pkg.go.dev/github.com/argoproj/argo-cd" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-25327.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-25327.txtar
new file mode 100644
index 0000000..261d84f
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-25327.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-25327.
+
+-- affects_go_result --
+module_path: github.com/google/fscrypt
+package_path: ""
+reason: Reference data URL "https://github.com/google/fscrypt/pull/346" contains path "github.com/google/fscrypt"; "https://pkg.go.dev/github.com/google/fscrypt" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-27649.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-27649.txtar
new file mode 100644
index 0000000..c8a75e2
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-27649.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-27649.
+
+-- affects_go_result --
+module_path: github.com/containers/podman
+package_path: ""
+reason: Reference data URL "https://github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j" contains path "github.com/containers/podman"; "https://pkg.go.dev/github.com/containers/podman" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-2880.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-2880.txtar
new file mode 100644
index 0000000..90dbe88
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-2880.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-2880.
+
+-- affects_go_result --
+module_path: std
+package_path: vuln/GO-2022-1038
+reason: Reference data URL "https://pkg.go.dev/vuln/GO-2022-1038" contains path "vuln/GO-2022-1038"
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-31097.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-31097.txtar
new file mode 100644
index 0000000..5c06142
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-31097.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-31097.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-34800.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-34800.txtar
new file mode 100644
index 0000000..ebb2497
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-34800.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-34800.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-36309.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-36309.txtar
new file mode 100644
index 0000000..502fe6e
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-36309.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-36309.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-38638.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-38638.txtar
new file mode 100644
index 0000000..2d389e0
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-38638.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-38638.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-39238.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-39238.txtar
new file mode 100644
index 0000000..0bdc0c5
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-39238.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-39238.
+
+-- affects_go_result --
+module_path: github.com/arvados/arvados
+package_path: ""
+reason: Reference data URL "https://github.com/arvados/arvados/security/advisories/GHSA-87jr-xwhg-cxjv" contains path "github.com/arvados/arvados"; "https://pkg.go.dev/github.com/arvados/arvados" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-40083.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-40083.txtar
new file mode 100644
index 0000000..b1fd940
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-40083.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-40083.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-4045.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-4045.txtar
new file mode 100644
index 0000000..b1efeac
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-4045.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-4045.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-41912.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-41912.txtar
new file mode 100644
index 0000000..d13a90b
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-41912.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-41912.
+
+-- affects_go_result --
+module_path: github.com/crewjam/saml
+package_path: ""
+reason: Reference data URL "https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g" contains path "github.com/crewjam/saml"; "https://pkg.go.dev/github.com/crewjam/saml" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-44797.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-44797.txtar
new file mode 100644
index 0000000..7236a76
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-44797.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-44797.
+
+-- affects_go_result --
+module_path: github.com/lightningnetwork/lnd
+package_path: ""
+reason: Reference data URL "https://github.com/lightningnetwork/lnd/releases/tag/v0.15.2-beta" contains path "github.com/lightningnetwork/lnd"; "https://pkg.go.dev/github.com/lightningnetwork/lnd" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-44942.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-44942.txtar
new file mode 100644
index 0000000..303a062
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-44942.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-44942.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-46167.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-46167.txtar
new file mode 100644
index 0000000..fb6784d
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-46167.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-46167.
+
+-- affects_go_result --
+module_path: github.com/clastix/capsule
+package_path: ""
+reason: Reference data URL "https://github.com/clastix/capsule/security/advisories/GHSA-x45c-cvp8-q4fm" contains path "github.com/clastix/capsule"; "https://pkg.go.dev/github.com/clastix/capsule" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-4813.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-4813.txtar
new file mode 100644
index 0000000..03aa318
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-4813.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-4813.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-4850.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-4850.txtar
new file mode 100644
index 0000000..ff5a35b
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2022-4850.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2022-4850.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-1238.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-1238.txtar
new file mode 100644
index 0000000..9fe6505
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-1238.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-1238.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-28436.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-28436.txtar
new file mode 100644
index 0000000..940d4e8
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-28436.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-28436.
+
+-- affects_go_result --
+module_path: github.com/tailscale/tailscale
+package_path: ""
+reason: Reference data URL "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595" contains path "github.com/tailscale/tailscale"; "https://pkg.go.dev/github.com/tailscale/tailscale" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-32758.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-32758.txtar
new file mode 100644
index 0000000..77f0474
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-32758.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-32758.
+
+-- affects_go_result --
+module_path: github.com/returntocorp/semgrep
+package_path: ""
+reason: Reference data URL "https://github.com/returntocorp/semgrep/pull/7611" contains path "github.com/returntocorp/semgrep"; "https://pkg.go.dev/github.com/returntocorp/semgrep" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-34091.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-34091.txtar
new file mode 100644
index 0000000..705967c
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-34091.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-34091.
+
+-- affects_go_result --
+module_path: github.com/kyverno/kyverno
+package_path: ""
+reason: Reference data URL "https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc" contains path "github.com/kyverno/kyverno"; "https://pkg.go.dev/github.com/kyverno/kyverno" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-35993.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-35993.txtar
new file mode 100644
index 0000000..50a70ac
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-35993.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-35993.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-37265.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-37265.txtar
new file mode 100644
index 0000000..b25e6fc
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-37265.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-37265.
+
+-- affects_go_result --
+module_path: github.com/IceWhaleTech/CasaOS-Gateway
+package_path: ""
+reason: Reference data URL "https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g" contains path "github.com/IceWhaleTech/CasaOS-Gateway"; "https://pkg.go.dev/github.com/IceWhaleTech/CasaOS-Gateway" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-39964.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-39964.txtar
new file mode 100644
index 0000000..60505a6
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-39964.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-39964.
+
+-- affects_go_result --
+module_path: github.com/1Panel-dev/1Panel
+package_path: ""
+reason: Reference data URL "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-pv7q-v9mv-9mh5" contains path "github.com/1Panel-dev/1Panel"; "https://pkg.go.dev/github.com/1Panel-dev/1Panel" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-42816.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-42816.txtar
new file mode 100644
index 0000000..bca13dc
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-42816.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-42816.
+
+-- affects_go_result --
+module_path: github.com/kyverno/kyverno
+package_path: ""
+reason: Reference data URL "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r" contains path "github.com/kyverno/kyverno"; "https://pkg.go.dev/github.com/kyverno/kyverno" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-43620.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-43620.txtar
new file mode 100644
index 0000000..b19d16d
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-43620.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-43620.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-43884.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-43884.txtar
new file mode 100644
index 0000000..d5738c0
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-43884.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-43884.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45142.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45142.txtar
new file mode 100644
index 0000000..02488fb
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45142.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-45142.
+
+-- affects_go_result --
+module_path: github.com/open-telemetry/opentelemetry-go-contrib
+package_path: ""
+reason: Reference data URL "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr" contains path "github.com/open-telemetry/opentelemetry-go-contrib"; "https://pkg.go.dev/github.com/open-telemetry/opentelemetry-go-contrib" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45223.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45223.txtar
new file mode 100644
index 0000000..3854d23
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45223.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-45223.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45284.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45284.txtar
new file mode 100644
index 0000000..83381ab
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45284.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-45284.
+
+-- affects_go_result --
+module_path: std
+package_path: vuln/GO-2023-2186
+reason: Reference data URL "https://pkg.go.dev/vuln/GO-2023-2186" contains path "vuln/GO-2023-2186"
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45825.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45825.txtar
new file mode 100644
index 0000000..061ca40
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-45825.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-45825.
+
+-- affects_go_result --
+module_path: github.com/ydb-platform/ydb-go-sdk
+package_path: ""
+reason: Reference data URL "https://github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8" contains path "github.com/ydb-platform/ydb-go-sdk"; "https://pkg.go.dev/github.com/ydb-platform/ydb-go-sdk" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-46740.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-46740.txtar
new file mode 100644
index 0000000..1333af7
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-46740.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-46740.
+
+-- affects_go_result --
+module_path: github.com/cubefs/cubefs
+package_path: ""
+reason: Reference data URL "https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm" contains path "github.com/cubefs/cubefs"; "https://pkg.go.dev/github.com/cubefs/cubefs" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-47108.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-47108.txtar
new file mode 100644
index 0000000..e6adbbd
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-47108.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-47108.
+
+-- affects_go_result --
+module_path: github.com/open-telemetry/opentelemetry-go-contrib
+package_path: ""
+reason: Reference data URL "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw" contains path "github.com/open-telemetry/opentelemetry-go-contrib"; "https://pkg.go.dev/github.com/open-telemetry/opentelemetry-go-contrib" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-48312.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-48312.txtar
new file mode 100644
index 0000000..a638d34
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-48312.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-48312.
+
+-- affects_go_result --
+module_path: github.com/projectcapsule/capsule-proxy
+package_path: ""
+reason: Reference data URL "https://github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-fpvw-6m5v-hqfp" contains path "github.com/projectcapsule/capsule-proxy"; "https://pkg.go.dev/github.com/projectcapsule/capsule-proxy" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-48795.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-48795.txtar
new file mode 100644
index 0000000..ac9c54f
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-48795.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-48795.
+
+-- affects_go_result --
+module_path: github.com/drakkan/sftpgo
+package_path: ""
+reason: Reference data URL "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6" contains path "github.com/drakkan/sftpgo"; "https://pkg.go.dev/github.com/drakkan/sftpgo" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-49946.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-49946.txtar
new file mode 100644
index 0000000..df5ff3b
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-49946.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-49946.
+
+-- affects_go_result --
+module_path: codeberg.org/forgejo/forgejo
+package_path: ""
+reason: Reference data URL "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md" contains path "codeberg.org/forgejo/forgejo"; "https://pkg.go.dev/codeberg.org/forgejo/forgejo" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-52430.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-52430.txtar
new file mode 100644
index 0000000..488f4b4
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2023-52430.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2023-52430.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-21848.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-21848.txtar
new file mode 100644
index 0000000..8d31982
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-21848.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2024-21848.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-24774.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-24774.txtar
new file mode 100644
index 0000000..78f9758
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-24774.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2024-24774.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-24988.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-24988.txtar
new file mode 100644
index 0000000..a8e97e0
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-24988.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2024-24988.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-27304.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-27304.txtar
new file mode 100644
index 0000000..383efb2
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-27304.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2024-27304.
+
+-- affects_go_result --
+module_path: github.com/jackc/pgx
+package_path: ""
+reason: Reference data URL "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv" contains path "github.com/jackc/pgx"; "https://pkg.go.dev/github.com/jackc/pgx" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-28860.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-28860.txtar
new file mode 100644
index 0000000..1626279
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-28860.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2024-28860.
+
+-- affects_go_result --
+module_path: github.com/cilium/cilium
+package_path: ""
+reason: Reference data URL "https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586" contains path "github.com/cilium/cilium"; "https://pkg.go.dev/github.com/cilium/cilium" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-30623.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-30623.txtar
new file mode 100644
index 0000000..b9fe3bc
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-30623.txtar
@@ -0,0 +1,10 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2024-30623.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: false
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-37032.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-37032.txtar
new file mode 100644
index 0000000..3e3c24e
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-37032.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2024-37032.
+
+-- affects_go_result --
+module_path: github.com/ollama/ollama
+package_path: ""
+reason: Reference data URL "https://github.com/ollama/ollama/pull/4175" contains path "github.com/ollama/ollama"; "https://pkg.go.dev/github.com/ollama/ollama" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-37153.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-37153.txtar
new file mode 100644
index 0000000..29fb409
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-37153.txtar
@@ -0,0 +1,12 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2024-37153.
+
+-- affects_go_result --
+module_path: github.com/evmos/evmos
+package_path: ""
+reason: Reference data URL "https://github.com/evmos/evmos/security/advisories/GHSA-xgr7-jgq3-mhmc" contains path "github.com/evmos/evmos"; "https://pkg.go.dev/github.com/evmos/evmos" returned a status 200
+-- eval --
+in_vulndb: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-5798.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-5798.txtar
new file mode 100644
index 0000000..b1ca204
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-5798.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2024-5798.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-6104.txtar b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-6104.txtar
new file mode 100644
index 0000000..143fd2d
--- /dev/null
+++ b/internal/triage/testdata/cve/TestAffectsGo/CVE-2024-6104.txtar
@@ -0,0 +1,11 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Expected output of TestAffectsGo/CVE-2024-6104.
+
+-- affects_go_result --
+null
+-- eval --
+in_vulndb: true
+mismatch: true
diff --git a/internal/triage/testdata/cve/cvelist.txtar b/internal/triage/testdata/cve/cvelist.txtar
new file mode 100644
index 0000000..3bde4cd
--- /dev/null
+++ b/internal/triage/testdata/cve/cvelist.txtar
@@ -0,0 +1,14848 @@
+Copyright 2024 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+Repo in the shape of "https://github.com/CVEProject/cvelistV5".
+Updated with real data 2024-08-01T20:00:00-04:00.
+Auto-generated; do not edit directly.
+
+-- README.md --
+ignore me please
+
+-- cves/2002/0xxx/CVE-2002-0852.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2002-08-12T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Buffer overflows in Cisco Virtual Private Network (VPN) Client 3.5.4 and earlier allows remote attackers to cause a denial of service via (1) an Internet Key Exchange (IKE) with a large Security Parameter Index (SPI) payload, or (2) an IKE packet with a large number of valid payloads."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2002-08-31T09:00:00",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "name": "20020812 Cisco VPN Client Multiple Vulnerabilities",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_CISCO"
+ ],
+ "url": "http://www.cisco.com/warp/public/707/vpnclient-multiple-vuln-pub.shtml"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2002-0852",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Buffer overflows in Cisco Virtual Private Network (VPN) Client 3.5.4 and earlier allows remote attackers to cause a denial of service via (1) an Internet Key Exchange (IKE) with a large Security Parameter Index (SPI) payload, or (2) an IKE packet with a large number of valid payloads."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "20020812 Cisco VPN Client Multiple Vulnerabilities",
+ "refsource": "CISCO",
+ "url": "http://www.cisco.com/warp/public/707/vpnclient-multiple-vuln-pub.shtml"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2002-0852",
+ "datePublished": "2002-08-14T04:00:00",
+ "dateReserved": "2002-08-12T00:00:00",
+ "dateUpdated": "2002-08-31T09:00:00",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2007/4xxx/CVE-2007-4762.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2007-09-02T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Multiple SQL injection vulnerabilities in embadmin/login.asp in E-SMARTCART 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) user and (2) pass fields, different vectors than CVE-2007-0092."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2018-10-15T20:57:01",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "name": "esmartcart-login-sql-injection(39988)",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_XF"
+ ],
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39988"
+ },
+ {
+ "name": "20080124 E-SMART CART bypass",
+ "tags": [
+ "mailing-list",
+ "x_refsource_BUGTRAQ"
+ ],
+ "url": "http://www.securityfocus.com/archive/1/487055/100/200/threaded"
+ },
+ {
+ "name": "38419",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_OSVDB"
+ ],
+ "url": "http://osvdb.org/38419"
+ },
+ {
+ "name": "27452",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_BID"
+ ],
+ "url": "http://www.securityfocus.com/bid/27452"
+ },
+ {
+ "name": "25532",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_BID"
+ ],
+ "url": "http://www.securityfocus.com/bid/25532"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "http://14house.blogspot.com/2007/09/e-smart-cart-sql-injection.html"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2007-4762",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Multiple SQL injection vulnerabilities in embadmin/login.asp in E-SMARTCART 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) user and (2) pass fields, different vectors than CVE-2007-0092."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "esmartcart-login-sql-injection(39988)",
+ "refsource": "XF",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39988"
+ },
+ {
+ "name": "20080124 E-SMART CART bypass",
+ "refsource": "BUGTRAQ",
+ "url": "http://www.securityfocus.com/archive/1/487055/100/200/threaded"
+ },
+ {
+ "name": "38419",
+ "refsource": "OSVDB",
+ "url": "http://osvdb.org/38419"
+ },
+ {
+ "name": "27452",
+ "refsource": "BID",
+ "url": "http://www.securityfocus.com/bid/27452"
+ },
+ {
+ "name": "25532",
+ "refsource": "BID",
+ "url": "http://www.securityfocus.com/bid/25532"
+ },
+ {
+ "name": "http://14house.blogspot.com/2007/09/e-smart-cart-sql-injection.html",
+ "refsource": "MISC",
+ "url": "http://14house.blogspot.com/2007/09/e-smart-cart-sql-injection.html"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2007-4762",
+ "datePublished": "2007-09-08T10:00:00",
+ "dateReserved": "2007-09-07T00:00:00",
+ "dateUpdated": "2018-10-15T20:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2008/2xxx/CVE-2008-2580.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2008-07-15T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, and 9.0 has unknown impact and remote attack vectors."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2017-08-07T12:57:01",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html"
+ },
+ {
+ "name": "ADV-2008-2115",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_VUPEN"
+ ],
+ "url": "http://www.vupen.com/english/advisories/2008/2115"
+ },
+ {
+ "name": "SSRT061201",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_HP"
+ ],
+ "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00727143"
+ },
+ {
+ "name": "HPSBMA02133",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_HP"
+ ],
+ "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00727143"
+ },
+ {
+ "name": "ADV-2008-2109",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_VUPEN"
+ ],
+ "url": "http://www.vupen.com/english/advisories/2008/2109/references"
+ },
+ {
+ "name": "31087",
+ "tags": [
+ "third-party-advisory",
+ "x_refsource_SECUNIA"
+ ],
+ "url": "http://secunia.com/advisories/31087"
+ },
+ {
+ "name": "31113",
+ "tags": [
+ "third-party-advisory",
+ "x_refsource_SECUNIA"
+ ],
+ "url": "http://secunia.com/advisories/31113"
+ },
+ {
+ "name": "oracle-weblogic-jsp-info-disclosure(43829)",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_XF"
+ ],
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43829"
+ },
+ {
+ "name": "1020498",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_SECTRACK"
+ ],
+ "url": "http://www.securitytracker.com/id?1020498"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2008-2580",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, and 9.0 has unknown impact and remote attack vectors."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html",
+ "refsource": "CONFIRM",
+ "url": "http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html"
+ },
+ {
+ "name": "ADV-2008-2115",
+ "refsource": "VUPEN",
+ "url": "http://www.vupen.com/english/advisories/2008/2115"
+ },
+ {
+ "name": "SSRT061201",
+ "refsource": "HP",
+ "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00727143"
+ },
+ {
+ "name": "HPSBMA02133",
+ "refsource": "HP",
+ "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00727143"
+ },
+ {
+ "name": "ADV-2008-2109",
+ "refsource": "VUPEN",
+ "url": "http://www.vupen.com/english/advisories/2008/2109/references"
+ },
+ {
+ "name": "31087",
+ "refsource": "SECUNIA",
+ "url": "http://secunia.com/advisories/31087"
+ },
+ {
+ "name": "31113",
+ "refsource": "SECUNIA",
+ "url": "http://secunia.com/advisories/31113"
+ },
+ {
+ "name": "oracle-weblogic-jsp-info-disclosure(43829)",
+ "refsource": "XF",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43829"
+ },
+ {
+ "name": "1020498",
+ "refsource": "SECTRACK",
+ "url": "http://www.securitytracker.com/id?1020498"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2008-2580",
+ "datePublished": "2008-07-15T23:00:00",
+ "dateReserved": "2008-06-09T00:00:00",
+ "dateUpdated": "2017-08-07T12:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2008/3xxx/CVE-2008-3079.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2008-07-03T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Unspecified vulnerability in Opera before 9.51 on Windows allows attackers to execute arbitrary code via unknown vectors."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2017-08-07T12:57:01",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "http://www.opera.com/docs/changelogs/windows/951/"
+ },
+ {
+ "name": "30937",
+ "tags": [
+ "third-party-advisory",
+ "x_refsource_SECUNIA"
+ ],
+ "url": "http://secunia.com/advisories/30937"
+ },
+ {
+ "name": "ADV-2008-1998",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_VUPEN"
+ ],
+ "url": "http://www.vupen.com/english/advisories/2008/1998/references"
+ },
+ {
+ "name": "opera-unspec-code-execution(43576)",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_XF"
+ ],
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43576"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2008-3079",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Unspecified vulnerability in Opera before 9.51 on Windows allows attackers to execute arbitrary code via unknown vectors."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "http://www.opera.com/docs/changelogs/windows/951/",
+ "refsource": "CONFIRM",
+ "url": "http://www.opera.com/docs/changelogs/windows/951/"
+ },
+ {
+ "name": "30937",
+ "refsource": "SECUNIA",
+ "url": "http://secunia.com/advisories/30937"
+ },
+ {
+ "name": "ADV-2008-1998",
+ "refsource": "VUPEN",
+ "url": "http://www.vupen.com/english/advisories/2008/1998/references"
+ },
+ {
+ "name": "opera-unspec-code-execution(43576)",
+ "refsource": "XF",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43576"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2008-3079",
+ "datePublished": "2008-07-09T00:00:00",
+ "dateReserved": "2008-07-08T00:00:00",
+ "dateUpdated": "2017-08-07T12:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2010/0xxx/CVE-2010-0197.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2010-04-13T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to cause a denial of service (memory corruption) or execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0194, CVE-2010-0201, and CVE-2010-0204."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2017-09-18T12:57:01",
+ "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
+ "shortName": "adobe"
+ },
+ "references": [
+ {
+ "name": "oval:org.mitre.oval:def:7298",
+ "tags": [
+ "vdb-entry",
+ "signature",
+ "x_refsource_OVAL"
+ ],
+ "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7298"
+ },
+ {
+ "name": "ADV-2010-0873",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_VUPEN"
+ ],
+ "url": "http://www.vupen.com/english/advisories/2010/0873"
+ },
+ {
+ "name": "TA10-103C",
+ "tags": [
+ "third-party-advisory",
+ "x_refsource_CERT"
+ ],
+ "url": "http://www.us-cert.gov/cas/techalerts/TA10-103C.html"
+ },
+ {
+ "name": "39329",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_BID"
+ ],
+ "url": "http://www.securityfocus.com/bid/39329"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "http://www.adobe.com/support/security/bulletins/apsb10-09.html"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "psirt@adobe.com",
+ "ID": "CVE-2010-0197",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to cause a denial of service (memory corruption) or execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0194, CVE-2010-0201, and CVE-2010-0204."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "oval:org.mitre.oval:def:7298",
+ "refsource": "OVAL",
+ "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7298"
+ },
+ {
+ "name": "ADV-2010-0873",
+ "refsource": "VUPEN",
+ "url": "http://www.vupen.com/english/advisories/2010/0873"
+ },
+ {
+ "name": "TA10-103C",
+ "refsource": "CERT",
+ "url": "http://www.us-cert.gov/cas/techalerts/TA10-103C.html"
+ },
+ {
+ "name": "39329",
+ "refsource": "BID",
+ "url": "http://www.securityfocus.com/bid/39329"
+ },
+ {
+ "name": "http://www.adobe.com/support/security/bulletins/apsb10-09.html",
+ "refsource": "CONFIRM",
+ "url": "http://www.adobe.com/support/security/bulletins/apsb10-09.html"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
+ "assignerShortName": "adobe",
+ "cveId": "CVE-2010-0197",
+ "datePublished": "2010-04-14T15:44:00",
+ "dateReserved": "2010-01-06T00:00:00",
+ "dateUpdated": "2017-09-18T12:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2010/3xxx/CVE-2010-3671.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2010-07-28T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2019-11-05T19:19:02",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://security-tracker.debian.org/tracker/CVE-2010-3671"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Broken_Authentication_and_Session_Management"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2010-3671",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://security-tracker.debian.org/tracker/CVE-2010-3671",
+ "refsource": "MISC",
+ "url": "https://security-tracker.debian.org/tracker/CVE-2010-3671"
+ },
+ {
+ "name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719",
+ "refsource": "MISC",
+ "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719"
+ },
+ {
+ "name": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Broken_Authentication_and_Session_Management",
+ "refsource": "CONFIRM",
+ "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Broken_Authentication_and_Session_Management"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2010-3671",
+ "datePublished": "2019-11-05T19:19:02",
+ "dateReserved": "2010-09-28T00:00:00",
+ "dateUpdated": "2019-11-05T19:19:02",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2011/3xxx/CVE-2011-3350.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "masqmail",
+ "vendor": "masqmail",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "0.2.21 through 0.2.30"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "masqmail 0.2.21 through 0.2.30 improperly calls seteuid() in src/log.c and src/masqmail.c that results in improper privilege dropping."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "Other",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2019-11-19T22:16:23",
+ "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "shortName": "redhat"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://security-tracker.debian.org/tracker/CVE-2011-3350"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://access.redhat.com/security/cve/cve-2011-3350"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638002"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "secalert@redhat.com",
+ "ID": "CVE-2011-3350",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "masqmail",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "0.2.21 through 0.2.30"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "masqmail"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "masqmail 0.2.21 through 0.2.30 improperly calls seteuid() in src/log.c and src/masqmail.c that results in improper privilege dropping."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Other"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://security-tracker.debian.org/tracker/CVE-2011-3350",
+ "refsource": "MISC",
+ "url": "https://security-tracker.debian.org/tracker/CVE-2011-3350"
+ },
+ {
+ "name": "https://access.redhat.com/security/cve/cve-2011-3350",
+ "refsource": "MISC",
+ "url": "https://access.redhat.com/security/cve/cve-2011-3350"
+ },
+ {
+ "name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638002",
+ "refsource": "MISC",
+ "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638002"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "assignerShortName": "redhat",
+ "cveId": "CVE-2011-3350",
+ "datePublished": "2019-11-19T22:16:23",
+ "dateReserved": "2011-08-30T00:00:00",
+ "dateUpdated": "2019-11-19T22:16:23",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2014/0xxx/CVE-2014-0718.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2014-02-19T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The produce-verbose-alert feature in Cisco IPS Software 7.1 before 7.1(8)E4 and 7.2 before 7.2(2)E4 allows remote attackers to cause a denial of service (Analysis Engine process outage) via fragmented packets, aka Bug ID CSCui91266."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2014-02-24T05:57:03",
+ "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
+ "shortName": "cisco"
+ },
+ "references": [
+ {
+ "name": "20140219 Multiple Vulnerabilities in Cisco IPS Software",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_CISCO"
+ ],
+ "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ips"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "psirt@cisco.com",
+ "ID": "CVE-2014-0718",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The produce-verbose-alert feature in Cisco IPS Software 7.1 before 7.1(8)E4 and 7.2 before 7.2(2)E4 allows remote attackers to cause a denial of service (Analysis Engine process outage) via fragmented packets, aka Bug ID CSCui91266."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "20140219 Multiple Vulnerabilities in Cisco IPS Software",
+ "refsource": "CISCO",
+ "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ips"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
+ "assignerShortName": "cisco",
+ "cveId": "CVE-2014-0718",
+ "datePublished": "2014-02-22T21:00:00",
+ "dateReserved": "2014-01-02T00:00:00",
+ "dateUpdated": "2014-02-24T05:57:03",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2015/1xxx/CVE-2015-1707.json --
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "dateUpdated": "2017-05-11T13:57:01",
+ "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
+ "shortName": "microsoft"
+ },
+ "rejectedReasons": [
+ {
+ "lang": "en",
+ "value": "DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2015. Notes: none"
+ }
+ ]
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
+ "assignerShortName": "microsoft",
+ "cveId": "CVE-2015-1707",
+ "datePublished": "2017-05-11T14:01:00",
+ "dateRejected": "2017-05-11T13:57:01",
+ "dateReserved": "2015-02-17T00:00:00",
+ "dateUpdated": "2017-05-11T13:57:01",
+ "state": "REJECTED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2016/15xxx/CVE-2016-15005.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2016-15005",
+ "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
+ "state": "PUBLISHED",
+ "assignerShortName": "Go",
+ "dateReserved": "2022-07-29T18:33:03.456Z",
+ "datePublished": "2022-12-27T21:13:27.393Z",
+ "dateUpdated": "2023-06-12T19:04:00.986Z"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
+ "shortName": "Go",
+ "dateUpdated": "2023-06-12T19:04:00.986Z"
+ },
+ "title": "Cryptographically weak random number generation in github.com/dinever/golf",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "github.com/dinever/golf",
+ "product": "github.com/dinever/golf",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/dinever/golf",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.3.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "randomBytes"
+ },
+ {
+ "name": "Context.Render"
+ },
+ {
+ "name": "Context.RenderFromString"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/dinever/golf/pull/24"
+ },
+ {
+ "url": "https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe"
+ },
+ {
+ "url": "https://github.com/dinever/golf/issues/20"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2020-0045"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@elithrar"
+ }
+ ]
+ }
+ }
+}
+-- cves/2016/1xxx/CVE-2016-1544.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "nghttp2",
+ "vendor": "nghttp2",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "before 1.7.1"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2016-02-15T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion)."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "Other",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2020-02-06T14:20:29",
+ "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
+ "shortName": "certcc"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1308461"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.7.1"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/nghttp2/nghttp2/compare/v1.7.0...v1.7.1"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://security.gentoo.org/glsa/201612-13"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177666.html"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177308.html"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cert@cert.org",
+ "ID": "CVE-2016-1544",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "nghttp2",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "before 1.7.1"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "nghttp2"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion)."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Other"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1308461",
+ "refsource": "CONFIRM",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1308461"
+ },
+ {
+ "name": "https://github.com/nghttp2/nghttp2/releases/tag/v1.7.1",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.7.1"
+ },
+ {
+ "name": "https://github.com/nghttp2/nghttp2/compare/v1.7.0...v1.7.1",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/nghttp2/nghttp2/compare/v1.7.0...v1.7.1"
+ },
+ {
+ "name": "https://security.gentoo.org/glsa/201612-13",
+ "refsource": "CONFIRM",
+ "url": "https://security.gentoo.org/glsa/201612-13"
+ },
+ {
+ "name": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177666.html",
+ "refsource": "CONFIRM",
+ "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177666.html"
+ },
+ {
+ "name": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177308.html",
+ "refsource": "CONFIRM",
+ "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177308.html"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
+ "assignerShortName": "certcc",
+ "cveId": "CVE-2016-1544",
+ "datePublished": "2020-02-06T14:20:29",
+ "dateReserved": "2016-01-07T00:00:00",
+ "dateUpdated": "2020-02-06T14:20:29",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2016/4xxx/CVE-2016-4123.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2016-06-14T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2018-10-12T19:57:01",
+ "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
+ "shortName": "adobe"
+ },
+ "references": [
+ {
+ "name": "1036117",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_SECTRACK"
+ ],
+ "url": "http://www.securitytracker.com/id/1036117"
+ },
+ {
+ "name": "MS16-083",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_MS"
+ ],
+ "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-083"
+ },
+ {
+ "name": "openSUSE-SU-2016:1625",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_SUSE"
+ ],
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00038.html"
+ },
+ {
+ "name": "RHSA-2016:1238",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_REDHAT"
+ ],
+ "url": "https://access.redhat.com/errata/RHSA-2016:1238"
+ },
+ {
+ "name": "openSUSE-SU-2016:1621",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_SUSE"
+ ],
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00035.html"
+ },
+ {
+ "name": "SUSE-SU-2016:1613",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_SUSE"
+ ],
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00031.html"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://helpx.adobe.com/security/products/flash-player/apsb16-18.html"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "psirt@adobe.com",
+ "ID": "CVE-2016-4123",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "1036117",
+ "refsource": "SECTRACK",
+ "url": "http://www.securitytracker.com/id/1036117"
+ },
+ {
+ "name": "MS16-083",
+ "refsource": "MS",
+ "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-083"
+ },
+ {
+ "name": "openSUSE-SU-2016:1625",
+ "refsource": "SUSE",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00038.html"
+ },
+ {
+ "name": "RHSA-2016:1238",
+ "refsource": "REDHAT",
+ "url": "https://access.redhat.com/errata/RHSA-2016:1238"
+ },
+ {
+ "name": "openSUSE-SU-2016:1621",
+ "refsource": "SUSE",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00035.html"
+ },
+ {
+ "name": "SUSE-SU-2016:1613",
+ "refsource": "SUSE",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00031.html"
+ },
+ {
+ "name": "https://helpx.adobe.com/security/products/flash-player/apsb16-18.html",
+ "refsource": "CONFIRM",
+ "url": "https://helpx.adobe.com/security/products/flash-player/apsb16-18.html"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
+ "assignerShortName": "adobe",
+ "cveId": "CVE-2016-4123",
+ "datePublished": "2016-06-16T14:00:00",
+ "dateReserved": "2016-04-27T00:00:00",
+ "dateUpdated": "2018-10-12T19:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2016/7xxx/CVE-2016-7569.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2016-09-27T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Directory traversal vulnerability in docker2aci before 0.13.0 allows remote attackers to write to arbitrary files via a .. (dot dot) in the embedded layer data in an image."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2017-01-30T10:57:01",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/appc/docker2aci/issues/201"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/appc/docker2aci/releases/tag/v0.13.0"
+ },
+ {
+ "name": "[oss-security] 20160928 CVE Request: docker2aci: Path traversals present in image converting",
+ "tags": [
+ "mailing-list",
+ "x_refsource_MLIST"
+ ],
+ "url": "http://www.openwall.com/lists/oss-security/2016/09/28/2"
+ },
+ {
+ "name": "[oss-security] 20160928 Re: CVE Request: docker2aci: Path traversals present in image converting",
+ "tags": [
+ "mailing-list",
+ "x_refsource_MLIST"
+ ],
+ "url": "http://www.openwall.com/lists/oss-security/2016/09/28/4"
+ },
+ {
+ "name": "93194",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_BID"
+ ],
+ "url": "http://www.securityfocus.com/bid/93194"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2016-7569",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Directory traversal vulnerability in docker2aci before 0.13.0 allows remote attackers to write to arbitrary files via a .. (dot dot) in the embedded layer data in an image."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/appc/docker2aci/issues/201",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/appc/docker2aci/issues/201"
+ },
+ {
+ "name": "https://github.com/appc/docker2aci/releases/tag/v0.13.0",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/appc/docker2aci/releases/tag/v0.13.0"
+ },
+ {
+ "name": "[oss-security] 20160928 CVE Request: docker2aci: Path traversals present in image converting",
+ "refsource": "MLIST",
+ "url": "http://www.openwall.com/lists/oss-security/2016/09/28/2"
+ },
+ {
+ "name": "[oss-security] 20160928 Re: CVE Request: docker2aci: Path traversals present in image converting",
+ "refsource": "MLIST",
+ "url": "http://www.openwall.com/lists/oss-security/2016/09/28/4"
+ },
+ {
+ "name": "93194",
+ "refsource": "BID",
+ "url": "http://www.securityfocus.com/bid/93194"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2016-7569",
+ "datePublished": "2017-01-27T22:01:00",
+ "dateReserved": "2016-09-09T00:00:00",
+ "dateUpdated": "2017-01-30T10:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2016/9xxx/CVE-2016-9122.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "Go JOSE All versions before 1.0.4",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "Go JOSE All versions before 1.0.4"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2017-03-27T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "Cryptographic Issue",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2017-03-28T02:57:01",
+ "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
+ "shortName": "hackerone"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://hackerone.com/reports/169629"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "http://www.openwall.com/lists/oss-security/2016/11/03/1"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "support@hackerone.com",
+ "ID": "CVE-2016-9122",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Go JOSE All versions before 1.0.4",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "Go JOSE All versions before 1.0.4"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Cryptographic Issue"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://hackerone.com/reports/169629",
+ "refsource": "MISC",
+ "url": "https://hackerone.com/reports/169629"
+ },
+ {
+ "name": "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6",
+ "refsource": "MISC",
+ "url": "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6"
+ },
+ {
+ "name": "http://www.openwall.com/lists/oss-security/2016/11/03/1",
+ "refsource": "MISC",
+ "url": "http://www.openwall.com/lists/oss-security/2016/11/03/1"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
+ "assignerShortName": "hackerone",
+ "cveId": "CVE-2016-9122",
+ "datePublished": "2017-03-28T02:46:00",
+ "dateReserved": "2016-10-31T00:00:00",
+ "dateUpdated": "2017-03-28T02:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2017/1000xxx/CVE-2017-1000070.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "dateAssigned": "2017-05-06T00:00:00",
+ "datePublic": "2017-07-13T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2017-07-13T19:57:01",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/bitly/oauth2_proxy/pull/359"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://tools.ietf.org/html/rfc6819#section-5.2.3.5"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "DATE_ASSIGNED": "2017-05-06T20:43:28.320846",
+ "ID": "CVE-2017-1000070",
+ "REQUESTER": "mbrooks@snap.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819"
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/bitly/oauth2_proxy/pull/359",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/bitly/oauth2_proxy/pull/359"
+ },
+ {
+ "name": "https://tools.ietf.org/html/rfc6819#section-5.2.3.5",
+ "refsource": "MISC",
+ "url": "https://tools.ietf.org/html/rfc6819#section-5.2.3.5"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2017-1000070",
+ "datePublished": "2017-07-13T20:00:00",
+ "dateReserved": "2017-07-10T00:00:00",
+ "dateUpdated": "2017-07-13T19:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2017/4xxx/CVE-2017-4378.json --
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "dateUpdated": "2018-03-16T13:57:01",
+ "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
+ "shortName": "intel"
+ },
+ "rejectedReasons": [
+ {
+ "lang": "en",
+ "value": "DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none"
+ }
+ ]
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
+ "assignerShortName": "intel",
+ "cveId": "CVE-2017-4378",
+ "datePublished": "2018-03-16T14:04:00",
+ "dateRejected": "2018-03-16T13:57:01",
+ "dateReserved": "2016-12-26T00:00:00",
+ "dateUpdated": "2018-03-16T13:57:01",
+ "state": "REJECTED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2017/7xxx/CVE-2017-7468.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "curl",
+ "vendor": "[UNKNOWN]",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "curl 7.54.0"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2017-04-19T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_0": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.8,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "version": "3.0"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-295",
+ "description": "CWE-295",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2018-07-17T09:57:01",
+ "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "shortName": "redhat"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7468"
+ },
+ {
+ "name": "GLSA-201709-14",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_GENTOO"
+ ],
+ "url": "https://security.gentoo.org/glsa/201709-14"
+ },
+ {
+ "name": "1038341",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_SECTRACK"
+ ],
+ "url": "http://www.securitytracker.com/id/1038341"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://curl.haxx.se/docs/adv_20170419.html"
+ },
+ {
+ "name": "97962",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_BID"
+ ],
+ "url": "http://www.securityfocus.com/bid/97962"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "secalert@redhat.com",
+ "ID": "CVE-2017-7468",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "curl",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "curl 7.54.0"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "[UNKNOWN]"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": [
+ [
+ {
+ "vectorString": "4.8/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "version": "3.0"
+ }
+ ]
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-295"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7468",
+ "refsource": "CONFIRM",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7468"
+ },
+ {
+ "name": "GLSA-201709-14",
+ "refsource": "GENTOO",
+ "url": "https://security.gentoo.org/glsa/201709-14"
+ },
+ {
+ "name": "1038341",
+ "refsource": "SECTRACK",
+ "url": "http://www.securitytracker.com/id/1038341"
+ },
+ {
+ "name": "https://curl.haxx.se/docs/adv_20170419.html",
+ "refsource": "CONFIRM",
+ "url": "https://curl.haxx.se/docs/adv_20170419.html"
+ },
+ {
+ "name": "97962",
+ "refsource": "BID",
+ "url": "http://www.securityfocus.com/bid/97962"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "assignerShortName": "redhat",
+ "cveId": "CVE-2017-7468",
+ "datePublished": "2018-07-16T13:00:00",
+ "dateReserved": "2017-04-05T00:00:00",
+ "dateUpdated": "2018-07-17T09:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2017/8xxx/CVE-2017-8963.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "Intelligent Management Center (iMC) PLAT",
+ "vendor": "Hewlett Packard Enterprise",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "7.3 E0504P2"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2017-10-27T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A Deserialization of Untrusted Data vulnerability in Hewlett Packard Enterprise Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "Deserialization of Untrusted Data",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2018-02-16T10:57:01",
+ "orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
+ "shortName": "hpe"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03787en_us"
+ },
+ {
+ "name": "1039684",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_SECTRACK"
+ ],
+ "url": "http://www.securitytracker.com/id/1039684"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security-alert@hpe.com",
+ "DATE_PUBLIC": "2017-10-27T00:00:00",
+ "ID": "CVE-2017-8963",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Intelligent Management Center (iMC) PLAT",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "7.3 E0504P2"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Hewlett Packard Enterprise"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A Deserialization of Untrusted Data vulnerability in Hewlett Packard Enterprise Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Deserialization of Untrusted Data"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03787en_us",
+ "refsource": "CONFIRM",
+ "url": "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03787en_us"
+ },
+ {
+ "name": "1039684",
+ "refsource": "SECTRACK",
+ "url": "http://www.securitytracker.com/id/1039684"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
+ "assignerShortName": "hpe",
+ "cveId": "CVE-2017-8963",
+ "datePublished": "2017-10-27T00:00:00",
+ "dateReserved": "2017-05-15T00:00:00",
+ "dateUpdated": "2018-02-16T10:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2018/1000xxx/CVE-2018-1000803.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "dateAssigned": "2018-10-05T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Gitea version prior to version 1.5.1 contains a CWE-200 vulnerability that can result in Exposure of users private email addresses. This attack appear to be exploitable via Watch a repository to receive email notifications. Emails received contain the other recipients even if they have the email set as private. This vulnerability appears to have been fixed in 1.5.1."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-10-03T16:21:59",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/go-gitea/gitea/pull/4664/files#diff-146e0c2b5bb1ea96c9fb73d509456e57"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/go-gitea/gitea/pull/4664"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "DATE_ASSIGNED": "2018-10-05T22:22:07.607365",
+ "DATE_REQUESTED": "2018-09-27T19:54:51",
+ "ID": "CVE-2018-1000803",
+ "REQUESTER": "cezar97@protonmail.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Gitea version prior to version 1.5.1 contains a CWE-200 vulnerability that can result in Exposure of users private email addresses. This attack appear to be exploitable via Watch a repository to receive email notifications. Emails received contain the other recipients even if they have the email set as private. This vulnerability appears to have been fixed in 1.5.1."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/go-gitea/gitea/pull/4664/files#diff-146e0c2b5bb1ea96c9fb73d509456e57",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/go-gitea/gitea/pull/4664/files#diff-146e0c2b5bb1ea96c9fb73d509456e57"
+ },
+ {
+ "name": "https://github.com/go-gitea/gitea/pull/4664",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/go-gitea/gitea/pull/4664"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2018-1000803",
+ "datePublished": "2022-10-03T16:21:59",
+ "dateReserved": "2018-09-27T00:00:00",
+ "dateUpdated": "2022-10-03T16:21:59",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2018/15xxx/CVE-2018-15192.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-10-03T16:22:24",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/gogs/gogs/issues/5366"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/go-gitea/gitea/issues/4624"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2018-15192",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/gogs/gogs/issues/5366",
+ "refsource": "MISC",
+ "url": "https://github.com/gogs/gogs/issues/5366"
+ },
+ {
+ "name": "https://github.com/go-gitea/gitea/issues/4624",
+ "refsource": "MISC",
+ "url": "https://github.com/go-gitea/gitea/issues/4624"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2018-15192",
+ "datePublished": "2022-10-03T16:22:24",
+ "dateReserved": "2022-10-03T00:00:00",
+ "dateUpdated": "2022-10-03T16:22:24",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2018/18xxx/CVE-2018-18625.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Grafana 5.3.1 has XSS via a link on the \"Dashboard > All Panels > General\" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2020-06-08T12:06:03",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/grafana/grafana/pull/11813"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://security.netapp.com/advisory/ntap-20200608-0008/"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2018-18625",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Grafana 5.3.1 has XSS via a link on the \"Dashboard > All Panels > General\" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/grafana/grafana/pull/11813",
+ "refsource": "MISC",
+ "url": "https://github.com/grafana/grafana/pull/11813"
+ },
+ {
+ "name": "https://security.netapp.com/advisory/ntap-20200608-0008/",
+ "refsource": "CONFIRM",
+ "url": "https://security.netapp.com/advisory/ntap-20200608-0008/"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2018-18625",
+ "datePublished": "2020-06-02T16:41:00",
+ "dateReserved": "2018-10-23T00:00:00",
+ "dateUpdated": "2020-06-08T12:06:03",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2018/18xxx/CVE-2018-18993.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "CX-One (CX-Programmer and CX-Server)",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "CX-One Versions 4.42 and prior (CX-Programmer Versions 9.66 and prior and CX-Server Versions 5.0.23 and prior)"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2018-12-04T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Two stack-based buffer overflow vulnerabilities have been discovered in CX-One Versions 4.42 and prior (CX-Programmer Versions 9.66 and prior and CX-Server Versions 5.0.23 and prior). When processing project files, the application allows input data to exceed the buffer. An attacker could use a specially crafted project file to overflow the buffer and execute code under the privileges of the application."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-121",
+ "description": "STACK-BASED BUFFER OVERFLOW CWE-121",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2018-12-06T10:57:01",
+ "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
+ "shortName": "icscert"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-338-01"
+ },
+ {
+ "name": "106106",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_BID"
+ ],
+ "url": "http://www.securityfocus.com/bid/106106"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "ics-cert@hq.dhs.gov",
+ "ID": "CVE-2018-18993",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CX-One (CX-Programmer and CX-Server)",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "CX-One Versions 4.42 and prior (CX-Programmer Versions 9.66 and prior and CX-Server Versions 5.0.23 and prior)"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Two stack-based buffer overflow vulnerabilities have been discovered in CX-One Versions 4.42 and prior (CX-Programmer Versions 9.66 and prior and CX-Server Versions 5.0.23 and prior). When processing project files, the application allows input data to exceed the buffer. An attacker could use a specially crafted project file to overflow the buffer and execute code under the privileges of the application."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "STACK-BASED BUFFER OVERFLOW CWE-121"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-338-01",
+ "refsource": "MISC",
+ "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-338-01"
+ },
+ {
+ "name": "106106",
+ "refsource": "BID",
+ "url": "http://www.securityfocus.com/bid/106106"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
+ "assignerShortName": "icscert",
+ "cveId": "CVE-2018-18993",
+ "datePublished": "2018-12-04T22:00:00",
+ "dateReserved": "2018-11-06T00:00:00",
+ "dateUpdated": "2018-12-06T10:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2018/20xxx/CVE-2018-20303.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2018-12-19T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2018-12-20T00:57:01",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/gogs/gogs/commit/ff93d9dbda5cebe90d86e4b7dfb2c6b8642970ce"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://pentesterlab.com/exercises/cve-2018-18925/"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/gogs/gogs/issues/5558"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2018-20303",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/gogs/gogs/commit/ff93d9dbda5cebe90d86e4b7dfb2c6b8642970ce",
+ "refsource": "MISC",
+ "url": "https://github.com/gogs/gogs/commit/ff93d9dbda5cebe90d86e4b7dfb2c6b8642970ce"
+ },
+ {
+ "name": "https://pentesterlab.com/exercises/cve-2018-18925/",
+ "refsource": "MISC",
+ "url": "https://pentesterlab.com/exercises/cve-2018-18925/"
+ },
+ {
+ "name": "https://github.com/gogs/gogs/issues/5558",
+ "refsource": "MISC",
+ "url": "https://github.com/gogs/gogs/issues/5558"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2018-20303",
+ "datePublished": "2018-12-20T00:00:00",
+ "dateReserved": "2018-12-19T00:00:00",
+ "dateUpdated": "2018-12-20T00:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2019/1000xxx/CVE-2019-1000008.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "dateAssigned": "2019-01-22T00:00:00",
+ "datePublic": "2019-02-04T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The commands `helm fetch --untar` and `helm lint some.tgz` that can result when chart archive files are unpacked a file may be unpacked outside of the target directory. This attack appears to be exploitable via a victim must run a helm command on a specially crafted chart archive. This vulnerability appears to have been fixed in 2.12.2."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2019-02-04T20:57:01",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://helm.sh/blog/helm-security-notice-2019/index.html"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "DATE_ASSIGNED": "2019-01-22T21:21:10.016652",
+ "DATE_REQUESTED": "2019-01-14T20:30:06",
+ "ID": "CVE-2019-1000008",
+ "REQUESTER": "matt@mattfarina.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The commands `helm fetch --untar` and `helm lint some.tgz` that can result when chart archive files are unpacked a file may be unpacked outside of the target directory. This attack appears to be exploitable via a victim must run a helm command on a specially crafted chart archive. This vulnerability appears to have been fixed in 2.12.2."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://helm.sh/blog/helm-security-notice-2019/index.html",
+ "refsource": "MISC",
+ "url": "https://helm.sh/blog/helm-security-notice-2019/index.html"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2019-1000008",
+ "datePublished": "2019-02-04T21:00:00",
+ "dateReserved": "2019-01-14T00:00:00",
+ "dateUpdated": "2019-02-04T20:57:01",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2019/11xxx/CVE-2019-11246.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "Kubernetes",
+ "vendor": "Kubernetes",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "prior to 1.12.9"
+ },
+ {
+ "status": "affected",
+ "version": "prior to 1.13.6"
+ },
+ {
+ "status": "affected",
+ "version": "prior to 1.14.2"
+ },
+ {
+ "status": "affected",
+ "version": "1.1"
+ },
+ {
+ "status": "affected",
+ "version": "1.2"
+ },
+ {
+ "status": "affected",
+ "version": "1.4"
+ },
+ {
+ "status": "affected",
+ "version": "1.5"
+ },
+ {
+ "status": "affected",
+ "version": "1.6"
+ },
+ {
+ "status": "affected",
+ "version": "1.7"
+ },
+ {
+ "status": "affected",
+ "version": "1.8"
+ },
+ {
+ "status": "affected",
+ "version": "1.9"
+ },
+ {
+ "status": "affected",
+ "version": "1.10"
+ },
+ {
+ "status": "affected",
+ "version": "1.11"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Charles Holmes, Atredis Partners"
+ }
+ ],
+ "datePublic": "2019-06-21T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.12.9, versions prior to 1.13.6, versions prior to 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_0": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "HIGH",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-61",
+ "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2019-09-19T16:06:08",
+ "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
+ "shortName": "kubernetes"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/kubernetes/kubernetes/pull/76788"
+ },
+ {
+ "name": "[ANNOUNCE] Incomplete fixes for CVE-2019-1002101, kubectl cp potential directory traversal - CVE-2019-11246",
+ "tags": [
+ "mailing-list",
+ "x_refsource_MLIST"
+ ],
+ "url": "https://groups.google.com/forum/#%21topic/kubernetes-security-announce/NLs2TGbfPdo"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"
+ }
+ ],
+ "source": {
+ "defect": [
+ "https://github.com/kubernetes/kubernetes/pull/76788"
+ ],
+ "discovery": "USER"
+ },
+ "title": "kubectl cp allows symlink directory traversal",
+ "x_generator": {
+ "engine": "Vulnogram 0.0.7"
+ },
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "AKA": "",
+ "ASSIGNER": "security@kubernetes.io",
+ "DATE_PUBLIC": "2019-06-21",
+ "ID": "CVE-2019-11246",
+ "STATE": "PUBLIC",
+ "TITLE": "kubectl cp allows symlink directory traversal"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Kubernetes",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "prior to 1.12.9"
+ },
+ {
+ "version_value": "prior to 1.13.6"
+ },
+ {
+ "version_value": "prior to 1.14.2"
+ },
+ {
+ "version_value": "1.1"
+ },
+ {
+ "version_value": "1.2"
+ },
+ {
+ "version_value": "1.4"
+ },
+ {
+ "version_value": "1.4"
+ },
+ {
+ "version_value": "1.5"
+ },
+ {
+ "version_value": "1.6"
+ },
+ {
+ "version_value": "1.7"
+ },
+ {
+ "version_value": "1.8"
+ },
+ {
+ "version_value": "1.9"
+ },
+ {
+ "version_value": "1.10"
+ },
+ {
+ "version_value": "1.11"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Kubernetes"
+ }
+ ]
+ }
+ },
+ "configuration": [],
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Charles Holmes, Atredis Partners"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.12.9, versions prior to 1.13.6, versions prior to 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11."
+ }
+ ]
+ },
+ "exploit": [],
+ "generator": {
+ "engine": "Vulnogram 0.0.7"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "HIGH",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-61: UNIX Symbolic Link (Symlink) Following"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/kubernetes/kubernetes/pull/76788",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/kubernetes/kubernetes/pull/76788"
+ },
+ {
+ "name": "[ANNOUNCE] Incomplete fixes for CVE-2019-1002101, kubectl cp potential directory traversal - CVE-2019-11246",
+ "refsource": "MLIST",
+ "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/NLs2TGbfPdo"
+ },
+ {
+ "name": "https://security.netapp.com/advisory/ntap-20190919-0003/",
+ "refsource": "CONFIRM",
+ "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"
+ }
+ ]
+ },
+ "solution": [],
+ "source": {
+ "advisory": "",
+ "defect": [
+ "https://github.com/kubernetes/kubernetes/pull/76788"
+ ],
+ "discovery": "USER"
+ },
+ "work_around": []
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
+ "assignerShortName": "kubernetes",
+ "cveId": "CVE-2019-11246",
+ "datePublished": "2019-06-21T00:00:00",
+ "dateReserved": "2019-04-17T00:00:00",
+ "dateUpdated": "2019-09-19T16:06:08",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2019/14xxx/CVE-2019-14944.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2019-14944",
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "dateUpdated": "2023-04-15T00:00:00",
+ "dateReserved": "2019-08-11T00:00:00",
+ "datePublished": "2023-04-15T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre",
+ "dateUpdated": "2023-04-15T00:00:00"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Gitaly allows injection of command-line flags. This sometimes leads to privilege escalation or remote code execution."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "n/a",
+ "product": "n/a",
+ "versions": [
+ {
+ "version": "n/a",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://about.gitlab.com/blog/categories/releases/"
+ },
+ {
+ "url": "https://gitlab.com/gitlab-org/gitaly/issues/1801"
+ },
+ {
+ "url": "https://gitlab.com/gitlab-org/gitaly/issues/1802"
+ },
+ {
+ "url": "https://about.gitlab.com/releases/2019/08/12/critical-security-release-gitlab-12-dot-1-dot-6-released/"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
+-- cves/2019/16xxx/CVE-2019-16991.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In FusionPBX up to v4.5.7, the file app\\edit\\filedelete.php uses an unsanitized \"file\" variable coming from the URL, which is reflected in HTML, leading to XSS."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2019-10-23T14:53:25",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/fusionpbx/fusionpbx/commit/cd4632b46c62855f7e1c1c93d20ffd64edcb476e"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-20/"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2019-16991",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "In FusionPBX up to v4.5.7, the file app\\edit\\filedelete.php uses an unsanitized \"file\" variable coming from the URL, which is reflected in HTML, leading to XSS."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/fusionpbx/fusionpbx/commit/cd4632b46c62855f7e1c1c93d20ffd64edcb476e",
+ "refsource": "MISC",
+ "url": "https://github.com/fusionpbx/fusionpbx/commit/cd4632b46c62855f7e1c1c93d20ffd64edcb476e"
+ },
+ {
+ "name": "https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-20/",
+ "refsource": "MISC",
+ "url": "https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-20/"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2019-16991",
+ "datePublished": "2019-10-21T15:45:12",
+ "dateReserved": "2019-09-29T00:00:00",
+ "dateUpdated": "2019-10-23T14:53:25",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2019/19xxx/CVE-2019-19316.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2019-12-02T20:50:44",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/hashicorp/terraform/security/advisories/GHSA-4rvg-555h-r626"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2019-19316",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/hashicorp/terraform/security/advisories/GHSA-4rvg-555h-r626",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/hashicorp/terraform/security/advisories/GHSA-4rvg-555h-r626"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2019-19316",
+ "datePublished": "2019-12-02T20:50:44",
+ "dateReserved": "2019-11-26T00:00:00",
+ "dateUpdated": "2019-12-02T20:50:44",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2019/19xxx/CVE-2019-19794.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2019-12-18T04:01:37",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/miekg/dns/issues/1043"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/coredns/coredns/issues/3519"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/miekg/dns/pull/1044"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/coredns/coredns/issues/3547"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2019-19794",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/miekg/dns/issues/1043",
+ "refsource": "MISC",
+ "url": "https://github.com/miekg/dns/issues/1043"
+ },
+ {
+ "name": "https://github.com/coredns/coredns/issues/3519",
+ "refsource": "MISC",
+ "url": "https://github.com/coredns/coredns/issues/3519"
+ },
+ {
+ "name": "https://github.com/miekg/dns/pull/1044",
+ "refsource": "MISC",
+ "url": "https://github.com/miekg/dns/pull/1044"
+ },
+ {
+ "name": "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25",
+ "refsource": "MISC",
+ "url": "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25"
+ },
+ {
+ "name": "https://github.com/coredns/coredns/issues/3547",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/coredns/coredns/issues/3547"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2019-19794",
+ "datePublished": "2019-12-13T21:46:59",
+ "dateReserved": "2019-12-13T00:00:00",
+ "dateUpdated": "2019-12-18T04:01:37",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2019/2xxx/CVE-2019-2130.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "Android",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In CompilationJob::FinalizeJob of compiler.cc, there is a possible remote code execution due to type confusion. This could lead to escalation of privilege from a malicious proxy configuration with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-132073833."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "Remote code execution",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2019-08-20T19:50:37",
+ "orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6",
+ "shortName": "google_android"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://source.android.com/security/bulletin/2019-08-01"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security@android.com",
+ "ID": "CVE-2019-2130",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Android",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "In CompilationJob::FinalizeJob of compiler.cc, there is a possible remote code execution due to type confusion. This could lead to escalation of privilege from a malicious proxy configuration with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-132073833."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Remote code execution"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://source.android.com/security/bulletin/2019-08-01",
+ "refsource": "CONFIRM",
+ "url": "https://source.android.com/security/bulletin/2019-08-01"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6",
+ "assignerShortName": "google_android",
+ "cveId": "CVE-2019-2130",
+ "datePublished": "2019-08-20T19:50:37",
+ "dateReserved": "2018-12-10T00:00:00",
+ "dateUpdated": "2019-08-20T19:50:37",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2019/3xxx/CVE-2019-3876.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "web-console",
+ "vendor": "Red Hat",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "affects OpenShift Container Platform version v3.0 through v3.11"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A flaw was found in the /oauth/token/request custom endpoint of the OpenShift OAuth server allowing for XSS generation of CLI tokens due to missing X-Frame-Options and CSRF protections. If not otherwise prevented, a separate XSS vulnerability via JavaScript could further allow for the extraction of these tokens."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_0": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "LOW",
+ "baseScore": 5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
+ "version": "3.0"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-352",
+ "description": "CWE-352",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2020-12-04T18:00:59",
+ "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "shortName": "redhat"
+ },
+ "references": [
+ {
+ "name": "107664",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_BID"
+ ],
+ "url": "http://www.securityfocus.com/bid/107664"
+ },
+ {
+ "name": "RHSA-2019:1851",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_REDHAT"
+ ],
+ "url": "https://access.redhat.com/errata/RHSA-2019:1851"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3876"
+ }
+ ]
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "assignerShortName": "redhat",
+ "cveId": "CVE-2019-3876",
+ "datePublished": "2019-04-01T14:15:42",
+ "dateReserved": "2019-01-03T00:00:00",
+ "dateUpdated": "2020-12-04T18:00:59",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2019/9xxx/CVE-2019-9379.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "Android",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "Android-10"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In libstagefright, there is a possible resource exhaustion due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-124329638"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "Denial of service",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2019-09-27T18:05:17",
+ "orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6",
+ "shortName": "google_android"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://source.android.com/security/bulletin/android-10"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security@android.com",
+ "ID": "CVE-2019-9379",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Android",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "Android-10"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "In libstagefright, there is a possible resource exhaustion due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-124329638"
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Denial of service"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://source.android.com/security/bulletin/android-10",
+ "refsource": "MISC",
+ "url": "https://source.android.com/security/bulletin/android-10"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6",
+ "assignerShortName": "google_android",
+ "cveId": "CVE-2019-9379",
+ "datePublished": "2019-09-27T18:05:17",
+ "dateReserved": "2019-02-28T00:00:00",
+ "dateUpdated": "2019-09-27T18:05:17",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2019/9xxx/CVE-2019-9741.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2019-03-13T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \\r\\n followed by an HTTP header or a Redis command."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2021-03-13T20:06:33",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/golang/go/issues/30794"
+ },
+ {
+ "name": "107432",
+ "tags": [
+ "vdb-entry",
+ "x_refsource_BID"
+ ],
+ "url": "http://www.securityfocus.com/bid/107432"
+ },
+ {
+ "name": "[debian-lts-announce] 20190403 [SECURITY] [DLA 1749-1] golang security update",
+ "tags": [
+ "mailing-list",
+ "x_refsource_MLIST"
+ ],
+ "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00007.html"
+ },
+ {
+ "name": "FEDORA-2019-d05bc7e3df",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_FEDORA"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOOVCEPQM7TZA6VEZEEB7QZABXNHQEHH/"
+ },
+ {
+ "name": "RHSA-2019:1300",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_REDHAT"
+ ],
+ "url": "https://access.redhat.com/errata/RHSA-2019:1300"
+ },
+ {
+ "name": "RHSA-2019:1519",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_REDHAT"
+ ],
+ "url": "https://access.redhat.com/errata/RHSA-2019:1519"
+ },
+ {
+ "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
+ "tags": [
+ "mailing-list",
+ "x_refsource_MLIST"
+ ],
+ "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
+ },
+ {
+ "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
+ "tags": [
+ "mailing-list",
+ "x_refsource_MLIST"
+ ],
+ "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2019-9741",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \\r\\n followed by an HTTP header or a Redis command."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/golang/go/issues/30794",
+ "refsource": "MISC",
+ "url": "https://github.com/golang/go/issues/30794"
+ },
+ {
+ "name": "107432",
+ "refsource": "BID",
+ "url": "http://www.securityfocus.com/bid/107432"
+ },
+ {
+ "name": "[debian-lts-announce] 20190403 [SECURITY] [DLA 1749-1] golang security update",
+ "refsource": "MLIST",
+ "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00007.html"
+ },
+ {
+ "name": "FEDORA-2019-d05bc7e3df",
+ "refsource": "FEDORA",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TOOVCEPQM7TZA6VEZEEB7QZABXNHQEHH/"
+ },
+ {
+ "name": "RHSA-2019:1300",
+ "refsource": "REDHAT",
+ "url": "https://access.redhat.com/errata/RHSA-2019:1300"
+ },
+ {
+ "name": "RHSA-2019:1519",
+ "refsource": "REDHAT",
+ "url": "https://access.redhat.com/errata/RHSA-2019:1519"
+ },
+ {
+ "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
+ "refsource": "MLIST",
+ "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
+ },
+ {
+ "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
+ "refsource": "MLIST",
+ "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2019-9741",
+ "datePublished": "2019-03-13T06:00:00",
+ "dateReserved": "2019-03-13T00:00:00",
+ "dateUpdated": "2021-03-13T20:06:33",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2020/10xxx/CVE-2020-10417.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/manage-articles.php by adding a question mark (?) followed by the payload."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2020-03-26T05:16:41",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "http://antoniocannito.it/?p=137#uxss"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://antoniocannito.it/phpkb1#reflected-cross-site-scripting-in-every-admin-page-cve-block-going-from-cve-2020-10391-to-cve-2020-10456"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2020-10417",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/manage-articles.php by adding a question mark (?) followed by the payload."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "http://antoniocannito.it/?p=137#uxss",
+ "refsource": "MISC",
+ "url": "http://antoniocannito.it/?p=137#uxss"
+ },
+ {
+ "name": "https://antoniocannito.it/phpkb1#reflected-cross-site-scripting-in-every-admin-page-cve-block-going-from-cve-2020-10391-to-cve-2020-10456",
+ "refsource": "MISC",
+ "url": "https://antoniocannito.it/phpkb1#reflected-cross-site-scripting-in-every-admin-page-cve-block-going-from-cve-2020-10391-to-cve-2020-10456"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2020-10417",
+ "datePublished": "2020-03-12T13:04:19",
+ "dateReserved": "2020-03-12T00:00:00",
+ "dateUpdated": "2020-03-26T05:16:41",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2020/10xxx/CVE-2020-10661.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2020-03-23T12:57:03",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://www.hashicorp.com/blog/category/vault/"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2020-10661",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://www.hashicorp.com/blog/category/vault/",
+ "refsource": "MISC",
+ "url": "https://www.hashicorp.com/blog/category/vault/"
+ },
+ {
+ "name": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2020-10661",
+ "datePublished": "2020-03-23T12:57:03",
+ "dateReserved": "2020-03-18T00:00:00",
+ "dateUpdated": "2020-03-23T12:57:03",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2020/15xxx/CVE-2020-15129.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "traefik",
+ "vendor": "containous",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "< 1.7.26"
+ },
+ {
+ "status": "affected",
+ "version": ">= 2.0.0, < 2.2.8"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the \"X-Forwarded-Prefix\" header. The Traefik API dashboard component doesn't validate that the value of the header \"X-Forwarded-Prefix\" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 6.1,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-601",
+ "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2020-07-30T15:20:15",
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/containous/traefik/releases/tag/v1.7.26"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/containous/traefik/releases/tag/v2.2.8"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/containous/traefik/releases/tag/v2.3.0-rc3"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/containous/traefik/pull/7109"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/containous/traefik/commit/e63db782c11c7b8bfce30be4c902e7ef8f9f33d2"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-6qq8-5wq3-86rp",
+ "discovery": "UNKNOWN"
+ },
+ "title": "Open redirect in Traefik",
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2020-15129",
+ "STATE": "PUBLIC",
+ "TITLE": "Open redirect in Traefik"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "traefik",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "< 1.7.26"
+ },
+ {
+ "version_value": ">= 2.0.0, < 2.2.8"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "containous"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the \"X-Forwarded-Prefix\" header. The Traefik API dashboard component doesn't validate that the value of the header \"X-Forwarded-Prefix\" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 6.1,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp"
+ },
+ {
+ "name": "https://github.com/containous/traefik/releases/tag/v1.7.26",
+ "refsource": "MISC",
+ "url": "https://github.com/containous/traefik/releases/tag/v1.7.26"
+ },
+ {
+ "name": "https://github.com/containous/traefik/releases/tag/v2.2.8",
+ "refsource": "MISC",
+ "url": "https://github.com/containous/traefik/releases/tag/v2.2.8"
+ },
+ {
+ "name": "https://github.com/containous/traefik/releases/tag/v2.3.0-rc3",
+ "refsource": "MISC",
+ "url": "https://github.com/containous/traefik/releases/tag/v2.3.0-rc3"
+ },
+ {
+ "name": "https://github.com/containous/traefik/pull/7109",
+ "refsource": "MISC",
+ "url": "https://github.com/containous/traefik/pull/7109"
+ },
+ {
+ "name": "https://github.com/containous/traefik/commit/e63db782c11c7b8bfce30be4c902e7ef8f9f33d2",
+ "refsource": "MISC",
+ "url": "https://github.com/containous/traefik/commit/e63db782c11c7b8bfce30be4c902e7ef8f9f33d2"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-6qq8-5wq3-86rp",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "assignerShortName": "GitHub_M",
+ "cveId": "CVE-2020-15129",
+ "datePublished": "2020-07-30T15:20:15",
+ "dateReserved": "2020-06-25T00:00:00",
+ "dateUpdated": "2020-07-30T15:20:15",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2020/1xxx/CVE-2020-1764.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "kiali",
+ "vendor": "Red Hat",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "all Kiali versions prior to 1.15.1"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.6,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-321",
+ "description": "CWE-321",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2020-03-26T11:16:09",
+ "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "shortName": "redhat"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "secalert@redhat.com",
+ "ID": "CVE-2020-1764",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "kiali",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "all Kiali versions prior to 1.15.1"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Red Hat"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": [
+ [
+ {
+ "vectorString": "8.6/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
+ "version": "3.0"
+ }
+ ]
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-321"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://kiali.io/news/security-bulletins/kiali-security-001/",
+ "refsource": "MISC",
+ "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
+ },
+ {
+ "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764",
+ "refsource": "CONFIRM",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "assignerShortName": "redhat",
+ "cveId": "CVE-2020-1764",
+ "datePublished": "2020-03-26T11:16:09",
+ "dateReserved": "2019-11-27T00:00:00",
+ "dateUpdated": "2020-03-26T11:16:09",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2020/19xxx/CVE-2020-19957.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2021-10-14T14:17:34",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/zhuxianjin/vuln_repo/blob/master/zzcms2019%20SQL%20injection%20vulnerability%20in%20dl_print.php.md"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2020-19957",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/zhuxianjin/vuln_repo/blob/master/zzcms2019%20SQL%20injection%20vulnerability%20in%20dl_print.php.md",
+ "refsource": "MISC",
+ "url": "https://github.com/zhuxianjin/vuln_repo/blob/master/zzcms2019%20SQL%20injection%20vulnerability%20in%20dl_print.php.md"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2020-19957",
+ "datePublished": "2021-10-14T14:17:34",
+ "dateReserved": "2020-08-13T00:00:00",
+ "dateUpdated": "2021-10-14T14:17:34",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2020/25xxx/CVE-2020-25017.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurences of a non-inline header."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2020-10-01T16:39:40",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://groups.google.com/forum/#%21forum/envoy-security-announce"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-2v25-cjjq-5f4w"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2020-25017",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurences of a non-inline header."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://groups.google.com/forum/#!forum/envoy-security-announce",
+ "refsource": "MISC",
+ "url": "https://groups.google.com/forum/#!forum/envoy-security-announce"
+ },
+ {
+ "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-2v25-cjjq-5f4w",
+ "refsource": "MISC",
+ "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-2v25-cjjq-5f4w"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2020-25017",
+ "datePublished": "2020-10-01T16:39:40",
+ "dateReserved": "2020-08-29T00:00:00",
+ "dateUpdated": "2020-10-01T16:39:40",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2020/26xxx/CVE-2020-26240.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "go-ethereum",
+ "vendor": "ethereum",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "< 1.9.24"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. This issue is fixed as of 1.9.24"
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 5.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-682",
+ "description": "CWE-682: Incorrect Calculation",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2020-11-25T01:25:27",
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/ethereum/go-ethereum/pull/21793"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-v592-xf75-856p",
+ "discovery": "UNKNOWN"
+ },
+ "title": "Erroneous Proof of Work calculation in geth",
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2020-26240",
+ "STATE": "PUBLIC",
+ "TITLE": "Erroneous Proof of Work calculation in geth"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "go-ethereum",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "< 1.9.24"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "ethereum"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. This issue is fixed as of 1.9.24"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 5.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-682: Incorrect Calculation"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://blog.ethereum.org/2020/11/12/geth_security_release/",
+ "refsource": "MISC",
+ "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/"
+ },
+ {
+ "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p"
+ },
+ {
+ "name": "https://github.com/ethereum/go-ethereum/pull/21793",
+ "refsource": "MISC",
+ "url": "https://github.com/ethereum/go-ethereum/pull/21793"
+ },
+ {
+ "name": "https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0",
+ "refsource": "MISC",
+ "url": "https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-v592-xf75-856p",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "assignerShortName": "GitHub_M",
+ "cveId": "CVE-2020-26240",
+ "datePublished": "2020-11-25T01:25:27",
+ "dateReserved": "2020-10-01T00:00:00",
+ "dateUpdated": "2020-11-25T01:25:27",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2020/26xxx/CVE-2020-26276.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "fleet",
+ "vendor": "fleetdm",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "< 3.5.1"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users that configure Fleet with SSO login may be vulnerable to this issue. This issue is patched in 3.5.1. The fix was made using https://github.com/mattermost/xml-roundtrip-validator If upgrade to 3.5.1 is not possible, users should disable SSO authentication in Fleet."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-290",
+ "description": "CWE-290: Authentication Bypass by Spoofing",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2020-12-17T19:40:14",
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/fleetdm/fleet/commit/57812a532e5f749c8e18c6f6a652eca65c083607"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/fleetdm/fleet/blob/master/CHANGELOG.md#fleet-351-dec-14-2020"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/mattermost/xml-roundtrip-validator"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-w3wf-cfx3-6gcx",
+ "discovery": "UNKNOWN"
+ },
+ "title": "SAML authentication vulnerability in Fleet",
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2020-26276",
+ "STATE": "PUBLIC",
+ "TITLE": "SAML authentication vulnerability in Fleet"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "fleet",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "< 3.5.1"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "fleetdm"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users that configure Fleet with SSO login may be vulnerable to this issue. This issue is patched in 3.5.1. The fix was made using https://github.com/mattermost/xml-roundtrip-validator If upgrade to 3.5.1 is not possible, users should disable SSO authentication in Fleet."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-290: Authentication Bypass by Spoofing"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx"
+ },
+ {
+ "name": "https://github.com/fleetdm/fleet/commit/57812a532e5f749c8e18c6f6a652eca65c083607",
+ "refsource": "MISC",
+ "url": "https://github.com/fleetdm/fleet/commit/57812a532e5f749c8e18c6f6a652eca65c083607"
+ },
+ {
+ "name": "https://github.com/fleetdm/fleet/blob/master/CHANGELOG.md#fleet-351-dec-14-2020",
+ "refsource": "MISC",
+ "url": "https://github.com/fleetdm/fleet/blob/master/CHANGELOG.md#fleet-351-dec-14-2020"
+ },
+ {
+ "name": "https://github.com/mattermost/xml-roundtrip-validator",
+ "refsource": "MISC",
+ "url": "https://github.com/mattermost/xml-roundtrip-validator"
+ },
+ {
+ "name": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities",
+ "refsource": "MISC",
+ "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-w3wf-cfx3-6gcx",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "assignerShortName": "GitHub_M",
+ "cveId": "CVE-2020-26276",
+ "datePublished": "2020-12-17T19:40:14",
+ "dateReserved": "2020-10-01T00:00:00",
+ "dateUpdated": "2020-12-17T19:40:14",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2020/36xxx/CVE-2020-36568.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2020-36568",
+ "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
+ "state": "PUBLISHED",
+ "assignerShortName": "Go",
+ "dateReserved": "2022-07-29T19:14:10.903Z",
+ "datePublished": "2022-12-27T21:12:40.154Z",
+ "dateUpdated": "2023-06-12T19:03:17.506Z"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
+ "shortName": "Go",
+ "dateUpdated": "2023-06-12T19:03:17.506Z"
+ },
+ "title": "Resource exhaustion in github.com/revel/revel",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "github.com/revel/revel",
+ "product": "github.com/revel/revel",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "github.com/revel/revel",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.0.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/revel/revel/pull/1427"
+ },
+ {
+ "url": "https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605"
+ },
+ {
+ "url": "https://github.com/revel/revel/issues/1424"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2020-0003"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@SYM01"
+ }
+ ]
+ }
+ }
+}
+-- cves/2020/8xxx/CVE-2020-8558.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "Kubernetes",
+ "vendor": "Kubernetes",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "prior to 1.18.4"
+ },
+ {
+ "status": "affected",
+ "version": "prior to 1.17.7"
+ },
+ {
+ "status": "affected",
+ "version": "prior to 1.16.11"
+ },
+ {
+ "status": "affected",
+ "version": "1.15"
+ },
+ {
+ "status": "affected",
+ "version": "1.14"
+ },
+ {
+ "status": "affected",
+ "version": "1.13"
+ },
+ {
+ "status": "affected",
+ "version": "1.12"
+ },
+ {
+ "status": "affected",
+ "version": "1.11"
+ },
+ {
+ "status": "affected",
+ "version": "1.10"
+ },
+ {
+ "status": "affected",
+ "version": "1.9"
+ },
+ {
+ "status": "affected",
+ "version": "1.8"
+ },
+ {
+ "status": "affected",
+ "version": "1.7"
+ },
+ {
+ "status": "affected",
+ "version": "1.6"
+ },
+ {
+ "status": "affected",
+ "version": "1.5"
+ },
+ {
+ "status": "affected",
+ "version": "1.4"
+ },
+ {
+ "status": "affected",
+ "version": "1.3"
+ },
+ {
+ "status": "affected",
+ "version": "1.2"
+ },
+ {
+ "status": "affected",
+ "version": "1.1"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "János Kövér, Ericsson"
+ },
+ {
+ "lang": "en",
+ "value": "Additional impacts reported by Rory McCune, NCC Group and Yuval Avrahami and Ariel Zelivansky, Palo Alto Networks"
+ }
+ ],
+ "datePublic": "2020-04-18T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 5.4,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-420",
+ "description": "CWE-420 Unprotected Alternate Channel",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2020-08-21T09:06:15",
+ "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
+ "shortName": "kubernetes"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/kubernetes/kubernetes/issues/92315"
+ },
+ {
+ "name": "[Security Advisory] CVE-2020-8558: Kubernetes: Node setting allows for neighboring hosts to bypass localhost boundary",
+ "tags": [
+ "mailing-list",
+ "x_refsource_MLIST"
+ ],
+ "url": "https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://security.netapp.com/advisory/ntap-20200821-0001/"
+ }
+ ],
+ "source": {
+ "defect": [
+ "https://github.com/kubernetes/kubernetes/issues/90259"
+ ],
+ "discovery": "USER"
+ },
+ "title": "Kubernetes node setting allows for neighboring hosts to bypass localhost boundary",
+ "x_generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security@kubernetes.io",
+ "DATE_PUBLIC": "2020-04-18T00:00:00.000Z",
+ "ID": "CVE-2020-8558",
+ "STATE": "PUBLIC",
+ "TITLE": "Kubernetes node setting allows for neighboring hosts to bypass localhost boundary"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Kubernetes",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "prior to 1.18.4"
+ },
+ {
+ "version_value": "prior to 1.17.7"
+ },
+ {
+ "version_value": "prior to 1.16.11"
+ },
+ {
+ "version_value": "1.15"
+ },
+ {
+ "version_value": "1.14"
+ },
+ {
+ "version_value": "1.13"
+ },
+ {
+ "version_value": "1.12"
+ },
+ {
+ "version_value": "1.11"
+ },
+ {
+ "version_value": "1.10"
+ },
+ {
+ "version_value": "1.9"
+ },
+ {
+ "version_value": "1.8"
+ },
+ {
+ "version_value": "1.7"
+ },
+ {
+ "version_value": "1.6"
+ },
+ {
+ "version_value": "1.5"
+ },
+ {
+ "version_value": "1.4"
+ },
+ {
+ "version_value": "1.3"
+ },
+ {
+ "version_value": "1.2"
+ },
+ {
+ "version_value": "1.1"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Kubernetes"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "János Kövér, Ericsson"
+ },
+ {
+ "lang": "eng",
+ "value": "Additional impacts reported by Rory McCune, NCC Group and Yuval Avrahami and Ariel Zelivansky, Palo Alto Networks"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service."
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 5.4,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-420 Unprotected Alternate Channel"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/kubernetes/kubernetes/issues/92315",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/kubernetes/kubernetes/issues/92315"
+ },
+ {
+ "name": "[Security Advisory] CVE-2020-8558: Kubernetes: Node setting allows for neighboring hosts to bypass localhost boundary",
+ "refsource": "MLIST",
+ "url": "https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ"
+ },
+ {
+ "name": "https://security.netapp.com/advisory/ntap-20200821-0001/",
+ "refsource": "CONFIRM",
+ "url": "https://security.netapp.com/advisory/ntap-20200821-0001/"
+ }
+ ]
+ },
+ "source": {
+ "defect": [
+ "https://github.com/kubernetes/kubernetes/issues/90259"
+ ],
+ "discovery": "USER"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
+ "assignerShortName": "kubernetes",
+ "cveId": "CVE-2020-8558",
+ "datePublished": "2020-04-18T00:00:00",
+ "dateReserved": "2020-02-03T00:00:00",
+ "dateUpdated": "2020-08-21T09:06:15",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2021/21xxx/CVE-2021-21403.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "server",
+ "vendor": "kongchuanhujiao",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "< 1.3.21"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In github.com/kongchuanhujiao/server before version 1.3.21 there is an authentication Bypass by Primary Weakness vulnerability. All users are impacted. This is fixed in version 1.3.21."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-305",
+ "description": "CWE-305 Authentication Bypass by Primary Weakness",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2021-03-26T17:15:15",
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/kongchuanhujiao/server/security/advisories/GHSA-8wrg-m8vm-5fvj"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/kongchuanhujiao/server/commit/9a125624f219e496bdf4b07b404816d5a309bdc1"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-8wrg-m8vm-5fvj",
+ "discovery": "UNKNOWN"
+ },
+ "title": "Authentication Bypass by Primary Weakness in github.com/kongchuanhujiao/server",
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2021-21403",
+ "STATE": "PUBLIC",
+ "TITLE": "Authentication Bypass by Primary Weakness in github.com/kongchuanhujiao/server"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "server",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "< 1.3.21"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "kongchuanhujiao"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "In github.com/kongchuanhujiao/server before version 1.3.21 there is an authentication Bypass by Primary Weakness vulnerability. All users are impacted. This is fixed in version 1.3.21."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-305 Authentication Bypass by Primary Weakness"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/kongchuanhujiao/server/security/advisories/GHSA-8wrg-m8vm-5fvj",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/kongchuanhujiao/server/security/advisories/GHSA-8wrg-m8vm-5fvj"
+ },
+ {
+ "name": "https://github.com/kongchuanhujiao/server/commit/9a125624f219e496bdf4b07b404816d5a309bdc1",
+ "refsource": "MISC",
+ "url": "https://github.com/kongchuanhujiao/server/commit/9a125624f219e496bdf4b07b404816d5a309bdc1"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-8wrg-m8vm-5fvj",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "assignerShortName": "GitHub_M",
+ "cveId": "CVE-2021-21403",
+ "datePublished": "2021-03-26T17:15:15",
+ "dateReserved": "2020-12-22T00:00:00",
+ "dateUpdated": "2021-03-26T17:15:15",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2021/29xxx/CVE-2021-29499.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "sif",
+ "vendor": "sylabs",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "<= 1.2.2"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-330",
+ "description": "CWE-330 Use of Insufficiently Random Values",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2021-05-07T20:50:09",
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-4gh8-x3vv-phhg",
+ "discovery": "UNKNOWN"
+ },
+ "title": "Predictable SIF UUID Identifiers",
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2021-29499",
+ "STATE": "PUBLIC",
+ "TITLE": "Predictable SIF UUID Identifiers"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "sif",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "<= 1.2.2"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "sylabs"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-330 Use of Insufficiently Random Values"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-4gh8-x3vv-phhg",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "assignerShortName": "GitHub_M",
+ "cveId": "CVE-2021-29499",
+ "datePublished": "2021-05-07T20:50:09",
+ "dateReserved": "2021-03-30T00:00:00",
+ "dateUpdated": "2021-05-07T20:50:09",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2021/30xxx/CVE-2021-30962.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "macOS",
+ "vendor": "Apple",
+ "versions": [
+ {
+ "lessThan": "11.6",
+ "status": "affected",
+ "version": "unspecified",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "product": "tvOS",
+ "vendor": "Apple",
+ "versions": [
+ {
+ "lessThan": "15.2",
+ "status": "affected",
+ "version": "unspecified",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 15.2, macOS Big Sur 11.6.2. Parsing a maliciously crafted audio file may lead to disclosure of user information."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "Parsing a maliciously crafted audio file may lead to disclosure of user information",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-05-26T16:54:40",
+ "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
+ "shortName": "apple"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://support.apple.com/en-us/HT212979"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://support.apple.com/en-us/HT212980"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "product-security@apple.com",
+ "ID": "CVE-2021-30962",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "macOS",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_value": "11.6"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "tvOS",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_value": "15.2"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Apple"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 15.2, macOS Big Sur 11.6.2. Parsing a maliciously crafted audio file may lead to disclosure of user information."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Parsing a maliciously crafted audio file may lead to disclosure of user information"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://support.apple.com/en-us/HT212979",
+ "refsource": "MISC",
+ "url": "https://support.apple.com/en-us/HT212979"
+ },
+ {
+ "name": "https://support.apple.com/en-us/HT212980",
+ "refsource": "MISC",
+ "url": "https://support.apple.com/en-us/HT212980"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
+ "assignerShortName": "apple",
+ "cveId": "CVE-2021-30962",
+ "datePublished": "2021-08-24T18:51:02",
+ "dateReserved": "2021-04-13T00:00:00",
+ "dateUpdated": "2022-05-26T16:54:40",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2021/3xxx/CVE-2021-3495.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "kiali/kiali-operator",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-281",
+ "description": "CWE-281",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2021-06-01T13:31:32",
+ "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "shortName": "redhat"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "secalert@redhat.com",
+ "ID": "CVE-2021-3495",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "kiali/kiali-operator",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-281"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361",
+ "refsource": "MISC",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
+ },
+ {
+ "name": "https://kiali.io/news/security-bulletins/kiali-security-003/",
+ "refsource": "MISC",
+ "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "assignerShortName": "redhat",
+ "cveId": "CVE-2021-3495",
+ "datePublished": "2021-06-01T13:31:32",
+ "dateReserved": "2021-04-12T00:00:00",
+ "dateUpdated": "2021-06-01T13:31:32",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2021/39xxx/CVE-2021-39391.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Cross Site Scripting (XSS) vulnerability exists in the admin panel in Beego v2.0.1 via the URI path in an HTTP request, which is activated by administrators viewing the \"Request Statistics\" page."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2021-09-14T17:27:23",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/beego/beego"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/beego/beego/issues/4727"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2021-39391",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Cross Site Scripting (XSS) vulnerability exists in the admin panel in Beego v2.0.1 via the URI path in an HTTP request, which is activated by administrators viewing the \"Request Statistics\" page."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/beego/beego",
+ "refsource": "MISC",
+ "url": "https://github.com/beego/beego"
+ },
+ {
+ "name": "https://github.com/beego/beego/issues/4727",
+ "refsource": "MISC",
+ "url": "https://github.com/beego/beego/issues/4727"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2021-39391",
+ "datePublished": "2021-09-14T17:27:23",
+ "dateReserved": "2021-08-23T00:00:00",
+ "dateUpdated": "2021-09-14T17:27:23",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2021/42xxx/CVE-2021-42135.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2021-10-11T02:52:59",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards/"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2021-42135",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards/",
+ "refsource": "MISC",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards/"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2021-42135",
+ "datePublished": "2021-10-11T02:52:59",
+ "dateReserved": "2021-10-11T00:00:00",
+ "dateUpdated": "2021-10-11T02:52:59",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2021/42xxx/CVE-2021-42583.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2021-12-28T18:12:42",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/foxcpp/maddy/releases/tag/v0.5.2"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2021-42583",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go",
+ "refsource": "MISC",
+ "url": "https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go"
+ },
+ {
+ "name": "https://github.com/foxcpp/maddy/releases/tag/v0.5.2",
+ "refsource": "MISC",
+ "url": "https://github.com/foxcpp/maddy/releases/tag/v0.5.2"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2021-42583",
+ "datePublished": "2021-12-28T18:12:42",
+ "dateReserved": "2021-10-18T00:00:00",
+ "dateUpdated": "2021-12-28T18:12:42",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/21xxx/CVE-2022-21713.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "grafana",
+ "vendor": "grafana",
+ "versions": [
+ {
+ "status": "affected",
+ "version": ">= 5.0.0-beta1, < 7.5.15"
+ },
+ {
+ "status": "affected",
+ "version": ">= 8.0.0, < 8.3.5"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-863",
+ "description": "CWE-863: Incorrect Authorization",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-05-07T07:06:33",
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/grafana/grafana/pull/45083"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
+ },
+ {
+ "name": "FEDORA-2022-83405f9d5b",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_FEDORA"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
+ },
+ {
+ "name": "FEDORA-2022-9dd03cab55",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_FEDORA"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
+ },
+ {
+ "name": "FEDORA-2022-c5383675d9",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_FEDORA"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-63g3-9jq3-mccv",
+ "discovery": "UNKNOWN"
+ },
+ "title": "Exposure of Sensitive Information in Grafana",
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2022-21713",
+ "STATE": "PUBLIC",
+ "TITLE": "Exposure of Sensitive Information in Grafana"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "grafana",
+ "version": {
+ "version_data": [
+ {
+ "version_value": ">= 5.0.0-beta1, < 7.5.15"
+ },
+ {
+ "version_value": ">= 8.0.0, < 8.3.5"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "grafana"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-863: Incorrect Authorization"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/",
+ "refsource": "MISC",
+ "url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
+ },
+ {
+ "name": "https://github.com/grafana/grafana/pull/45083",
+ "refsource": "MISC",
+ "url": "https://github.com/grafana/grafana/pull/45083"
+ },
+ {
+ "name": "https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv"
+ },
+ {
+ "name": "https://security.netapp.com/advisory/ntap-20220303-0005/",
+ "refsource": "CONFIRM",
+ "url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
+ },
+ {
+ "name": "FEDORA-2022-83405f9d5b",
+ "refsource": "FEDORA",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
+ },
+ {
+ "name": "FEDORA-2022-9dd03cab55",
+ "refsource": "FEDORA",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
+ },
+ {
+ "name": "FEDORA-2022-c5383675d9",
+ "refsource": "FEDORA",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-63g3-9jq3-mccv",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "assignerShortName": "GitHub_M",
+ "cveId": "CVE-2022-21713",
+ "datePublished": "2022-02-08T20:50:17",
+ "dateReserved": "2021-11-16T00:00:00",
+ "dateUpdated": "2022-05-07T07:06:33",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/2xxx/CVE-2022-2385.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "aws-iam-authenticator",
+ "vendor": "Kubernetes",
+ "versions": [
+ {
+ "lessThan": "unspecified",
+ "status": "affected",
+ "version": "v0.5.2",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "v0.5.9",
+ "status": "affected",
+ "version": "unspecified",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Gafnit Amiga"
+ }
+ ],
+ "datePublic": "2022-07-11T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 8.1,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-20",
+ "description": "CWE-20 Improper Input Validation",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-07-12T14:25:10",
+ "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
+ "shortName": "kubernetes"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://groups.google.com/a/kubernetes.io/g/dev/c/EMxHpU-1ZYs"
+ }
+ ],
+ "source": {
+ "defect": [
+ "https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472"
+ ],
+ "discovery": "EXTERNAL"
+ },
+ "title": "AccessKeyID validation bypass",
+ "workarounds": [
+ {
+ "lang": "en",
+ "value": "Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames."
+ }
+ ],
+ "x_generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security@kubernetes.io",
+ "DATE_PUBLIC": "2022-07-11T16:00:00.000Z",
+ "ID": "CVE-2022-2385",
+ "STATE": "PUBLIC",
+ "TITLE": "AccessKeyID validation bypass"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "aws-iam-authenticator",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": ">=",
+ "version_value": "v0.5.2"
+ },
+ {
+ "version_affected": "<",
+ "version_value": "v0.5.9"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Kubernetes"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Gafnit Amiga"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges."
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 8.1,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-20 Improper Input Validation"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472",
+ "refsource": "MISC",
+ "url": "https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472"
+ },
+ {
+ "name": "https://groups.google.com/a/kubernetes.io/g/dev/c/EMxHpU-1ZYs",
+ "refsource": "MISC",
+ "url": "https://groups.google.com/a/kubernetes.io/g/dev/c/EMxHpU-1ZYs"
+ }
+ ]
+ },
+ "source": {
+ "defect": [
+ "https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472"
+ ],
+ "discovery": "EXTERNAL"
+ },
+ "work_around": [
+ {
+ "lang": "en",
+ "value": "Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames."
+ }
+ ]
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
+ "assignerShortName": "kubernetes",
+ "cveId": "CVE-2022-2385",
+ "datePublished": "2022-07-11T00:00:00",
+ "dateReserved": "2022-07-11T00:00:00",
+ "dateUpdated": "2022-07-12T14:25:10",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/24xxx/CVE-2022-24826.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "git-lfs",
+ "vendor": "git-lfs",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "3.1.3"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. Similarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run. More generally, if the current working directory contains any file with a base name of `.` and a file extension from `PATHEXT` (except `.bat` and `.cmd`), and also contains another file with the same base name as a program Git LFS intends to execute (such as `git`, `cygpath`, or `uname`) and any file extension from `PATHEXT` (including `.bat` and `.cmd`), then, on Windows, when Git LFS attempts to execute the intended program the `..exe`, `..com`, etc., file will be executed instead, but only if the intended program is not found in any directory listed in `PATH`. The vulnerability occurs because when Git LFS detects that the program it intends to run does not exist in any directory listed in `PATH` then Git LFS passes an empty string as the executable file path to the Go `os/exec` package, which contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., `.`) to the empty string without adding a path separator, and as a result searches in that directory for a file with the base name `.` combined with any file extension from `PATHEXT`, executing the first one it finds. (The reason `..bat` and `..cmd` files are not executed in the same manner is that, although the Go `os/exec` package tries to execute them just as it does a `..exe` file, the Microsoft Win32 API `CreateProcess()` family of functions have an undocumented feature in that they apparently recognize when a caller is attempting to execute a batch script file and instead run the `cmd.exe` command interpreter, passing the full set of command line arguments as parameters. These are unchanged from the command line arguments set by Git LFS, and as such, the intended program's name is the first, resulting in a command line like `cmd.exe /c git`, which then fails.) Git LFS has resolved this vulnerability by always reporting an error when a program is not found in any directory listed in `PATH` rather than passing an empty string to the Go `os/exec` package in this case. The bug in the Go `os/exec` package has been reported to the Go project and is expected to be patched after this security advisory is published. The problem was introduced in version 2.12.1 and is patched in version 3.1.3. Users of affected versions should upgrade to version 3.1.3. There are currently no known workarounds at this time."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-426",
+ "description": "CWE-426: Untrusted Search Path",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-04-19T23:35:10",
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/git-lfs/git-lfs/releases"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6rw3-3whw-jvjj"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-6rw3-3whw-jvjj",
+ "discovery": "UNKNOWN"
+ },
+ "title": "Git LFS can execute a binary from the current directory on Windows",
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2022-24826",
+ "STATE": "PUBLIC",
+ "TITLE": "Git LFS can execute a binary from the current directory on Windows"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "git-lfs",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "3.1.3"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "git-lfs"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. Similarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run. More generally, if the current working directory contains any file with a base name of `.` and a file extension from `PATHEXT` (except `.bat` and `.cmd`), and also contains another file with the same base name as a program Git LFS intends to execute (such as `git`, `cygpath`, or `uname`) and any file extension from `PATHEXT` (including `.bat` and `.cmd`), then, on Windows, when Git LFS attempts to execute the intended program the `..exe`, `..com`, etc., file will be executed instead, but only if the intended program is not found in any directory listed in `PATH`. The vulnerability occurs because when Git LFS detects that the program it intends to run does not exist in any directory listed in `PATH` then Git LFS passes an empty string as the executable file path to the Go `os/exec` package, which contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., `.`) to the empty string without adding a path separator, and as a result searches in that directory for a file with the base name `.` combined with any file extension from `PATHEXT`, executing the first one it finds. (The reason `..bat` and `..cmd` files are not executed in the same manner is that, although the Go `os/exec` package tries to execute them just as it does a `..exe` file, the Microsoft Win32 API `CreateProcess()` family of functions have an undocumented feature in that they apparently recognize when a caller is attempting to execute a batch script file and instead run the `cmd.exe` command interpreter, passing the full set of command line arguments as parameters. These are unchanged from the command line arguments set by Git LFS, and as such, the intended program's name is the first, resulting in a command line like `cmd.exe /c git`, which then fails.) Git LFS has resolved this vulnerability by always reporting an error when a program is not found in any directory listed in `PATH` rather than passing an empty string to the Go `os/exec` package in this case. The bug in the Go `os/exec` package has been reported to the Go project and is expected to be patched after this security advisory is published. The problem was introduced in version 2.12.1 and is patched in version 3.1.3. Users of affected versions should upgrade to version 3.1.3. There are currently no known workarounds at this time."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-426: Untrusted Search Path"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/git-lfs/git-lfs/releases",
+ "refsource": "MISC",
+ "url": "https://github.com/git-lfs/git-lfs/releases"
+ },
+ {
+ "name": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6rw3-3whw-jvjj",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6rw3-3whw-jvjj"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-6rw3-3whw-jvjj",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "assignerShortName": "GitHub_M",
+ "cveId": "CVE-2022-24826",
+ "datePublished": "2022-04-19T23:35:11",
+ "dateReserved": "2022-02-10T00:00:00",
+ "dateUpdated": "2022-04-19T23:35:10",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/24xxx/CVE-2022-24905.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "argo-cd",
+ "vendor": "argoproj",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "< 2.1.15"
+ },
+ {
+ "status": "affected",
+ "version": ">= 2.2.0, < 2.2.9"
+ },
+ {
+ "status": "affected",
+ "version": ">= 2.3.0, < 2.3.4"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. There are currently no known workarounds."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-20",
+ "description": "CWE-20: Improper Input Validation",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-05-20T14:05:11",
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-xmg8-99r8-jc2j",
+ "discovery": "UNKNOWN"
+ },
+ "title": "Argo CD login screen allows message spoofing if SSO is enabled",
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2022-24905",
+ "STATE": "PUBLIC",
+ "TITLE": "Argo CD login screen allows message spoofing if SSO is enabled"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "argo-cd",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "< 2.1.15"
+ },
+ {
+ "version_value": ">= 2.2.0, < 2.2.9"
+ },
+ {
+ "version_value": ">= 2.3.0, < 2.3.4"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "argoproj"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. There are currently no known workarounds."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-20: Improper Input Validation"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15",
+ "refsource": "MISC",
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15"
+ },
+ {
+ "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9",
+ "refsource": "MISC",
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9"
+ },
+ {
+ "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4",
+ "refsource": "MISC",
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4"
+ },
+ {
+ "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-xmg8-99r8-jc2j",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "assignerShortName": "GitHub_M",
+ "cveId": "CVE-2022-24905",
+ "datePublished": "2022-05-20T14:05:11",
+ "dateReserved": "2022-02-10T00:00:00",
+ "dateUpdated": "2022-05-20T14:05:11",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/25xxx/CVE-2022-25327.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "fscrypt",
+ "vendor": "Google LLC",
+ "versions": [
+ {
+ "lessThanOrEqual": "0.3.2",
+ "status": "affected",
+ "version": "unspecified",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Matthias Gerstner of SUSE"
+ }
+ ],
+ "datePublic": "2022-02-16T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above"
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 5.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-255",
+ "description": "CWE-255 Credentials Management",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-02-25T11:00:14",
+ "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
+ "shortName": "Google"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/google/fscrypt/pull/346"
+ }
+ ],
+ "source": {
+ "discovery": "EXTERNAL"
+ },
+ "title": "Local Denial of Service in fscrypt PAM module",
+ "x_generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security@google.com",
+ "DATE_PUBLIC": "2022-02-16T11:00:00.000Z",
+ "ID": "CVE-2022-25327",
+ "STATE": "PUBLIC",
+ "TITLE": "Local Denial of Service in fscrypt PAM module"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "fscrypt",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_value": "0.3.2"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Google LLC"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Matthias Gerstner of SUSE"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 5.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-255 Credentials Management"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/google/fscrypt/pull/346",
+ "refsource": "MISC",
+ "url": "https://github.com/google/fscrypt/pull/346"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "EXTERNAL"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
+ "assignerShortName": "Google",
+ "cveId": "CVE-2022-25327",
+ "datePublished": "2022-02-16T00:00:00",
+ "dateReserved": "2022-02-18T00:00:00",
+ "dateUpdated": "2022-02-25T11:00:14",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/27xxx/CVE-2022-27649.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "podman",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "Affects all versions before v4.0.3, Fixed in - v4.0.3"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-276",
+ "description": "CWE-276 - Incorrect Default Permissions",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-05-14T02:06:11",
+ "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "shortName": "redhat"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066568"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0"
+ },
+ {
+ "name": "FEDORA-2022-c87047f163",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_FEDORA"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/"
+ },
+ {
+ "name": "FEDORA-2022-2067702f06",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_FEDORA"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3/"
+ },
+ {
+ "name": "FEDORA-2022-5e637f6cc6",
+ "tags": [
+ "vendor-advisory",
+ "x_refsource_FEDORA"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "secalert@redhat.com",
+ "ID": "CVE-2022-27649",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "podman",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "Affects all versions before v4.0.3, Fixed in - v4.0.3"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-276 - Incorrect Default Permissions"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2066568",
+ "refsource": "MISC",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066568"
+ },
+ {
+ "name": "https://github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j",
+ "refsource": "MISC",
+ "url": "https://github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j"
+ },
+ {
+ "name": "https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0",
+ "refsource": "MISC",
+ "url": "https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0"
+ },
+ {
+ "name": "FEDORA-2022-c87047f163",
+ "refsource": "FEDORA",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/"
+ },
+ {
+ "name": "FEDORA-2022-2067702f06",
+ "refsource": "FEDORA",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3/"
+ },
+ {
+ "name": "FEDORA-2022-5e637f6cc6",
+ "refsource": "FEDORA",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
+ "assignerShortName": "redhat",
+ "cveId": "CVE-2022-27649",
+ "datePublished": "2022-04-04T19:45:43",
+ "dateReserved": "2022-03-22T00:00:00",
+ "dateUpdated": "2022-05-14T02:06:11",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/2xxx/CVE-2022-2880.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2022-2880",
+ "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
+ "assignerShortName": "Go",
+ "dateUpdated": "2023-06-12T19:12:40.079Z",
+ "dateReserved": "2022-08-17T00:00:00",
+ "datePublished": "2022-10-14T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
+ "shortName": "Go",
+ "dateUpdated": "2023-06-12T19:12:40.079Z"
+ },
+ "title": "Incorrect sanitization of forwarded query parameters in net/http/httputil",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Go standard library",
+ "product": "net/http/httputil",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "net/http/httputil",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.18.7",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.19.0-0",
+ "lessThan": "1.19.2",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "ReverseProxy.ServeHTTP"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-444: Inconsistent Interpretation of HTTP Requests"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/issue/54663"
+ },
+ {
+ "url": "https://go.dev/cl/432976"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2022-1038"
+ },
+ {
+ "url": "https://security.gentoo.org/glsa/202311-09"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Gal Goldstein (Security Researcher, Oxeye)"
+ },
+ {
+ "lang": "en",
+ "value": "Daniel Abeles (Head of Research, Oxeye)"
+ }
+ ]
+ }
+ }
+}
+-- cves/2022/31xxx/CVE-2022-31097.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "grafana",
+ "vendor": "grafana",
+ "versions": [
+ {
+ "status": "affected",
+ "version": ">= 9.0.0, < 9.0.3"
+ },
+ {
+ "status": "affected",
+ "version": ">= 8.5.0, < 8.5.9"
+ },
+ {
+ "status": "affected",
+ "version": ">= 8.4.0, < 8.4.10"
+ },
+ {
+ "status": "affected",
+ "version": ">= 8.0.0, < 8.3.10"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-79",
+ "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-09-01T13:06:34",
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/"
+ },
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://security.netapp.com/advisory/ntap-20220901-0010/"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-vw7q-p2qg-4m5f",
+ "discovery": "UNKNOWN"
+ },
+ "title": "Stored XSS in Grafana's Unified Alerting",
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2022-31097",
+ "STATE": "PUBLIC",
+ "TITLE": "Stored XSS in Grafana's Unified Alerting"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "grafana",
+ "version": {
+ "version_data": [
+ {
+ "version_value": ">= 9.0.0, < 9.0.3"
+ },
+ {
+ "version_value": ">= 8.5.0, < 8.5.9"
+ },
+ {
+ "version_value": ">= 8.4.0, < 8.4.10"
+ },
+ {
+ "version_value": ">= 8.0.0, < 8.3.10"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "grafana"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f"
+ },
+ {
+ "name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/",
+ "refsource": "MISC",
+ "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/"
+ },
+ {
+ "name": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/",
+ "refsource": "MISC",
+ "url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/"
+ },
+ {
+ "name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/",
+ "refsource": "MISC",
+ "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/"
+ },
+ {
+ "name": "https://security.netapp.com/advisory/ntap-20220901-0010/",
+ "refsource": "CONFIRM",
+ "url": "https://security.netapp.com/advisory/ntap-20220901-0010/"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-vw7q-p2qg-4m5f",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "assignerShortName": "GitHub_M",
+ "cveId": "CVE-2022-31097",
+ "datePublished": "2022-07-15T12:10:10",
+ "dateReserved": "2022-05-18T00:00:00",
+ "dateUpdated": "2022-09-01T13:06:34",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/34xxx/CVE-2022-34800.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "Jenkins Build Notifications Plugin",
+ "vendor": "Jenkins project",
+ "versions": [
+ {
+ "lessThanOrEqual": "1.5.0",
+ "status": "affected",
+ "version": "unspecified",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "unspecified",
+ "status": "unknown",
+ "version": "next of 1.5.0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system."
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
+ "shortName": "jenkins",
+ "dateUpdated": "2023-10-24T14:23:31.492Z"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2056"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com",
+ "ID": "CVE-2022-34800",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Build Notifications Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_value": "1.5.0"
+ },
+ {
+ "version_affected": "?>",
+ "version_value": "1.5.0"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-256: Plaintext Storage of a Password"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2056",
+ "refsource": "CONFIRM",
+ "url": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2056"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
+ "assignerShortName": "jenkins",
+ "cveId": "CVE-2022-34800",
+ "datePublished": "2022-06-30T17:48:04",
+ "dateReserved": "2022-06-29T00:00:00",
+ "dateUpdated": "2023-10-24T14:23:31.492Z",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/36xxx/CVE-2022-36309.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "AirVelocity",
+ "vendor": "Airspan",
+ "versions": [
+ {
+ "lessThan": "15.18.00.2511",
+ "status": "affected",
+ "version": "unspecified",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "dateAssigned": "2022-07-19T00:00:00",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Airspan AirVelocity 1500 software versions prior to 15.18.00.2511 have a root command injection vulnerability in the ActiveBank parameter of the recoverySubmit.cgi script running on the eNodeB's web management UI. This issue may affect other AirVelocity and AirSpeed models."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-78",
+ "description": "CWE-78",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-08-16T00:33:24",
+ "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
+ "shortName": "facebook"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://helpdesk.airspan.com/browse/TRN3-1690"
+ },
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-p295-2jh6-g6g4"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve-assign@fb.com",
+ "DATE_ASSIGNED": "2022-07-19",
+ "ID": "CVE-2022-36309",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "AirVelocity",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_value": "15.18.00.2511"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Airspan"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Airspan AirVelocity 1500 software versions prior to 15.18.00.2511 have a root command injection vulnerability in the ActiveBank parameter of the recoverySubmit.cgi script running on the eNodeB's web management UI. This issue may affect other AirVelocity and AirSpeed models."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://helpdesk.airspan.com/browse/TRN3-1690",
+ "refsource": "CONFIRM",
+ "url": "https://helpdesk.airspan.com/browse/TRN3-1690"
+ },
+ {
+ "name": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-p295-2jh6-g6g4",
+ "refsource": "MISC",
+ "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-p295-2jh6-g6g4"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
+ "assignerShortName": "facebook",
+ "cveId": "CVE-2022-36309",
+ "datePublished": "2022-08-16T00:33:24",
+ "dateReserved": "2022-07-19T00:00:00",
+ "dateUpdated": "2022-08-16T00:33:24",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/38xxx/CVE-2022-38638.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-09-09T19:40:29",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/casdoor/casdoor/issues/1035"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2022-38638",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/casdoor/casdoor/issues/1035",
+ "refsource": "MISC",
+ "url": "https://github.com/casdoor/casdoor/issues/1035"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2022-38638",
+ "datePublished": "2022-09-09T19:40:29",
+ "dateReserved": "2022-08-22T00:00:00",
+ "dateUpdated": "2022-09-09T19:40:29",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/39xxx/CVE-2022-39238.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "arvados",
+ "vendor": "arvados",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "< 2.4.3"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Arvados is an open source platform for managing and analyzing biomedical big data. In versions prior to 2.4.3, when using Portable Authentication Modules (PAM) for user authentication, if a user presented valid credentials but the account is disabled or otherwise not allowed to access the host (such as an expired password), it would still be accepted for access to Arvados. Other authentication methods (LDAP, OpenID Connect) supported by Arvados are not affected by this flaw. This issue is patched in version 2.4.3. Workaround for this issue is to migrate to a different authentication method supported by Arvados, such as LDAP."
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.2,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-287",
+ "description": "CWE-287: Improper Authentication",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-09-23T08:05:08",
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/arvados/arvados/security/advisories/GHSA-87jr-xwhg-cxjv"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-87jr-xwhg-cxjv",
+ "discovery": "UNKNOWN"
+ },
+ "title": "Improper Authentication in Arvados when using PAM as identity provider",
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2022-39238",
+ "STATE": "PUBLIC",
+ "TITLE": "Improper Authentication in Arvados when using PAM as identity provider"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "arvados",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "< 2.4.3"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "arvados"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Arvados is an open source platform for managing and analyzing biomedical big data. In versions prior to 2.4.3, when using Portable Authentication Modules (PAM) for user authentication, if a user presented valid credentials but the account is disabled or otherwise not allowed to access the host (such as an expired password), it would still be accepted for access to Arvados. Other authentication methods (LDAP, OpenID Connect) supported by Arvados are not affected by this flaw. This issue is patched in version 2.4.3. Workaround for this issue is to migrate to a different authentication method supported by Arvados, such as LDAP."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.2,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-287: Improper Authentication"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/arvados/arvados/security/advisories/GHSA-87jr-xwhg-cxjv",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/arvados/arvados/security/advisories/GHSA-87jr-xwhg-cxjv"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-87jr-xwhg-cxjv",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "assignerShortName": "GitHub_M",
+ "cveId": "CVE-2022-39238",
+ "datePublished": "2022-09-23T08:05:08",
+ "dateReserved": "2022-09-02T00:00:00",
+ "dateUpdated": "2022-09-23T08:05:08",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/40xxx/CVE-2022-40083.json --
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "product": "n/a",
+ "vendor": "n/a",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "n/a"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF)."
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "n/a",
+ "lang": "en",
+ "type": "text"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "dateUpdated": "2022-09-28T13:34:03",
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre"
+ },
+ "references": [
+ {
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/labstack/echo/issues/2259"
+ }
+ ],
+ "x_legacyV4Record": {
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2022-40083",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF)."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/labstack/echo/issues/2259",
+ "refsource": "MISC",
+ "url": "https://github.com/labstack/echo/issues/2259"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "cveId": "CVE-2022-40083",
+ "datePublished": "2022-09-28T13:34:03",
+ "dateReserved": "2022-09-06T00:00:00",
+ "dateUpdated": "2022-09-28T13:34:03",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
+-- cves/2022/4xxx/CVE-2022-4045.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-4045",
+ "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
+ "state": "PUBLISHED",
+ "assignerShortName": "Mattermost",
+ "requesterUserId": "0a729610-c22f-40e3-9816-673e47743f12",
+ "dateReserved": "2022-11-17T05:22:41.207Z",
+ "datePublished": "2022-11-23T06:14:19.131Z"
+ },
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "product": "Mattermost",
+ "vendor": "Mattermost",
+ "versions": [
+ {
+ "lessThan": "7.3.*",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ },
+ {
+ "status": "unaffected",
+ "version": "7.4.0"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "type": "finder",
+ "user": "00000000-0000-4000-9000-000000000000",
+ "value": "DummyThatMatters"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<span style=\"background-color: rgb(255, 255, 255);\">A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data. </span><br>"
+ }
+ ],
+ "value": "A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data. \n"
+ }
+ ],
+ "impacts": [
+ {
+ "capecId": "CAPEC-130",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CAPEC-130 Excessive Allocation"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "LOW",
+ "baseScore": 3.1,
+ "baseSeverity": "LOW",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "version": "3.1"
+ },
+ "format": "CVSS",
+ "scenarios": [
+ {
+ "lang": "en",
+ "value": "GENERAL"
+ }
+ ]
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-770",
+ "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
+ "shortName": "Mattermost",
+ "dateUpdated": "2022-11-23T06:14:19.131Z"
+ },
+ "references": [
+ {
+ "url": "https://mattermost.com/security-updates/"
+ }
+ ],
+ "solutions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Update Mattermost to version v7.4.0 or higher."
+ }
+ ],
+ "value": "Update Mattermost to version v7.4.0 or higher."
+ }
+ ],
+ "source": {
+ "advisory": "MMSA-2022-00124",
+ "defect": [
+ "https://mattermost.atlassian.net/browse/MM-45800"
+ ],
+ "discovery": "EXTERNAL"
+ },
+ "title": "Authenticated user could send multiple requests containing a parameter which could fetch a large amount of data and can crash a Mattermost server",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ }
+ }
+}
+-- cves/2022/41xxx/CVE-2022-41912.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2022-41912",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "assignerShortName": "GitHub_M",
+ "dateUpdated": "2023-01-02T00:00:00",
+ "dateReserved": "2022-09-30T00:00:00",
+ "datePublished": "2022-11-28T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "title": "crewjam/saml go library is vulnerable to signature bypass via multiple Assertion elements",
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2023-01-02T00:00:00"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "crewjam",
+ "product": "saml",
+ "versions": [
+ {
+ "version": "< 0.4.9",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g"
+ },
+ {
+ "url": "https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b"
+ },
+ {
+ "url": "http://packetstormsecurity.com/files/170356/crewjam-saml-Signature-Bypass.html"
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "availabilityImpact": "NONE",
+ "baseScore": 9.1,
+ "baseSeverity": "CRITICAL"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "CWE",
+ "lang": "en",
+ "description": "CWE-287: Improper Authentication",
+ "cweId": "CWE-287"
+ }
+ ]
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-j2jp-wvqg-wc2g",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+}
+-- cves/2022/44xxx/CVE-2022-44797.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2022-44797",
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "dateUpdated": "2022-11-07T00:00:00",
+ "dateReserved": "2022-11-07T00:00:00",
+ "datePublished": "2022-11-07T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre",
+ "dateUpdated": "2022-11-07T00:00:00"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other Bitcoin-related products, mishandles witness size checking."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "n/a",
+ "product": "n/a",
+ "versions": [
+ {
+ "version": "n/a",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/lightningnetwork/lnd/issues/7002"
+ },
+ {
+ "url": "https://github.com/lightningnetwork/lnd/releases/tag/v0.15.2-beta"
+ },
+ {
+ "url": "https://github.com/btcsuite/btcd/pull/1896"
+ },
+ {
+ "url": "https://github.com/btcsuite/btcd/releases/tag/v0.23.2"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
+-- cves/2022/44xxx/CVE-2022-44942.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2022-44942",
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "dateUpdated": "2022-12-07T00:00:00",
+ "dateReserved": "2022-11-07T00:00:00",
+ "datePublished": "2022-12-07T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre",
+ "dateUpdated": "2022-12-07T00:00:00"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "n/a",
+ "product": "n/a",
+ "versions": [
+ {
+ "version": "n/a",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/casdoor/casdoor/issues/1171"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
+-- cves/2022/46xxx/CVE-2022-46167.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2022-46167",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
+ "dateReserved": "2022-11-28T17:27:19.998Z",
+ "datePublished": "2022-12-02T18:22:21.817Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "Capsule vulnerable to privilege escalation by ServiceAccount deployed in a Tenant Namespace",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-863",
+ "lang": "en",
+ "description": "CWE-863: Incorrect Authorization",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.8,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/clastix/capsule/security/advisories/GHSA-x45c-cvp8-q4fm",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/clastix/capsule/security/advisories/GHSA-x45c-cvp8-q4fm"
+ },
+ {
+ "name": "https://github.com/clastix/capsule/commit/1df430e71be8c4778c82eca3459978ad7d0b4b7b",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/clastix/capsule/commit/1df430e71be8c4778c82eca3459978ad7d0b4b7b"
+ },
+ {
+ "name": "https://github.com/clastix/capsule/commit/75525ac19254b0c5111e34d7985e2be7bc8b1ac1",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/clastix/capsule/commit/75525ac19254b0c5111e34d7985e2be7bc8b1ac1"
+ },
+ {
+ "name": "https://github.com/clastix/capsule/releases/tag/v0.1.3",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/clastix/capsule/releases/tag/v0.1.3"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "clastix",
+ "product": "capsule",
+ "versions": [
+ {
+ "version": "< 0.1.3",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2022-12-02T18:22:21.817Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule Operator and removing all the enforcement like Pod Security annotations, Network Policies, Limit Range and Resource Quota items. An attacker could detach the Namespace from a Tenant that is forbidding starting privileged Pods using the Pod Security labels by removing the OwnerReference, removing the enforcement labels, and being able to start privileged containers that would be able to start a generic Kubernetes privilege escalation. Patches have been released for version 0.1.3. No known workarounds are available.\n"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-x45c-cvp8-q4fm",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+}
+-- cves/2022/4xxx/CVE-2022-4813.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2022-4813",
+ "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
+ "assignerShortName": "@huntrdev",
+ "dateUpdated": "2022-12-28T00:00:00",
+ "dateReserved": "2022-12-28T00:00:00",
+ "datePublished": "2022-12-28T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "title": "Insufficient Granularity of Access Control in usememos/memos",
+ "providerMetadata": {
+ "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
+ "shortName": "@huntrdev",
+ "dateUpdated": "2022-12-28T00:00:00"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "usememos",
+ "product": "usememos/memos",
+ "versions": [
+ {
+ "version": "unspecified",
+ "lessThan": "0.9.1",
+ "status": "affected",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
+ },
+ {
+ "url": "https://huntr.dev/bounties/a24b45d8-554b-4131-8ce1-f33bf8cdbacc"
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_0": {
+ "version": "3.0",
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "HIGH",
+ "availabilityImpact": "LOW",
+ "baseScore": 8.6,
+ "baseSeverity": "HIGH"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "CWE",
+ "lang": "en",
+ "description": "CWE-1220 Insufficient Granularity of Access Control",
+ "cweId": "CWE-1220"
+ }
+ ]
+ }
+ ],
+ "source": {
+ "advisory": "a24b45d8-554b-4131-8ce1-f33bf8cdbacc",
+ "discovery": "EXTERNAL"
+ }
+ }
+ }
+}
+-- cves/2022/4xxx/CVE-2022-4850.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2022-4850",
+ "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
+ "assignerShortName": "@huntrdev",
+ "dateUpdated": "2022-12-29T00:00:00",
+ "dateReserved": "2022-12-29T00:00:00",
+ "datePublished": "2022-12-29T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "title": "Cross-Site Request Forgery (CSRF) in usememos/memos",
+ "providerMetadata": {
+ "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
+ "shortName": "@huntrdev",
+ "dateUpdated": "2022-12-29T00:00:00"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "usememos",
+ "product": "usememos/memos",
+ "versions": [
+ {
+ "version": "unspecified",
+ "lessThan": "0.9.1",
+ "status": "affected",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/usememos/memos/commit/c9bb2b785dc5852655405d5c9ab127a2d5aa3948"
+ },
+ {
+ "url": "https://huntr.dev/bounties/46dc4728-eacc-43f5-9831-c203fdbcc346"
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_0": {
+ "version": "3.0",
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "NONE",
+ "userInteraction": "REQUIRED",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "availabilityImpact": "NONE",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "CWE",
+ "lang": "en",
+ "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
+ "cweId": "CWE-352"
+ }
+ ]
+ }
+ ],
+ "source": {
+ "advisory": "46dc4728-eacc-43f5-9831-c203fdbcc346",
+ "discovery": "EXTERNAL"
+ }
+ }
+ }
+}
+-- cves/2023/1xxx/CVE-2023-1238.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2023-1238",
+ "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
+ "assignerShortName": "@huntrdev",
+ "dateUpdated": "2024-08-02T05:40:59.748Z",
+ "dateReserved": "2023-03-07T00:00:00",
+ "datePublished": "2023-03-07T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "title": "Cross-site Scripting (XSS) - Stored in answerdev/answer",
+ "providerMetadata": {
+ "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
+ "shortName": "@huntrdev",
+ "dateUpdated": "2023-03-07T00:00:00"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "answerdev",
+ "product": "answerdev/answer",
+ "versions": [
+ {
+ "version": "unspecified",
+ "lessThan": "1.0.6",
+ "status": "affected",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://huntr.dev/bounties/52f97267-1439-4bb6-862b-89b8fafce50d"
+ },
+ {
+ "url": "https://github.com/answerdev/answer/commit/0566894a2c0e13cf07d877f41467e2e21529fee8"
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_0": {
+ "version": "3.0",
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.6,
+ "baseSeverity": "HIGH"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "CWE",
+ "lang": "en",
+ "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ],
+ "source": {
+ "advisory": "52f97267-1439-4bb6-862b-89b8fafce50d",
+ "discovery": "EXTERNAL"
+ }
+ },
+ "adp": [
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-02T05:40:59.748Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "url": "https://huntr.dev/bounties/52f97267-1439-4bb6-862b-89b8fafce50d",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://github.com/answerdev/answer/commit/0566894a2c0e13cf07d877f41467e2e21529fee8",
+ "tags": [
+ "x_transferred"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2023/28xxx/CVE-2023-28436.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2023-28436",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2023-03-15T15:59:10.053Z",
+ "datePublished": "2023-03-23T19:27:48.051Z",
+ "dateUpdated": "2024-08-02T12:38:25.336Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "Non-interactive Tailscale SSH sessions on FreeBSD may use the effective group ID of the tailscaled process",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-269",
+ "lang": "en",
+ "description": "CWE-269: Improper Privilege Management",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 5.7,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "HIGH",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595"
+ },
+ {
+ "name": "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d"
+ },
+ {
+ "name": "https://github.com/tailscale/tailscale/releases/tag/v1.38.2",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/tailscale/tailscale/releases/tag/v1.38.2"
+ },
+ {
+ "name": "https://tailscale.com/security-bulletins/#ts-2023-003",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://tailscale.com/security-bulletins/#ts-2023-003"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "tailscale",
+ "product": "tailscale",
+ "versions": [
+ {
+ "version": ">= 1.34.0, < 1.38.2",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2023-03-23T19:27:48.051Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Tailscale is software for using Wireguard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to prior to 1.38.2 in FreeBSD allows commands to be run with a higher privilege group ID than that specified in Tailscale SSH access rules. A difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system did not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules.\n\nTailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria: the destination node was a FreeBSD device with Tailscale SSH enabled; Tailscale SSH access rules permitted access for non-root users; and a non-interactive SSH session was used.\n\nAffected users should upgrade to version 1.38.2 to remediate the issue.\n\n"
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-vfgq-g5x8-g595",
+ "discovery": "UNKNOWN"
+ }
+ },
+ "adp": [
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-02T12:38:25.336Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "name": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595",
+ "tags": [
+ "x_refsource_CONFIRM",
+ "x_transferred"
+ ],
+ "url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595"
+ },
+ {
+ "name": "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d"
+ },
+ {
+ "name": "https://github.com/tailscale/tailscale/releases/tag/v1.38.2",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/tailscale/tailscale/releases/tag/v1.38.2"
+ },
+ {
+ "name": "https://tailscale.com/security-bulletins/#ts-2023-003",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://tailscale.com/security-bulletins/#ts-2023-003"
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2023/32xxx/CVE-2023-32758.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2023-32758",
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "dateUpdated": "2024-08-02T15:25:37.050Z",
+ "dateReserved": "2023-05-15T00:00:00",
+ "datePublished": "2023-05-15T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre",
+ "dateUpdated": "2023-06-09T00:00:00"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "n/a",
+ "product": "n/a",
+ "versions": [
+ {
+ "version": "n/a",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53"
+ },
+ {
+ "url": "https://pypi.org/project/git-url-parse"
+ },
+ {
+ "url": "https://github.com/returntocorp/semgrep/pull/7611"
+ },
+ {
+ "url": "https://github.com/returntocorp/semgrep/pull/7955"
+ },
+ {
+ "url": "https://github.com/returntocorp/semgrep/pull/7943"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "adp": [
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-02T15:25:37.050Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "url": "https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://pypi.org/project/git-url-parse",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://github.com/returntocorp/semgrep/pull/7611",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://github.com/returntocorp/semgrep/pull/7955",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://github.com/returntocorp/semgrep/pull/7943",
+ "tags": [
+ "x_transferred"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2023/34xxx/CVE-2023-34091.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2023-34091",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2023-05-25T21:56:51.244Z",
+ "datePublished": "2023-06-01T16:24:53.920Z",
+ "dateUpdated": "2024-08-02T16:01:53.601Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "Kyverno resource with a deletionTimestamp may allow policy circumvention",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-285",
+ "lang": "en",
+ "description": "CWE-285: Improper Authorization",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc"
+ },
+ {
+ "name": "https://github.com/kyverno/kyverno/releases/tag/v1.10.0",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/kyverno/kyverno/releases/tag/v1.10.0"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "kyverno",
+ "product": "kyverno",
+ "versions": [
+ {
+ "version": "< 1.10.0",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2023-06-01T16:24:53.920Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation occurs as resources pending deletion were being consciously exempted by Kyverno, as a way to reduce processing load as policies are typically not applied to objects which are being deleted. However, this could potentially result in allowing a malicious user to leverage the Kubernetes finalizers feature by setting a finalizer which causes the Kubernetes API server to set the `deletionTimestamp` and then not completing the delete operation as a way to explicitly to bypass a Kyverno policy. Note that this is not applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround."
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-hq4m-4948-64cc",
+ "discovery": "UNKNOWN"
+ }
+ },
+ "adp": [
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-02T16:01:53.601Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc",
+ "tags": [
+ "x_refsource_CONFIRM",
+ "x_transferred"
+ ],
+ "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc"
+ },
+ {
+ "name": "https://github.com/kyverno/kyverno/releases/tag/v1.10.0",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/kyverno/kyverno/releases/tag/v1.10.0"
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2023/35xxx/CVE-2023-35993.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2023-35993",
+ "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
+ "state": "PUBLISHED",
+ "assignerShortName": "apple",
+ "dateReserved": "2023-07-20T15:03:50.136Z",
+ "datePublished": "2023-07-27T00:22:30.186Z",
+ "dateUpdated": "2024-08-02T16:37:40.667Z"
+ },
+ "containers": {
+ "cna": {
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "An app may be able to execute arbitrary code with kernel privileges"
+ }
+ ]
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Apple",
+ "product": "tvOS",
+ "versions": [
+ {
+ "version": "unspecified",
+ "status": "affected",
+ "lessThan": "16.6",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "vendor": "Apple",
+ "product": "iOS and iPadOS",
+ "versions": [
+ {
+ "version": "unspecified",
+ "status": "affected",
+ "lessThan": "16.6",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "vendor": "Apple",
+ "product": "macOS",
+ "versions": [
+ {
+ "version": "unspecified",
+ "status": "affected",
+ "lessThan": "13.5",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "vendor": "Apple",
+ "product": "iOS and iPadOS",
+ "versions": [
+ {
+ "version": "unspecified",
+ "status": "affected",
+ "lessThan": "15.7",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "vendor": "Apple",
+ "product": "macOS",
+ "versions": [
+ {
+ "version": "unspecified",
+ "status": "affected",
+ "lessThan": "11.7",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "vendor": "Apple",
+ "product": "macOS",
+ "versions": [
+ {
+ "version": "unspecified",
+ "status": "affected",
+ "lessThan": "12.6",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "vendor": "Apple",
+ "product": "watchOS",
+ "versions": [
+ {
+ "version": "unspecified",
+ "status": "affected",
+ "lessThan": "9.6",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.6.8, iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS 9.6. An app may be able to execute arbitrary code with kernel privileges."
+ }
+ ],
+ "references": [
+ {
+ "url": "https://support.apple.com/en-us/HT213846"
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213841"
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213843"
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213842"
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213845"
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213844"
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213848"
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
+ "shortName": "apple",
+ "dateUpdated": "2023-07-27T03:45:48.399Z"
+ }
+ },
+ "adp": [
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-02T16:37:40.667Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "url": "https://support.apple.com/en-us/HT213846",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213841",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213843",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213842",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213845",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213844",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT213848",
+ "tags": [
+ "x_transferred"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2023/37xxx/CVE-2023-37265.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2023-37265",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2023-06-29T19:35:26.438Z",
+ "datePublished": "2023-07-17T20:59:25.498Z",
+ "dateUpdated": "2024-08-02T17:09:34.076Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "Incorrect identification of source IP addresses in CasaOS",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-306",
+ "lang": "en",
+ "description": "CWE-306: Missing Authentication for Critical Function",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g"
+ },
+ {
+ "name": "https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "IceWhaleTech",
+ "product": "CasaOS-Gateway",
+ "versions": [
+ {
+ "version": "< 0.4.4",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2023-07-17T20:59:25.498Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly. "
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-vjh7-5r6x-xh6g",
+ "discovery": "UNKNOWN"
+ }
+ },
+ "adp": [
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-02T17:09:34.076Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "name": "https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g",
+ "tags": [
+ "x_refsource_CONFIRM",
+ "x_transferred"
+ ],
+ "url": "https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g"
+ },
+ {
+ "name": "https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7"
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2023/39xxx/CVE-2023-39964.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-39964",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2023-08-07T16:27:27.076Z",
+ "datePublished": "2023-08-10T17:39:11.768Z",
+ "dateUpdated": "2023-08-10T17:39:11.768Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "1Panel O&M management panel has a background arbitrary file reading vulnerability",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-22",
+ "lang": "en",
+ "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-pv7q-v9mv-9mh5",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-pv7q-v9mv-9mh5"
+ },
+ {
+ "name": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "1Panel-dev",
+ "product": "1Panel",
+ "versions": [
+ {
+ "version": "= 1.4.3",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2023-08-10T17:39:11.768Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, arbitrary file reads allow an attacker to read arbitrary important configuration files on the server. In the `api/v1/file.go` file, there is a function called `LoadFromFile`, which directly reads the file by obtaining the requested path `parameter[path]`. The request parameters are not filtered, resulting in a background arbitrary file reading vulnerability. Version 1.5.0 has a patch for this issue."
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-pv7q-v9mv-9mh5",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+}
+-- cves/2023/42xxx/CVE-2023-42816.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-42816",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2023-09-14T16:13:33.308Z",
+ "datePublished": "2023-11-13T20:23:16.248Z",
+ "dateUpdated": "2023-11-14T18:54:09.977Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "Denial of service from malicious signature in kyverno",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-345",
+ "lang": "en",
+ "description": "CWE-345: Insufficient Verification of Data Authenticity",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.1,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r"
+ },
+ {
+ "name": "https://github.com/kyverno/kyverno/pull/8428",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/kyverno/kyverno/pull/8428"
+ },
+ {
+ "name": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
+ },
+ {
+ "name": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "kyverno",
+ "product": "kyverno",
+ "versions": [
+ {
+ "version": ">= 80d139bb5d1d9d7e907abe851b97dc73821a5be2, < fec2992e3f9fcd6b9c62267522c09b182e7df73b",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2023-11-14T18:54:09.977Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild."
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-4mp4-46gq-hv3r",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+}
+-- cves/2023/43xxx/CVE-2023-43620.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2023-43620",
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "dateUpdated": "2023-09-21T23:06:17.199374",
+ "dateReserved": "2023-09-20T00:00:00",
+ "datePublished": "2023-09-20T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre",
+ "dateUpdated": "2023-09-21T23:06:17.199374"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "n/a",
+ "product": "n/a",
+ "versions": [
+ {
+ "version": "n/a",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://www.openwall.com/lists/oss-security/2023/09/08/2"
+ },
+ {
+ "url": "https://github.com/schollz/croc/issues/595"
+ },
+ {
+ "name": "[oss-security] 20230921 Re: croc: multiple issues in file sharing utility",
+ "tags": [
+ "mailing-list"
+ ],
+ "url": "http://www.openwall.com/lists/oss-security/2023/09/21/5"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
+-- cves/2023/43xxx/CVE-2023-43884.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2023-43884",
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "dateUpdated": "2023-09-28T14:16:27.402934",
+ "dateReserved": "2023-09-25T00:00:00",
+ "datePublished": "2023-09-28T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre",
+ "dateUpdated": "2023-09-28T14:16:27.402934"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A Cross-site scripting (XSS) vulnerability in Reference ID from the panel Transactions, of Subrion v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into 'Reference ID' parameter."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "n/a",
+ "product": "n/a",
+ "versions": [
+ {
+ "version": "n/a",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/dpuenteramirez/XSS-ReferenceID-Subrion_4.2.1"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
+-- cves/2023/45xxx/CVE-2023-45142.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-45142",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2023-10-04T16:02:46.330Z",
+ "datePublished": "2023-10-12T16:33:21.435Z",
+ "dateUpdated": "2023-10-12T16:33:21.435Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-770",
+ "lang": "en",
+ "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
+ },
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh"
+ },
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277"
+ },
+ {
+ "name": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p"
+ },
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65"
+ },
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0"
+ },
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223"
+ },
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "open-telemetry",
+ "product": "opentelemetry-go-contrib",
+ "versions": [
+ {
+ "version": "< 0.44.0",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2023-10-12T16:33:21.435Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it."
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-rcjv-mgp8-qvmr",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+}
+-- cves/2023/45xxx/CVE-2023-45223.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-45223",
+ "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
+ "state": "PUBLISHED",
+ "assignerShortName": "Mattermost",
+ "dateReserved": "2023-11-20T12:06:31.664Z",
+ "datePublished": "2023-11-27T09:06:34.489Z",
+ "dateUpdated": "2023-11-27T09:06:34.489Z"
+ },
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "product": "Mattermost",
+ "vendor": "Mattermost",
+ "versions": [
+ {
+ "lessThanOrEqual": "7.8.12",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ },
+ {
+ "lessThanOrEqual": "8.1.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ },
+ {
+ "status": "unaffected",
+ "version": "7.8.13"
+ },
+ {
+ "status": "unaffected",
+ "version": "8.1.4"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "type": "finder",
+ "user": "00000000-0000-4000-9000-000000000000",
+ "value": "Pyae Phyo (pyae_phyo)"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<p>Mattermost fails to properly validate the \"Show Full Name\" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled. </p>"
+ }
+ ],
+ "value": "Mattermost fails to properly validate the \"Show Full Name\" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled. \n\n"
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ "version": "3.1"
+ },
+ "format": "CVSS",
+ "scenarios": [
+ {
+ "lang": "en",
+ "value": "GENERAL"
+ }
+ ]
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-200",
+ "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
+ "shortName": "Mattermost",
+ "dateUpdated": "2023-11-27T09:06:34.489Z"
+ },
+ "references": [
+ {
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "solutions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<p>Update Mattermost Server to versions 7.8.13, 8.1.4 or higher.</p>"
+ }
+ ],
+ "value": "Update Mattermost Server to versions 7.8.13, 8.1.4 or higher.\n\n"
+ }
+ ],
+ "source": {
+ "advisory": "MMSA-2023-00216",
+ "defect": [
+ "https://mattermost.atlassian.net/browse/MM-53189"
+ ],
+ "discovery": "EXTERNAL"
+ },
+ "title": "Users full name disclosure through Mattermost Boards with Show Full Name Option disabled",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ }
+ }
+}
+-- cves/2023/45xxx/CVE-2023-45284.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-45284",
+ "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
+ "state": "PUBLISHED",
+ "assignerShortName": "Go",
+ "dateReserved": "2023-10-06T17:06:26.220Z",
+ "datePublished": "2023-11-09T16:30:15.250Z",
+ "dateUpdated": "2023-11-09T16:30:15.250Z"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
+ "shortName": "Go",
+ "dateUpdated": "2023-11-09T16:30:15.250Z"
+ },
+ "title": "Incorrect detection of reserved device names on Windows in path/filepath",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as \"COM1 \", and reserved names \"COM\" and \"LPT\" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Go standard library",
+ "product": "path/filepath",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "path/filepath",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.20.11",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.21.0-0",
+ "lessThan": "1.21.4",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "IsLocal"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-41: Improper Resolution of Path Equivalence"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/issue/63713"
+ },
+ {
+ "url": "https://go.dev/cl/540277"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2186"
+ }
+ ]
+ }
+ }
+}
+-- cves/2023/45xxx/CVE-2023-45825.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-45825",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2023-10-13T12:00:50.438Z",
+ "datePublished": "2023-10-19T18:22:31.034Z",
+ "dateUpdated": "2023-10-19T18:22:31.034Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "Token in custom credentials object can leak through logs in ydb-go-sdk",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-532",
+ "lang": "en",
+ "description": "CWE-532: Insertion of Sensitive Information into Log File",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "NONE",
+ "baseScore": 5.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8"
+ },
+ {
+ "name": "https://github.com/ydb-platform/ydb-go-sdk/pull/859",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/ydb-platform/ydb-go-sdk/pull/859"
+ },
+ {
+ "name": "https://github.com/ydb-platform/ydb-go-sdk/blob/master/credentials/credentials.go#L10",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/ydb-platform/ydb-go-sdk/blob/master/credentials/credentials.go#L10"
+ },
+ {
+ "name": "https://github.com/ydb-platform/ydb-go-sdk/blob/v3.48.6/internal/balancer/balancer.go#L71",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/ydb-platform/ydb-go-sdk/blob/v3.48.6/internal/balancer/balancer.go#L71"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "ydb-platform",
+ "product": "ydb-go-sdk",
+ "versions": [
+ {
+ "version": ">= 3.48.6, < 3.53.3",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2023-10-19T18:22:31.034Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "ydb-go-sdk is a pure Go native and database/sql driver for the YDB platform. Since ydb-go-sdk v3.48.6 if you use a custom credentials object (implementation of interface Credentials it may leak into logs. This happens because this object could be serialized into an error message using `fmt.Errorf(\"something went wrong (credentials: %q)\", credentials)` during connection to the YDB server. If such logging occurred, a malicious user with access to logs could read sensitive information (i.e. credentials) information and use it to get access to the database. ydb-go-sdk contains this problem in versions from v3.48.6 to v3.53.2. The fix for this problem has been released in version v3.53.3. Users are advised to upgrade. Users unable to upgrade should implement the `fmt.Stringer` interface in your custom credentials type with explicit stringify of object state."
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-q24m-6h38-5xj8",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+}
+-- cves/2023/46xxx/CVE-2023-46740.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-46740",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2023-10-25T14:30:33.753Z",
+ "datePublished": "2024-01-03T16:20:18.619Z",
+ "dateUpdated": "2024-01-03T16:20:18.619Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "Insecure random string generator used for sensitive data",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-330",
+ "lang": "en",
+ "description": "CWE-330: Use of Insufficiently Random Values",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "LOW",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm"
+ },
+ {
+ "name": "https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "cubefs",
+ "product": "cubefs",
+ "versions": [
+ {
+ "version": "< 3.3.1",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2024-01-03T16:20:18.619Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the \"accesKey\", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator and guess a users access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade."
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-4248-p65p-hcrm",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+}
+-- cves/2023/47xxx/CVE-2023-47108.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-47108",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2023-10-30T19:57:51.673Z",
+ "datePublished": "2023-11-10T18:31:33.730Z",
+ "dateUpdated": "2023-11-10T18:31:33.730Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics ",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-770",
+ "lang": "en",
+ "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw"
+ },
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322"
+ },
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b"
+ },
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327"
+ },
+ {
+ "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138"
+ },
+ {
+ "name": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "open-telemetry",
+ "product": "opentelemetry-go-contrib",
+ "versions": [
+ {
+ "version": "< 0.46.0",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2023-11-10T18:31:33.730Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`."
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-8pgv-569h-w5rw",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+}
+-- cves/2023/48xxx/CVE-2023-48312.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-48312",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2023-11-14T17:41:15.573Z",
+ "datePublished": "2023-11-24T17:12:39.652Z",
+ "dateUpdated": "2023-11-24T17:12:39.652Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "Authentication bypass using an empty token in capsule-proxy",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-287",
+ "lang": "en",
+ "description": "CWE-287: Improper Authentication",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-fpvw-6m5v-hqfp",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-fpvw-6m5v-hqfp"
+ },
+ {
+ "name": "https://github.com/projectcapsule/capsule-proxy/commit/472404f7006a4152e4eec76dee07324dd1e6e823",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/projectcapsule/capsule-proxy/commit/472404f7006a4152e4eec76dee07324dd1e6e823"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "projectcapsule",
+ "product": "capsule-proxy",
+ "versions": [
+ {
+ "version": "< 0.4.6",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2023-11-24T17:12:39.652Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "capsule-proxy is a reverse proxy for the capsule operator project. Affected versions are subject to a privilege escalation vulnerability which is based on a missing check if the user is authenticated based on the `TokenReview` result. All the clusters running with the `anonymous-auth` Kubernetes API Server setting disable (set to `false`) are affected since it would be possible to bypass the token review mechanism, interacting with the upper Kubernetes API Server. This privilege escalation cannot be exploited if you're relying only on client certificates (SSL/TLS). This vulnerability has been addressed in version 0.4.6. Users are advised to upgrade."
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-fpvw-6m5v-hqfp",
+ "discovery": "UNKNOWN"
+ }
+ }
+ }
+}
+-- cves/2023/48xxx/CVE-2023-48795.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2023-48795",
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "dateUpdated": "2024-05-01T18:06:23.972272",
+ "dateReserved": "2023-11-20T00:00:00",
+ "datePublished": "2023-12-18T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre",
+ "dateUpdated": "2024-05-01T18:06:23.972272"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "n/a",
+ "product": "n/a",
+ "versions": [
+ {
+ "version": "n/a",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html"
+ },
+ {
+ "url": "https://matt.ucc.asn.au/dropbear/CHANGES"
+ },
+ {
+ "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES"
+ },
+ {
+ "url": "https://www.netsarang.com/en/xshell-update-history/"
+ },
+ {
+ "url": "https://www.paramiko.org/changelog.html"
+ },
+ {
+ "url": "https://www.openssh.com/openbsd.html"
+ },
+ {
+ "url": "https://github.com/openssh/openssh-portable/commits/master"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ"
+ },
+ {
+ "url": "https://www.bitvise.com/ssh-server-version-history"
+ },
+ {
+ "url": "https://github.com/ronf/asyncssh/tags"
+ },
+ {
+ "url": "https://gitlab.com/libssh/libssh-mirror/-/tags"
+ },
+ {
+ "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/"
+ },
+ {
+ "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42"
+ },
+ {
+ "url": "https://www.openssh.com/txt/release-9.6"
+ },
+ {
+ "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/"
+ },
+ {
+ "url": "https://www.terrapin-attack.com"
+ },
+ {
+ "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25"
+ },
+ {
+ "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst"
+ },
+ {
+ "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/"
+ },
+ {
+ "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2"
+ },
+ {
+ "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0"
+ },
+ {
+ "url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"
+ },
+ {
+ "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005"
+ },
+ {
+ "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d"
+ },
+ {
+ "url": "https://github.com/paramiko/paramiko/issues/2337"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg"
+ },
+ {
+ "url": "https://news.ycombinator.com/item?id=38684904"
+ },
+ {
+ "url": "https://news.ycombinator.com/item?id=38685286"
+ },
+ {
+ "name": "[oss-security] 20231218 CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)",
+ "tags": [
+ "mailing-list"
+ ],
+ "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3"
+ },
+ {
+ "url": "https://github.com/mwiede/jsch/issues/457"
+ },
+ {
+ "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
+ },
+ {
+ "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1"
+ },
+ {
+ "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8"
+ },
+ {
+ "url": "https://security-tracker.debian.org/tracker/source-package/libssh2"
+ },
+ {
+ "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg"
+ },
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795"
+ },
+ {
+ "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210"
+ },
+ {
+ "url": "https://bugs.gentoo.org/920280"
+ },
+ {
+ "url": "https://ubuntu.com/security/CVE-2023-48795"
+ },
+ {
+ "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/cve-2023-48795"
+ },
+ {
+ "url": "https://github.com/mwiede/jsch/pull/461"
+ },
+ {
+ "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6"
+ },
+ {
+ "url": "https://github.com/libssh2/libssh2/pull/1291"
+ },
+ {
+ "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack"
+ },
+ {
+ "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5"
+ },
+ {
+ "url": "https://github.com/rapier1/hpn-ssh/releases"
+ },
+ {
+ "url": "https://github.com/proftpd/proftpd/issues/456"
+ },
+ {
+ "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1"
+ },
+ {
+ "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15"
+ },
+ {
+ "url": "https://oryx-embedded.com/download/#changelog"
+ },
+ {
+ "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update"
+ },
+ {
+ "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22"
+ },
+ {
+ "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab"
+ },
+ {
+ "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3"
+ },
+ {
+ "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC"
+ },
+ {
+ "url": "https://crates.io/crates/thrussh/versions"
+ },
+ {
+ "url": "https://github.com/NixOS/nixpkgs/pull/275249"
+ },
+ {
+ "name": "[oss-security] 20231219 Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)",
+ "tags": [
+ "mailing-list"
+ ],
+ "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5"
+ },
+ {
+ "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc"
+ },
+ {
+ "url": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/"
+ },
+ {
+ "name": "[oss-security] 20231220 Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)",
+ "tags": [
+ "mailing-list"
+ ],
+ "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3"
+ },
+ {
+ "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html"
+ },
+ {
+ "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES"
+ },
+ {
+ "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES"
+ },
+ {
+ "url": "https://github.com/apache/mina-sshd/issues/445"
+ },
+ {
+ "url": "https://github.com/hierynomus/sshj/issues/916"
+ },
+ {
+ "url": "https://github.com/janmojzis/tinyssh/issues/81"
+ },
+ {
+ "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3"
+ },
+ {
+ "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2"
+ },
+ {
+ "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16"
+ },
+ {
+ "name": "FEDORA-2023-0733306be9",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/"
+ },
+ {
+ "name": "DSA-5586",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://www.debian.org/security/2023/dsa-5586"
+ },
+ {
+ "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508"
+ },
+ {
+ "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh"
+ },
+ {
+ "url": "https://filezilla-project.org/versions.php"
+ },
+ {
+ "url": "https://nova.app/releases/#v11.8"
+ },
+ {
+ "url": "https://roumenpetrov.info/secsh/#news20231220"
+ },
+ {
+ "url": "https://www.vandyke.com/products/securecrt/history.txt"
+ },
+ {
+ "url": "https://help.panic.com/releasenotes/transmit5/"
+ },
+ {
+ "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta"
+ },
+ {
+ "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189"
+ },
+ {
+ "url": "https://winscp.net/eng/docs/history#6.2.2"
+ },
+ {
+ "url": "https://www.bitvise.com/ssh-client-version-history#933"
+ },
+ {
+ "url": "https://github.com/cyd01/KiTTY/issues/520"
+ },
+ {
+ "name": "DSA-5588",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://www.debian.org/security/2023/dsa-5588"
+ },
+ {
+ "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165"
+ },
+ {
+ "url": "https://news.ycombinator.com/item?id=38732005"
+ },
+ {
+ "name": "[debian-lts-announce] 20231226 [SECURITY] [DLA 3694-1] openssh security update",
+ "tags": [
+ "mailing-list"
+ ],
+ "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"
+ },
+ {
+ "name": "GLSA-202312-16",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://security.gentoo.org/glsa/202312-16"
+ },
+ {
+ "name": "GLSA-202312-17",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://security.gentoo.org/glsa/202312-17"
+ },
+ {
+ "name": "FEDORA-2023-20feb865d8",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/"
+ },
+ {
+ "name": "FEDORA-2023-cb8c606fbb",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/"
+ },
+ {
+ "name": "FEDORA-2023-e77300e4b5",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/"
+ },
+ {
+ "name": "FEDORA-2023-b87ec6cf47",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/"
+ },
+ {
+ "name": "FEDORA-2023-153404713b",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20240105-0004/"
+ },
+ {
+ "name": "FEDORA-2024-3bb23c77f3",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/"
+ },
+ {
+ "name": "FEDORA-2023-55800423a8",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/"
+ },
+ {
+ "name": "FEDORA-2024-d946b9ad25",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/"
+ },
+ {
+ "name": "FEDORA-2024-71c2c6526c",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/"
+ },
+ {
+ "name": "FEDORA-2024-39a8c72ea9",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/"
+ },
+ {
+ "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002"
+ },
+ {
+ "name": "FEDORA-2024-ae653fb07b",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
+ },
+ {
+ "name": "FEDORA-2024-2705241461",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/"
+ },
+ {
+ "name": "FEDORA-2024-fb32950d11",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
+ },
+ {
+ "name": "FEDORA-2024-7b08207cdb",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/"
+ },
+ {
+ "name": "FEDORA-2024-06ebb70bdd",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/"
+ },
+ {
+ "name": "[debian-lts-announce] 20240125 [SECURITY] [DLA 3718-1] php-phpseclib security update",
+ "tags": [
+ "mailing-list"
+ ],
+ "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html"
+ },
+ {
+ "name": "[debian-lts-announce] 20240125 [SECURITY] [DLA 3719-1] phpseclib security update",
+ "tags": [
+ "mailing-list"
+ ],
+ "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html"
+ },
+ {
+ "name": "FEDORA-2024-a53b24023d",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/"
+ },
+ {
+ "name": "FEDORA-2024-3fd1bc9276",
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/"
+ },
+ {
+ "url": "https://support.apple.com/kb/HT214084"
+ },
+ {
+ "name": "20240313 APPLE-SA-03-07-2024-2 macOS Sonoma 14.4",
+ "tags": [
+ "mailing-list"
+ ],
+ "url": "http://seclists.org/fulldisclosure/2024/Mar/21"
+ },
+ {
+ "name": "[debian-lts-announce] 20240425 [SECURITY] [DLA 3794-1] putty security update",
+ "tags": [
+ "mailing-list"
+ ],
+ "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html"
+ },
+ {
+ "name": "[oss-security] 20240417 Terrapin vulnerability in Jenkins CLI client",
+ "tags": [
+ "mailing-list"
+ ],
+ "url": "http://www.openwall.com/lists/oss-security/2024/04/17/8"
+ },
+ {
+ "name": "[oss-security] 20240306 Multiple vulnerabilities in Jenkins plugins",
+ "tags": [
+ "mailing-list"
+ ],
+ "url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
+-- cves/2023/49xxx/CVE-2023-49946.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2023-49946",
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "dateUpdated": "2023-12-03T18:56:04.385022",
+ "dateReserved": "2023-12-03T00:00:00",
+ "datePublished": "2023-12-03T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre",
+ "dateUpdated": "2023-12-03T18:56:04.385022"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "n/a",
+ "product": "n/a",
+ "versions": [
+ {
+ "version": "n/a",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
+ },
+ {
+ "url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md"
+ },
+ {
+ "url": "https://about.gitea.com/security"
+ },
+ {
+ "url": "https://github.com/gogs/gogs/security"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
+-- cves/2023/52xxx/CVE-2023-52430.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2023-52430",
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "dateUpdated": "2024-02-12T22:22:51.059241",
+ "dateReserved": "2024-02-12T00:00:00",
+ "datePublished": "2024-02-12T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre",
+ "dateUpdated": "2024-02-12T22:22:51.059241"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The caddy-security plugin 1.1.20 for Caddy allows reflected XSS via a GET request to a URL that contains an XSS payload and begins with either a /admin or /settings/mfa/delete/ substring."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "n/a",
+ "product": "n/a",
+ "versions": [
+ {
+ "version": "n/a",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/"
+ },
+ {
+ "url": "https://github.com/greenpau/caddy-security/issues/264"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
+-- cves/2024/21xxx/CVE-2024-21848.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2024-21848",
+ "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
+ "state": "PUBLISHED",
+ "assignerShortName": "Mattermost",
+ "dateReserved": "2024-04-03T10:03:48.279Z",
+ "datePublished": "2024-04-05T08:13:01.713Z",
+ "dateUpdated": "2024-08-01T22:27:36.465Z"
+ },
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "product": "Mattermost",
+ "vendor": "Mattermost",
+ "versions": [
+ {
+ "lessThanOrEqual": "8.1.10",
+ "status": "affected",
+ "version": "8.1.0",
+ "versionType": "semver"
+ },
+ {
+ "status": "unaffected",
+ "version": "9.5.0"
+ },
+ {
+ "status": "unaffected",
+ "version": "8.1.11"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "type": "finder",
+ "value": "Leandro Chaves (brdoors3)"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<p>Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel</p>"
+ }
+ ],
+ "value": "Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel\n\n"
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 3.1,
+ "baseSeverity": "LOW",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ "version": "3.1"
+ },
+ "format": "CVSS",
+ "scenarios": [
+ {
+ "lang": "en",
+ "value": "GENERAL"
+ }
+ ]
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-284",
+ "description": "CWE-284: Improper Access Control",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
+ "shortName": "Mattermost",
+ "dateUpdated": "2024-04-05T08:13:01.713Z"
+ },
+ "references": [
+ {
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "solutions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<p>Update Mattermost Server to versions 9.5.0, 8.1.11 or higher.</p>"
+ }
+ ],
+ "value": "Update Mattermost Server to versions 9.5.0, 8.1.11 or higher.\n\n"
+ }
+ ],
+ "source": {
+ "advisory": "MMSA-2023-00256",
+ "defect": [
+ "https://mattermost.atlassian.net/browse/MM-54545"
+ ],
+ "discovery": "EXTERNAL"
+ },
+ "title": "Users maintain access to active call after being removed from a channel",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ },
+ "adp": [
+ {
+ "metrics": [
+ {
+ "other": {
+ "type": "ssvc",
+ "content": {
+ "timestamp": "2024-07-15T15:46:42.823620Z",
+ "id": "CVE-2024-21848",
+ "options": [
+ {
+ "Exploitation": "none"
+ },
+ {
+ "Automatable": "no"
+ },
+ {
+ "Technical Impact": "partial"
+ }
+ ],
+ "role": "CISA Coordinator",
+ "version": "2.0.3"
+ }
+ }
+ }
+ ],
+ "title": "CISA ADP Vulnrichment",
+ "providerMetadata": {
+ "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
+ "shortName": "CISA-ADP",
+ "dateUpdated": "2024-07-15T15:46:54.574Z"
+ }
+ },
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-01T22:27:36.465Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "url": "https://mattermost.com/security-updates",
+ "tags": [
+ "x_transferred"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2024/24xxx/CVE-2024-24774.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2024-24774",
+ "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
+ "state": "PUBLISHED",
+ "assignerShortName": "Mattermost",
+ "dateReserved": "2024-01-30T10:23:06.701Z",
+ "datePublished": "2024-02-09T14:46:58.777Z",
+ "dateUpdated": "2024-08-01T23:28:12.325Z"
+ },
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "product": "Mattermost",
+ "vendor": "Mattermost",
+ "versions": [
+ {
+ "lessThanOrEqual": "8.1.7",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ },
+ {
+ "status": "unaffected",
+ "version": "8.1.8"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "type": "finder",
+ "user": "00000000-0000-4000-9000-000000000000",
+ "value": "Michael Kochell"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<p>Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give them access to all Jira issues.</p>"
+ }
+ ],
+ "value": "Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give them access to all Jira issues.\n\n"
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 3.4,
+ "baseSeverity": "LOW",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "HIGH",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
+ "version": "3.1"
+ },
+ "format": "CVSS",
+ "scenarios": [
+ {
+ "lang": "en",
+ "value": "GENERAL"
+ }
+ ]
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-863",
+ "description": "CWE-863 Incorrect Authorization",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
+ "shortName": "Mattermost",
+ "dateUpdated": "2024-02-09T14:46:58.777Z"
+ },
+ "references": [
+ {
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "solutions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<p>Update Mattermost Server to versions 8.1.8 or higher. Alternatively, update the Mattermost Jira Plugin to version <span style=\"background-color: rgb(255, 255, 255);\">4.0.1 or higher. </span></p>"
+ }
+ ],
+ "value": "Update Mattermost Server to versions 8.1.8 or higher. Alternatively, update the Mattermost Jira Plugin to version 4.0.1 or higher. \n\n"
+ }
+ ],
+ "source": {
+ "advisory": "MMSA-2023-00187",
+ "defect": [
+ "https://mattermost.atlassian.net/browse/MM-44212"
+ ],
+ "discovery": "EXTERNAL"
+ },
+ "title": "Missing authorization allows users to access arbitrary security levels on Jira through webhooks (Jira Plugin)",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ },
+ "adp": [
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-01T23:28:12.325Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "url": "https://mattermost.com/security-updates",
+ "tags": [
+ "x_transferred"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2024/24xxx/CVE-2024-24988.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2024-24988",
+ "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
+ "state": "PUBLISHED",
+ "assignerShortName": "Mattermost",
+ "dateReserved": "2024-02-26T08:14:42.970Z",
+ "datePublished": "2024-02-29T08:06:28.334Z",
+ "dateUpdated": "2024-08-01T23:36:21.288Z"
+ },
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "product": "Mattermost",
+ "vendor": "Mattermost",
+ "versions": [
+ {
+ "lessThanOrEqual": "9.2.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ },
+ {
+ "lessThanOrEqual": "8.1.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ },
+ {
+ "lessThanOrEqual": "9.3.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ },
+ {
+ "status": "unaffected",
+ "version": "9.4.0"
+ },
+ {
+ "status": "unaffected",
+ "version": "9.3.1"
+ },
+ {
+ "status": "unaffected",
+ "version": "9.2.5"
+ },
+ {
+ "status": "unaffected",
+ "version": "8.1.9"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "type": "finder",
+ "user": "00000000-0000-4000-9000-000000000000",
+ "value": "Gian Klug (coderion)"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<p>Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.</p>"
+ }
+ ],
+ "value": "Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.\n\n"
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "LOW",
+ "baseScore": 4.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "version": "3.1"
+ },
+ "format": "CVSS",
+ "scenarios": [
+ {
+ "lang": "en",
+ "value": "GENERAL"
+ }
+ ]
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-400",
+ "description": "CWE-400: Uncontrolled Resource Consumption",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
+ "shortName": "Mattermost",
+ "dateUpdated": "2024-02-29T08:06:28.334Z"
+ },
+ "references": [
+ {
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "solutions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<p>Update Mattermost Server to versions 9.4.0, 9.3.1, 9.2.5, 8.1.9 or higher.</p>"
+ }
+ ],
+ "value": "Update Mattermost Server to versions 9.4.0, 9.3.1, 9.2.5, 8.1.9 or higher.\n\n"
+ }
+ ],
+ "source": {
+ "advisory": "MMSA-2023-00281",
+ "defect": [
+ "https://mattermost.atlassian.net/browse/MM-55467"
+ ],
+ "discovery": "EXTERNAL"
+ },
+ "title": "Excessive resource consumption when sending long emoji names in user custom status",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ },
+ "adp": [
+ {
+ "title": "CISA ADP Vulnrichment",
+ "metrics": [
+ {
+ "other": {
+ "type": "ssvc",
+ "content": {
+ "id": "CVE-2024-24988",
+ "role": "CISA Coordinator",
+ "options": [
+ {
+ "Exploitation": "none"
+ },
+ {
+ "Automatable": "no"
+ },
+ {
+ "Technical Impact": "partial"
+ }
+ ],
+ "version": "2.0.3",
+ "timestamp": "2024-03-01T18:32:28.384741Z"
+ }
+ }
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
+ "shortName": "CISA-ADP",
+ "dateUpdated": "2024-06-04T17:43:03.157Z"
+ }
+ },
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-01T23:36:21.288Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "url": "https://mattermost.com/security-updates",
+ "tags": [
+ "x_transferred"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2024/27xxx/CVE-2024-27304.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2024-27304",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2024-02-22T18:08:38.875Z",
+ "datePublished": "2024-03-06T19:07:08.491Z",
+ "dateUpdated": "2024-08-02T00:27:59.959Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "pgx SQL Injection via Protocol Message Size Overflow",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-89",
+ "lang": "en",
+ "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
+ "type": "CWE"
+ }
+ ]
+ },
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-190",
+ "lang": "en",
+ "description": "CWE-190: Integer Overflow or Wraparound",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv"
+ },
+ {
+ "name": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8"
+ },
+ {
+ "name": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007"
+ },
+ {
+ "name": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4"
+ },
+ {
+ "name": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8"
+ },
+ {
+ "name": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "jackc",
+ "product": "pgx",
+ "versions": [
+ {
+ "version": "< 4.18.2",
+ "status": "affected"
+ },
+ {
+ "version": ">= 5.0.0, < 5.5.4",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2024-03-06T19:07:08.491Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size."
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-mrww-27vc-gghv",
+ "discovery": "UNKNOWN"
+ }
+ },
+ "adp": [
+ {
+ "affected": [
+ {
+ "vendor": "jackc",
+ "product": "pgx",
+ "cpes": [
+ "cpe:2.3:a:jackc:pgx:*:*:*:*:*:*:*:*"
+ ],
+ "defaultStatus": "unknown",
+ "versions": [
+ {
+ "version": "0",
+ "status": "affected",
+ "lessThan": "4.18.2",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "vendor": "jackc",
+ "product": "pgx",
+ "cpes": [
+ "cpe:2.3:a:jackc:pgx:5.0.0:*:*:*:*:*:*:*"
+ ],
+ "defaultStatus": "unknown",
+ "versions": [
+ {
+ "version": "5.0.0",
+ "status": "affected",
+ "lessThan": "5.5.4",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "other": {
+ "type": "ssvc",
+ "content": {
+ "timestamp": "2024-03-06T20:31:57.168692Z",
+ "id": "CVE-2024-27304",
+ "options": [
+ {
+ "Exploitation": "none"
+ },
+ {
+ "Automatable": "yes"
+ },
+ {
+ "Technical Impact": "partial"
+ }
+ ],
+ "role": "CISA Coordinator",
+ "version": "2.0.3"
+ }
+ }
+ }
+ ],
+ "title": "CISA ADP Vulnrichment",
+ "providerMetadata": {
+ "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
+ "shortName": "CISA-ADP",
+ "dateUpdated": "2024-07-25T16:31:36.133Z"
+ }
+ },
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-02T00:27:59.959Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "name": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv",
+ "tags": [
+ "x_refsource_CONFIRM",
+ "x_transferred"
+ ],
+ "url": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv"
+ },
+ {
+ "name": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8"
+ },
+ {
+ "name": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007"
+ },
+ {
+ "name": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4"
+ },
+ {
+ "name": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8"
+ },
+ {
+ "name": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2024/28xxx/CVE-2024-28860.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2024-28860",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2024-03-11T22:45:07.686Z",
+ "datePublished": "2024-03-27T18:34:23.105Z",
+ "dateUpdated": "2024-08-02T00:56:58.123Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "Insecure IPsec transport encryption in Cilium",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-326",
+ "lang": "en",
+ "description": "CWE-326: Inadequate Encryption Strength",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "HIGH",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 8,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586"
+ },
+ {
+ "name": "https://github.com/cilium/cilium/commit/311fbce5280491cddceab178d83b06fa23688c72",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/cilium/cilium/commit/311fbce5280491cddceab178d83b06fa23688c72"
+ },
+ {
+ "name": "https://github.com/cilium/cilium/commit/a1742b478306fa256cd27df1039dfae0537b4149",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/cilium/cilium/commit/a1742b478306fa256cd27df1039dfae0537b4149"
+ },
+ {
+ "name": "https://github.com/cilium/cilium/commit/a652c123331852cca90c74202f993d4170fd37fa",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/cilium/cilium/commit/a652c123331852cca90c74202f993d4170fd37fa"
+ },
+ {
+ "name": "https://docs.cilium.io/en/stable/security/network/encryption-ipsec",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://docs.cilium.io/en/stable/security/network/encryption-ipsec"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "cilium",
+ "product": "cilium",
+ "versions": [
+ {
+ "version": ">= 1.4.0, <= 1.13.14",
+ "status": "affected"
+ },
+ {
+ "version": ">= 1.14.0, < 1.14.9",
+ "status": "affected"
+ },
+ {
+ "version": ">= 1.15.0, < 1.15.3",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2024-03-27T18:34:23.105Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to chosen plaintext, key recovery, replay attacks by a man-in-the-middle attacker. These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks. This vulnerability is fixed in 1.13.13, 1.14.9, and 1.15.3."
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-pwqm-x5x6-5586",
+ "discovery": "UNKNOWN"
+ }
+ },
+ "adp": [
+ {
+ "affected": [
+ {
+ "vendor": "cilium",
+ "product": "cilium",
+ "cpes": [
+ "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*"
+ ],
+ "defaultStatus": "unknown",
+ "versions": [
+ {
+ "version": "0",
+ "status": "affected",
+ "lessThanOrEqual": "1.4.0",
+ "versionType": "custom"
+ },
+ {
+ "version": "0",
+ "status": "affected",
+ "lessThanOrEqual": "1.13.14",
+ "versionType": "custom"
+ },
+ {
+ "version": "0",
+ "status": "affected",
+ "lessThanOrEqual": "1.14.0",
+ "versionType": "custom"
+ },
+ {
+ "version": "0",
+ "status": "affected",
+ "lessThanOrEqual": "1.14.9",
+ "versionType": "custom"
+ },
+ {
+ "version": "0",
+ "status": "affected",
+ "lessThanOrEqual": "1.15.0",
+ "versionType": "custom"
+ },
+ {
+ "version": "0",
+ "status": "affected",
+ "lessThanOrEqual": "1.15.3",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "other": {
+ "type": "ssvc",
+ "content": {
+ "timestamp": "2024-03-28T18:47:43.987847Z",
+ "id": "CVE-2024-28860",
+ "options": [
+ {
+ "Exploitation": "none"
+ },
+ {
+ "Automatable": "no"
+ },
+ {
+ "Technical Impact": "total"
+ }
+ ],
+ "role": "CISA Coordinator",
+ "version": "2.0.3"
+ }
+ }
+ }
+ ],
+ "title": "CISA ADP Vulnrichment",
+ "providerMetadata": {
+ "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
+ "shortName": "CISA-ADP",
+ "dateUpdated": "2024-07-17T17:10:17.414Z"
+ }
+ },
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-02T00:56:58.123Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "name": "https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586",
+ "tags": [
+ "x_refsource_CONFIRM",
+ "x_transferred"
+ ],
+ "url": "https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586"
+ },
+ {
+ "name": "https://github.com/cilium/cilium/commit/311fbce5280491cddceab178d83b06fa23688c72",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/cilium/cilium/commit/311fbce5280491cddceab178d83b06fa23688c72"
+ },
+ {
+ "name": "https://github.com/cilium/cilium/commit/a1742b478306fa256cd27df1039dfae0537b4149",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/cilium/cilium/commit/a1742b478306fa256cd27df1039dfae0537b4149"
+ },
+ {
+ "name": "https://github.com/cilium/cilium/commit/a652c123331852cca90c74202f993d4170fd37fa",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/cilium/cilium/commit/a652c123331852cca90c74202f993d4170fd37fa"
+ },
+ {
+ "name": "https://docs.cilium.io/en/stable/security/network/encryption-ipsec",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://docs.cilium.io/en/stable/security/network/encryption-ipsec"
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2024/30xxx/CVE-2024-30623.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2024-30623",
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "dateUpdated": "2024-08-02T01:39:00.661Z",
+ "dateReserved": "2024-03-27T00:00:00",
+ "datePublished": "2024-03-29T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre",
+ "dateUpdated": "2024-03-29T12:37:31.943969"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Tenda FH1205 v2.0.0.7(775) has a stack overflow vulnerability in the page parameter from fromDhcpListClient function."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "n/a",
+ "product": "n/a",
+ "versions": [
+ {
+ "version": "n/a",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/FH/FH1205/fromDhcpListClient_page.md"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "adp": [
+ {
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "CWE",
+ "cweId": "CWE-121",
+ "lang": "en",
+ "description": "CWE-121 Stack-based Buffer Overflow"
+ }
+ ]
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "tenda",
+ "product": "fh1205_firmware",
+ "cpes": [
+ "cpe:2.3:o:tenda:fh1205_firmware:2.0.0.7\\(775\\):*:*:*:*:*:*:*"
+ ],
+ "defaultStatus": "unknown",
+ "versions": [
+ {
+ "version": "2.0.0.7\\(775\\)",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "scope": "UNCHANGED",
+ "version": "3.1",
+ "baseScore": 6.5,
+ "attackVector": "ADJACENT_NETWORK",
+ "baseSeverity": "MEDIUM",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "integrityImpact": "NONE",
+ "userInteraction": "NONE",
+ "attackComplexity": "LOW",
+ "availabilityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "confidentialityImpact": "NONE"
+ }
+ },
+ {
+ "other": {
+ "type": "ssvc",
+ "content": {
+ "timestamp": "2024-03-29T15:19:19.788629Z",
+ "id": "CVE-2024-30623",
+ "options": [
+ {
+ "Exploitation": "poc"
+ },
+ {
+ "Automatable": "no"
+ },
+ {
+ "Technical Impact": "partial"
+ }
+ ],
+ "role": "CISA Coordinator",
+ "version": "2.0.3"
+ }
+ }
+ }
+ ],
+ "title": "CISA ADP Vulnrichment",
+ "providerMetadata": {
+ "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
+ "shortName": "CISA-ADP",
+ "dateUpdated": "2024-06-20T18:14:27.546Z"
+ }
+ },
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-02T01:39:00.661Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "url": "https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/FH/FH1205/fromDhcpListClient_page.md",
+ "tags": [
+ "x_transferred"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2024/37xxx/CVE-2024-37032.json --
+{
+ "dataType": "CVE_RECORD",
+ "cveMetadata": {
+ "state": "PUBLISHED",
+ "cveId": "CVE-2024-37032",
+ "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "assignerShortName": "mitre",
+ "dateUpdated": "2024-08-02T03:43:50.887Z",
+ "dateReserved": "2024-05-31T00:00:00",
+ "datePublished": "2024-05-31T00:00:00"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
+ "shortName": "mitre",
+ "dateUpdated": "2024-07-15T21:43:05.974743"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "n/a",
+ "product": "n/a",
+ "versions": [
+ {
+ "version": "n/a",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/ollama/ollama/pull/4175"
+ },
+ {
+ "url": "https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34"
+ },
+ {
+ "url": "https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58"
+ },
+ {
+ "url": "https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "adp": [
+ {
+ "metrics": [
+ {
+ "other": {
+ "type": "ssvc",
+ "content": {
+ "timestamp": "2024-06-06T17:30:12.570473Z",
+ "id": "CVE-2024-37032",
+ "options": [
+ {
+ "Exploitation": "none"
+ },
+ {
+ "Automatable": "no"
+ },
+ {
+ "Technical Impact": "partial"
+ }
+ ],
+ "role": "CISA Coordinator",
+ "version": "2.0.3"
+ }
+ }
+ }
+ ],
+ "title": "CISA ADP Vulnrichment",
+ "providerMetadata": {
+ "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
+ "shortName": "CISA-ADP",
+ "dateUpdated": "2024-06-06T17:30:47.123Z"
+ }
+ },
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-02T03:43:50.887Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "url": "https://github.com/ollama/ollama/pull/4175",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58",
+ "tags": [
+ "x_transferred"
+ ]
+ },
+ {
+ "url": "https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032",
+ "tags": [
+ "x_transferred"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dataVersion": "5.1"
+}
+-- cves/2024/37xxx/CVE-2024-37153.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2024-37153",
+ "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "state": "PUBLISHED",
+ "assignerShortName": "GitHub_M",
+ "dateReserved": "2024-06-03T17:29:38.328Z",
+ "datePublished": "2024-06-06T18:51:30.638Z",
+ "dateUpdated": "2024-08-02T03:50:54.784Z"
+ },
+ "containers": {
+ "cna": {
+ "title": "Evmos's contract balance not updating correctly after interchain transaction",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-670",
+ "lang": "en",
+ "description": "CWE-670: Always-Incorrect Control Flow Implementation",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
+ "version": "3.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "name": "https://github.com/evmos/evmos/security/advisories/GHSA-xgr7-jgq3-mhmc",
+ "tags": [
+ "x_refsource_CONFIRM"
+ ],
+ "url": "https://github.com/evmos/evmos/security/advisories/GHSA-xgr7-jgq3-mhmc"
+ },
+ {
+ "name": "https://github.com/evmos/evmos/commit/478b7a62e7af57a70cf3a01126c7f5a89bee69d7",
+ "tags": [
+ "x_refsource_MISC"
+ ],
+ "url": "https://github.com/evmos/evmos/commit/478b7a62e7af57a70cf3a01126c7f5a89bee69d7"
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "evmos",
+ "product": "evmos",
+ "versions": [
+ {
+ "version": "<= 18.0.0",
+ "status": "affected"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
+ "shortName": "GitHub_M",
+ "dateUpdated": "2024-06-06T18:51:30.638Z"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. There is an issue with how to liquid stake using Safe which itself is a contract. The bug only appears when there is a local state change together with an ICS20 transfer in the same function and uses the contract's balance, that is using the contract address as the sender parameter in an ICS20 transfer using the ICS20 precompile. This is in essence the \"infinite money glitch\" allowing contracts to double the supply of Evmos after each transaction.The issue has been patched in versions >=V18.1.0. "
+ }
+ ],
+ "source": {
+ "advisory": "GHSA-xgr7-jgq3-mhmc",
+ "discovery": "UNKNOWN"
+ }
+ },
+ "adp": [
+ {
+ "affected": [
+ {
+ "vendor": "evmos",
+ "product": "evmos",
+ "cpes": [
+ "cpe:2.3:a:evmos:evmos:*:*:*:*:*:*:*:*"
+ ],
+ "defaultStatus": "unknown",
+ "versions": [
+ {
+ "version": "0",
+ "status": "affected",
+ "lessThanOrEqual": "18.0.0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "other": {
+ "type": "ssvc",
+ "content": {
+ "timestamp": "2024-06-06T19:43:28.332952Z",
+ "id": "CVE-2024-37153",
+ "options": [
+ {
+ "Exploitation": "poc"
+ },
+ {
+ "Automatable": "yes"
+ },
+ {
+ "Technical Impact": "partial"
+ }
+ ],
+ "role": "CISA Coordinator",
+ "version": "2.0.3"
+ }
+ }
+ }
+ ],
+ "title": "CISA ADP Vulnrichment",
+ "providerMetadata": {
+ "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
+ "shortName": "CISA-ADP",
+ "dateUpdated": "2024-06-06T19:45:46.180Z"
+ }
+ },
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-02T03:50:54.784Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "name": "https://github.com/evmos/evmos/security/advisories/GHSA-xgr7-jgq3-mhmc",
+ "tags": [
+ "x_refsource_CONFIRM",
+ "x_transferred"
+ ],
+ "url": "https://github.com/evmos/evmos/security/advisories/GHSA-xgr7-jgq3-mhmc"
+ },
+ {
+ "name": "https://github.com/evmos/evmos/commit/478b7a62e7af57a70cf3a01126c7f5a89bee69d7",
+ "tags": [
+ "x_refsource_MISC",
+ "x_transferred"
+ ],
+ "url": "https://github.com/evmos/evmos/commit/478b7a62e7af57a70cf3a01126c7f5a89bee69d7"
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2024/5xxx/CVE-2024-5798.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2024-5798",
+ "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
+ "state": "PUBLISHED",
+ "assignerShortName": "HashiCorp",
+ "dateReserved": "2024-06-10T15:46:30.387Z",
+ "datePublished": "2024-06-12T18:55:24.788Z",
+ "dateUpdated": "2024-08-01T21:25:02.659Z"
+ },
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "platforms": [
+ "64 bit",
+ "32 bit",
+ "x86",
+ "ARM",
+ "MacOS",
+ "Windows",
+ "Linux"
+ ],
+ "product": "Vault",
+ "repo": "https://github.com/hashicorp/vault",
+ "vendor": "HashiCorp",
+ "versions": [
+ {
+ "changes": [
+ {
+ "at": "1.15.9",
+ "status": "unaffected"
+ },
+ {
+ "at": "1.14.13",
+ "status": "unaffected"
+ }
+ ],
+ "lessThan": "1.16.2",
+ "status": "affected",
+ "version": "0.11.0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "defaultStatus": "unaffected",
+ "platforms": [
+ "64 bit",
+ "32 bit",
+ "x86",
+ "ARM",
+ "MacOS",
+ "Windows",
+ "Linux"
+ ],
+ "product": "Vault Enterprise",
+ "repo": "https://github.com/hashicorp/vault",
+ "vendor": "HashiCorp",
+ "versions": [
+ {
+ "changes": [
+ {
+ "at": "1.15.9",
+ "status": "unaffected"
+ },
+ {
+ "at": "1.14.13",
+ "status": "unaffected"
+ }
+ ],
+ "lessThan": "1.16.2",
+ "status": "affected",
+ "version": "0.11.0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<p>Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected.\n\nThis vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9</p><br/>"
+ }
+ ],
+ "value": "Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected.\n\nThis vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9"
+ }
+ ],
+ "impacts": [
+ {
+ "capecId": "CAPEC-1",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "baseScore": 2.6,
+ "baseSeverity": "LOW",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N",
+ "version": "3.1"
+ },
+ "format": "CVSS",
+ "scenarios": [
+ {
+ "lang": "en",
+ "value": "GENERAL"
+ }
+ ]
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-285",
+ "description": "CWE-285: Improper Authorization",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
+ "shortName": "HashiCorp",
+ "dateUpdated": "2024-06-12T18:55:24.788Z"
+ },
+ "references": [
+ {
+ "url": "https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770"
+ }
+ ],
+ "source": {
+ "advisory": "HCSEC-2024-HCSEC-2024-11",
+ "discovery": "EXTERNAL"
+ },
+ "title": "Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims"
+ },
+ "adp": [
+ {
+ "metrics": [
+ {
+ "other": {
+ "type": "ssvc",
+ "content": {
+ "timestamp": "2024-06-13T19:32:41.996739Z",
+ "id": "CVE-2024-5798",
+ "options": [
+ {
+ "Exploitation": "none"
+ },
+ {
+ "Automatable": "no"
+ },
+ {
+ "Technical Impact": "partial"
+ }
+ ],
+ "role": "CISA Coordinator",
+ "version": "2.0.3"
+ }
+ }
+ }
+ ],
+ "title": "CISA ADP Vulnrichment",
+ "providerMetadata": {
+ "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
+ "shortName": "CISA-ADP",
+ "dateUpdated": "2024-06-13T19:32:53.402Z"
+ }
+ },
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-01T21:25:02.659Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "url": "https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770",
+ "tags": [
+ "x_transferred"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
+-- cves/2024/6xxx/CVE-2024-6104.json --
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2024-6104",
+ "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
+ "state": "PUBLISHED",
+ "assignerShortName": "HashiCorp",
+ "dateReserved": "2024-06-17T22:19:58.680Z",
+ "datePublished": "2024-06-24T17:06:21.150Z",
+ "dateUpdated": "2024-08-01T21:33:04.395Z"
+ },
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "platforms": [
+ "64 bit",
+ "32 bit",
+ "x86",
+ "ARM",
+ "MacOS",
+ "Windows",
+ "Linux"
+ ],
+ "product": "Shared library",
+ "repo": "https://github.com/hashicorp/go-retryablehttp",
+ "vendor": "HashiCorp",
+ "versions": [
+ {
+ "lessThan": "0.7.7",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<p>go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.</p><br/>"
+ }
+ ],
+ "value": "go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7."
+ }
+ ],
+ "impacts": [
+ {
+ "capecId": "CAPEC-118",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CAPEC-118: Collect and Analyze Information"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "baseScore": 6,
+ "baseSeverity": "MEDIUM",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
+ "version": "3.1"
+ },
+ "format": "CVSS",
+ "scenarios": [
+ {
+ "lang": "en",
+ "value": "GENERAL"
+ }
+ ]
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-532",
+ "description": "CWE-532: Insertion of Sensitive Information into Log File",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
+ "shortName": "HashiCorp",
+ "dateUpdated": "2024-06-24T17:06:21.150Z"
+ },
+ "references": [
+ {
+ "url": "https://discuss.hashicorp.com/c/security"
+ }
+ ],
+ "source": {
+ "advisory": "HCSEC-2024-12",
+ "discovery": "EXTERNAL"
+ },
+ "title": "go-retryablehttp can leak basic auth credentials to log files"
+ },
+ "adp": [
+ {
+ "metrics": [
+ {
+ "other": {
+ "type": "ssvc",
+ "content": {
+ "timestamp": "2024-06-24T19:19:22.878144Z",
+ "id": "CVE-2024-6104",
+ "options": [
+ {
+ "Exploitation": "none"
+ },
+ {
+ "Automatable": "no"
+ },
+ {
+ "Technical Impact": "partial"
+ }
+ ],
+ "role": "CISA Coordinator",
+ "version": "2.0.3"
+ }
+ }
+ }
+ ],
+ "title": "CISA ADP Vulnrichment",
+ "providerMetadata": {
+ "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
+ "shortName": "CISA-ADP",
+ "dateUpdated": "2024-06-24T19:19:28.773Z"
+ }
+ },
+ {
+ "providerMetadata": {
+ "orgId": "af854a3a-2127-422b-91ae-364da2661108",
+ "shortName": "CVE",
+ "dateUpdated": "2024-08-01T21:33:04.395Z"
+ },
+ "title": "CVE Program Container",
+ "references": [
+ {
+ "url": "https://discuss.hashicorp.com/c/security",
+ "tags": [
+ "x_transferred"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
diff --git a/internal/triage/testdata/cve/go_cves.txt b/internal/triage/testdata/cve/go_cves.txt
new file mode 100644
index 0000000..bb86743
--- /dev/null
+++ b/internal/triage/testdata/cve/go_cves.txt
@@ -0,0 +1,75 @@
+CVE-2019-9741
+CVE-2023-28436
+CVE-2023-46740
+CVE-2023-48312
+CVE-2022-27649
+CVE-2016-7569
+CVE-2023-39964
+CVE-2022-21713
+CVE-2022-41912
+CVE-2021-21403
+CVE-2023-45142
+CVE-2022-44797
+CVE-2023-32758
+CVE-2023-43620
+CVE-2023-45284
+CVE-2024-24988
+CVE-2024-37032
+CVE-2023-45825
+CVE-2022-24826
+CVE-2023-47108
+CVE-2023-49946
+CVE-2020-8558
+CVE-2024-37153
+CVE-2022-46167
+CVE-2024-6104
+CVE-2019-1000008
+CVE-2024-21848
+CVE-2024-27304
+CVE-2022-2880
+CVE-2023-45223
+CVE-2022-2385
+CVE-2020-15129
+CVE-2019-3876
+CVE-2020-36568
+CVE-2023-42816
+CVE-2020-1764
+CVE-2021-39391
+CVE-2022-44942
+CVE-2021-42583
+CVE-2023-1238
+CVE-2018-20303
+CVE-2018-1000803
+CVE-2021-42135
+CVE-2018-15192
+CVE-2020-26276
+CVE-2022-25327
+CVE-2022-40083
+CVE-2024-28860
+CVE-2023-48795
+CVE-2020-25017
+CVE-2022-4813
+CVE-2017-1000070
+CVE-2020-26240
+CVE-2023-34091
+CVE-2023-52430
+CVE-2021-3495
+CVE-2022-39238
+CVE-2022-4850
+CVE-2019-19794
+CVE-2024-5798
+CVE-2020-10661
+CVE-2016-1544
+CVE-2019-19316
+CVE-2022-31097
+CVE-2018-18625
+CVE-2019-11246
+CVE-2022-4045
+CVE-2019-14944
+CVE-2024-24774
+CVE-2022-24905
+CVE-2021-29499
+CVE-2016-15005
+CVE-2016-9122
+CVE-2023-37265
+CVE-2022-38638
\ No newline at end of file
diff --git a/internal/triage/testdata/cve/not_go_cves.txt b/internal/triage/testdata/cve/not_go_cves.txt
new file mode 100644
index 0000000..3c89a53
--- /dev/null
+++ b/internal/triage/testdata/cve/not_go_cves.txt
@@ -0,0 +1,25 @@
+CVE-2014-0718
+CVE-2023-35993
+CVE-2008-2580
+CVE-2019-2130
+CVE-2020-19957
+CVE-2011-3350
+CVE-2002-0852
+CVE-2021-30962
+CVE-2019-16991
+CVE-2015-1707
+CVE-2007-4762
+CVE-2022-36309
+CVE-2016-4123
+CVE-2010-3671
+CVE-2017-8963
+CVE-2022-34800
+CVE-2017-4378
+CVE-2020-10417
+CVE-2023-43884
+CVE-2017-7468
+CVE-2010-0197
+CVE-2018-18993
+CVE-2024-30623
+CVE-2008-3079
+CVE-2019-9379
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2002-0852.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2002-0852.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2002-0852.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2007-4762.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2007-4762.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2007-4762.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2008-2580.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2008-2580.json
new file mode 100644
index 0000000..32071f8
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2008-2580.json
@@ -0,0 +1,6 @@
+{
+ "/mod/h20000.www2.hp.com": false,
+ "/mod/h20000.www2.hp.com/bizsupport": false,
+ "/mod/h20000.www2.hp.com/bizsupport/TechSupport": false,
+ "/mod/h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2008-3079.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2008-3079.json
new file mode 100644
index 0000000..32ff8b3
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2008-3079.json
@@ -0,0 +1,7 @@
+{
+ "/mod/www.opera.com": false,
+ "/mod/www.opera.com/docs": false,
+ "/mod/www.opera.com/docs/changelogs": false,
+ "/mod/www.opera.com/docs/changelogs/windows": false,
+ "/mod/www.opera.com/docs/changelogs/windows/951": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2010-0197.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2010-0197.json
new file mode 100644
index 0000000..081fc36
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2010-0197.json
@@ -0,0 +1,6 @@
+{
+ "/mod/oval.cisecurity.org": false,
+ "/mod/oval.cisecurity.org/repository": false,
+ "/mod/oval.cisecurity.org/repository/search": false,
+ "/mod/oval.cisecurity.org/repository/search/definition": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2010-3671.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2010-3671.json
new file mode 100644
index 0000000..37a21b7
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2010-3671.json
@@ -0,0 +1,9 @@
+{
+ "/mod/security-tracker.debian.org": false,
+ "/mod/security-tracker.debian.org/tracker": false,
+ "/mod/security-tracker.debian.org/tracker/CVE-2010-3671": false,
+ "/mod/typo3.org": false,
+ "/mod/typo3.org/security": false,
+ "/mod/typo3.org/security/advisory": false,
+ "/mod/typo3.org/security/advisory/typo3-sa-2010-012": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2011-3350.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2011-3350.json
new file mode 100644
index 0000000..766cef7
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2011-3350.json
@@ -0,0 +1,9 @@
+{
+ "/mod/access.redhat.com": false,
+ "/mod/access.redhat.com/security": false,
+ "/mod/access.redhat.com/security/cve": false,
+ "/mod/access.redhat.com/security/cve/cve-2011-3350": false,
+ "/mod/security-tracker.debian.org": false,
+ "/mod/security-tracker.debian.org/tracker": false,
+ "/mod/security-tracker.debian.org/tracker/CVE-2011-3350": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2014-0718.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2014-0718.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2014-0718.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2015-1707.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2015-1707.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2015-1707.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-15005.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-15005.json
new file mode 100644
index 0000000..f76bb86
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-15005.json
@@ -0,0 +1,5 @@
+{
+ "/mod/github.com/dinever/golf": true,
+ "/mod/github.com/dinever/golf/pull": false,
+ "/mod/github.com/dinever/golf/pull/24": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-1544.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-1544.json
new file mode 100644
index 0000000..b65780c
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-1544.json
@@ -0,0 +1,5 @@
+{
+ "/mod/github.com/nghttp2/nghttp2": true,
+ "/mod/github.com/nghttp2/nghttp2/releases": false,
+ "/mod/github.com/nghttp2/nghttp2/releases/tag": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-4123.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-4123.json
new file mode 100644
index 0000000..be6b35d
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-4123.json
@@ -0,0 +1,4 @@
+{
+ "/mod/access.redhat.com": false,
+ "/mod/access.redhat.com/errata": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-7569.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-7569.json
new file mode 100644
index 0000000..ee67c11
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-7569.json
@@ -0,0 +1,5 @@
+{
+ "/mod/github.com/appc/docker2aci": true,
+ "/mod/github.com/appc/docker2aci/releases": false,
+ "/mod/github.com/appc/docker2aci/releases/tag": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-9122.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-9122.json
new file mode 100644
index 0000000..e1f9297
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2016-9122.json
@@ -0,0 +1,5 @@
+{
+ "/mod/hackerone.com": false,
+ "/mod/hackerone.com/reports": false,
+ "/mod/hackerone.com/reports/169629": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-1000070.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-1000070.json
new file mode 100644
index 0000000..1a236bb
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-1000070.json
@@ -0,0 +1,5 @@
+{
+ "/mod/github.com/bitly/oauth2_proxy": true,
+ "/mod/github.com/bitly/oauth2_proxy/pull": false,
+ "/mod/github.com/bitly/oauth2_proxy/pull/359": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-4378.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-4378.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-4378.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-7468.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-7468.json
new file mode 100644
index 0000000..c3bc696
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-7468.json
@@ -0,0 +1,5 @@
+{
+ "/mod/curl.haxx.se": false,
+ "/mod/curl.haxx.se/docs": false,
+ "/mod/curl.haxx.se/docs/adv_20170419.html": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-8963.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-8963.json
new file mode 100644
index 0000000..d50d7ae
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2017-8963.json
@@ -0,0 +1,7 @@
+{
+ "/mod/support.hpe.com": false,
+ "/mod/support.hpe.com/hpsc": false,
+ "/mod/support.hpe.com/hpsc/doc": false,
+ "/mod/support.hpe.com/hpsc/doc/public": false,
+ "/mod/support.hpe.com/hpsc/doc/public/display": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-1000803.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-1000803.json
new file mode 100644
index 0000000..a4c9c95
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-1000803.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/go-gitea/gitea": true,
+ "/mod/github.com/go-gitea/gitea/pull": false,
+ "/mod/github.com/go-gitea/gitea/pull/4664": false,
+ "/mod/github.com/go-gitea/gitea/pull/4664/files": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-15192.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-15192.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-15192.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-18625.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-18625.json
new file mode 100644
index 0000000..848a7cb
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-18625.json
@@ -0,0 +1,7 @@
+{
+ "/mod/github.com/grafana/grafana/pull": false,
+ "/mod/github.com/grafana/grafana/pull/11813": false,
+ "/mod/security.netapp.com": false,
+ "/mod/security.netapp.com/advisory": false,
+ "/mod/security.netapp.com/advisory/ntap-20200608-0008": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-18993.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-18993.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-18993.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-20303.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-20303.json
new file mode 100644
index 0000000..2d4d4e8
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2018-20303.json
@@ -0,0 +1,5 @@
+{
+ "/mod/pentesterlab.com": false,
+ "/mod/pentesterlab.com/exercises": false,
+ "/mod/pentesterlab.com/exercises/cve-2018-18925": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-1000008.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-1000008.json
new file mode 100644
index 0000000..bcaea73
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-1000008.json
@@ -0,0 +1,6 @@
+{
+ "/mod/helm.sh": false,
+ "/mod/helm.sh/blog": false,
+ "/mod/helm.sh/blog/helm-security-notice-2019": false,
+ "/mod/helm.sh/blog/helm-security-notice-2019/index.html": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-11246.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-11246.json
new file mode 100644
index 0000000..29701eb
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-11246.json
@@ -0,0 +1,5 @@
+{
+ "/mod/github.com/kubernetes/kubernetes": true,
+ "/mod/github.com/kubernetes/kubernetes/pull": false,
+ "/mod/github.com/kubernetes/kubernetes/pull/76788": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-14944.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-14944.json
new file mode 100644
index 0000000..b8c6ab7
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-14944.json
@@ -0,0 +1,9 @@
+{
+ "/mod/about.gitlab.com": false,
+ "/mod/about.gitlab.com/blog": false,
+ "/mod/about.gitlab.com/blog/categories": false,
+ "/mod/about.gitlab.com/blog/categories/releases": false,
+ "/mod/gitlab.com/gitlab-org/gitaly": true,
+ "/mod/gitlab.com/gitlab-org/gitaly/issues": false,
+ "/mod/gitlab.com/gitlab-org/gitaly/issues/1801": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-16991.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-16991.json
new file mode 100644
index 0000000..5d998b2
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-16991.json
@@ -0,0 +1,7 @@
+{
+ "/mod/resp3ctblog.wordpress.com": false,
+ "/mod/resp3ctblog.wordpress.com/2019": false,
+ "/mod/resp3ctblog.wordpress.com/2019/10": false,
+ "/mod/resp3ctblog.wordpress.com/2019/10/19": false,
+ "/mod/resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-20": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-19316.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-19316.json
new file mode 100644
index 0000000..c63fd14
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-19316.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/hashicorp/terraform": true,
+ "/mod/github.com/hashicorp/terraform/security": false,
+ "/mod/github.com/hashicorp/terraform/security/advisories": false,
+ "/mod/github.com/hashicorp/terraform/security/advisories/GHSA-4rvg-555h-r626": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-19794.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-19794.json
new file mode 100644
index 0000000..dde0260
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-19794.json
@@ -0,0 +1,5 @@
+{
+ "/mod/github.com/miekg/dns": true,
+ "/mod/github.com/miekg/dns/pull": false,
+ "/mod/github.com/miekg/dns/pull/1044": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-2130.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-2130.json
new file mode 100644
index 0000000..064fa72
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-2130.json
@@ -0,0 +1,6 @@
+{
+ "/mod/source.android.com": false,
+ "/mod/source.android.com/security": false,
+ "/mod/source.android.com/security/bulletin": false,
+ "/mod/source.android.com/security/bulletin/2019-08-01": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-3876.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-3876.json
new file mode 100644
index 0000000..be6b35d
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-3876.json
@@ -0,0 +1,4 @@
+{
+ "/mod/access.redhat.com": false,
+ "/mod/access.redhat.com/errata": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-9379.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-9379.json
new file mode 100644
index 0000000..1fdbf58
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-9379.json
@@ -0,0 +1,6 @@
+{
+ "/mod/source.android.com": false,
+ "/mod/source.android.com/security": false,
+ "/mod/source.android.com/security/bulletin": false,
+ "/mod/source.android.com/security/bulletin/android-10": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-9741.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-9741.json
new file mode 100644
index 0000000..be6b35d
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2019-9741.json
@@ -0,0 +1,4 @@
+{
+ "/mod/access.redhat.com": false,
+ "/mod/access.redhat.com/errata": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-10417.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-10417.json
new file mode 100644
index 0000000..d2598c3
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-10417.json
@@ -0,0 +1,4 @@
+{
+ "/mod/antoniocannito.it": false,
+ "/mod/antoniocannito.it/phpkb1": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-10661.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-10661.json
new file mode 100644
index 0000000..ef37607
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-10661.json
@@ -0,0 +1,6 @@
+{
+ "/mod/www.hashicorp.com": false,
+ "/mod/www.hashicorp.com/blog": false,
+ "/mod/www.hashicorp.com/blog/category": false,
+ "/mod/www.hashicorp.com/blog/category/vault": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-15129.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-15129.json
new file mode 100644
index 0000000..267b0a8
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-15129.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/containous/traefik": true,
+ "/mod/github.com/containous/traefik/security": false,
+ "/mod/github.com/containous/traefik/security/advisories": false,
+ "/mod/github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-1764.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-1764.json
new file mode 100644
index 0000000..2354260
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-1764.json
@@ -0,0 +1,6 @@
+{
+ "/mod/kiali.io": false,
+ "/mod/kiali.io/news": false,
+ "/mod/kiali.io/news/security-bulletins": false,
+ "/mod/kiali.io/news/security-bulletins/kiali-security-001": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-19957.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-19957.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-19957.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-25017.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-25017.json
new file mode 100644
index 0000000..3f3ad2a
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-25017.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/envoyproxy/envoy": true,
+ "/mod/github.com/envoyproxy/envoy/security": false,
+ "/mod/github.com/envoyproxy/envoy/security/advisories": false,
+ "/mod/github.com/envoyproxy/envoy/security/advisories/GHSA-2v25-cjjq-5f4w": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-26240.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-26240.json
new file mode 100644
index 0000000..77952c5
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-26240.json
@@ -0,0 +1,11 @@
+{
+ "/mod/blog.ethereum.org": false,
+ "/mod/blog.ethereum.org/2020": false,
+ "/mod/blog.ethereum.org/2020/11": false,
+ "/mod/blog.ethereum.org/2020/11/12": false,
+ "/mod/blog.ethereum.org/2020/11/12/geth_security_release": false,
+ "/mod/github.com/ethereum/go-ethereum": true,
+ "/mod/github.com/ethereum/go-ethereum/security": false,
+ "/mod/github.com/ethereum/go-ethereum/security/advisories": false,
+ "/mod/github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-26276.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-26276.json
new file mode 100644
index 0000000..560a8a1
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-26276.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/fleetdm/fleet": true,
+ "/mod/github.com/fleetdm/fleet/security": false,
+ "/mod/github.com/fleetdm/fleet/security/advisories": false,
+ "/mod/github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-36568.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-36568.json
new file mode 100644
index 0000000..7c9f459
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-36568.json
@@ -0,0 +1,5 @@
+{
+ "/mod/github.com/revel/revel": true,
+ "/mod/github.com/revel/revel/pull": false,
+ "/mod/github.com/revel/revel/pull/1427": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-8558.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-8558.json
new file mode 100644
index 0000000..2d2a5e6
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2020-8558.json
@@ -0,0 +1,5 @@
+{
+ "/mod/security.netapp.com": false,
+ "/mod/security.netapp.com/advisory": false,
+ "/mod/security.netapp.com/advisory/ntap-20200821-0001": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-21403.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-21403.json
new file mode 100644
index 0000000..e45b3c0
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-21403.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/kongchuanhujiao/server": true,
+ "/mod/github.com/kongchuanhujiao/server/security": false,
+ "/mod/github.com/kongchuanhujiao/server/security/advisories": false,
+ "/mod/github.com/kongchuanhujiao/server/security/advisories/GHSA-8wrg-m8vm-5fvj": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-29499.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-29499.json
new file mode 100644
index 0000000..851bc5d
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-29499.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/sylabs/sif": true,
+ "/mod/github.com/sylabs/sif/security": false,
+ "/mod/github.com/sylabs/sif/security/advisories": false,
+ "/mod/github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-30962.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-30962.json
new file mode 100644
index 0000000..471d6a5
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-30962.json
@@ -0,0 +1,6 @@
+{
+ "/mod/support.apple.com": false,
+ "/mod/support.apple.com/en-us": false,
+ "/mod/support.apple.com/en-us/HT212979": false,
+ "/mod/support.apple.com/en-us/HT212980": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-3495.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-3495.json
new file mode 100644
index 0000000..f4373ae
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-3495.json
@@ -0,0 +1,6 @@
+{
+ "/mod/kiali.io": false,
+ "/mod/kiali.io/news": false,
+ "/mod/kiali.io/news/security-bulletins": false,
+ "/mod/kiali.io/news/security-bulletins/kiali-security-003": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-39391.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-39391.json
new file mode 100644
index 0000000..c89a772
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-39391.json
@@ -0,0 +1,3 @@
+{
+ "/mod/github.com/beego/beego": true
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-42135.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-42135.json
new file mode 100644
index 0000000..f016cd0
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-42135.json
@@ -0,0 +1,5 @@
+{
+ "/mod/discuss.hashicorp.com": false,
+ "/mod/discuss.hashicorp.com/t": false,
+ "/mod/discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-42583.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-42583.json
new file mode 100644
index 0000000..f2ac143
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2021-42583.json
@@ -0,0 +1,5 @@
+{
+ "/mod/github.com/foxcpp/maddy": true,
+ "/mod/github.com/foxcpp/maddy/releases": false,
+ "/mod/github.com/foxcpp/maddy/releases/tag": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-21713.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-21713.json
new file mode 100644
index 0000000..adceaa9
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-21713.json
@@ -0,0 +1,16 @@
+{
+ "/mod/github.com/grafana/grafana/pull": false,
+ "/mod/github.com/grafana/grafana/pull/45083": false,
+ "/mod/github.com/grafana/grafana/security": false,
+ "/mod/github.com/grafana/grafana/security/advisories": false,
+ "/mod/github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv": false,
+ "/mod/grafana.com": false,
+ "/mod/grafana.com/blog": false,
+ "/mod/grafana.com/blog/2022": false,
+ "/mod/grafana.com/blog/2022/02": false,
+ "/mod/grafana.com/blog/2022/02/08": false,
+ "/mod/grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes": false,
+ "/mod/security.netapp.com": false,
+ "/mod/security.netapp.com/advisory": false,
+ "/mod/security.netapp.com/advisory/ntap-20220303-0005": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-2385.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-2385.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-2385.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-24826.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-24826.json
new file mode 100644
index 0000000..33602ad
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-24826.json
@@ -0,0 +1,4 @@
+{
+ "/mod/github.com/git-lfs/git-lfs": true,
+ "/mod/github.com/git-lfs/git-lfs/releases": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-24905.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-24905.json
new file mode 100644
index 0000000..43ae90f
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-24905.json
@@ -0,0 +1,5 @@
+{
+ "/mod/github.com/argoproj/argo-cd": true,
+ "/mod/github.com/argoproj/argo-cd/releases": false,
+ "/mod/github.com/argoproj/argo-cd/releases/tag": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-25327.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-25327.json
new file mode 100644
index 0000000..62061ae
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-25327.json
@@ -0,0 +1,5 @@
+{
+ "/mod/github.com/google/fscrypt": true,
+ "/mod/github.com/google/fscrypt/pull": false,
+ "/mod/github.com/google/fscrypt/pull/346": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-27649.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-27649.json
new file mode 100644
index 0000000..6550a5a
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-27649.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/containers/podman": true,
+ "/mod/github.com/containers/podman/security": false,
+ "/mod/github.com/containers/podman/security/advisories": false,
+ "/mod/github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-2880.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-2880.json
new file mode 100644
index 0000000..4658b70
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-2880.json
@@ -0,0 +1,7 @@
+{
+ "/mod/go.dev": false,
+ "/mod/go.dev/cl": false,
+ "/mod/go.dev/cl/432976": false,
+ "/mod/go.dev/issue": false,
+ "/mod/go.dev/issue/54663": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-31097.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-31097.json
new file mode 100644
index 0000000..39a4e63
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-31097.json
@@ -0,0 +1,18 @@
+{
+ "/mod/github.com/grafana/grafana/security": false,
+ "/mod/github.com/grafana/grafana/security/advisories": false,
+ "/mod/github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f": false,
+ "/mod/grafana.com": false,
+ "/mod/grafana.com/docs": false,
+ "/mod/grafana.com/docs/grafana": false,
+ "/mod/grafana.com/docs/grafana/latest": false,
+ "/mod/grafana.com/docs/grafana/latest/release-notes": false,
+ "/mod/grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9": false,
+ "/mod/grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3": false,
+ "/mod/grafana.com/docs/grafana/next": false,
+ "/mod/grafana.com/docs/grafana/next/release-notes": false,
+ "/mod/grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10": false,
+ "/mod/security.netapp.com": false,
+ "/mod/security.netapp.com/advisory": false,
+ "/mod/security.netapp.com/advisory/ntap-20220901-0010": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-34800.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-34800.json
new file mode 100644
index 0000000..a48b97f
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-34800.json
@@ -0,0 +1,6 @@
+{
+ "/mod/www.jenkins.io": false,
+ "/mod/www.jenkins.io/security": false,
+ "/mod/www.jenkins.io/security/advisory": false,
+ "/mod/www.jenkins.io/security/advisory/2022-06-30": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-36309.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-36309.json
new file mode 100644
index 0000000..0ee4e5e
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-36309.json
@@ -0,0 +1,9 @@
+{
+ "/mod/github.com/metaredteam/external-disclosures": false,
+ "/mod/github.com/metaredteam/external-disclosures/security": false,
+ "/mod/github.com/metaredteam/external-disclosures/security/advisories": false,
+ "/mod/github.com/metaredteam/external-disclosures/security/advisories/GHSA-p295-2jh6-g6g4": false,
+ "/mod/helpdesk.airspan.com": false,
+ "/mod/helpdesk.airspan.com/browse": false,
+ "/mod/helpdesk.airspan.com/browse/TRN3-1690": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-38638.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-38638.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-38638.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-39238.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-39238.json
new file mode 100644
index 0000000..cae4010
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-39238.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/arvados/arvados": true,
+ "/mod/github.com/arvados/arvados/security": false,
+ "/mod/github.com/arvados/arvados/security/advisories": false,
+ "/mod/github.com/arvados/arvados/security/advisories/GHSA-87jr-xwhg-cxjv": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-40083.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-40083.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-40083.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-4045.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-4045.json
new file mode 100644
index 0000000..41c693a
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-4045.json
@@ -0,0 +1,4 @@
+{
+ "/mod/mattermost.com": false,
+ "/mod/mattermost.com/security-updates": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-41912.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-41912.json
new file mode 100644
index 0000000..64da124
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-41912.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/crewjam/saml": true,
+ "/mod/github.com/crewjam/saml/security": false,
+ "/mod/github.com/crewjam/saml/security/advisories": false,
+ "/mod/github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-44797.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-44797.json
new file mode 100644
index 0000000..304a9dc
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-44797.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/lightningnetwork/lnd": true,
+ "/mod/github.com/lightningnetwork/lnd/releases": false,
+ "/mod/github.com/lightningnetwork/lnd/releases/tag": false,
+ "/mod/github.com/lightningnetwork/lnd/releases/tag/v0.15.2-beta": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-44942.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-44942.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-44942.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-46167.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-46167.json
new file mode 100644
index 0000000..219aeb3
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-46167.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/clastix/capsule": true,
+ "/mod/github.com/clastix/capsule/security": false,
+ "/mod/github.com/clastix/capsule/security/advisories": false,
+ "/mod/github.com/clastix/capsule/security/advisories/GHSA-x45c-cvp8-q4fm": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-4813.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-4813.json
new file mode 100644
index 0000000..b904a07
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-4813.json
@@ -0,0 +1,5 @@
+{
+ "/mod/huntr.dev": false,
+ "/mod/huntr.dev/bounties": false,
+ "/mod/huntr.dev/bounties/a24b45d8-554b-4131-8ce1-f33bf8cdbacc": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-4850.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-4850.json
new file mode 100644
index 0000000..5fe4137
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2022-4850.json
@@ -0,0 +1,5 @@
+{
+ "/mod/huntr.dev": false,
+ "/mod/huntr.dev/bounties": false,
+ "/mod/huntr.dev/bounties/46dc4728-eacc-43f5-9831-c203fdbcc346": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-1238.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-1238.json
new file mode 100644
index 0000000..2845e89
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-1238.json
@@ -0,0 +1,5 @@
+{
+ "/mod/huntr.dev": false,
+ "/mod/huntr.dev/bounties": false,
+ "/mod/huntr.dev/bounties/52f97267-1439-4bb6-862b-89b8fafce50d": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-28436.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-28436.json
new file mode 100644
index 0000000..6d86837
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-28436.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/tailscale/tailscale": true,
+ "/mod/github.com/tailscale/tailscale/security": false,
+ "/mod/github.com/tailscale/tailscale/security/advisories": false,
+ "/mod/github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-32758.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-32758.json
new file mode 100644
index 0000000..f7a9ec3
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-32758.json
@@ -0,0 +1,8 @@
+{
+ "/mod/github.com/returntocorp/semgrep": true,
+ "/mod/github.com/returntocorp/semgrep/pull": false,
+ "/mod/github.com/returntocorp/semgrep/pull/7611": false,
+ "/mod/pypi.org": false,
+ "/mod/pypi.org/project": false,
+ "/mod/pypi.org/project/git-url-parse": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-34091.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-34091.json
new file mode 100644
index 0000000..734782d
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-34091.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/kyverno/kyverno": true,
+ "/mod/github.com/kyverno/kyverno/security": false,
+ "/mod/github.com/kyverno/kyverno/security/advisories": false,
+ "/mod/github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-35993.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-35993.json
new file mode 100644
index 0000000..d64e631
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-35993.json
@@ -0,0 +1,11 @@
+{
+ "/mod/support.apple.com": false,
+ "/mod/support.apple.com/en-us": false,
+ "/mod/support.apple.com/en-us/HT213841": false,
+ "/mod/support.apple.com/en-us/HT213842": false,
+ "/mod/support.apple.com/en-us/HT213843": false,
+ "/mod/support.apple.com/en-us/HT213844": false,
+ "/mod/support.apple.com/en-us/HT213845": false,
+ "/mod/support.apple.com/en-us/HT213846": false,
+ "/mod/support.apple.com/en-us/HT213848": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-37265.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-37265.json
new file mode 100644
index 0000000..d2a7528
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-37265.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/IceWhaleTech/CasaOS-Gateway": true,
+ "/mod/github.com/IceWhaleTech/CasaOS-Gateway/security": false,
+ "/mod/github.com/IceWhaleTech/CasaOS-Gateway/security/advisories": false,
+ "/mod/github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-39964.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-39964.json
new file mode 100644
index 0000000..2832157
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-39964.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/1Panel-dev/1Panel": true,
+ "/mod/github.com/1Panel-dev/1Panel/security": false,
+ "/mod/github.com/1Panel-dev/1Panel/security/advisories": false,
+ "/mod/github.com/1Panel-dev/1Panel/security/advisories/GHSA-pv7q-v9mv-9mh5": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-42816.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-42816.json
new file mode 100644
index 0000000..78d8b88
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-42816.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/kyverno/kyverno": true,
+ "/mod/github.com/kyverno/kyverno/security": false,
+ "/mod/github.com/kyverno/kyverno/security/advisories": false,
+ "/mod/github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-43620.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-43620.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-43620.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-43884.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-43884.json
new file mode 100644
index 0000000..621a740
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-43884.json
@@ -0,0 +1,3 @@
+{
+ "/mod/github.com/dpuenteramirez/XSS-ReferenceID-Subrion_4.2.1": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45142.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45142.json
new file mode 100644
index 0000000..a4cfea5
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45142.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/open-telemetry/opentelemetry-go-contrib": true,
+ "/mod/github.com/open-telemetry/opentelemetry-go-contrib/security": false,
+ "/mod/github.com/open-telemetry/opentelemetry-go-contrib/security/advisories": false,
+ "/mod/github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45223.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45223.json
new file mode 100644
index 0000000..41c693a
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45223.json
@@ -0,0 +1,4 @@
+{
+ "/mod/mattermost.com": false,
+ "/mod/mattermost.com/security-updates": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45284.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45284.json
new file mode 100644
index 0000000..aea9994
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45284.json
@@ -0,0 +1,7 @@
+{
+ "/mod/go.dev": false,
+ "/mod/go.dev/cl": false,
+ "/mod/go.dev/cl/540277": false,
+ "/mod/go.dev/issue": false,
+ "/mod/go.dev/issue/63713": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45825.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45825.json
new file mode 100644
index 0000000..7ad1f53
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-45825.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/ydb-platform/ydb-go-sdk": true,
+ "/mod/github.com/ydb-platform/ydb-go-sdk/security": false,
+ "/mod/github.com/ydb-platform/ydb-go-sdk/security/advisories": false,
+ "/mod/github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-46740.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-46740.json
new file mode 100644
index 0000000..5a1b7b2
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-46740.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/cubefs/cubefs": true,
+ "/mod/github.com/cubefs/cubefs/security": false,
+ "/mod/github.com/cubefs/cubefs/security/advisories": false,
+ "/mod/github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-47108.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-47108.json
new file mode 100644
index 0000000..30d6d59
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-47108.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/open-telemetry/opentelemetry-go-contrib": true,
+ "/mod/github.com/open-telemetry/opentelemetry-go-contrib/security": false,
+ "/mod/github.com/open-telemetry/opentelemetry-go-contrib/security/advisories": false,
+ "/mod/github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-48312.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-48312.json
new file mode 100644
index 0000000..c23bd4f
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-48312.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/projectcapsule/capsule-proxy": true,
+ "/mod/github.com/projectcapsule/capsule-proxy/security": false,
+ "/mod/github.com/projectcapsule/capsule-proxy/security/advisories": false,
+ "/mod/github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-fpvw-6m5v-hqfp": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-48795.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-48795.json
new file mode 100644
index 0000000..ed67ce5
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-48795.json
@@ -0,0 +1,75 @@
+{
+ "/mod/access.redhat.com": false,
+ "/mod/access.redhat.com/security": false,
+ "/mod/access.redhat.com/security/cve": false,
+ "/mod/access.redhat.com/security/cve/cve-2023-48795": false,
+ "/mod/git.libssh.org": false,
+ "/mod/git.libssh.org/projects": false,
+ "/mod/git.libssh.org/projects/libssh.git": false,
+ "/mod/git.libssh.org/projects/libssh.git/commit": false,
+ "/mod/github.com/advisories/GHSA-45x7-px36-x8w8": false,
+ "/mod/github.com/drakkan/sftpgo": true,
+ "/mod/github.com/drakkan/sftpgo/releases": false,
+ "/mod/github.com/drakkan/sftpgo/releases/tag": false,
+ "/mod/github.com/erlang/otp": false,
+ "/mod/github.com/erlang/otp/releases": false,
+ "/mod/github.com/erlang/otp/releases/tag": false,
+ "/mod/github.com/erlang/otp/releases/tag/OTP-26.2.1": false,
+ "/mod/github.com/mwiede/jsch": false,
+ "/mod/github.com/mwiede/jsch/pull": false,
+ "/mod/github.com/mwiede/jsch/pull/461": false,
+ "/mod/github.com/openssh/openssh-portable": false,
+ "/mod/github.com/openssh/openssh-portable/commits": false,
+ "/mod/github.com/openssh/openssh-portable/commits/master": false,
+ "/mod/github.com/ronf/asyncssh": false,
+ "/mod/github.com/ronf/asyncssh/tags": false,
+ "/mod/github.com/warp-tech/russh": false,
+ "/mod/github.com/warp-tech/russh/releases": false,
+ "/mod/github.com/warp-tech/russh/releases/tag": false,
+ "/mod/gitlab.com/libssh/libssh-mirror": false,
+ "/mod/gitlab.com/libssh/libssh-mirror/-": false,
+ "/mod/gitlab.com/libssh/libssh-mirror/-/tags": false,
+ "/mod/jadaptive.com": false,
+ "/mod/jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795": false,
+ "/mod/matt.ucc.asn.au": false,
+ "/mod/matt.ucc.asn.au/dropbear": false,
+ "/mod/matt.ucc.asn.au/dropbear/CHANGES": false,
+ "/mod/news.ycombinator.com": false,
+ "/mod/news.ycombinator.com/item": false,
+ "/mod/security-tracker.debian.org": false,
+ "/mod/security-tracker.debian.org/tracker": false,
+ "/mod/security-tracker.debian.org/tracker/CVE-2023-48795": false,
+ "/mod/security-tracker.debian.org/tracker/source-package": false,
+ "/mod/security-tracker.debian.org/tracker/source-package/libssh2": false,
+ "/mod/security-tracker.debian.org/tracker/source-package/proftpd-dfsg": false,
+ "/mod/thorntech.com": false,
+ "/mod/thorntech.com/cve-2023-48795-and-sftp-gateway": false,
+ "/mod/ubuntu.com": false,
+ "/mod/ubuntu.com/security": false,
+ "/mod/ubuntu.com/security/CVE-2023-48795": false,
+ "/mod/www.bitvise.com": false,
+ "/mod/www.bitvise.com/ssh-server-version-history": false,
+ "/mod/www.chiark.greenend.org.uk": false,
+ "/mod/www.chiark.greenend.org.uk/~sgtatham": false,
+ "/mod/www.chiark.greenend.org.uk/~sgtatham/putty": false,
+ "/mod/www.chiark.greenend.org.uk/~sgtatham/putty/changes.html": false,
+ "/mod/www.netsarang.com": false,
+ "/mod/www.netsarang.com/en": false,
+ "/mod/www.netsarang.com/en/xshell-update-history": false,
+ "/mod/www.openssh.com": false,
+ "/mod/www.openssh.com/openbsd.html": false,
+ "/mod/www.openssh.com/txt": false,
+ "/mod/www.openssh.com/txt/release-9.6": false,
+ "/mod/www.paramiko.org": false,
+ "/mod/www.paramiko.org/changelog.html": false,
+ "/mod/www.reddit.com": false,
+ "/mod/www.reddit.com/r": false,
+ "/mod/www.reddit.com/r/sysadmin": false,
+ "/mod/www.reddit.com/r/sysadmin/comments": false,
+ "/mod/www.reddit.com/r/sysadmin/comments/18idv52": false,
+ "/mod/www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed": false,
+ "/mod/www.suse.com": false,
+ "/mod/www.suse.com/c": false,
+ "/mod/www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795": false,
+ "/mod/www.terrapin-attack.com": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-49946.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-49946.json
new file mode 100644
index 0000000..d530f50
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-49946.json
@@ -0,0 +1,9 @@
+{
+ "/mod/codeberg.org/forgejo/forgejo": true,
+ "/mod/codeberg.org/forgejo/forgejo/src": false,
+ "/mod/codeberg.org/forgejo/forgejo/src/branch": false,
+ "/mod/codeberg.org/forgejo/forgejo/src/branch/forgejo": false,
+ "/mod/codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md": false,
+ "/mod/forgejo.org": false,
+ "/mod/forgejo.org/2023-11-release-v1-20-5-1": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-52430.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-52430.json
new file mode 100644
index 0000000..866e851
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2023-52430.json
@@ -0,0 +1,7 @@
+{
+ "/mod/blog.trailofbits.com": false,
+ "/mod/blog.trailofbits.com/2023": false,
+ "/mod/blog.trailofbits.com/2023/09": false,
+ "/mod/blog.trailofbits.com/2023/09/18": false,
+ "/mod/blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-21848.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-21848.json
new file mode 100644
index 0000000..41c693a
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-21848.json
@@ -0,0 +1,4 @@
+{
+ "/mod/mattermost.com": false,
+ "/mod/mattermost.com/security-updates": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-24774.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-24774.json
new file mode 100644
index 0000000..41c693a
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-24774.json
@@ -0,0 +1,4 @@
+{
+ "/mod/mattermost.com": false,
+ "/mod/mattermost.com/security-updates": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-24988.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-24988.json
new file mode 100644
index 0000000..41c693a
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-24988.json
@@ -0,0 +1,4 @@
+{
+ "/mod/mattermost.com": false,
+ "/mod/mattermost.com/security-updates": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-27304.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-27304.json
new file mode 100644
index 0000000..4608527
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-27304.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/jackc/pgx": true,
+ "/mod/github.com/jackc/pgx/security": false,
+ "/mod/github.com/jackc/pgx/security/advisories": false,
+ "/mod/github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-28860.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-28860.json
new file mode 100644
index 0000000..94ffdbf
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-28860.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/cilium/cilium": true,
+ "/mod/github.com/cilium/cilium/security": false,
+ "/mod/github.com/cilium/cilium/security/advisories": false,
+ "/mod/github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-30623.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-30623.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-30623.json
@@ -0,0 +1 @@
+{}
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-37032.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-37032.json
new file mode 100644
index 0000000..d877758
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-37032.json
@@ -0,0 +1,5 @@
+{
+ "/mod/github.com/ollama/ollama": true,
+ "/mod/github.com/ollama/ollama/pull": false,
+ "/mod/github.com/ollama/ollama/pull/4175": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-37153.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-37153.json
new file mode 100644
index 0000000..0d0d8f2
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-37153.json
@@ -0,0 +1,6 @@
+{
+ "/mod/github.com/evmos/evmos": true,
+ "/mod/github.com/evmos/evmos/security": false,
+ "/mod/github.com/evmos/evmos/security/advisories": false,
+ "/mod/github.com/evmos/evmos/security/advisories/GHSA-xgr7-jgq3-mhmc": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-5798.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-5798.json
new file mode 100644
index 0000000..223a26e
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-5798.json
@@ -0,0 +1,6 @@
+{
+ "/mod/discuss.hashicorp.com": false,
+ "/mod/discuss.hashicorp.com/t": false,
+ "/mod/discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims": false,
+ "/mod/discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770": false
+}
\ No newline at end of file
diff --git a/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-6104.json b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-6104.json
new file mode 100644
index 0000000..2af857e
--- /dev/null
+++ b/internal/triage/testdata/pkgsite/TestAffectsGo/CVE-2024-6104.json
@@ -0,0 +1,5 @@
+{
+ "/mod/discuss.hashicorp.com": false,
+ "/mod/discuss.hashicorp.com/c": false,
+ "/mod/discuss.hashicorp.com/c/security": false
+}
\ No newline at end of file
