data/reports: add 5 reports
- data/reports/GO-2025-3656.yaml
- data/reports/GO-2025-3661.yaml
- data/reports/GO-2025-3662.yaml
- data/reports/GO-2025-3663.yaml
- data/reports/GO-2025-3665.yaml
Fixes golang/vulndb#3656
Fixes golang/vulndb#3661
Fixes golang/vulndb#3662
Fixes golang/vulndb#3663
Fixes golang/vulndb#3665
Change-Id: Iadf94f7511240c2675cc0582d6d8acdac8165e36
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/670315
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Neal Patel <nealpatel@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/data/osv/GO-2025-3656.json b/data/osv/GO-2025-3656.json
new file mode 100644
index 0000000..cae1b3a
--- /dev/null
+++ b/data/osv/GO-2025-3656.json
@@ -0,0 +1,112 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3656",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-32777",
+ "GHSA-hg79-fw4p-25p8"
+ ],
+ "summary": "Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin in volcano.sh/volcano",
+ "details": "Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin in volcano.sh/volcano",
+ "affected": [
+ {
+ "package": {
+ "name": "volcano.sh/volcano",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.9.1"
+ },
+ {
+ "introduced": "1.10.0-alpha.0"
+ },
+ {
+ "fixed": "1.10.2"
+ },
+ {
+ "introduced": "1.11.0-network-topology-preview.0"
+ },
+ {
+ "fixed": "1.11.0-network-topology-preview.3"
+ },
+ {
+ "introduced": "1.11.0"
+ },
+ {
+ "fixed": "1.11.2"
+ },
+ {
+ "introduced": "1.12.0-alpha.0"
+ },
+ {
+ "fixed": "1.12.0-alpha.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32777"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/volcano-sh/volcano/commit/45a4347471a5254121d10afef04c6732095fa398"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/volcano-sh/volcano/commit/7103c18de19821cd278f949fa24c13da350a8c5d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/volcano-sh/volcano/commit/735842af59b9be0da5090677db7693c98a798b2a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/volcano-sh/volcano/commit/7c0ea53fa3cfa7a05b5fba7a8af7bfe88adc41c3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/volcano-sh/volcano/commit/d687f75a11fa36f37b54e4b6ff8e49bc0a3ca6b4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.10.2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.9.1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3656",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3661.json b/data/osv/GO-2025-3661.json
new file mode 100644
index 0000000..7cdd65c
--- /dev/null
+++ b/data/osv/GO-2025-3661.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3661",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-4210"
+ ],
+ "summary": "Casdoor SCIM User Creation Endpoint scim.go HandleScim authorization in github.com/casdoor/casdoor",
+ "details": "Casdoor SCIM User Creation Endpoint scim.go HandleScim authorization in github.com/casdoor/casdoor",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/casdoor/casdoor",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4210"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/casdoor/casdoor/commit/3d12ac8dc2282369296c3386815c00a06c6a92fe"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/casdoor/casdoor/releases/tag/v1.812.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.307180"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.307180"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.556201"
+ }
+ ],
+ "credits": [
+ {
+ "name": "krav (VulDB User)"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3661",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3662.json b/data/osv/GO-2025-3662.json
new file mode 100644
index 0000000..b409e3a
--- /dev/null
+++ b/data/osv/GO-2025-3662.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3662",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-3879",
+ "GHSA-f9ch-h8j7-8jwg"
+ ],
+ "summary": "Hashicorp Vault Community vulnerable to Incorrect Authorization in github.com/hashicorp/vault",
+ "details": "Hashicorp Vault Community vulnerable to Incorrect Authorization in github.com/hashicorp/vault",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/vault",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.10.0"
+ },
+ {
+ "fixed": "1.19.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-f9ch-h8j7-8jwg"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3879"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3662",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3663.json b/data/osv/GO-2025-3663.json
new file mode 100644
index 0000000..bcecc1e
--- /dev/null
+++ b/data/osv/GO-2025-3663.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3663",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-4166",
+ "GHSA-gcqf-f89c-68hv"
+ ],
+ "summary": "Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information in github.com/hashicorp/vault",
+ "details": "Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information in github.com/hashicorp/vault",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/vault",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.3.0"
+ },
+ {
+ "fixed": "1.19.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-gcqf-f89c-68hv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4166"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3663",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3665.json b/data/osv/GO-2025-3665.json
new file mode 100644
index 0000000..42c5f7b
--- /dev/null
+++ b/data/osv/GO-2025-3665.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3665",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-pv22-fqcj-7xwh"
+ ],
+ "summary": "Inspektor Gadget Security Policies Can be Bypassed in github.com/inspektor-gadget/inspektor-gadget",
+ "details": "Inspektor Gadget Security Policies Can be Bypassed in github.com/inspektor-gadget/inspektor-gadget",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/inspektor-gadget/inspektor-gadget",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.31.0"
+ },
+ {
+ "fixed": "0.40.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-pv22-fqcj-7xwh"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/inspektor-gadget/inspektor-gadget/commit/c51d419964f5b6f9344fcad4faba70e2e025212b"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3665",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3656.yaml b/data/reports/GO-2025-3656.yaml
new file mode 100644
index 0000000..476c94f
--- /dev/null
+++ b/data/reports/GO-2025-3656.yaml
@@ -0,0 +1,38 @@
+id: GO-2025-3656
+modules:
+ - module: volcano.sh/volcano
+ versions:
+ - fixed: 1.9.1
+ - introduced: 1.10.0-alpha.0
+ - fixed: 1.10.2
+ - introduced: 1.11.0-network-topology-preview.0
+ - fixed: 1.11.0-network-topology-preview.3
+ - introduced: 1.11.0
+ - fixed: 1.11.2
+ - introduced: 1.12.0-alpha.0
+ - fixed: 1.12.0-alpha.2
+ vulnerable_at: 1.12.0-alpha.1
+summary: |-
+ Volcano Scheduler Denial of Service via Unbounded Response from Elastic
+ Service/extender Plugin in volcano.sh/volcano
+cves:
+ - CVE-2025-32777
+ghsas:
+ - GHSA-hg79-fw4p-25p8
+references:
+ - advisory: https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-32777
+ - web: https://github.com/volcano-sh/volcano/commit/45a4347471a5254121d10afef04c6732095fa398
+ - web: https://github.com/volcano-sh/volcano/commit/7103c18de19821cd278f949fa24c13da350a8c5d
+ - web: https://github.com/volcano-sh/volcano/commit/735842af59b9be0da5090677db7693c98a798b2a
+ - web: https://github.com/volcano-sh/volcano/commit/7c0ea53fa3cfa7a05b5fba7a8af7bfe88adc41c3
+ - web: https://github.com/volcano-sh/volcano/commit/d687f75a11fa36f37b54e4b6ff8e49bc0a3ca6b4
+ - web: https://github.com/volcano-sh/volcano/releases/tag/v1.10.2
+ - web: https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3
+ - web: https://github.com/volcano-sh/volcano/releases/tag/v1.11.2
+ - web: https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2
+ - web: https://github.com/volcano-sh/volcano/releases/tag/v1.9.1
+source:
+ id: GHSA-hg79-fw4p-25p8
+ created: 2025-05-05T12:55:57.305718-04:00
+review_status: UNREVIEWED
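Review bot: The five upstream commit links in `references` are typed `web`, while the other reports in this change type their patch commits as `fix` (GO-2025-3661, GO-2025-3665). There are five commits and five `fixed` versions here, so these look like the per-branch patches, though that is inferred from the counts and is not shown on the page. If confirmed, retyping them, e.g. `- fix: https://github.com/volcano-sh/volcano/commit/45a4347471a5254121d10afef04c6732095fa398`, lets consumers that key on the reference type find the patch for their release line. The generated data/osv/GO-2025-3656.json would then need regenerating.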
diff --git a/data/reports/GO-2025-3661.yaml b/data/reports/GO-2025-3661.yaml
new file mode 100644
index 0000000..cb09c08
--- /dev/null
+++ b/data/reports/GO-2025-3661.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-3661
+modules:
+ - module: github.com/casdoor/casdoor
+ unsupported_versions:
+ - cve_version_range: affected at 1.811
+ vulnerable_at: 1.904.0
+summary: Casdoor SCIM User Creation Endpoint scim.go HandleScim authorization in github.com/casdoor/casdoor
+cves:
+ - CVE-2025-4210
+credits:
+ - krav (VulDB User)
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4210
+ - fix: https://github.com/casdoor/casdoor/commit/3d12ac8dc2282369296c3386815c00a06c6a92fe
+ - fix: https://github.com/casdoor/casdoor/releases/tag/v1.812.0
+ - web: https://vuldb.com/?ctiid.307180
+ - web: https://vuldb.com/?id.307180
+ - web: https://vuldb.com/?submit.556201
+source:
+ id: CVE-2025-4210
+ created: 2025-05-05T12:56:06.268616-04:00
+review_status: UNREVIEWED
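Review bot: This report records no fixed version although its own `references` list a fix commit and the release tag v1.812.0, so the generated data/osv/GO-2025-3661.json carries only `"introduced": "0"` and every version of github.com/casdoor/casdoor is reported as affected. `vulnerable_at: 1.904.0` is also later than the referenced fix release, which suggests it was picked as the latest version and not as a known-vulnerable one. If v1.812.0 is confirmed to contain the referenced fix commit, consider replacing the `unsupported_versions` entry with `versions:` / `- fixed: 1.812.0` and moving `vulnerable_at` to a release at or below the 1.811 line the CVE names. Without that, scanner users get a finding they cannot clear by upgrading.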
diff --git a/data/reports/GO-2025-3662.yaml b/data/reports/GO-2025-3662.yaml
new file mode 100644
index 0000000..1bdd6e4
--- /dev/null
+++ b/data/reports/GO-2025-3662.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3662
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 1.10.0
+ - fixed: 1.19.1
+ vulnerable_at: 1.19.0
+summary: Hashicorp Vault Community vulnerable to Incorrect Authorization in github.com/hashicorp/vault
+cves:
+ - CVE-2025-3879
+ghsas:
+ - GHSA-f9ch-h8j7-8jwg
+references:
+ - advisory: https://github.com/advisories/GHSA-f9ch-h8j7-8jwg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-3879
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716
+source:
+ id: GHSA-f9ch-h8j7-8jwg
+ created: 2025-05-05T12:57:08.78106-04:00
+review_status: UNREVIEWED
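Review bot: The `summary` names only the weakness class, so a reader cannot tell from the report which Vault feature is affected; the linked HCSEC-2025-07 bulletin title indicates it is the Azure authentication method's bound-location restriction being bypassed on login. A summary such as `Hashicorp Vault Azure auth method bound location restriction bypass in github.com/hashicorp/vault` would let operators who do not enable Azure auth deprioritise the finding. The same applies to GO-2025-3663, whose bulletin title points to error logs produced by the KV v2 plugin. Both reports are module-wide with no package scope, so it is also worth confirming that the affected code ships in this module and not in a separately versioned plugin.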
diff --git a/data/reports/GO-2025-3663.yaml b/data/reports/GO-2025-3663.yaml
new file mode 100644
index 0000000..a11290a
--- /dev/null
+++ b/data/reports/GO-2025-3663.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-3663
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 0.3.0
+ - fixed: 1.19.3
+ vulnerable_at: 1.19.2
+summary: |-
+ Hashicorp Vault Community vulnerable to Generation of Error Message Containing
+ Sensitive Information in github.com/hashicorp/vault
+cves:
+ - CVE-2025-4166
+ghsas:
+ - GHSA-gcqf-f89c-68hv
+references:
+ - advisory: https://github.com/advisories/GHSA-gcqf-f89c-68hv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4166
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin
+source:
+ id: GHSA-gcqf-f89c-68hv
+ created: 2025-05-05T12:57:13.785057-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3665.yaml b/data/reports/GO-2025-3665.yaml
new file mode 100644
index 0000000..00295da
--- /dev/null
+++ b/data/reports/GO-2025-3665.yaml
@@ -0,0 +1,17 @@
+id: GO-2025-3665
+modules:
+ - module: github.com/inspektor-gadget/inspektor-gadget
+ versions:
+ - introduced: 0.31.0
+ - fixed: 0.40.0
+ vulnerable_at: 0.39.0
+summary: Inspektor Gadget Security Policies Can be Bypassed in github.com/inspektor-gadget/inspektor-gadget
+ghsas:
+ - GHSA-pv22-fqcj-7xwh
+references:
+ - advisory: https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-pv22-fqcj-7xwh
+ - fix: https://github.com/inspektor-gadget/inspektor-gadget/commit/c51d419964f5b6f9344fcad4faba70e2e025212b
+source:
+ id: GHSA-pv22-fqcj-7xwh
+ created: 2025-05-06T09:26:53.444582-04:00
+review_status: UNREVIEWED