data/reports: add 5 reports
- data/reports/GO-2025-3717.yaml
- data/reports/GO-2025-3718.yaml
- data/reports/GO-2025-3719.yaml
- data/reports/GO-2025-3720.yaml
- data/reports/GO-2025-3721.yaml
Fixes golang/vulndb#3717
Fixes golang/vulndb#3718
Fixes golang/vulndb#3719
Fixes golang/vulndb#3720
Fixes golang/vulndb#3721
Change-Id: I7ea692417ac0d0adfd3aaedb4c7983414e4e2737
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/677139
Auto-Submit: Neal Patel <nealpatel@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2025-3717.json b/data/osv/GO-2025-3717.json
new file mode 100644
index 0000000..d693ee4
--- /dev/null
+++ b/data/osv/GO-2025-3717.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3717",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-4057",
+ "GHSA-q5q7-8x6x-hcg2"
+ ],
+ "summary": "ActiveMQ Artemis AMQ Broker Operator Starting Credentials Reuse in github.com/arkmq-org/activemq-artemis-operator",
+ "details": "ActiveMQ Artemis AMQ Broker Operator Starting Credentials Reuse in github.com/arkmq-org/activemq-artemis-operator",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/arkmq-org/activemq-artemis-operator",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-q5q7-8x6x-hcg2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4057"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2025:8147"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2025-4057"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362827"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3717",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3718.json b/data/osv/GO-2025-3718.json
new file mode 100644
index 0000000..5086777
--- /dev/null
+++ b/data/osv/GO-2025-3718.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3718",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-h5f8-crrq-4pw8"
+ ],
+ "summary": "Contrast workload secrets leak to logs on INFO level in github.com/edgelesssys/contrast",
+ "details": "Contrast workload secrets leak to logs on INFO level in github.com/edgelesssys/contrast",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/edgelesssys/contrast",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.8.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3718",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3719.json b/data/osv/GO-2025-3719.json
new file mode 100644
index 0000000..c48b8a7
--- /dev/null
+++ b/data/osv/GO-2025-3719.json
@@ -0,0 +1,93 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3719",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-47952",
+ "GHSA-vrch-868g-9jx5"
+ ],
+ "summary": "Traefik allows path traversal using url encoding in github.com/traefik/traefik",
+ "details": "Traefik allows path traversal using url encoding in github.com/traefik/traefik",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/traefik/traefik",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/traefik/traefik/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.11.25"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/traefik/traefik/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.4.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/traefik/traefik/commit/08d5dfee0164aa54dd44a467870042e18e8d3f00"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/traefik/traefik/releases/tag/v2.11.25"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/traefik/traefik/releases/tag/v3.4.1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3719",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3720.json b/data/osv/GO-2025-3720.json
new file mode 100644
index 0000000..01f5b15
--- /dev/null
+++ b/data/osv/GO-2025-3720.json
@@ -0,0 +1,91 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3720",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-47933",
+ "GHSA-2hj5-g64g-fp6p"
+ ],
+ "summary": "Argo CD allows cross-site scripting on repositories page in github.com/argoproj/argo-cd",
+ "details": "Argo CD allows cross-site scripting on repositories page in github.com/argoproj/argo-cd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-cd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.2.0-rc1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-cd/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.0.0-rc3"
+ },
+ {
+ "fixed": "2.13.8"
+ },
+ {
+ "introduced": "2.14.0-rc1"
+ },
+ {
+ "fixed": "2.14.13"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-cd/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3720",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3721.json b/data/osv/GO-2025-3721.json
new file mode 100644
index 0000000..1c39918
--- /dev/null
+++ b/data/osv/GO-2025-3721.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3721",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-93m4-mfpg-c3xf"
+ ],
+ "summary": "ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection in github.com/zitadel/zitadel",
+ "details": "ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/zitadel/zitadel from v2.38.3 before v2.70.12, from v2.71.0 before v2.71.11, from v3.0.0-rc1 before v3.2.2.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/zitadel/zitadel",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250528081227-c097887bc5f6"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.38.3"
+ },
+ {
+ "fixed": "2.70.12"
+ },
+ {
+ "introduced": "2.71.0"
+ },
+ {
+ "fixed": "2.71.11"
+ },
+ {
+ "introduced": "3.0.0-rc1"
+ },
+ {
+ "fixed": "3.2.2"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-93m4-mfpg-c3xf"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/zitadel/zitadel/commit/c097887bc5f680e12c998580fb56d98a15758f53"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3721",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3717.yaml b/data/reports/GO-2025-3717.yaml
new file mode 100644
index 0000000..5c63d41
--- /dev/null
+++ b/data/reports/GO-2025-3717.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3717
+modules:
+ - module: github.com/arkmq-org/activemq-artemis-operator
+ unsupported_versions:
+ - last_affected: 0.0.0-20250418141202-b262048e6a75
+ vulnerable_at: 1.0.16
+summary: ActiveMQ Artemis AMQ Broker Operator Starting Credentials Reuse in github.com/arkmq-org/activemq-artemis-operator
+cves:
+ - CVE-2025-4057
+ghsas:
+ - GHSA-q5q7-8x6x-hcg2
+references:
+ - advisory: https://github.com/advisories/GHSA-q5q7-8x6x-hcg2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4057
+ - web: https://access.redhat.com/errata/RHSA-2025:8147
+ - web: https://access.redhat.com/security/cve/CVE-2025-4057
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2362827
+source:
+ id: GHSA-q5q7-8x6x-hcg2
+ created: 2025-05-29T12:53:22.860723-04:00
+review_status: UNREVIEWED
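Review bot: The only upper bound given for github.com/arkmq-org/activemq-artemis-operator is `last_affected: 0.0.0-20250418141202-b262048e6a75` under `unsupported_versions`, and the generated data/osv/GO-2025-3717.json in this same change carries just `introduced: "0"` with no `fixed` or `last_affected`, so every version of the module is reported as affected, including whatever is released after the referenced commit. That pseudo-version sorts below the tagged `vulnerable_at: 1.0.16`, so it could not serve as a bound even if it were supported. If the open-ended range is intended until a tagged fix is known, a `notes:` entry saying so, in the style GO-2025-3721 uses for its missing vulnerable_at, would keep a later editor from reading the unbounded range as a fact about the module, e.g. `notes:` / `- fix: 'github.com/arkmq-org/activemq-artemis-operator: source advisory gives no fixed version; OSV range is open-ended'`. The same applies to the v1 modules in GO-2025-3719 (github.com/traefik/traefik, last_affected 1.7.34) and GO-2025-3720 (github.com/argoproj/argo-cd, last_affected 1.8.7), whose generated ranges are likewise unbounded.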
diff --git a/data/reports/GO-2025-3718.yaml b/data/reports/GO-2025-3718.yaml
new file mode 100644
index 0000000..f47644a
--- /dev/null
+++ b/data/reports/GO-2025-3718.yaml
@@ -0,0 +1,15 @@
+id: GO-2025-3718
+modules:
+ - module: github.com/edgelesssys/contrast
+ versions:
+ - fixed: 1.8.1
+ vulnerable_at: 1.8.0
+summary: Contrast workload secrets leak to logs on INFO level in github.com/edgelesssys/contrast
+ghsas:
+ - GHSA-h5f8-crrq-4pw8
+references:
+ - advisory: https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8
+source:
+ id: GHSA-h5f8-crrq-4pw8
+ created: 2025-05-29T12:53:20.603427-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3719.yaml b/data/reports/GO-2025-3719.yaml
new file mode 100644
index 0000000..ad68a97
--- /dev/null
+++ b/data/reports/GO-2025-3719.yaml
@@ -0,0 +1,28 @@
+id: GO-2025-3719
+modules:
+ - module: github.com/traefik/traefik
+ unsupported_versions:
+ - last_affected: 1.7.34
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.11.25
+ vulnerable_at: 2.11.24
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - fixed: 3.4.1
+ vulnerable_at: 3.4.0
+summary: Traefik allows path traversal using url encoding in github.com/traefik/traefik
+cves:
+ - CVE-2025-47952
+ghsas:
+ - GHSA-vrch-868g-9jx5
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5
+ - fix: https://github.com/traefik/traefik/commit/08d5dfee0164aa54dd44a467870042e18e8d3f00
+ - web: https://github.com/traefik/traefik/releases/tag/v2.11.25
+ - web: https://github.com/traefik/traefik/releases/tag/v3.4.1
+source:
+ id: GHSA-vrch-868g-9jx5
+ created: 2025-05-29T12:53:15.54652-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3720.yaml b/data/reports/GO-2025-3720.yaml
new file mode 100644
index 0000000..dcef5bc
--- /dev/null
+++ b/data/reports/GO-2025-3720.yaml
@@ -0,0 +1,31 @@
+id: GO-2025-3720
+modules:
+ - module: github.com/argoproj/argo-cd
+ versions:
+ - introduced: 1.2.0-rc1
+ unsupported_versions:
+ - last_affected: 1.8.7
+ vulnerable_at: 1.8.6
+ - module: github.com/argoproj/argo-cd/v2
+ versions:
+ - introduced: 2.0.0-rc3
+ - fixed: 2.13.8
+ - introduced: 2.14.0-rc1
+ - fixed: 2.14.13
+ vulnerable_at: 2.14.12
+ - module: github.com/argoproj/argo-cd/v3
+ versions:
+ - fixed: 3.0.4
+ vulnerable_at: 3.0.3
+summary: Argo CD allows cross-site scripting on repositories page in github.com/argoproj/argo-cd
+cves:
+ - CVE-2025-47933
+ghsas:
+ - GHSA-2hj5-g64g-fp6p
+references:
+ - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p
+ - fix: https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1
+source:
+ id: GHSA-2hj5-g64g-fp6p
+ created: 2025-05-29T12:53:10.183603-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3721.yaml b/data/reports/GO-2025-3721.yaml
new file mode 100644
index 0000000..a45db1c
--- /dev/null
+++ b/data/reports/GO-2025-3721.yaml
@@ -0,0 +1,24 @@
+id: GO-2025-3721
+modules:
+ - module: github.com/zitadel/zitadel
+ versions:
+ - fixed: 0.0.0-20250528081227-c097887bc5f6
+ non_go_versions:
+ - introduced: 2.38.3
+ - fixed: 2.70.12
+ - introduced: 2.71.0
+ - fixed: 2.71.11
+ - introduced: 3.0.0-rc1
+ - fixed: 3.2.2
+summary: ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection in github.com/zitadel/zitadel
+ghsas:
+ - GHSA-93m4-mfpg-c3xf
+references:
+ - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-93m4-mfpg-c3xf
+ - fix: https://github.com/zitadel/zitadel/commit/c097887bc5f680e12c998580fb56d98a15758f53
+notes:
+ - fix: 'github.com/zitadel/zitadel: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-93m4-mfpg-c3xf
+ created: 2025-05-29T12:52:59.445805-04:00
+review_status: UNREVIEWED
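Review bot: The SEMVER range for github.com/zitadel/zitadel is `fixed: 0.0.0-20250528081227-c097887bc5f6` with no tagged fix, and a 0.0.0 pseudo-version sorts below every tagged release, so the generated range (introduced 0, fixed 0.0.0-…) excludes any tagged v2.x or v3.x version a consumer might report, presumably as +incompatible given the module path has no /v2 or /v3 suffix. The affected tags listed under `non_go_versions` reach the OSV output only as `ecosystem_specific.custom_ranges`, which a scanner that honors just the SEMVER range will not apply. The existing `notes:` entry explains the missing vulnerable_at but not this, so I would add a second line: `- fix: 'github.com/zitadel/zitadel: fixed is a pseudo-version; tagged v2/v3 releases are covered only by non_go_versions'`. The fix commit c097887bc5f680e12c998580fb56d98a15758f53 matches the pseudo-version suffix, so the boundary itself looks consistent.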