data/reports: add 5 unreviewed reports
- data/reports/GO-2024-3294.yaml
- data/reports/GO-2024-3296.yaml
- data/reports/GO-2024-3299.yaml
- data/reports/GO-2024-3300.yaml
- data/reports/GO-2024-3303.yaml
Fixes golang/vulndb#3294
Fixes golang/vulndb#3296
Fixes golang/vulndb#3299
Fixes golang/vulndb#3300
Fixes golang/vulndb#3303
Change-Id: I0f474a123c1df553293cac4ab062b4cdb1011ec1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/632976
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2024-3294.json b/data/osv/GO-2024-3294.json
new file mode 100644
index 0000000..ee8de84
--- /dev/null
+++ b/data/osv/GO-2024-3294.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3294",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-53264"
+ ],
+ "summary": "Open Redirect Vulnerability in Loading Page in bunkerweb in github.com/bunkerity/bunkerweb",
+ "details": "Open Redirect Vulnerability in Loading Page in bunkerweb in github.com/bunkerity/bunkerweb",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/bunkerity/bunkerweb",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.5.11"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53264"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/bunkerity/bunkerweb/security/advisories/GHSA-q9rr-h3hx-m87g"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3294",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3296.json b/data/osv/GO-2024-3296.json
new file mode 100644
index 0000000..2e1395d
--- /dev/null
+++ b/data/osv/GO-2024-3296.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3296",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-53858",
+ "GHSA-jwcm-9g39-pmcw"
+ ],
+ "summary": "Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in github.com/cli/cli",
+ "details": "Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in github.com/cli/cli",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cli/cli",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/cli/cli/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.63.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cli/cli/security/advisories/GHSA-jwcm-9g39-pmcw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53858"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git-scm.com/docs/gitcredentials"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3296",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3299.json b/data/osv/GO-2024-3299.json
new file mode 100644
index 0000000..0840622
--- /dev/null
+++ b/data/osv/GO-2024-3299.json
@@ -0,0 +1,97 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3299",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-52003",
+ "GHSA-h924-8g65-j9wg"
+ ],
+ "summary": "Traefik's X-Forwarded-Prefix Header still allows for Open Redirect in github.com/traefik/traefik",
+ "details": "Traefik's X-Forwarded-Prefix Header still allows for Open Redirect in github.com/traefik/traefik",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/traefik/traefik",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/traefik/traefik/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.11.14"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/traefik/traefik/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.2.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52003"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/traefik/traefik/pull/11253"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/traefik/traefik/releases/tag/v2.11.14"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/traefik/traefik/releases/tag/v3.2.1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3299",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3300.json b/data/osv/GO-2024-3300.json
new file mode 100644
index 0000000..2b48834
--- /dev/null
+++ b/data/osv/GO-2024-3300.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3300",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-52801",
+ "GHSA-6943-qr24-82vx"
+ ],
+ "summary": "sftpgo vulnerable to brute force takeover of OpenID Connect session cookies in github.com/drakkan/sftpgo",
+ "details": "sftpgo vulnerable to brute force takeover of OpenID Connect session cookies in github.com/drakkan/sftpgo",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/drakkan/sftpgo",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/drakkan/sftpgo/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.3.0"
+ },
+ {
+ "fixed": "2.6.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-6943-qr24-82vx"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52801"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rs/xid"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3300",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3303.json b/data/osv/GO-2024-3303.json
new file mode 100644
index 0000000..6c36f51
--- /dev/null
+++ b/data/osv/GO-2024-3303.json
@@ -0,0 +1,91 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3303",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-53862"
+ ],
+ "summary": "Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode in github.com/argoproj/argo-workflows",
+ "details": "Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode in github.com/argoproj/argo-workflows",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-workflows",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-workflows/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-workflows/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "3.5.7"
+ },
+ {
+ "fixed": "3.5.13"
+ },
+ {
+ "introduced": "3.6.0-rc1"
+ },
+ {
+ "fixed": "3.6.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53862"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3303",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-3294.yaml b/data/reports/GO-2024-3294.yaml
new file mode 100644
index 0000000..8bdd359
--- /dev/null
+++ b/data/reports/GO-2024-3294.yaml
@@ -0,0 +1,16 @@
+id: GO-2024-3294
+modules:
+ - module: github.com/bunkerity/bunkerweb
+ versions:
+ - fixed: 1.5.11
+ vulnerable_at: 1.5.10
+summary: Open Redirect Vulnerability in Loading Page in bunkerweb in github.com/bunkerity/bunkerweb
+cves:
+ - CVE-2024-53264
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-53264
+ - web: https://github.com/bunkerity/bunkerweb/security/advisories/GHSA-q9rr-h3hx-m87g
+source:
+ id: CVE-2024-53264
+ created: 2024-12-02T14:56:38.107508-05:00
+review_status: UNREVIEWED
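Review bot: The GHSA on the `web:` reference line (GHSA-q9rr-h3hx-m87g) is not recorded under a `ghsas:` key, so the generated OSV for this report lists only the CVE as an alias; if that advisory covers the same issue as CVE-2024-53264, add `ghsas:` / `  - GHSA-q9rr-h3hx-m87g` and change the reference to `- advisory: https://github.com/bunkerity/bunkerweb/security/advisories/GHSA-q9rr-h3hx-m87g`, matching how GO-2024-3296 and GO-2024-3299 in this change record their GHSAs. GO-2024-3303 has the same gap: GHSA-h36c-m3rf-34h9 appears only as a `web:` reference with no `ghsas:` entry. Whether each GHSA is a true alias of the CVE cannot be confirmed from the diff alone and should be checked against the advisory text.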
diff --git a/data/reports/GO-2024-3296.yaml b/data/reports/GO-2024-3296.yaml
new file mode 100644
index 0000000..3913b65
--- /dev/null
+++ b/data/reports/GO-2024-3296.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-3296
+modules:
+ - module: github.com/cli/cli
+ vulnerable_at: 1.14.0
+ - module: github.com/cli/cli/v2
+ versions:
+ - fixed: 2.63.0
+ vulnerable_at: 2.62.0
+summary: |-
+ Recursive repository cloning can leak authentication tokens to non-GitHub
+ submodule hosts in github.com/cli/cli
+cves:
+ - CVE-2024-53858
+ghsas:
+ - GHSA-jwcm-9g39-pmcw
+references:
+ - advisory: https://github.com/cli/cli/security/advisories/GHSA-jwcm-9g39-pmcw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-53858
+ - web: https://git-scm.com/docs/gitcredentials
+source:
+ id: GHSA-jwcm-9g39-pmcw
+ created: 2024-12-02T14:56:29.536126-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3299.yaml b/data/reports/GO-2024-3299.yaml
new file mode 100644
index 0000000..35f1be9
--- /dev/null
+++ b/data/reports/GO-2024-3299.yaml
@@ -0,0 +1,27 @@
+id: GO-2024-3299
+modules:
+ - module: github.com/traefik/traefik
+ vulnerable_at: 1.7.34
+ - module: github.com/traefik/traefik/v2
+ versions:
+ - fixed: 2.11.14
+ vulnerable_at: 2.11.13
+ - module: github.com/traefik/traefik/v3
+ versions:
+ - fixed: 3.2.1
+ vulnerable_at: 3.2.0
+summary: Traefik's X-Forwarded-Prefix Header still allows for Open Redirect in github.com/traefik/traefik
+cves:
+ - CVE-2024-52003
+ghsas:
+ - GHSA-h924-8g65-j9wg
+references:
+ - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52003
+ - fix: https://github.com/traefik/traefik/pull/11253
+ - web: https://github.com/traefik/traefik/releases/tag/v2.11.14
+ - web: https://github.com/traefik/traefik/releases/tag/v3.2.1
+source:
+ id: GHSA-h924-8g65-j9wg
+ created: 2024-12-02T14:56:24.090371-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3300.yaml b/data/reports/GO-2024-3300.yaml
new file mode 100644
index 0000000..2e43eab
--- /dev/null
+++ b/data/reports/GO-2024-3300.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-3300
+modules:
+ - module: github.com/drakkan/sftpgo
+ vulnerable_at: 1.2.2
+ - module: github.com/drakkan/sftpgo/v2
+ versions:
+ - introduced: 2.3.0
+ - fixed: 2.6.4
+ vulnerable_at: 2.6.3
+summary: sftpgo vulnerable to brute force takeover of OpenID Connect session cookies in github.com/drakkan/sftpgo
+cves:
+ - CVE-2024-52801
+ghsas:
+ - GHSA-6943-qr24-82vx
+references:
+ - advisory: https://github.com/drakkan/sftpgo/security/advisories/GHSA-6943-qr24-82vx
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52801
+ - fix: https://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6
+ - web: https://github.com/rs/xid
+source:
+ id: GHSA-6943-qr24-82vx
+ created: 2024-12-02T14:56:19.561793-05:00
+review_status: UNREVIEWED
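Review bot: The v1 module `github.com/drakkan/sftpgo` is listed with `vulnerable_at: 1.2.2` and no `versions:`, which the generated OSV renders as vulnerable from `"introduced": "0"` with no fix, while the v2 entry narrows the range to `- introduced: 2.3.0`; if the OpenID Connect session handling named in the summary only exists from 2.3.0, the v1 line overstates the affected set. Confirm that v1 actually ships the affected code, or drop the v1 module entry so the two majors tell a consistent story. GO-2024-3303 has the same shape: its v1 and v2 modules are marked wholly vulnerable while v3 starts at `- introduced: 3.5.7`, which suggests the bug was introduced in that release rather than present since the first commit.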
diff --git a/data/reports/GO-2024-3303.yaml b/data/reports/GO-2024-3303.yaml
new file mode 100644
index 0000000..d1b5bde
--- /dev/null
+++ b/data/reports/GO-2024-3303.yaml
@@ -0,0 +1,26 @@
+id: GO-2024-3303
+modules:
+ - module: github.com/argoproj/argo-workflows
+ vulnerable_at: 0.4.7
+ - module: github.com/argoproj/argo-workflows/v2
+ vulnerable_at: 2.12.13
+ - module: github.com/argoproj/argo-workflows/v3
+ versions:
+ - introduced: 3.5.7
+ - fixed: 3.5.13
+ - introduced: 3.6.0-rc1
+ - fixed: 3.6.2
+ vulnerable_at: 3.6.1
+summary: |-
+ Argo Workflows Allows Access to Archived Workflows with Fake Token in `client`
+ mode in github.com/argoproj/argo-workflows
+cves:
+ - CVE-2024-53862
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-53862
+ - fix: https://github.com/argoproj/argo-workflows/pull/13021/files#diff-a5b255abaceddc9cc20bf6da6ae92c3a5d3605d94366af503ed754c079a1171aL668-R715
+ - web: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-h36c-m3rf-34h9
+source:
+ id: CVE-2024-53862
+ created: 2024-12-02T14:56:09.920859-05:00
+review_status: UNREVIEWED