data/reports: add 21 unreviewed reports
- data/reports/GO-2024-3081.yaml
- data/reports/GO-2024-3082.yaml
- data/reports/GO-2024-3083.yaml
- data/reports/GO-2024-3085.yaml
- data/reports/GO-2024-3086.yaml
- data/reports/GO-2024-3087.yaml
- data/reports/GO-2024-3088.yaml
- data/reports/GO-2024-3089.yaml
- data/reports/GO-2024-3090.yaml
- data/reports/GO-2024-3091.yaml
- data/reports/GO-2024-3092.yaml
- data/reports/GO-2024-3093.yaml
- data/reports/GO-2024-3094.yaml
- data/reports/GO-2024-3095.yaml
- data/reports/GO-2024-3096.yaml
- data/reports/GO-2024-3097.yaml
- data/reports/GO-2024-3099.yaml
- data/reports/GO-2024-3100.yaml
- data/reports/GO-2024-3102.yaml
- data/reports/GO-2024-3103.yaml
- data/reports/GO-2024-3104.yaml
Fixes golang/vulndb#3081
Fixes golang/vulndb#3082
Fixes golang/vulndb#3083
Fixes golang/vulndb#3085
Fixes golang/vulndb#3086
Fixes golang/vulndb#3087
Fixes golang/vulndb#3088
Fixes golang/vulndb#3089
Fixes golang/vulndb#3090
Fixes golang/vulndb#3091
Fixes golang/vulndb#3092
Fixes golang/vulndb#3093
Fixes golang/vulndb#3094
Fixes golang/vulndb#3095
Fixes golang/vulndb#3096
Fixes golang/vulndb#3097
Fixes golang/vulndb#3099
Fixes golang/vulndb#3100
Fixes golang/vulndb#3102
Fixes golang/vulndb#3103
Fixes golang/vulndb#3104
Change-Id: If55f3ff19b07f49b6477d5c0d3eb5f5b6f3adbd0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/609141
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/osv/GO-2024-3081.json b/data/osv/GO-2024-3081.json
new file mode 100644
index 0000000..af65c20
--- /dev/null
+++ b/data/osv/GO-2024-3081.json
@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3081",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-fpgj-cr28-fvpx"
+ ],
+ "summary": "CWA-2024-006: wasmd non-deterministic module_query_safe query in github.com/CosmWasm/wasmd",
+ "details": "CWA-2024-006: wasmd non-deterministic module_query_safe query in github.com/CosmWasm/wasmd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/CosmWasm/wasmd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.52.0"
+ },
+ {
+ "fixed": "0.53.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/CosmWasm/wasmd/security/advisories/GHSA-fpgj-cr28-fvpx"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/CosmWasm/wasmd/commit/db8981db8419fc4daa042ce04e279efb53c4ff29"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-006.md"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3081",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3082.json b/data/osv/GO-2024-3082.json
new file mode 100644
index 0000000..024b2bb
--- /dev/null
+++ b/data/osv/GO-2024-3082.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3082",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-g8w7-7vgg-x7xg"
+ ],
+ "summary": "CWA-2024-005: Stackoverflow in wasmd in github.com/CosmWasm/wasmd",
+ "details": "CWA-2024-005: Stackoverflow in wasmd in github.com/CosmWasm/wasmd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/CosmWasm/wasmd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.46.0"
+ },
+ {
+ "introduced": "0.50.0"
+ },
+ {
+ "fixed": "0.53.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/CosmWasm/wasmd/security/advisories/GHSA-g8w7-7vgg-x7xg"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/CosmWasm/wasmd/commit/71cf6a8145426b82ed6249ecc86ddd281af9f97b"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/CosmWasm/wasmd/commit/db8981db8419fc4daa042ce04e279efb53c4ff29"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-005.md"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3082",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3083.json b/data/osv/GO-2024-3083.json
new file mode 100644
index 0000000..c5d2197
--- /dev/null
+++ b/data/osv/GO-2024-3083.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3083",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-6508",
+ "GHSA-4crf-28c7-v4gr"
+ ],
+ "summary": "Openshift Console insufficient entropy vulnerability in github.com/openshift/console",
+ "details": "Openshift Console insufficient entropy vulnerability in github.com/openshift/console",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openshift/console",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4crf-28c7-v4gr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6508"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-6508"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295777"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3083",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3085.json b/data/osv/GO-2024-3085.json
new file mode 100644
index 0000000..05c329d
--- /dev/null
+++ b/data/osv/GO-2024-3085.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3085",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-42490",
+ "GHSA-qxqc-27pr-wgc8"
+ ],
+ "summary": "GoAuthentik vulnerable to Insufficient Authorization for several API endpoints in goauthentik.io",
+ "details": "GoAuthentik vulnerable to Insufficient Authorization for several API endpoints in goauthentik.io.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: goauthentik.io before v2024.4.4, from v2024.6.0-rc1 before v2024.6.4.",
+ "affected": [
+ {
+ "package": {
+ "name": "goauthentik.io",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2024.4.4"
+ },
+ {
+ "introduced": "2024.6.0-rc1"
+ },
+ {
+ "fixed": "2024.6.4"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qxqc-27pr-wgc8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42490"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/goauthentik/authentik/commit/19318d4c00bb02c4ec3c4f8f15ac2e1dbe8d846c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/goauthentik/authentik/commit/359b343f51524342a5ca03828e7c975a1d654b11"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3085",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3086.json b/data/osv/GO-2024-3086.json
new file mode 100644
index 0000000..87855ff
--- /dev/null
+++ b/data/osv/GO-2024-3086.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3086",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-41658",
+ "GHSA-gv2p-4mvg-g32h"
+ ],
+ "summary": "Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036) in github.com/casdoor/casdoor",
+ "details": "Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036) in github.com/casdoor/casdoor",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/casdoor/casdoor",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-gv2p-4mvg-g32h"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41658"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casdoor/casdoor/blob/v1.577.0/web/src/QrCodePage.js"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3086",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3087.json b/data/osv/GO-2024-3087.json
new file mode 100644
index 0000000..de275a1
--- /dev/null
+++ b/data/osv/GO-2024-3087.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3087",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-41657",
+ "GHSA-mchx-7j67-8mcf"
+ ],
+ "summary": "Casdoor CORS misconfiguration (GHSL-2024-035) in github.com/casdoor/casdoor",
+ "details": "Casdoor CORS misconfiguration (GHSL-2024-035) in github.com/casdoor/casdoor",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/casdoor/casdoor",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-mchx-7j67-8mcf"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41657"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casdoor/casdoor/blob/v1.577.0/routers/cors_filter.go#L45"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3087",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3088.json b/data/osv/GO-2024-3088.json
new file mode 100644
index 0000000..00e2847
--- /dev/null
+++ b/data/osv/GO-2024-3088.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3088",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-41659",
+ "GHSA-p4fx-qf2h-jpmj"
+ ],
+ "summary": "memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos",
+ "details": "memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/usememos/memos",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.21.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-p4fx-qf2h-jpmj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41659"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://securitylab.github.com/advisories/GHSL-2024-034_memos"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3088",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3089.json b/data/osv/GO-2024-3089.json
new file mode 100644
index 0000000..8366e4e
--- /dev/null
+++ b/data/osv/GO-2024-3089.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3089",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-43780",
+ "GHSA-2jhx-w3vc-w59g"
+ ],
+ "summary": "Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-2jhx-w3vc-w59g"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43780"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3089",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
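Review bot: The `github.com/mattermost/mattermost-server/v5`, `github.com/mattermost/mattermost-server/v6` and `github.com/mattermost/mattermost/server/v8` entries carry only `"introduced": "0"` with no `fixed` event, so a scanner matching on this record will report every version of those modules as affected, while the first entry is bounded to the 9.5.x–9.10.x release lines. Unlike GO-2024-3085, the `details` text here does not say that the ranges are open-ended because versions could not be mapped; if that is the cause, the same kind of note, plus a `custom_ranges` entry under `ecosystem_specific`, would let consumers triage the resulting false positives. The same pattern repeats in GO-2024-3090 through GO-2024-3094, GO-2024-3096 and GO-2024-3097. This JSON looks generated from the `data/reports` YAML files named in the commit message, so the change would presumably belong there rather than in this file.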
diff --git a/data/osv/GO-2024-3090.json b/data/osv/GO-2024-3090.json
new file mode 100644
index 0000000..a48e4c4
--- /dev/null
+++ b/data/osv/GO-2024-3090.json
@@ -0,0 +1,109 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3090",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-40884",
+ "GHSA-3j95-8g47-fpwh"
+ ],
+ "summary": "Mattermost allows team admin user without \"Add Team Members\" permission to disable invite URL in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows team admin user without \"Add Team Members\" permission to disable invite URL in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-3j95-8g47-fpwh"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40884"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3090",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3091.json b/data/osv/GO-2024-3091.json
new file mode 100644
index 0000000..791cad8
--- /dev/null
+++ b/data/osv/GO-2024-3091.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3091",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-42497",
+ "GHSA-fxq9-6946-34q7"
+ ],
+ "summary": "Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-fxq9-6946-34q7"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42497"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3091",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3092.json b/data/osv/GO-2024-3092.json
new file mode 100644
index 0000000..4ae70b9
--- /dev/null
+++ b/data/osv/GO-2024-3092.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3092",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-39777",
+ "GHSA-q22q-2rrf-m27p"
+ ],
+ "summary": "Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.7+incompatible"
+ },
+ {
+ "introduced": "9.7.0+incompatible"
+ },
+ {
+ "fixed": "9.7.6+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.1+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-q22q-2rrf-m27p"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39777"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3092",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3093.json b/data/osv/GO-2024-3093.json
new file mode 100644
index 0000000..34c4565
--- /dev/null
+++ b/data/osv/GO-2024-3093.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3093",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-32939",
+ "GHSA-4ww8-fprq-cq34"
+ ],
+ "summary": "Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server",
+ "details": "Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4ww8-fprq-cq34"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32939"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3093",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3094.json b/data/osv/GO-2024-3094.json
new file mode 100644
index 0000000..b755969
--- /dev/null
+++ b/data/osv/GO-2024-3094.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3094",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-8071",
+ "GHSA-5263-pm2h-m7hw"
+ ],
+ "summary": "Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server",
+ "details": "Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-5263-pm2h-m7hw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8071"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3094",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3095.json b/data/osv/GO-2024-3095.json
new file mode 100644
index 0000000..fdfa337
--- /dev/null
+++ b/data/osv/GO-2024-3095.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3095",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-43105",
+ "GHSA-869f-px86-vj84"
+ ],
+ "summary": "Mattermost Plugin Channel Export excessive resource consumption in github.com/mattermost/mattermost-plugin-channel-export",
+ "details": "Mattermost Plugin Channel Export excessive resource consumption in github.com/mattermost/mattermost-plugin-channel-export",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-plugin-channel-export",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-869f-px86-vj84"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43105"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/mattermost/mattermost-plugin-channel-export/commit/bb6da1f6bedd6cefe2276d6493b5541843c543a6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3095",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3096.json b/data/osv/GO-2024-3096.json
new file mode 100644
index 0000000..5712383
--- /dev/null
+++ b/data/osv/GO-2024-3096.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3096",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-39836",
+ "GHSA-c6vp-jjgv-38wj"
+ ],
+ "summary": "Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-c6vp-jjgv-38wj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39836"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3096",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3097.json b/data/osv/GO-2024-3097.json
new file mode 100644
index 0000000..5d04cd3
--- /dev/null
+++ b/data/osv/GO-2024-3097.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3097",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-40886",
+ "GHSA-hrf9-rm95-fpf3"
+ ],
+ "summary": "Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-hrf9-rm95-fpf3"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40886"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3097",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3099.json b/data/osv/GO-2024-3099.json
new file mode 100644
index 0000000..63a4e2e
--- /dev/null
+++ b/data/osv/GO-2024-3099.json
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3099",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-45244",
+ "GHSA-48gg-32q2-4r6m"
+ ],
+ "summary": "Hyperledger Fabric does not verify request has a timestamp within the expected time window in github.com/hyperledger/fabric",
+ "details": "Hyperledger Fabric does not verify request has a timestamp within the expected time window in github.com/hyperledger/fabric",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hyperledger/fabric",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-48gg-32q2-4r6m"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45244"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hyperledger/fabric/commit/155457a6624b3c74b22e5729c35c8499bfe952cd"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3099",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3100.json b/data/osv/GO-2024-3100.json
new file mode 100644
index 0000000..82dfcd6
--- /dev/null
+++ b/data/osv/GO-2024-3100.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3100",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-43798",
+ "GHSA-38jh-8h67-m7mj"
+ ],
+ "summary": "Chisel's AUTH environment variable not respected in server entrypoint in github.com/jpillora/chisel",
+ "details": "Chisel's AUTH environment variable not respected in server entrypoint in github.com/jpillora/chisel",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/jpillora/chisel",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.10.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/jpillora/chisel/security/advisories/GHSA-38jh-8h67-m7mj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43798"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L138"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L452"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3100",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3102.json b/data/osv/GO-2024-3102.json
new file mode 100644
index 0000000..e878336
--- /dev/null
+++ b/data/osv/GO-2024-3102.json
@@ -0,0 +1,84 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3102",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-45043",
+ "GHSA-prf6-xjxh-p698"
+ ],
+ "summary": "OpenTelemetry Collector module AWS Firehose Receiver Authentication Bypass Vulnerability in github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver",
+ "details": "OpenTelemetry Collector module AWS Firehose Receiver Authentication Bypass Vulnerability in github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.49.0"
+ },
+ {
+ "fixed": "0.108.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45043"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector#alpha"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/371bf6afbd7cfa3253fa1674f5444064e86ef0ac"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3102",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3103.json b/data/osv/GO-2024-3103.json
new file mode 100644
index 0000000..fd3dfe1
--- /dev/null
+++ b/data/osv/GO-2024-3103.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3103",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-45054",
+ "GHSA-mgwr-h7mv-fh29"
+ ],
+ "summary": "Hwameistor Potential Permission Leakage of Cluster Level in github.com/hwameistor/hwameistor",
+ "details": "Hwameistor Potential Permission Leakage of Cluster Level in github.com/hwameistor/hwameistor",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hwameistor/hwameistor",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.14.6"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45054"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/hwameistor/hwameistor/issues/1457"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/hwameistor/hwameistor/issues/1460"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3103",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3104.json b/data/osv/GO-2024-3104.json
new file mode 100644
index 0000000..5a8d607
--- /dev/null
+++ b/data/osv/GO-2024-3104.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3104",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-45436",
+ "GHSA-846m-99qv-67mg"
+ ],
+ "summary": "Ollama can extract members of a ZIP archive outside of the parent directory in github.com/ollama/ollama",
+ "details": "Ollama can extract members of a ZIP archive outside of the parent directory in github.com/ollama/ollama",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ollama/ollama",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.1.47"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-846m-99qv-67mg"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45436"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ollama/ollama/pull/5314"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ollama/ollama/compare/v0.1.46...v0.1.47"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3104",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-3081.yaml b/data/reports/GO-2024-3081.yaml
new file mode 100644
index 0000000..f40f8ec
--- /dev/null
+++ b/data/reports/GO-2024-3081.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-3081
+modules:
+ - module: github.com/CosmWasm/wasmd
+ versions:
+ - introduced: 0.52.0
+ - fixed: 0.53.0
+ vulnerable_at: 0.52.0
+summary: 'CWA-2024-006: wasmd non-deterministic module_query_safe query in github.com/CosmWasm/wasmd'
+ghsas:
+ - GHSA-fpgj-cr28-fvpx
+references:
+ - advisory: https://github.com/CosmWasm/wasmd/security/advisories/GHSA-fpgj-cr28-fvpx
+ - fix: https://github.com/CosmWasm/wasmd/commit/db8981db8419fc4daa042ce04e279efb53c4ff29
+ - web: https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-006.md
+source:
+ id: GHSA-fpgj-cr28-fvpx
+ created: 2024-08-30T11:58:15.507187-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3082.yaml b/data/reports/GO-2024-3082.yaml
new file mode 100644
index 0000000..738869a
--- /dev/null
+++ b/data/reports/GO-2024-3082.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3082
+modules:
+ - module: github.com/CosmWasm/wasmd
+ versions:
+ - fixed: 0.46.0
+ - introduced: 0.50.0
+ - fixed: 0.53.0
+ vulnerable_at: 0.52.0
+summary: 'CWA-2024-005: Stackoverflow in wasmd in github.com/CosmWasm/wasmd'
+ghsas:
+ - GHSA-g8w7-7vgg-x7xg
+references:
+ - advisory: https://github.com/CosmWasm/wasmd/security/advisories/GHSA-g8w7-7vgg-x7xg
+ - fix: https://github.com/CosmWasm/wasmd/commit/71cf6a8145426b82ed6249ecc86ddd281af9f97b
+ - fix: https://github.com/CosmWasm/wasmd/commit/db8981db8419fc4daa042ce04e279efb53c4ff29
+ - web: https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-005.md
+source:
+ id: GHSA-g8w7-7vgg-x7xg
+ created: 2024-08-30T11:58:11.333979-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3083.yaml b/data/reports/GO-2024-3083.yaml
new file mode 100644
index 0000000..1bf376c
--- /dev/null
+++ b/data/reports/GO-2024-3083.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3083
+modules:
+ - module: github.com/openshift/console
+ unsupported_versions:
+ - last_affected: 6.0.6
+ vulnerable_at: 6.0.6+incompatible
+summary: Openshift Console insufficient entropy vulnerability in github.com/openshift/console
+cves:
+ - CVE-2024-6508
+ghsas:
+ - GHSA-4crf-28c7-v4gr
+references:
+ - advisory: https://github.com/advisories/GHSA-4crf-28c7-v4gr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6508
+ - web: https://access.redhat.com/security/cve/CVE-2024-6508
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2295777
+source:
+ id: GHSA-4crf-28c7-v4gr
+ created: 2024-08-30T11:54:56.473463-04:00
+review_status: UNREVIEWED
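Review bot: With only `unsupported_versions` and no `versions` list, this report gives scanners no upper bound, so every release of github.com/openshift/console is likely to be reported as affected, including any that already carry a fix. The generated data/osv/GO-2024-3099.json in this commit shows the effect for a report of the same shape: a single `"introduced": "0"` event, even though a fix commit is listed in its references. GO-2024-3085 (via `non_go_versions`), GO-2024-3086, GO-2024-3087 and GO-2024-3099 have the same gap. Once a fixed tag that resolves as a Go module version is confirmed, add it as `versions:` / `- fixed: <FIXED_VERSION>` (placeholder) so patched deployments stop being flagged and real findings are not lost in the noise.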
diff --git a/data/reports/GO-2024-3085.yaml b/data/reports/GO-2024-3085.yaml
new file mode 100644
index 0000000..7f9efbe
--- /dev/null
+++ b/data/reports/GO-2024-3085.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3085
+modules:
+ - module: goauthentik.io
+ non_go_versions:
+ - fixed: 2024.4.4
+ - introduced: 2024.6.0-rc1
+ - fixed: 2024.6.4
+ vulnerable_at: 0.0.0-20240830143927-1003c79d8cc6
+summary: GoAuthentik vulnerable to Insufficient Authorization for several API endpoints in goauthentik.io
+cves:
+ - CVE-2024-42490
+ghsas:
+ - GHSA-qxqc-27pr-wgc8
+references:
+ - advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-qxqc-27pr-wgc8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-42490
+ - web: https://github.com/goauthentik/authentik/commit/19318d4c00bb02c4ec3c4f8f15ac2e1dbe8d846c
+ - web: https://github.com/goauthentik/authentik/commit/359b343f51524342a5ca03828e7c975a1d654b11
+source:
+ id: GHSA-qxqc-27pr-wgc8
+ created: 2024-08-30T11:54:49.614232-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3086.yaml b/data/reports/GO-2024-3086.yaml
new file mode 100644
index 0000000..a17d06d
--- /dev/null
+++ b/data/reports/GO-2024-3086.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3086
+modules:
+ - module: github.com/casdoor/casdoor
+ unsupported_versions:
+ - last_affected: 1.577.0
+ vulnerable_at: 1.685.0
+summary: Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036) in github.com/casdoor/casdoor
+cves:
+ - CVE-2024-41658
+ghsas:
+ - GHSA-gv2p-4mvg-g32h
+references:
+ - advisory: https://github.com/advisories/GHSA-gv2p-4mvg-g32h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41658
+ - advisory: https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor
+ - web: https://github.com/casdoor/casdoor/blob/v1.577.0/web/src/QrCodePage.js
+source:
+ id: GHSA-gv2p-4mvg-g32h
+ created: 2024-08-30T11:54:45.361649-04:00
+review_status: UNREVIEWED
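Review bot: `vulnerable_at: 1.685.0` is higher than `last_affected: 1.577.0`, so the two fields disagree about whether 1.685.0 is vulnerable. GO-2024-3087 has the same pair, and its `last_affected: 1.557.0` also differs from the `v1.577.0` tag in its own reference URL, which may be a transposed digit carried over from the advisory. If 1.577.0 really is the last affected release, `vulnerable_at: 1.577.0` would make the report self-consistent. Otherwise the upper bound should be rechecked against the upstream advisory before later releases are treated as patched.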
diff --git a/data/reports/GO-2024-3087.yaml b/data/reports/GO-2024-3087.yaml
new file mode 100644
index 0000000..7a68d42
--- /dev/null
+++ b/data/reports/GO-2024-3087.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3087
+modules:
+ - module: github.com/casdoor/casdoor
+ unsupported_versions:
+ - last_affected: 1.557.0
+ vulnerable_at: 1.685.0
+summary: Casdoor CORS misconfiguration (GHSL-2024-035) in github.com/casdoor/casdoor
+cves:
+ - CVE-2024-41657
+ghsas:
+ - GHSA-mchx-7j67-8mcf
+references:
+ - advisory: https://github.com/advisories/GHSA-mchx-7j67-8mcf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41657
+ - advisory: https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor
+ - web: https://github.com/casdoor/casdoor/blob/v1.577.0/routers/cors_filter.go#L45
+source:
+ id: GHSA-mchx-7j67-8mcf
+ created: 2024-08-30T11:54:41.213942-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3088.yaml b/data/reports/GO-2024-3088.yaml
new file mode 100644
index 0000000..552fb12
--- /dev/null
+++ b/data/reports/GO-2024-3088.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3088
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.21.0
+ vulnerable_at: 0.20.1
+summary: memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos
+cves:
+ - CVE-2024-41659
+ghsas:
+ - GHSA-p4fx-qf2h-jpmj
+references:
+ - advisory: https://github.com/advisories/GHSA-p4fx-qf2h-jpmj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41659
+ - advisory: https://securitylab.github.com/advisories/GHSL-2024-034_memos
+ - fix: https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9
+ - web: https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163
+source:
+ id: GHSA-p4fx-qf2h-jpmj
+ created: 2024-08-30T11:54:36.05674-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3089.yaml b/data/reports/GO-2024-3089.yaml
new file mode 100644
index 0000000..6ff45db
--- /dev/null
+++ b/data/reports/GO-2024-3089.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3089
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-43780
+ghsas:
+ - GHSA-2jhx-w3vc-w59g
+references:
+ - advisory: https://github.com/advisories/GHSA-2jhx-w3vc-w59g
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43780
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-2jhx-w3vc-w59g
+ created: 2024-08-30T12:08:13.728373-04:00
+review_status: UNREVIEWED
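Review bot: The `mattermost-server/v5`, `mattermost-server/v6` and `mattermost/server/v8` entries carry only `vulnerable_at` and no `versions`, so the generated OSV marks every release of those modules as affected with no fix. The data/osv/GO-2024-3097.json section of this commit shows a lone `"introduced": "0"` for each of them. The ranges on the first module start at 9.5.0, so nothing in the report establishes that the 5.x and 6.x lines are affected, and server/v8 users get no fixed version to move to. Separately, `vulnerable_at: 9.10.1-rc3+incompatible` is a release candidate of the listed fix and may already contain the patch; a released tag inside the range, such as `vulnerable_at: 9.10.0+incompatible`, would be safer. The same layout repeats in GO-2024-3090, 3091, 3092 (with `9.9.1-rc4+incompatible`), 3093, 3094, 3096 and 3097.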
diff --git a/data/reports/GO-2024-3090.yaml b/data/reports/GO-2024-3090.yaml
new file mode 100644
index 0000000..11e3b36
--- /dev/null
+++ b/data/reports/GO-2024-3090.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-3090
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: |-
+ Mattermost allows team admin user without "Add Team Members" permission to
+ disable invite URL in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-40884
+ghsas:
+ - GHSA-3j95-8g47-fpwh
+references:
+ - advisory: https://github.com/advisories/GHSA-3j95-8g47-fpwh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40884
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-3j95-8g47-fpwh
+ created: 2024-08-30T11:53:57.168505-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3091.yaml b/data/reports/GO-2024-3091.yaml
new file mode 100644
index 0000000..7fd1cc7
--- /dev/null
+++ b/data/reports/GO-2024-3091.yaml
@@ -0,0 +1,34 @@
+id: GO-2024-3091
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: |-
+ Mattermost allows user with systems manager role with read-only access to teams
+ to perform write operations on teams in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-42497
+ghsas:
+ - GHSA-fxq9-6946-34q7
+references:
+ - advisory: https://github.com/advisories/GHSA-fxq9-6946-34q7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-42497
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-fxq9-6946-34q7
+ created: 2024-08-30T11:53:53.112178-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3092.yaml b/data/reports/GO-2024-3092.yaml
new file mode 100644
index 0000000..8ae9cac
--- /dev/null
+++ b/data/reports/GO-2024-3092.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3092
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.7+incompatible
+ - introduced: 9.7.0+incompatible
+ - fixed: 9.7.6+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.1+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.1+incompatible
+ vulnerable_at: 9.9.1-rc4+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-39777
+ghsas:
+ - GHSA-q22q-2rrf-m27p
+references:
+ - advisory: https://github.com/advisories/GHSA-q22q-2rrf-m27p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39777
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-q22q-2rrf-m27p
+ created: 2024-08-30T11:53:48.483473-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3093.yaml b/data/reports/GO-2024-3093.yaml
new file mode 100644
index 0000000..7043683
--- /dev/null
+++ b/data/reports/GO-2024-3093.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3093
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-32939
+ghsas:
+ - GHSA-4ww8-fprq-cq34
+references:
+ - advisory: https://github.com/advisories/GHSA-4ww8-fprq-cq34
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32939
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-4ww8-fprq-cq34
+ created: 2024-08-30T11:53:44.210578-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3094.yaml b/data/reports/GO-2024-3094.yaml
new file mode 100644
index 0000000..e703f43
--- /dev/null
+++ b/data/reports/GO-2024-3094.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3094
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-8071
+ghsas:
+ - GHSA-5263-pm2h-m7hw
+references:
+ - advisory: https://github.com/advisories/GHSA-5263-pm2h-m7hw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8071
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-5263-pm2h-m7hw
+ created: 2024-08-30T11:53:39.830198-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3095.yaml b/data/reports/GO-2024-3095.yaml
new file mode 100644
index 0000000..0ef98af
--- /dev/null
+++ b/data/reports/GO-2024-3095.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3095
+modules:
+ - module: github.com/mattermost/mattermost-plugin-channel-export
+ versions:
+ - fixed: 1.0.1
+ vulnerable_at: 1.0.0
+summary: Mattermost Plugin Channel Export excessive resource consumption in github.com/mattermost/mattermost-plugin-channel-export
+cves:
+ - CVE-2024-43105
+ghsas:
+ - GHSA-869f-px86-vj84
+references:
+ - advisory: https://github.com/advisories/GHSA-869f-px86-vj84
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43105
+ - fix: https://github.com/mattermost/mattermost-plugin-channel-export/commit/bb6da1f6bedd6cefe2276d6493b5541843c543a6
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-869f-px86-vj84
+ created: 2024-08-30T11:53:34.705599-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3096.yaml b/data/reports/GO-2024-3096.yaml
new file mode 100644
index 0000000..6dc3a80
--- /dev/null
+++ b/data/reports/GO-2024-3096.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3096
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-39836
+ghsas:
+ - GHSA-c6vp-jjgv-38wj
+references:
+ - advisory: https://github.com/advisories/GHSA-c6vp-jjgv-38wj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39836
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-c6vp-jjgv-38wj
+ created: 2024-08-30T11:52:51.723916-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3097.yaml b/data/reports/GO-2024-3097.yaml
new file mode 100644
index 0000000..03eec4b
--- /dev/null
+++ b/data/reports/GO-2024-3097.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3097
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-40886
+ghsas:
+ - GHSA-hrf9-rm95-fpf3
+references:
+ - advisory: https://github.com/advisories/GHSA-hrf9-rm95-fpf3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40886
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-hrf9-rm95-fpf3
+ created: 2024-08-30T11:50:28.768165-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3099.yaml b/data/reports/GO-2024-3099.yaml
new file mode 100644
index 0000000..b46877e
--- /dev/null
+++ b/data/reports/GO-2024-3099.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3099
+modules:
+ - module: github.com/hyperledger/fabric
+ unsupported_versions:
+ - last_affected: 2.5.9
+ vulnerable_at: 1.4.12
+summary: |-
+ Hyperledger Fabric does not verify request has a timestamp within the expected
+ time window in github.com/hyperledger/fabric
+cves:
+ - CVE-2024-45244
+ghsas:
+ - GHSA-48gg-32q2-4r6m
+references:
+ - advisory: https://github.com/advisories/GHSA-48gg-32q2-4r6m
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45244
+ - fix: https://github.com/hyperledger/fabric/commit/155457a6624b3c74b22e5729c35c8499bfe952cd
+source:
+ id: GHSA-48gg-32q2-4r6m
+ created: 2024-08-30T11:50:13.440878-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3100.yaml b/data/reports/GO-2024-3100.yaml
new file mode 100644
index 0000000..795cedd
--- /dev/null
+++ b/data/reports/GO-2024-3100.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3100
+modules:
+ - module: github.com/jpillora/chisel
+ versions:
+ - fixed: 1.10.0
+ vulnerable_at: 1.9.1
+summary: Chisel's AUTH environment variable not respected in server entrypoint in github.com/jpillora/chisel
+cves:
+ - CVE-2024-43798
+ghsas:
+ - GHSA-38jh-8h67-m7mj
+references:
+ - advisory: https://github.com/jpillora/chisel/security/advisories/GHSA-38jh-8h67-m7mj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43798
+ - web: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L138
+ - web: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L452
+source:
+ id: GHSA-38jh-8h67-m7mj
+ created: 2024-08-30T11:50:09.347626-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3102.yaml b/data/reports/GO-2024-3102.yaml
new file mode 100644
index 0000000..8eab8d0
--- /dev/null
+++ b/data/reports/GO-2024-3102.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-3102
+modules:
+ - module: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver
+ versions:
+ - introduced: 0.49.0
+ - fixed: 0.108.0
+ vulnerable_at: 0.107.0
+summary: |-
+ OpenTelemetry Collector module AWS Firehose Receiver Authentication Bypass
+ Vulnerability in github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver
+cves:
+ - CVE-2024-45043
+ghsas:
+ - GHSA-prf6-xjxh-p698
+references:
+ - advisory: https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45043
+ - web: https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http
+ - web: https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html
+ - web: https://github.com/open-telemetry/opentelemetry-collector#alpha
+ - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/371bf6afbd7cfa3253fa1674f5444064e86ef0ac
+ - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847
+ - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver
+ - web: https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74
+ - web: https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0
+ - web: https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib
+source:
+ id: GHSA-prf6-xjxh-p698
+ created: 2024-08-30T11:50:01.407659-04:00
+review_status: UNREVIEWED
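Review bot: The upstream commit and pull request in `references` are typed `web`, while other reports in this commit (GO-2024-3103, GO-2024-3104) type their patch links as `fix`. If the commit is the change that shipped in 0.108.0, as the fixed version and the release-tag link suggest, it should read `- fix: https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/371bf6afbd7cfa3253fa1674f5444064e86ef0ac`, and likewise for `pull/34847`. That lets tooling and anyone backporting the authentication fix find the patch directly. The two authentik commit links in GO-2024-3085 look like the same case.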
diff --git a/data/reports/GO-2024-3103.yaml b/data/reports/GO-2024-3103.yaml
new file mode 100644
index 0000000..4b1e4a2
--- /dev/null
+++ b/data/reports/GO-2024-3103.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3103
+modules:
+ - module: github.com/hwameistor/hwameistor
+ versions:
+ - fixed: 0.14.6
+ vulnerable_at: 0.14.5
+summary: Hwameistor Potential Permission Leakage of Cluster Level in github.com/hwameistor/hwameistor
+cves:
+ - CVE-2024-45054
+ghsas:
+ - GHSA-mgwr-h7mv-fh29
+references:
+ - advisory: https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45054
+ - fix: https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450
+ - report: https://github.com/hwameistor/hwameistor/issues/1457
+ - report: https://github.com/hwameistor/hwameistor/issues/1460
+ - web: https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml
+source:
+ id: GHSA-mgwr-h7mv-fh29
+ created: 2024-08-30T11:49:56.278746-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3104.yaml b/data/reports/GO-2024-3104.yaml
new file mode 100644
index 0000000..1cb79ad
--- /dev/null
+++ b/data/reports/GO-2024-3104.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3104
+modules:
+ - module: github.com/ollama/ollama
+ versions:
+ - fixed: 0.1.47
+ vulnerable_at: 0.1.46
+summary: Ollama can extract members of a ZIP archive outside of the parent directory in github.com/ollama/ollama
+cves:
+ - CVE-2024-45436
+ghsas:
+ - GHSA-846m-99qv-67mg
+references:
+ - advisory: https://github.com/advisories/GHSA-846m-99qv-67mg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45436
+ - fix: https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527
+ - fix: https://github.com/ollama/ollama/pull/5314
+ - web: https://github.com/ollama/ollama/compare/v0.1.46...v0.1.47
+source:
+ id: GHSA-846m-99qv-67mg
+ created: 2024-08-30T11:49:51.257019-04:00
+review_status: UNREVIEWED