data/reports: add 21 unreviewed reports - data/reports/GO-2024-3081.yaml - data/reports/GO-2024-3082.yaml - data/reports/GO-2024-3083.yaml - data/reports/GO-2024-3085.yaml - data/reports/GO-2024-3086.yaml - data/reports/GO-2024-3087.yaml - data/reports/GO-2024-3088.yaml - data/reports/GO-2024-3089.yaml - data/reports/GO-2024-3090.yaml - data/reports/GO-2024-3091.yaml - data/reports/GO-2024-3092.yaml - data/reports/GO-2024-3093.yaml - data/reports/GO-2024-3094.yaml - data/reports/GO-2024-3095.yaml - data/reports/GO-2024-3096.yaml - data/reports/GO-2024-3097.yaml - data/reports/GO-2024-3099.yaml - data/reports/GO-2024-3100.yaml - data/reports/GO-2024-3102.yaml - data/reports/GO-2024-3103.yaml - data/reports/GO-2024-3104.yaml Fixes golang/vulndb#3081 Fixes golang/vulndb#3082 Fixes golang/vulndb#3083 Fixes golang/vulndb#3085 Fixes golang/vulndb#3086 Fixes golang/vulndb#3087 Fixes golang/vulndb#3088 Fixes golang/vulndb#3089 Fixes golang/vulndb#3090 Fixes golang/vulndb#3091 Fixes golang/vulndb#3092 Fixes golang/vulndb#3093 Fixes golang/vulndb#3094 Fixes golang/vulndb#3095 Fixes golang/vulndb#3096 Fixes golang/vulndb#3097 Fixes golang/vulndb#3099 Fixes golang/vulndb#3100 Fixes golang/vulndb#3102 Fixes golang/vulndb#3103 Fixes golang/vulndb#3104 Change-Id: If55f3ff19b07f49b6477d5c0d3eb5f5b6f3adbd0 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/609141 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/osv/GO-2024-3081.json b/data/osv/GO-2024-3081.json
new file mode 100644
index 0000000..af65c20
--- /dev/null
+++ b/data/osv/GO-2024-3081.json
@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3081",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-fpgj-cr28-fvpx"
+ ],
+ "summary": "CWA-2024-006: wasmd non-deterministic module_query_safe query in github.com/CosmWasm/wasmd",
+ "details": "CWA-2024-006: wasmd non-deterministic module_query_safe query in github.com/CosmWasm/wasmd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/CosmWasm/wasmd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.52.0"
+ },
+ {
+ "fixed": "0.53.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/CosmWasm/wasmd/security/advisories/GHSA-fpgj-cr28-fvpx"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/CosmWasm/wasmd/commit/db8981db8419fc4daa042ce04e279efb53c4ff29"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-006.md"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3081",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3082.json b/data/osv/GO-2024-3082.json
new file mode 100644
index 0000000..024b2bb
--- /dev/null
+++ b/data/osv/GO-2024-3082.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3082",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-g8w7-7vgg-x7xg"
+ ],
+ "summary": "CWA-2024-005: Stackoverflow in wasmd in github.com/CosmWasm/wasmd",
+ "details": "CWA-2024-005: Stackoverflow in wasmd in github.com/CosmWasm/wasmd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/CosmWasm/wasmd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.46.0"
+ },
+ {
+ "introduced": "0.50.0"
+ },
+ {
+ "fixed": "0.53.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/CosmWasm/wasmd/security/advisories/GHSA-g8w7-7vgg-x7xg"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/CosmWasm/wasmd/commit/71cf6a8145426b82ed6249ecc86ddd281af9f97b"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/CosmWasm/wasmd/commit/db8981db8419fc4daa042ce04e279efb53c4ff29"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-005.md"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3082",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3083.json b/data/osv/GO-2024-3083.json
new file mode 100644
index 0000000..c5d2197
--- /dev/null
+++ b/data/osv/GO-2024-3083.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3083",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-6508",
+ "GHSA-4crf-28c7-v4gr"
+ ],
+ "summary": "Openshift Console insufficient entropy vulnerability in github.com/openshift/console",
+ "details": "Openshift Console insufficient entropy vulnerability in github.com/openshift/console",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openshift/console",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4crf-28c7-v4gr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6508"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-6508"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295777"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3083",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3085.json b/data/osv/GO-2024-3085.json
new file mode 100644
index 0000000..05c329d
--- /dev/null
+++ b/data/osv/GO-2024-3085.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3085",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-42490",
+ "GHSA-qxqc-27pr-wgc8"
+ ],
+ "summary": "GoAuthentik vulnerable to Insufficient Authorization for several API endpoints in goauthentik.io",
+ "details": "GoAuthentik vulnerable to Insufficient Authorization for several API endpoints in goauthentik.io.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: goauthentik.io before v2024.4.4, from v2024.6.0-rc1 before v2024.6.4.",
+ "affected": [
+ {
+ "package": {
+ "name": "goauthentik.io",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2024.4.4"
+ },
+ {
+ "introduced": "2024.6.0-rc1"
+ },
+ {
+ "fixed": "2024.6.4"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qxqc-27pr-wgc8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42490"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/goauthentik/authentik/commit/19318d4c00bb02c4ec3c4f8f15ac2e1dbe8d846c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/goauthentik/authentik/commit/359b343f51524342a5ca03828e7c975a1d654b11"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3085",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3086.json b/data/osv/GO-2024-3086.json
new file mode 100644
index 0000000..87855ff
--- /dev/null
+++ b/data/osv/GO-2024-3086.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3086",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-41658",
+ "GHSA-gv2p-4mvg-g32h"
+ ],
+ "summary": "Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036) in github.com/casdoor/casdoor",
+ "details": "Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036) in github.com/casdoor/casdoor",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/casdoor/casdoor",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-gv2p-4mvg-g32h"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41658"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casdoor/casdoor/blob/v1.577.0/web/src/QrCodePage.js"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3086",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3087.json b/data/osv/GO-2024-3087.json
new file mode 100644
index 0000000..de275a1
--- /dev/null
+++ b/data/osv/GO-2024-3087.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3087",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-41657",
+ "GHSA-mchx-7j67-8mcf"
+ ],
+ "summary": "Casdoor CORS misconfiguration (GHSL-2024-035) in github.com/casdoor/casdoor",
+ "details": "Casdoor CORS misconfiguration (GHSL-2024-035) in github.com/casdoor/casdoor",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/casdoor/casdoor",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-mchx-7j67-8mcf"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41657"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casdoor/casdoor/blob/v1.577.0/routers/cors_filter.go#L45"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3087",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3088.json b/data/osv/GO-2024-3088.json
new file mode 100644
index 0000000..00e2847
--- /dev/null
+++ b/data/osv/GO-2024-3088.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3088",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-41659",
+ "GHSA-p4fx-qf2h-jpmj"
+ ],
+ "summary": "memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos",
+ "details": "memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/usememos/memos",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.21.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-p4fx-qf2h-jpmj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41659"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://securitylab.github.com/advisories/GHSL-2024-034_memos"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3088",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3089.json b/data/osv/GO-2024-3089.json
new file mode 100644
index 0000000..8366e4e
--- /dev/null
+++ b/data/osv/GO-2024-3089.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3089",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-43780",
+ "GHSA-2jhx-w3vc-w59g"
+ ],
+ "summary": "Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-2jhx-w3vc-w59g"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43780"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3089",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
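Review bot: The `affected` entries for `github.com/mattermost/mattermost-server/v5`, `github.com/mattermost/mattermost-server/v6` and `github.com/mattermost/mattermost/server/v8` each carry only `"introduced": "0"` and no `fixed` event, so a scanner matching on this record will flag every release of those three modules, while the first entry limits the unsuffixed module to the 9.5 to 9.10 release lines. Nothing visible here shows that the advisory covers the v5 and v6 lines at all; if it does not, those two entries should be dropped, and if the v8 versions simply could not be mapped, `details` should say so the way GO-2024-3085 does (`NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.`). GO-2024-3090 to GO-2024-3094, GO-2024-3096 and GO-2024-3097 in this commit repeat the same three open-ended entries.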
diff --git a/data/osv/GO-2024-3090.json b/data/osv/GO-2024-3090.json
new file mode 100644
index 0000000..a48e4c4
--- /dev/null
+++ b/data/osv/GO-2024-3090.json
@@ -0,0 +1,109 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3090",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-40884",
+ "GHSA-3j95-8g47-fpwh"
+ ],
+ "summary": "Mattermost allows team admin user without \"Add Team Members\" permission to disable invite URL in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows team admin user without \"Add Team Members\" permission to disable invite URL in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-3j95-8g47-fpwh"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40884"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3090",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3091.json b/data/osv/GO-2024-3091.json
new file mode 100644
index 0000000..791cad8
--- /dev/null
+++ b/data/osv/GO-2024-3091.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3091",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-42497",
+ "GHSA-fxq9-6946-34q7"
+ ],
+ "summary": "Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-fxq9-6946-34q7"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42497"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3091",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3092.json b/data/osv/GO-2024-3092.json
new file mode 100644
index 0000000..4ae70b9
--- /dev/null
+++ b/data/osv/GO-2024-3092.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3092",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-39777",
+ "GHSA-q22q-2rrf-m27p"
+ ],
+ "summary": "Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.7+incompatible"
+ },
+ {
+ "introduced": "9.7.0+incompatible"
+ },
+ {
+ "fixed": "9.7.6+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.1+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-q22q-2rrf-m27p"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39777"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3092",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3093.json b/data/osv/GO-2024-3093.json
new file mode 100644
index 0000000..34c4565
--- /dev/null
+++ b/data/osv/GO-2024-3093.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3093",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-32939",
+ "GHSA-4ww8-fprq-cq34"
+ ],
+ "summary": "Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server",
+ "details": "Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4ww8-fprq-cq34"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32939"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3093",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3094.json b/data/osv/GO-2024-3094.json
new file mode 100644
index 0000000..b755969
--- /dev/null
+++ b/data/osv/GO-2024-3094.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3094",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-8071",
+ "GHSA-5263-pm2h-m7hw"
+ ],
+ "summary": "Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server",
+ "details": "Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-5263-pm2h-m7hw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8071"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3094",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3095.json b/data/osv/GO-2024-3095.json
new file mode 100644
index 0000000..fdfa337
--- /dev/null
+++ b/data/osv/GO-2024-3095.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3095",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-43105",
+ "GHSA-869f-px86-vj84"
+ ],
+ "summary": "Mattermost Plugin Channel Export excessive resource consumption in github.com/mattermost/mattermost-plugin-channel-export",
+ "details": "Mattermost Plugin Channel Export excessive resource consumption in github.com/mattermost/mattermost-plugin-channel-export",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-plugin-channel-export",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-869f-px86-vj84"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43105"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/mattermost/mattermost-plugin-channel-export/commit/bb6da1f6bedd6cefe2276d6493b5541843c543a6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3095",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3096.json b/data/osv/GO-2024-3096.json
new file mode 100644
index 0000000..5712383
--- /dev/null
+++ b/data/osv/GO-2024-3096.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3096",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-39836",
+ "GHSA-c6vp-jjgv-38wj"
+ ],
+ "summary": "Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-c6vp-jjgv-38wj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39836"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3096",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3097.json b/data/osv/GO-2024-3097.json
new file mode 100644
index 0000000..5d04cd3
--- /dev/null
+++ b/data/osv/GO-2024-3097.json
@@ -0,0 +1,121 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3097",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-40886",
+ "GHSA-hrf9-rm95-fpf3"
+ ],
+ "summary": "Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.0+incompatible"
+ },
+ {
+ "fixed": "9.5.8+incompatible"
+ },
+ {
+ "introduced": "9.8.0+incompatible"
+ },
+ {
+ "fixed": "9.8.3+incompatible"
+ },
+ {
+ "introduced": "9.9.0+incompatible"
+ },
+ {
+ "fixed": "9.9.2+incompatible"
+ },
+ {
+ "introduced": "9.10.0+incompatible"
+ },
+ {
+ "fixed": "9.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-hrf9-rm95-fpf3"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40886"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3097",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3099.json b/data/osv/GO-2024-3099.json
new file mode 100644
index 0000000..63a4e2e
--- /dev/null
+++ b/data/osv/GO-2024-3099.json
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3099",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-45244",
+ "GHSA-48gg-32q2-4r6m"
+ ],
+ "summary": "Hyperledger Fabric does not verify request has a timestamp within the expected time window in github.com/hyperledger/fabric",
+ "details": "Hyperledger Fabric does not verify request has a timestamp within the expected time window in github.com/hyperledger/fabric",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hyperledger/fabric",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-48gg-32q2-4r6m"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45244"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hyperledger/fabric/commit/155457a6624b3c74b22e5729c35c8499bfe952cd"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3099",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3100.json b/data/osv/GO-2024-3100.json
new file mode 100644
index 0000000..82dfcd6
--- /dev/null
+++ b/data/osv/GO-2024-3100.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3100",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-43798",
+ "GHSA-38jh-8h67-m7mj"
+ ],
+ "summary": "Chisel's AUTH environment variable not respected in server entrypoint in github.com/jpillora/chisel",
+ "details": "Chisel's AUTH environment variable not respected in server entrypoint in github.com/jpillora/chisel",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/jpillora/chisel",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.10.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/jpillora/chisel/security/advisories/GHSA-38jh-8h67-m7mj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43798"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L138"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L452"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3100",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3102.json b/data/osv/GO-2024-3102.json
new file mode 100644
index 0000000..e878336
--- /dev/null
+++ b/data/osv/GO-2024-3102.json
@@ -0,0 +1,84 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3102",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-45043",
+ "GHSA-prf6-xjxh-p698"
+ ],
+ "summary": "OpenTelemetry Collector module AWS Firehose Receiver Authentication Bypass Vulnerability in github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver",
+ "details": "OpenTelemetry Collector module AWS Firehose Receiver Authentication Bypass Vulnerability in github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.49.0"
+ },
+ {
+ "fixed": "0.108.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45043"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector#alpha"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/371bf6afbd7cfa3253fa1674f5444064e86ef0ac"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3102",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3103.json b/data/osv/GO-2024-3103.json
new file mode 100644
index 0000000..fd3dfe1
--- /dev/null
+++ b/data/osv/GO-2024-3103.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3103",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-45054",
+ "GHSA-mgwr-h7mv-fh29"
+ ],
+ "summary": "Hwameistor Potential Permission Leakage of Cluster Level in github.com/hwameistor/hwameistor",
+ "details": "Hwameistor Potential Permission Leakage of Cluster Level in github.com/hwameistor/hwameistor",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hwameistor/hwameistor",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.14.6"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45054"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/hwameistor/hwameistor/issues/1457"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/hwameistor/hwameistor/issues/1460"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3103",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3104.json b/data/osv/GO-2024-3104.json
new file mode 100644
index 0000000..5a8d607
--- /dev/null
+++ b/data/osv/GO-2024-3104.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3104",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-45436",
+ "GHSA-846m-99qv-67mg"
+ ],
+ "summary": "Ollama can extract members of a ZIP archive outside of the parent directory in github.com/ollama/ollama",
+ "details": "Ollama can extract members of a ZIP archive outside of the parent directory in github.com/ollama/ollama",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ollama/ollama",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.1.47"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-846m-99qv-67mg"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45436"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ollama/ollama/pull/5314"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ollama/ollama/compare/v0.1.46...v0.1.47"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3104",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-3081.yaml b/data/reports/GO-2024-3081.yaml
new file mode 100644
index 0000000..f40f8ec
--- /dev/null
+++ b/data/reports/GO-2024-3081.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-3081
+modules:
+ - module: github.com/CosmWasm/wasmd
+ versions:
+ - introduced: 0.52.0
+ - fixed: 0.53.0
+ vulnerable_at: 0.52.0
+summary: 'CWA-2024-006: wasmd non-deterministic module_query_safe query in github.com/CosmWasm/wasmd'
+ghsas:
+ - GHSA-fpgj-cr28-fvpx
+references:
+ - advisory: https://github.com/CosmWasm/wasmd/security/advisories/GHSA-fpgj-cr28-fvpx
+ - fix: https://github.com/CosmWasm/wasmd/commit/db8981db8419fc4daa042ce04e279efb53c4ff29
+ - web: https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-006.md
+source:
+ id: GHSA-fpgj-cr28-fvpx
+ created: 2024-08-30T11:58:15.507187-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3082.yaml b/data/reports/GO-2024-3082.yaml
new file mode 100644
index 0000000..738869a
--- /dev/null
+++ b/data/reports/GO-2024-3082.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3082
+modules:
+ - module: github.com/CosmWasm/wasmd
+ versions:
+ - fixed: 0.46.0
+ - introduced: 0.50.0
+ - fixed: 0.53.0
+ vulnerable_at: 0.52.0
+summary: 'CWA-2024-005: Stackoverflow in wasmd in github.com/CosmWasm/wasmd'
+ghsas:
+ - GHSA-g8w7-7vgg-x7xg
+references:
+ - advisory: https://github.com/CosmWasm/wasmd/security/advisories/GHSA-g8w7-7vgg-x7xg
+ - fix: https://github.com/CosmWasm/wasmd/commit/71cf6a8145426b82ed6249ecc86ddd281af9f97b
+ - fix: https://github.com/CosmWasm/wasmd/commit/db8981db8419fc4daa042ce04e279efb53c4ff29
+ - web: https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-005.md
+source:
+ id: GHSA-g8w7-7vgg-x7xg
+ created: 2024-08-30T11:58:11.333979-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3083.yaml b/data/reports/GO-2024-3083.yaml
new file mode 100644
index 0000000..1bf376c
--- /dev/null
+++ b/data/reports/GO-2024-3083.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3083
+modules:
+ - module: github.com/openshift/console
+ unsupported_versions:
+ - last_affected: 6.0.6
+ vulnerable_at: 6.0.6+incompatible
+summary: Openshift Console insufficient entropy vulnerability in github.com/openshift/console
+cves:
+ - CVE-2024-6508
+ghsas:
+ - GHSA-4crf-28c7-v4gr
+references:
+ - advisory: https://github.com/advisories/GHSA-4crf-28c7-v4gr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6508
+ - web: https://access.redhat.com/security/cve/CVE-2024-6508
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2295777
+source:
+ id: GHSA-4crf-28c7-v4gr
+ created: 2024-08-30T11:54:56.473463-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3085.yaml b/data/reports/GO-2024-3085.yaml
new file mode 100644
index 0000000..7f9efbe
--- /dev/null
+++ b/data/reports/GO-2024-3085.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3085
+modules:
+ - module: goauthentik.io
+ non_go_versions:
+ - fixed: 2024.4.4
+ - introduced: 2024.6.0-rc1
+ - fixed: 2024.6.4
+ vulnerable_at: 0.0.0-20240830143927-1003c79d8cc6
+summary: GoAuthentik vulnerable to Insufficient Authorization for several API endpoints in goauthentik.io
+cves:
+ - CVE-2024-42490
+ghsas:
+ - GHSA-qxqc-27pr-wgc8
+references:
+ - advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-qxqc-27pr-wgc8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-42490
+ - web: https://github.com/goauthentik/authentik/commit/19318d4c00bb02c4ec3c4f8f15ac2e1dbe8d846c
+ - web: https://github.com/goauthentik/authentik/commit/359b343f51524342a5ca03828e7c975a1d654b11
+source:
+ id: GHSA-qxqc-27pr-wgc8
+ created: 2024-08-30T11:54:49.614232-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3086.yaml b/data/reports/GO-2024-3086.yaml
new file mode 100644
index 0000000..a17d06d
--- /dev/null
+++ b/data/reports/GO-2024-3086.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3086
+modules:
+ - module: github.com/casdoor/casdoor
+ unsupported_versions:
+ - last_affected: 1.577.0
+ vulnerable_at: 1.685.0
+summary: Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036) in github.com/casdoor/casdoor
+cves:
+ - CVE-2024-41658
+ghsas:
+ - GHSA-gv2p-4mvg-g32h
+references:
+ - advisory: https://github.com/advisories/GHSA-gv2p-4mvg-g32h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41658
+ - advisory: https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor
+ - web: https://github.com/casdoor/casdoor/blob/v1.577.0/web/src/QrCodePage.js
+source:
+ id: GHSA-gv2p-4mvg-g32h
+ created: 2024-08-30T11:54:45.361649-04:00
+review_status: UNREVIEWED
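Review bot: `vulnerable_at: 1.685.0` is later than `last_affected: 1.577.0`, so the report names as known-vulnerable a release that its own version data places outside the affected range; one of the two values needs correcting or an explanation. GO-2024-3087 has the same mismatch. Because the bound sits under `unsupported_versions`, the generated OSV presumably carries only `introduced: 0` (as data/osv/GO-2024-3099.json does for its `last_affected` entry), so scanners will flag every casdoor release until a fixed version is confirmed. A short YAML comment such as `# upstream fix version unknown; last_affected taken from GHSA` next to the entry would tell the human reviewer what still has to be checked.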
diff --git a/data/reports/GO-2024-3087.yaml b/data/reports/GO-2024-3087.yaml
new file mode 100644
index 0000000..7a68d42
--- /dev/null
+++ b/data/reports/GO-2024-3087.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3087
+modules:
+ - module: github.com/casdoor/casdoor
+ unsupported_versions:
+ - last_affected: 1.557.0
+ vulnerable_at: 1.685.0
+summary: Casdoor CORS misconfiguration (GHSL-2024-035) in github.com/casdoor/casdoor
+cves:
+ - CVE-2024-41657
+ghsas:
+ - GHSA-mchx-7j67-8mcf
+references:
+ - advisory: https://github.com/advisories/GHSA-mchx-7j67-8mcf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41657
+ - advisory: https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor
+ - web: https://github.com/casdoor/casdoor/blob/v1.577.0/routers/cors_filter.go#L45
+source:
+ id: GHSA-mchx-7j67-8mcf
+ created: 2024-08-30T11:54:41.213942-04:00
+review_status: UNREVIEWED
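Review bot: `last_affected: 1.557.0` disagrees with this report's own `web:` reference, which links the flawed line at `blob/v1.577.0/routers/cors_filter.go#L45`, and with GO-2024-3086, which cites the same GHSL advisory page and uses 1.577.0. The value looks like a transposed digit carried over from the upstream advisory, though that cannot be confirmed from the diff. If the GHSL text says 1.577.0, the entry should read `- last_affected: 1.577.0`; otherwise a comment noting the upstream discrepancy would keep a later reviewer from silently "fixing" it.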
diff --git a/data/reports/GO-2024-3088.yaml b/data/reports/GO-2024-3088.yaml
new file mode 100644
index 0000000..552fb12
--- /dev/null
+++ b/data/reports/GO-2024-3088.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3088
+modules:
+ - module: github.com/usememos/memos
+ versions:
+ - fixed: 0.21.0
+ vulnerable_at: 0.20.1
+summary: memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos
+cves:
+ - CVE-2024-41659
+ghsas:
+ - GHSA-p4fx-qf2h-jpmj
+references:
+ - advisory: https://github.com/advisories/GHSA-p4fx-qf2h-jpmj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41659
+ - advisory: https://securitylab.github.com/advisories/GHSL-2024-034_memos
+ - fix: https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9
+ - web: https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163
+source:
+ id: GHSA-p4fx-qf2h-jpmj
+ created: 2024-08-30T11:54:36.05674-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3089.yaml b/data/reports/GO-2024-3089.yaml
new file mode 100644
index 0000000..6ff45db
--- /dev/null
+++ b/data/reports/GO-2024-3089.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3089
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-43780
+ghsas:
+ - GHSA-2jhx-w3vc-w59g
+references:
+ - advisory: https://github.com/advisories/GHSA-2jhx-w3vc-w59g
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43780
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-2jhx-w3vc-w59g
+ created: 2024-08-30T12:08:13.728373-04:00
+review_status: UNREVIEWED
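Review bot: The `mattermost-server/v5`, `mattermost-server/v6` and `mattermost/server/v8` entries carry only `vulnerable_at` and no `versions`, so the generated OSV gives them `introduced: 0` with no `fixed` event (visible in data/osv/GO-2024-3097.json) and every release of those module paths is reported as affected with no upgrade target. The ranges recorded for `mattermost-server` begin at 9.5.0, which makes the 5.x and 6.x paths look out of scope for this advisory, and a `/v8` pseudo-version built after the fix would still be flagged. If the mapping from Mattermost release numbers to module versions cannot be resolved now, a comment on each such entry, for example `# no version bounds available from the advisory; unbounded pending review`, would make the over-reporting explicit. The same applies to GO-2024-3090 through GO-2024-3094, GO-2024-3096 and GO-2024-3097.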
diff --git a/data/reports/GO-2024-3090.yaml b/data/reports/GO-2024-3090.yaml
new file mode 100644
index 0000000..11e3b36
--- /dev/null
+++ b/data/reports/GO-2024-3090.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-3090
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: |-
+ Mattermost allows team admin user without "Add Team Members" permission to
+ disable invite URL in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-40884
+ghsas:
+ - GHSA-3j95-8g47-fpwh
+references:
+ - advisory: https://github.com/advisories/GHSA-3j95-8g47-fpwh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40884
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-3j95-8g47-fpwh
+ created: 2024-08-30T11:53:57.168505-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3091.yaml b/data/reports/GO-2024-3091.yaml
new file mode 100644
index 0000000..7fd1cc7
--- /dev/null
+++ b/data/reports/GO-2024-3091.yaml
@@ -0,0 +1,34 @@
+id: GO-2024-3091
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: |-
+ Mattermost allows user with systems manager role with read-only access to teams
+ to perform write operations on teams in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-42497
+ghsas:
+ - GHSA-fxq9-6946-34q7
+references:
+ - advisory: https://github.com/advisories/GHSA-fxq9-6946-34q7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-42497
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-fxq9-6946-34q7
+ created: 2024-08-30T11:53:53.112178-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3092.yaml b/data/reports/GO-2024-3092.yaml
new file mode 100644
index 0000000..8ae9cac
--- /dev/null
+++ b/data/reports/GO-2024-3092.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3092
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.7+incompatible
+ - introduced: 9.7.0+incompatible
+ - fixed: 9.7.6+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.1+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.1+incompatible
+ vulnerable_at: 9.9.1-rc4+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-39777
+ghsas:
+ - GHSA-q22q-2rrf-m27p
+references:
+ - advisory: https://github.com/advisories/GHSA-q22q-2rrf-m27p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39777
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-q22q-2rrf-m27p
+ created: 2024-08-30T11:53:48.483473-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3093.yaml b/data/reports/GO-2024-3093.yaml
new file mode 100644
index 0000000..7043683
--- /dev/null
+++ b/data/reports/GO-2024-3093.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3093
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-32939
+ghsas:
+ - GHSA-4ww8-fprq-cq34
+references:
+ - advisory: https://github.com/advisories/GHSA-4ww8-fprq-cq34
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-32939
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-4ww8-fprq-cq34
+ created: 2024-08-30T11:53:44.210578-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3094.yaml b/data/reports/GO-2024-3094.yaml
new file mode 100644
index 0000000..e703f43
--- /dev/null
+++ b/data/reports/GO-2024-3094.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3094
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-8071
+ghsas:
+ - GHSA-5263-pm2h-m7hw
+references:
+ - advisory: https://github.com/advisories/GHSA-5263-pm2h-m7hw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8071
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-5263-pm2h-m7hw
+ created: 2024-08-30T11:53:39.830198-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3095.yaml b/data/reports/GO-2024-3095.yaml
new file mode 100644
index 0000000..0ef98af
--- /dev/null
+++ b/data/reports/GO-2024-3095.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3095
+modules:
+ - module: github.com/mattermost/mattermost-plugin-channel-export
+ versions:
+ - fixed: 1.0.1
+ vulnerable_at: 1.0.0
+summary: Mattermost Plugin Channel Export excessive resource consumption in github.com/mattermost/mattermost-plugin-channel-export
+cves:
+ - CVE-2024-43105
+ghsas:
+ - GHSA-869f-px86-vj84
+references:
+ - advisory: https://github.com/advisories/GHSA-869f-px86-vj84
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43105
+ - fix: https://github.com/mattermost/mattermost-plugin-channel-export/commit/bb6da1f6bedd6cefe2276d6493b5541843c543a6
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-869f-px86-vj84
+ created: 2024-08-30T11:53:34.705599-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3096.yaml b/data/reports/GO-2024-3096.yaml
new file mode 100644
index 0000000..6dc3a80
--- /dev/null
+++ b/data/reports/GO-2024-3096.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3096
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-39836
+ghsas:
+ - GHSA-c6vp-jjgv-38wj
+references:
+ - advisory: https://github.com/advisories/GHSA-c6vp-jjgv-38wj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39836
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-c6vp-jjgv-38wj
+ created: 2024-08-30T11:52:51.723916-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3097.yaml b/data/reports/GO-2024-3097.yaml
new file mode 100644
index 0000000..03eec4b
--- /dev/null
+++ b/data/reports/GO-2024-3097.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-3097
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.5.0+incompatible
+ - fixed: 9.5.8+incompatible
+ - introduced: 9.8.0+incompatible
+ - fixed: 9.8.3+incompatible
+ - introduced: 9.9.0+incompatible
+ - fixed: 9.9.2+incompatible
+ - introduced: 9.10.0+incompatible
+ - fixed: 9.10.1+incompatible
+ vulnerable_at: 9.10.1-rc3+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ vulnerable_at: 8.0.0-20240830140759-a2a54af3380e
+summary: Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2024-40886
+ghsas:
+ - GHSA-hrf9-rm95-fpf3
+references:
+ - advisory: https://github.com/advisories/GHSA-hrf9-rm95-fpf3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40886
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-hrf9-rm95-fpf3
+ created: 2024-08-30T11:50:28.768165-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3099.yaml b/data/reports/GO-2024-3099.yaml
new file mode 100644
index 0000000..b46877e
--- /dev/null
+++ b/data/reports/GO-2024-3099.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3099
+modules:
+ - module: github.com/hyperledger/fabric
+ unsupported_versions:
+ - last_affected: 2.5.9
+ vulnerable_at: 1.4.12
+summary: |-
+ Hyperledger Fabric does not verify request has a timestamp within the expected
+ time window in github.com/hyperledger/fabric
+cves:
+ - CVE-2024-45244
+ghsas:
+ - GHSA-48gg-32q2-4r6m
+references:
+ - advisory: https://github.com/advisories/GHSA-48gg-32q2-4r6m
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45244
+ - fix: https://github.com/hyperledger/fabric/commit/155457a6624b3c74b22e5729c35c8499bfe952cd
+source:
+ id: GHSA-48gg-32q2-4r6m
+ created: 2024-08-30T11:50:13.440878-04:00
+review_status: UNREVIEWED
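Review bot: A `fix:` commit is referenced but no fixed version is recorded, and the only bound, `last_affected: 2.5.9`, sits under `unsupported_versions`, so the generated data/osv/GO-2024-3099.json has `introduced: 0` and no `fixed` event. Releases that already contain commit 155457a6624b3c74b22e5729c35c8499bfe952cd will therefore still be flagged, and users get no upgrade target for a missing timestamp-window check. Once the first release containing that commit is identified, the module entry should gain `versions:` with `- fixed: <FIXED_VERSION>` (placeholder; the value is not on this page).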
diff --git a/data/reports/GO-2024-3100.yaml b/data/reports/GO-2024-3100.yaml
new file mode 100644
index 0000000..795cedd
--- /dev/null
+++ b/data/reports/GO-2024-3100.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3100
+modules:
+ - module: github.com/jpillora/chisel
+ versions:
+ - fixed: 1.10.0
+ vulnerable_at: 1.9.1
+summary: Chisel's AUTH environment variable not respected in server entrypoint in github.com/jpillora/chisel
+cves:
+ - CVE-2024-43798
+ghsas:
+ - GHSA-38jh-8h67-m7mj
+references:
+ - advisory: https://github.com/jpillora/chisel/security/advisories/GHSA-38jh-8h67-m7mj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43798
+ - web: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L138
+ - web: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L452
+source:
+ id: GHSA-38jh-8h67-m7mj
+ created: 2024-08-30T11:50:09.347626-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3102.yaml b/data/reports/GO-2024-3102.yaml
new file mode 100644
index 0000000..8eab8d0
--- /dev/null
+++ b/data/reports/GO-2024-3102.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-3102
+modules:
+ - module: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver
+ versions:
+ - introduced: 0.49.0
+ - fixed: 0.108.0
+ vulnerable_at: 0.107.0
+summary: |-
+ OpenTelemetry Collector module AWS Firehose Receiver Authentication Bypass
+ Vulnerability in github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver
+cves:
+ - CVE-2024-45043
+ghsas:
+ - GHSA-prf6-xjxh-p698
+references:
+ - advisory: https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45043
+ - web: https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http
+ - web: https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html
+ - web: https://github.com/open-telemetry/opentelemetry-collector#alpha
+ - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/371bf6afbd7cfa3253fa1674f5444064e86ef0ac
+ - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847
+ - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver
+ - web: https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74
+ - web: https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0
+ - web: https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib
+source:
+ id: GHSA-prf6-xjxh-p698
+ created: 2024-08-30T11:50:01.407659-04:00
+review_status: UNREVIEWED
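Review bot: The contrib commit `371bf6afbd7cfa3253fa1674f5444064e86ef0ac` and pull request 34847 are typed `web:` although the range ends at `fixed: 0.108.0` and they appear to be the change that closes the authentication bypass. If that is confirmed against the advisory they should be `fix:` entries, e.g. `- fix: https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847`, so consumers triaging the receiver can find the patch directly. The two `tree/main` links are not permalinks and will drift away from the code the advisory describes. GO-2024-3085 lists two authentik commits as `web:` in the same way.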
diff --git a/data/reports/GO-2024-3103.yaml b/data/reports/GO-2024-3103.yaml
new file mode 100644
index 0000000..4b1e4a2
--- /dev/null
+++ b/data/reports/GO-2024-3103.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3103
+modules:
+ - module: github.com/hwameistor/hwameistor
+ versions:
+ - fixed: 0.14.6
+ vulnerable_at: 0.14.5
+summary: Hwameistor Potential Permission Leakage of Cluster Level in github.com/hwameistor/hwameistor
+cves:
+ - CVE-2024-45054
+ghsas:
+ - GHSA-mgwr-h7mv-fh29
+references:
+ - advisory: https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45054
+ - fix: https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450
+ - report: https://github.com/hwameistor/hwameistor/issues/1457
+ - report: https://github.com/hwameistor/hwameistor/issues/1460
+ - web: https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml
+source:
+ id: GHSA-mgwr-h7mv-fh29
+ created: 2024-08-30T11:49:56.278746-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3104.yaml b/data/reports/GO-2024-3104.yaml
new file mode 100644
index 0000000..1cb79ad
--- /dev/null
+++ b/data/reports/GO-2024-3104.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3104
+modules:
+ - module: github.com/ollama/ollama
+ versions:
+ - fixed: 0.1.47
+ vulnerable_at: 0.1.46
+summary: Ollama can extract members of a ZIP archive outside of the parent directory in github.com/ollama/ollama
+cves:
+ - CVE-2024-45436
+ghsas:
+ - GHSA-846m-99qv-67mg
+references:
+ - advisory: https://github.com/advisories/GHSA-846m-99qv-67mg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45436
+ - fix: https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527
+ - fix: https://github.com/ollama/ollama/pull/5314
+ - web: https://github.com/ollama/ollama/compare/v0.1.46...v0.1.47
+source:
+ id: GHSA-846m-99qv-67mg
+ created: 2024-08-30T11:49:51.257019-04:00
+review_status: UNREVIEWED