Skip to content

Commit

Permalink
data/reports: add 6 unreviewed reports
Browse files Browse the repository at this point in the history 
  - data/reports/GO-2024-3292.yaml
  - data/reports/GO-2024-3304.yaml
  - data/reports/GO-2024-3305.yaml
  - data/reports/GO-2024-3307.yaml
  - data/reports/GO-2024-3308.yaml
  - data/reports/GO-2024-3310.yaml

Fixes #3292
Fixes #3304
Fixes #3305
Fixes #3307
Fixes #3308
Fixes #3310

Change-Id: I3e79903185ef370a0f3bd7eb140601defc50fc2b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/633598
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
  • Loading branch information
@tatianab @gopherbot
tatianab authored and gopherbot committed Dec 4, 2024
1 parent 435fc8e commit 9d72e77
Show file tree
Hide file tree
Showing 12 changed files with 476 additions and 0 deletions.
72 changes: 72 additions & 0 deletions data/osv/GO-2024-3292.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3292",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-8676",
"GHSA-7p9f-6x8j-gxxp"
],
"summary": "CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o",
"details": "CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o",
"affected": [
{
"package": {
"name": "github.com/cri-o/cri-o",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.11"
},
{
"introduced": "1.30.0"
},
{
"fixed": "1.30.8"
},
{
"introduced": "1.31.0"
},
{
"fixed": "1.31.3"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8676"
},
{
"type": "FIX",
"url": "https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-8676"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313842"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3292",
"review_status": "UNREVIEWED"
}
}
60 changes: 60 additions & 0 deletions data/osv/GO-2024-3304.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3304",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-36621",
"GHSA-2mj3-vfvx-fc43"
],
"summary": "Moby Race Condition vulnerability in github.com/moby/moby",
"details": "Moby Race Condition vulnerability in github.com/moby/moby",
"affected": [
{
"package": {
"name": "github.com/moby/moby",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "26.0.0+incompatible"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2mj3-vfvx-fc43"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36621"
},
{
"type": "FIX",
"url": "https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e"
},
{
"type": "WEB",
"url": "https://gist.github.com/1047524396/5d44459edab5fafcdf86b43909b81135"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/blob/v25.0.5/builder/builder-next/adapters/snapshot/layer.go#L24"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3304",
"review_status": "UNREVIEWED"
}
}
60 changes: 60 additions & 0 deletions data/osv/GO-2024-3305.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3305",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-36623",
"GHSA-gh5c-3h97-2f3q"
],
"summary": "Moby Race Condition vulnerability in github.com/moby/moby",
"details": "Moby Race Condition vulnerability in github.com/moby/moby",
"affected": [
{
"package": {
"name": "github.com/moby/moby",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "26.0.0+incompatible"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-gh5c-3h97-2f3q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36623"
},
{
"type": "FIX",
"url": "https://github.com/moby/moby/commit/5689dabfb357b673abdb4391eef426f297d7d1bb"
},
{
"type": "WEB",
"url": "https://gist.github.com/1047524396/c192c0159a19bf58a4373b696467dc29"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/blob/v25.0.3/pkg/streamformatter/streamformatter.go#L115"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3305",
"review_status": "UNREVIEWED"
}
}
48 changes: 48 additions & 0 deletions data/osv/GO-2024-3307.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3307",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-50948"
],
"summary": "CVE-2024-50948 in github.com/mochi-mqtt/server",
"details": "CVE-2024-50948 in github.com/mochi-mqtt/server",
"affected": [
{
"package": {
"name": "github.com/mochi-mqtt/server",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50948"
},
{
"type": "WEB",
"url": "https://gist.github.com/pengwGit/39760ed5ae03171622ca8215dc0d8c60"
},
{
"type": "WEB",
"url": "https://github.com/mochi-mqtt/server"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3307",
"review_status": "UNREVIEWED"
}
}
48 changes: 48 additions & 0 deletions data/osv/GO-2024-3308.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3308",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-54131",
"GHSA-66q9-2rvx-qfj5"
],
"summary": "Kolide Agent Privilege Escalation (Windows, Versions \u003e= 1.5.3, \u003c 1.12.3) in github.com/kolide/launcher",
"details": "Kolide Agent Privilege Escalation (Windows, Versions \u003e= 1.5.3, \u003c 1.12.3) in github.com/kolide/launcher",
"affected": [
{
"package": {
"name": "github.com/kolide/launcher",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.5.3"
},
{
"fixed": "1.12.3"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/kolide/launcher/security/advisories/GHSA-66q9-2rvx-qfj5"
},
{
"type": "FIX",
"url": "https://github.com/kolide/launcher/pull/1510"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3308",
"review_status": "UNREVIEWED"
}
}
65 changes: 65 additions & 0 deletions data/osv/GO-2024-3310.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-3310",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-54132",
"GHSA-2m9h-r57g-45pj"
],
"summary": "Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability in github.com/cli/cli",
"details": "Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability in github.com/cli/cli",
"affected": [
{
"package": {
"name": "github.com/cli/cli",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/cli/cli/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.63.1"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj"
},
{
"type": "FIX",
"url": "https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3310",
"review_status": "UNREVIEWED"
}
}
25 changes: 25 additions & 0 deletions data/reports/GO-2024-3292.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
id: GO-2024-3292
modules:
- module: github.com/cri-o/cri-o
versions:
- fixed: 1.29.11
- introduced: 1.30.0
- fixed: 1.30.8
- introduced: 1.31.0
- fixed: 1.31.3
vulnerable_at: 1.31.2
summary: 'CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o'
cves:
- CVE-2024-8676
ghsas:
- GHSA-7p9f-6x8j-gxxp
references:
- advisory: https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8676
- fix: https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7
- web: https://access.redhat.com/security/cve/CVE-2024-8676
- web: https://bugzilla.redhat.com/show_bug.cgi?id=2313842
source:
id: GHSA-7p9f-6x8j-gxxp
created: 2024-12-04T11:10:38.049589-05:00
review_status: UNREVIEWED
Loading

0 comments on commit 9d72e77

Please sign in to comment.