diff --git a/data/osv/GO-2024-2920.json b/data/osv/GO-2024-2920.json
new file mode 100644
index 0000000..e13ad62
--- /dev/null
+++ b/data/osv/GO-2024-2920.json
@@ -0,0 +1,101 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2920",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-49559",
+ "GHSA-2hmf-46v7-v6fx"
+ ],
+ "summary": "Denial of service vulnerability via the parseDirectives function in github.com/vektah/gqlparser",
+ "details": "An issue in vektah gqlparser open-source-library allows a remote attacker to cause a denial of service via a crafted script to the parseDirectives function.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/vektah/gqlparser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/vektah/gqlparser/parser",
+ "symbols": [
+ "ParseQuery",
+ "ParseSchema",
+ "ParseSchemas",
+ "parser.parseDirectives"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/vektah/gqlparser/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.5.14"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/vektah/gqlparser/v2/parser",
+ "symbols": [
+ "ParseQuery",
+ "ParseSchema",
+ "ParseSchemas",
+ "parser.parseDirectives"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-2hmf-46v7-v6fx"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/vektah/gqlparser/commit/36a3658873bf5a107f42488dfc392949cdd02977"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/uvzz/d3ed9d4532be16ec1040a2cf3dfec8d1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/99designs/gqlgen/issues/3118"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/vektah/gqlparser/blob/master/parser/query.go#L316"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2920",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2921.json b/data/osv/GO-2024-2921.json
new file mode 100644
index 0000000..73a5a02
--- /dev/null
+++ b/data/osv/GO-2024-2921.json
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2921",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-5798",
+ "GHSA-32cj-5wx4-gq8p"
+ ],
+ "summary": "HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault",
+ "details": "HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/vault",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.11.0"
+ },
+ {
+ "fixed": "1.16.3"
+ },
+ {
+ "introduced": "1.17.0-rc1"
+ },
+ {
+ "fixed": "1.17.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-32cj-5wx4-gq8p"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5798"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2921",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2930.json b/data/osv/GO-2024-2930.json
new file mode 100644
index 0000000..95dbfc8
--- /dev/null
+++ b/data/osv/GO-2024-2930.json
@@ -0,0 +1,127 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2930",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-32191",
+ "GHSA-6gr4-52w6-vmqx"
+ ],
+ "summary": "RKE credentials are stored in the RKE1 Cluster state ConfigMap in github.com/rancher/rke",
+ "details": "When RKE provisions a cluster, it stores the cluster state in a configmap called \"full-cluster-state\" inside the \"kube-system\" namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include sensitive data.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/rancher/rke",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.4.18"
+ },
+ {
+ "fixed": "1.4.19"
+ },
+ {
+ "introduced": "1.5.9"
+ },
+ {
+ "fixed": "1.5.10"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/rancher/rke/k8s",
+ "symbols": [
+ "GetSecret",
+ "GetSecretsList",
+ "GetSystemSecret",
+ "UpdateSecret"
+ ]
+ },
+ {
+ "path": "github.com/rancher/rke/cluster",
+ "symbols": [
+ "Cluster.CheckClusterPorts",
+ "Cluster.CleanDeadLogs",
+ "Cluster.CleanupNodes",
+ "Cluster.ClusterRemove",
+ "Cluster.DeployControlPlane",
+ "Cluster.DeployRestoreCerts",
+ "Cluster.DeployStateFile",
+ "Cluster.DeployWorkerPlane",
+ "Cluster.DisableSecretsEncryption",
+ "Cluster.GetStateFileFromConfigMap",
+ "Cluster.PrePullK8sImages",
+ "Cluster.ReconcileDesiredStateEncryptionConfig",
+ "Cluster.RewriteSecrets",
+ "Cluster.RotateEncryptionKey",
+ "Cluster.RunSELinuxCheck",
+ "Cluster.SetUpHosts",
+ "Cluster.StoreAddonConfigMap",
+ "Cluster.SyncLabelsAndTaints",
+ "Cluster.TunnelHosts",
+ "Cluster.UpdateClusterCurrentState",
+ "Cluster.UpgradeControlPlane",
+ "Cluster.UpgradeWorkerPlane",
+ "ConfigureCluster",
+ "FullState.WriteStateFile",
+ "GetClusterCertsFromKubernetes",
+ "GetK8sVersion",
+ "GetStateFromKubernetes",
+ "ReadStateFile",
+ "RebuildKubeconfig",
+ "RebuildState",
+ "ReconcileCluster",
+ "ReconcileEncryptionProviderConfig",
+ "RestartClusterPods",
+ "SaveFullStateToKubernetes",
+ "buildFreshState"
+ ]
+ },
+ {
+ "path": "github.com/rancher/rke/cmd",
+ "symbols": [
+ "ClusterInit",
+ "ClusterRemove",
+ "ClusterUp",
+ "RestoreEtcdSnapshot",
+ "RestoreEtcdSnapshotFromCli",
+ "RetrieveClusterStateConfigMap",
+ "RotateEncryptionKey",
+ "SnapshotRemoveFromEtcdHosts",
+ "SnapshotSaveEtcdHosts",
+ "SnapshotSaveEtcdHostsFromCli",
+ "getStateFile",
+ "saveClusterState"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/rancher/rke/commit/cf49199481a1891909acb1384eed73a5c987d5bd"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/rancher/rke/commit/f7485b8dce376db0fc15a7c3ceb3de7029c8d0cf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2930",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2936.json b/data/osv/GO-2024-2936.json
new file mode 100644
index 0000000..d3f56d8
--- /dev/null
+++ b/data/osv/GO-2024-2936.json
@@ -0,0 +1,237 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2936",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-38351",
+ "GHSA-m93w-4fxv-r35v"
+ ],
+ "summary": "PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase",
+ "details": "PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/pocketbase/pocketbase",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.22.14"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/pocketbase/pocketbase/apis",
+ "symbols": [
+ "EnrichRecord",
+ "EnrichRecords",
+ "RecordAuthResponse",
+ "Serve",
+ "recordAuthApi.authWithOAuth2",
+ "recordAuthApi.authWithPassword"
+ ]
+ },
+ {
+ "path": "github.com/pocketbase/pocketbase/models",
+ "symbols": [
+ "NewRecordFromNullStringMap",
+ "NewRecordsFromNullStringMaps",
+ "Record.CleanCopy",
+ "Record.ColumnValueMap",
+ "Record.Email",
+ "Record.EmailVisibility",
+ "Record.FindFileFieldByFile",
+ "Record.Get",
+ "Record.GetBool",
+ "Record.GetDateTime",
+ "Record.GetFloat",
+ "Record.GetInt",
+ "Record.GetString",
+ "Record.GetStringSlice",
+ "Record.GetTime",
+ "Record.LastResetSentAt",
+ "Record.LastVerificationSentAt",
+ "Record.Load",
+ "Record.MarshalJSON",
+ "Record.OriginalCopy",
+ "Record.PasswordHash",
+ "Record.PublicExport",
+ "Record.RefreshTokenKey",
+ "Record.ReplaceModifers",
+ "Record.Set",
+ "Record.SetEmail",
+ "Record.SetEmailVisibility",
+ "Record.SetLastResetSentAt",
+ "Record.SetLastVerificationSentAt",
+ "Record.SetPassword",
+ "Record.SetTokenKey",
+ "Record.SetUsername",
+ "Record.SetVerified",
+ "Record.TokenKey",
+ "Record.UnknownData",
+ "Record.UnmarshalJSON",
+ "Record.UnmarshalJSONField",
+ "Record.Username",
+ "Record.ValidatePassword",
+ "Record.Verified",
+ "Record.getNormalizeDataValueForDB"
+ ]
+ },
+ {
+ "path": "github.com/pocketbase/pocketbase/models/schema",
+ "symbols": [
+ "AuthFieldNames"
+ ]
+ },
+ {
+ "path": "github.com/pocketbase/pocketbase/daos",
+ "symbols": [
+ "Dao.CanAccessRecord",
+ "Dao.CreateViewSchema",
+ "Dao.Delete",
+ "Dao.DeleteAdmin",
+ "Dao.DeleteCollection",
+ "Dao.DeleteExternalAuth",
+ "Dao.DeleteOldLogs",
+ "Dao.DeleteParam",
+ "Dao.DeleteRecord",
+ "Dao.DeleteTable",
+ "Dao.DeleteView",
+ "Dao.ExpandRecord",
+ "Dao.ExpandRecords",
+ "Dao.FindAdminByEmail",
+ "Dao.FindAdminById",
+ "Dao.FindAdminByToken",
+ "Dao.FindAllExternalAuthsByRecord",
+ "Dao.FindAuthRecordByEmail",
+ "Dao.FindAuthRecordByToken",
+ "Dao.FindAuthRecordByUsername",
+ "Dao.FindById",
+ "Dao.FindCollectionByNameOrId",
+ "Dao.FindCollectionReferences",
+ "Dao.FindCollectionsByType",
+ "Dao.FindExternalAuthByRecordAndProvider",
+ "Dao.FindFirstExternalAuthByExpr",
+ "Dao.FindFirstRecordByData",
+ "Dao.FindFirstRecordByFilter",
+ "Dao.FindLogById",
+ "Dao.FindParamByKey",
+ "Dao.FindRecordById",
+ "Dao.FindRecordByViewFile",
+ "Dao.FindRecordsByExpr",
+ "Dao.FindRecordsByFilter",
+ "Dao.FindRecordsByIds",
+ "Dao.FindSettings",
+ "Dao.HasTable",
+ "Dao.ImportCollections",
+ "Dao.IsAdminEmailUnique",
+ "Dao.IsCollectionNameUnique",
+ "Dao.IsRecordValueUnique",
+ "Dao.LogsStats",
+ "Dao.RecordQuery",
+ "Dao.RunInTransaction",
+ "Dao.Save",
+ "Dao.SaveAdmin",
+ "Dao.SaveCollection",
+ "Dao.SaveExternalAuth",
+ "Dao.SaveLog",
+ "Dao.SaveParam",
+ "Dao.SaveRecord",
+ "Dao.SaveSettings",
+ "Dao.SaveView",
+ "Dao.SuggestUniqueAuthRecordUsername",
+ "Dao.SyncRecordTableSchema",
+ "Dao.TableColumns",
+ "Dao.TableIndexes",
+ "Dao.TableInfo",
+ "Dao.TotalAdmins",
+ "Dao.Vacuum"
+ ]
+ },
+ {
+ "path": "github.com/pocketbase/pocketbase/forms",
+ "symbols": [
+ "AdminLogin.Submit",
+ "AdminLogin.Validate",
+ "AdminPasswordResetConfirm.Submit",
+ "AdminPasswordResetConfirm.Validate",
+ "AdminPasswordResetRequest.Submit",
+ "AdminPasswordResetRequest.Validate",
+ "AdminUpsert.Submit",
+ "AdminUpsert.Validate",
+ "AppleClientSecretCreate.Submit",
+ "AppleClientSecretCreate.Validate",
+ "BackupCreate.Submit",
+ "BackupCreate.Validate",
+ "BackupUpload.Submit",
+ "BackupUpload.Validate",
+ "CollectionUpsert.Submit",
+ "CollectionUpsert.Validate",
+ "CollectionsImport.Submit",
+ "CollectionsImport.Validate",
+ "NewRecordUpsert",
+ "RealtimeSubscribe.Validate",
+ "RecordEmailChangeConfirm.Submit",
+ "RecordEmailChangeConfirm.Validate",
+ "RecordEmailChangeRequest.Submit",
+ "RecordEmailChangeRequest.Validate",
+ "RecordOAuth2Login.Submit",
+ "RecordOAuth2Login.Validate",
+ "RecordOAuth2Login.submit",
+ "RecordPasswordLogin.Submit",
+ "RecordPasswordLogin.Validate",
+ "RecordPasswordResetConfirm.Submit",
+ "RecordPasswordResetConfirm.Validate",
+ "RecordPasswordResetRequest.Submit",
+ "RecordPasswordResetRequest.Validate",
+ "RecordUpsert.DrySubmit",
+ "RecordUpsert.LoadData",
+ "RecordUpsert.LoadRequest",
+ "RecordUpsert.Submit",
+ "RecordUpsert.Validate",
+ "RecordUpsert.ValidateAndFill",
+ "RecordVerificationConfirm.Submit",
+ "RecordVerificationConfirm.Validate",
+ "RecordVerificationRequest.Submit",
+ "RecordVerificationRequest.Validate",
+ "SettingsUpsert.Submit",
+ "SettingsUpsert.Validate",
+ "TestEmailSend.Submit",
+ "TestEmailSend.Validate",
+ "TestS3Filesystem.Submit",
+ "TestS3Filesystem.Validate"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/pocketbase/pocketbase/commit/58ace5d5e7b9b979490019cf8d1b88491e5daec5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pocketbase/pocketbase/discussions/4355"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2936",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2943.json b/data/osv/GO-2024-2943.json
new file mode 100644
index 0000000..18cb3c7
--- /dev/null
+++ b/data/osv/GO-2024-2943.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2943",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-38359",
+ "GHSA-9gxx-58q6-42p7"
+ ],
+ "summary": "Lightning Network Daemon (LND)'s onion processing logic leads to a denial of service in github.com/lightningnetwork/lnd",
+ "details": "Lightning Network Daemon (LND)'s onion processing logic leads to a denial of service in github.com/lightningnetwork/lnd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/lightningnetwork/lnd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.17.0-beta"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38359"
+ },
+ {
+ "type": "WEB",
+ "url": "https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lightning.network"
+ },
+ {
+ "type": "WEB",
+ "url": "https://morehouse.github.io/lightning/lnd-onion-bomb"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2943",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2920.yaml b/data/reports/GO-2024-2920.yaml
new file mode 100644
index 0000000..bfe4767
--- /dev/null
+++ b/data/reports/GO-2024-2920.yaml
@@ -0,0 +1,50 @@
+id: GO-2024-2920
+modules:
+ - module: github.com/vektah/gqlparser
+ vulnerable_at: 1.3.1
+ packages:
+ - package: github.com/vektah/gqlparser/parser
+ symbols:
+ - parser.parseDirectives
+ derived_symbols:
+ - ParseQuery
+ - ParseSchema
+ - ParseSchemas
+ - module: github.com/vektah/gqlparser/v2
+ versions:
+ - fixed: 2.5.14
+ vulnerable_at: 2.5.13
+ packages:
+ - package: github.com/vektah/gqlparser/v2/parser
+ symbols:
+ - parser.parseDirectives
+ derived_symbols:
+ - ParseQuery
+ - ParseSchema
+ - ParseSchemas
+summary: Denial of service vulnerability via the parseDirectives function in github.com/vektah/gqlparser
+description: |-
+ An issue in vektah gqlparser open-source-library allows a remote
+ attacker to cause a denial of service via a crafted script to the
+ parseDirectives function.
+cves:
+ - CVE-2023-49559
+ghsas:
+ - GHSA-2hmf-46v7-v6fx
+unknown_aliases:
+ - CGA-28jv-3vhj-mh4f
+ - CGA-f2h6-vhfv-9wfh
+ - CGA-pq49-565p-4jxc
+ - CGA-qxv7-23p6-xhwj
+ - CGA-r238-8h2v-2g64
+ - CGA-vq2h-9hfx-rqr4
+references:
+ - advisory: https://github.com/advisories/GHSA-2hmf-46v7-v6fx
+ - fix: https://github.com/vektah/gqlparser/commit/36a3658873bf5a107f42488dfc392949cdd02977
+ - web: https://gist.github.com/uvzz/d3ed9d4532be16ec1040a2cf3dfec8d1
+ - web: https://github.com/99designs/gqlgen/issues/3118
+ - web: https://github.com/vektah/gqlparser/blob/master/parser/query.go#L316
+source:
+ id: GHSA-2hmf-46v7-v6fx
+ created: 2024-07-01T13:30:21.392218-04:00
+review_status: REVIEWED
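Review bot: The `web` reference at L674 links to `parser/query.go#L316` on `master`, so the line anchor will point at unrelated code as soon as that file changes; pin it to a commit SHA instead (the fix commit `36a3658873bf5a107f42488dfc392949cdd02977` is already cited at L671, and its parent would show the pre-fix line). The v1 module entry at L631 also deserves a `notes:` line: it carries no `versions`, which the generated OSV renders as introduced `0` with no fix, i.e. every github.com/vektah/gqlparser v1 release is flagged indefinitely. If that is intentional, a note such as `- no fixed version exists for the v1 module; only v2 received the fix` records it as a decision rather than an omission.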
diff --git a/data/reports/GO-2024-2921.yaml b/data/reports/GO-2024-2921.yaml
new file mode 100644
index 0000000..5d8edde
--- /dev/null
+++ b/data/reports/GO-2024-2921.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2921
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 0.11.0
+ - fixed: 1.16.3
+ - introduced: 1.17.0-rc1
+ - fixed: 1.17.0
+ non_go_versions:
+ - fixed: 1.15.9
+ vulnerable_at: 1.17.0-rc1
+summary: |-
+ HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in
+ github.com/hashicorp/vault
+cves:
+ - CVE-2024-5798
+ghsas:
+ - GHSA-32cj-5wx4-gq8p
+unknown_aliases:
+ - BIT-vault-2024-5798
+references:
+ - advisory: https://github.com/advisories/GHSA-32cj-5wx4-gq8p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-5798
+ - web: https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770
+notes:
+ - manually removed 'introduced: 1.16.0-rc1' to fix overlapping versions
+source:
+ id: GHSA-32cj-5wx4-gq8p
+ created: 2024-07-01T13:30:14.94375-04:00
+review_status: UNREVIEWED
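Review bot: The single Go range `introduced: 0.11.0` / `fixed: 1.16.3` at L689-L690 also covers 1.15.9 (and any later 1.15.x), which `non_go_versions` at L694 records as fixed, so govulncheck will report those releases as vulnerable even though the vendor advisory says they are patched. The `notes:` entry at L710 explains the removed `1.16.0-rc1` but not why the 1.15.9 fix had to move out of `versions`; presumably that tag does not resolve as a Go module version. A second note line, e.g. `- 1.15.9 is patched per HCSEC-2024-11 but is not a resolvable module version, so 1.15.x cannot be carved out of the range`, would document the known false positive for anyone who later tries to "fix" the ranges.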
diff --git a/data/reports/GO-2024-2930.yaml b/data/reports/GO-2024-2930.yaml
new file mode 100644
index 0000000..be3dcdd
--- /dev/null
+++ b/data/reports/GO-2024-2930.yaml
@@ -0,0 +1,87 @@
+id: GO-2024-2930
+modules:
+ - module: github.com/rancher/rke
+ versions:
+ - introduced: 1.4.18
+ - fixed: 1.4.19
+ - introduced: 1.5.9
+ - fixed: 1.5.10
+ vulnerable_at: 1.5.10-rc.1
+ packages:
+ - package: github.com/rancher/rke/k8s
+ symbols:
+ - UpdateSecret
+ - GetSecretsList
+ - GetSecret
+ - GetSystemSecret
+ - package: github.com/rancher/rke/cluster
+ symbols:
+ - SaveFullStateToKubernetes
+ - RebuildState
+ - GetK8sVersion
+ - Cluster.GetStateFileFromConfigMap
+ - Cluster.StoreAddonConfigMap
+ - FullState.WriteStateFile
+ - buildFreshState
+ - ReadStateFile
+ - GetStateFromKubernetes
+ derived_symbols:
+ - Cluster.CheckClusterPorts
+ - Cluster.CleanDeadLogs
+ - Cluster.CleanupNodes
+ - Cluster.ClusterRemove
+ - Cluster.DeployControlPlane
+ - Cluster.DeployRestoreCerts
+ - Cluster.DeployStateFile
+ - Cluster.DeployWorkerPlane
+ - Cluster.DisableSecretsEncryption
+ - Cluster.PrePullK8sImages
+ - Cluster.ReconcileDesiredStateEncryptionConfig
+ - Cluster.RewriteSecrets
+ - Cluster.RotateEncryptionKey
+ - Cluster.RunSELinuxCheck
+ - Cluster.SetUpHosts
+ - Cluster.SyncLabelsAndTaints
+ - Cluster.TunnelHosts
+ - Cluster.UpdateClusterCurrentState
+ - Cluster.UpgradeControlPlane
+ - Cluster.UpgradeWorkerPlane
+ - ConfigureCluster
+ - GetClusterCertsFromKubernetes
+ - RebuildKubeconfig
+ - ReconcileCluster
+ - ReconcileEncryptionProviderConfig
+ - RestartClusterPods
+ - package: github.com/rancher/rke/cmd
+ symbols:
+ - ClusterUp
+ - getStateFile
+ - saveClusterState
+ derived_symbols:
+ - ClusterInit
+ - ClusterRemove
+ - RestoreEtcdSnapshot
+ - RestoreEtcdSnapshotFromCli
+ - RetrieveClusterStateConfigMap
+ - RotateEncryptionKey
+ - SnapshotRemoveFromEtcdHosts
+ - SnapshotSaveEtcdHosts
+ - SnapshotSaveEtcdHostsFromCli
+summary: RKE credentials are stored in the RKE1 Cluster state ConfigMap in github.com/rancher/rke
+description: |-
+ When RKE provisions a cluster, it stores the cluster state in a configmap called
+ "full-cluster-state" inside the "kube-system" namespace of the cluster itself.
+ This cluster state object contains information used to set up the K8s cluster,
+ which may include sensitive data.
+cves:
+ - CVE-2023-32191
+ghsas:
+ - GHSA-6gr4-52w6-vmqx
+references:
+ - advisory: https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx
+ - fix: https://github.com/rancher/rke/commit/cf49199481a1891909acb1384eed73a5c987d5bd
+ - fix: https://github.com/rancher/rke/commit/f7485b8dce376db0fc15a7c3ceb3de7029c8d0cf
+source:
+ id: GHSA-6gr4-52w6-vmqx
+ created: 2024-07-01T13:30:12.796528-04:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-2936.yaml b/data/reports/GO-2024-2936.yaml
new file mode 100644
index 0000000..ad3e36c
--- /dev/null
+++ b/data/reports/GO-2024-2936.yaml
@@ -0,0 +1,191 @@
+id: GO-2024-2936
+modules:
+ - module: github.com/pocketbase/pocketbase
+ versions:
+ - fixed: 0.22.14
+ vulnerable_at: 0.22.14-rc
+ packages:
+ - package: github.com/pocketbase/pocketbase/apis
+ symbols:
+ - RecordAuthResponse
+ - recordAuthApi.authWithPassword
+ - recordAuthApi.authWithOAuth2
+ derived_symbols:
+ - EnrichRecord
+ - EnrichRecords
+ - Serve
+ - package: github.com/pocketbase/pocketbase/models
+ symbols:
+ - Record.getNormalizeDataValueForDB
+ - Record.Get
+ - Record.Set
+ derived_symbols:
+ - NewRecordFromNullStringMap
+ - NewRecordsFromNullStringMaps
+ - Record.CleanCopy
+ - Record.ColumnValueMap
+ - Record.Email
+ - Record.EmailVisibility
+ - Record.FindFileFieldByFile
+ - Record.GetBool
+ - Record.GetDateTime
+ - Record.GetFloat
+ - Record.GetInt
+ - Record.GetString
+ - Record.GetStringSlice
+ - Record.GetTime
+ - Record.LastResetSentAt
+ - Record.LastVerificationSentAt
+ - Record.Load
+ - Record.MarshalJSON
+ - Record.OriginalCopy
+ - Record.PasswordHash
+ - Record.PublicExport
+ - Record.RefreshTokenKey
+ - Record.ReplaceModifers
+ - Record.SetEmail
+ - Record.SetEmailVisibility
+ - Record.SetLastResetSentAt
+ - Record.SetLastVerificationSentAt
+ - Record.SetPassword
+ - Record.SetTokenKey
+ - Record.SetUsername
+ - Record.SetVerified
+ - Record.TokenKey
+ - Record.UnknownData
+ - Record.UnmarshalJSON
+ - Record.UnmarshalJSONField
+ - Record.Username
+ - Record.ValidatePassword
+ - Record.Verified
+ - package: github.com/pocketbase/pocketbase/models/schema
+ symbols:
+ - AuthFieldNames
+ - package: github.com/pocketbase/pocketbase/daos
+ symbols:
+ - Dao.SyncRecordTableSchema
+ derived_symbols:
+ - Dao.CanAccessRecord
+ - Dao.CreateViewSchema
+ - Dao.Delete
+ - Dao.DeleteAdmin
+ - Dao.DeleteCollection
+ - Dao.DeleteExternalAuth
+ - Dao.DeleteOldLogs
+ - Dao.DeleteParam
+ - Dao.DeleteRecord
+ - Dao.DeleteTable
+ - Dao.DeleteView
+ - Dao.ExpandRecord
+ - Dao.ExpandRecords
+ - Dao.FindAdminByEmail
+ - Dao.FindAdminById
+ - Dao.FindAdminByToken
+ - Dao.FindAllExternalAuthsByRecord
+ - Dao.FindAuthRecordByEmail
+ - Dao.FindAuthRecordByToken
+ - Dao.FindAuthRecordByUsername
+ - Dao.FindById
+ - Dao.FindCollectionByNameOrId
+ - Dao.FindCollectionReferences
+ - Dao.FindCollectionsByType
+ - Dao.FindExternalAuthByRecordAndProvider
+ - Dao.FindFirstExternalAuthByExpr
+ - Dao.FindFirstRecordByData
+ - Dao.FindFirstRecordByFilter
+ - Dao.FindLogById
+ - Dao.FindParamByKey
+ - Dao.FindRecordById
+ - Dao.FindRecordByViewFile
+ - Dao.FindRecordsByExpr
+ - Dao.FindRecordsByFilter
+ - Dao.FindRecordsByIds
+ - Dao.FindSettings
+ - Dao.HasTable
+ - Dao.ImportCollections
+ - Dao.IsAdminEmailUnique
+ - Dao.IsCollectionNameUnique
+ - Dao.IsRecordValueUnique
+ - Dao.LogsStats
+ - Dao.RecordQuery
+ - Dao.RunInTransaction
+ - Dao.Save
+ - Dao.SaveAdmin
+ - Dao.SaveCollection
+ - Dao.SaveExternalAuth
+ - Dao.SaveLog
+ - Dao.SaveParam
+ - Dao.SaveRecord
+ - Dao.SaveSettings
+ - Dao.SaveView
+ - Dao.SuggestUniqueAuthRecordUsername
+ - Dao.TableColumns
+ - Dao.TableIndexes
+ - Dao.TableInfo
+ - Dao.TotalAdmins
+ - Dao.Vacuum
+ - package: github.com/pocketbase/pocketbase/forms
+ symbols:
+ - RecordOAuth2Login.submit
+ derived_symbols:
+ - AdminLogin.Submit
+ - AdminLogin.Validate
+ - AdminPasswordResetConfirm.Submit
+ - AdminPasswordResetConfirm.Validate
+ - AdminPasswordResetRequest.Submit
+ - AdminPasswordResetRequest.Validate
+ - AdminUpsert.Submit
+ - AdminUpsert.Validate
+ - AppleClientSecretCreate.Submit
+ - AppleClientSecretCreate.Validate
+ - BackupCreate.Submit
+ - BackupCreate.Validate
+ - BackupUpload.Submit
+ - BackupUpload.Validate
+ - CollectionUpsert.Submit
+ - CollectionUpsert.Validate
+ - CollectionsImport.Submit
+ - CollectionsImport.Validate
+ - NewRecordUpsert
+ - RealtimeSubscribe.Validate
+ - RecordEmailChangeConfirm.Submit
+ - RecordEmailChangeConfirm.Validate
+ - RecordEmailChangeRequest.Submit
+ - RecordEmailChangeRequest.Validate
+ - RecordOAuth2Login.Submit
+ - RecordOAuth2Login.Validate
+ - RecordPasswordLogin.Submit
+ - RecordPasswordLogin.Validate
+ - RecordPasswordResetConfirm.Submit
+ - RecordPasswordResetConfirm.Validate
+ - RecordPasswordResetRequest.Submit
+ - RecordPasswordResetRequest.Validate
+ - RecordUpsert.DrySubmit
+ - RecordUpsert.LoadData
+ - RecordUpsert.LoadRequest
+ - RecordUpsert.Submit
+ - RecordUpsert.Validate
+ - RecordUpsert.ValidateAndFill
+ - RecordVerificationConfirm.Submit
+ - RecordVerificationConfirm.Validate
+ - RecordVerificationRequest.Submit
+ - RecordVerificationRequest.Validate
+ - SettingsUpsert.Submit
+ - SettingsUpsert.Validate
+ - TestEmailSend.Submit
+ - TestEmailSend.Validate
+ - TestS3Filesystem.Submit
+ - TestS3Filesystem.Validate
+summary: PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase
+cves:
+ - CVE-2024-38351
+ghsas:
+ - GHSA-m93w-4fxv-r35v
+references:
+ - advisory: https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v
+ - fix: https://github.com/pocketbase/pocketbase/commit/58ace5d5e7b9b979490019cf8d1b88491e5daec5
+ - web: https://github.com/pocketbase/pocketbase/discussions/4355
+source:
+ id: GHSA-m93w-4fxv-r35v
+ created: 2024-07-01T13:30:10.970751-04:00
+review_status: REVIEWED
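Review bot: This REVIEWED report has no `description`, unlike GO-2024-2920 and GO-2024-2930 in the same change, so the generated OSV `details` field (L324) just repeats the summary and a reader learns nothing about what the unverified-email OAuth2 linking allows or that 0.22.14 fixes it; a two-sentence `description: |-` block covering those two points would bring it in line with the other reviewed reports. Separately, the `models` symbols at L832-L834 (`Record.Get`, `Record.Set`, `Record.getNormalizeDataValueForDB`) are accessors that practically every PocketBase code path reaches, which is why the derived symbols run all the way to `Dao.Vacuum` and `TestS3Filesystem.Validate` and effectively turn this into a version-only finding. Unless the fix commit at L999 actually changed those accessors, limiting the marked symbols to the `apis` and `forms` entries would keep the call-graph filter meaningful for users.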
diff --git a/data/reports/GO-2024-2943.yaml b/data/reports/GO-2024-2943.yaml
new file mode 100644
index 0000000..fe78a17
--- /dev/null
+++ b/data/reports/GO-2024-2943.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-2943
+modules:
+ - module: github.com/lightningnetwork/lnd
+ versions:
+ - fixed: 0.17.0-beta
+ vulnerable_at: 0.16.4-beta.rc1
+summary: |-
+ Lightning Network Daemon (LND)'s onion processing logic leads to a denial of
+ service in github.com/lightningnetwork/lnd
+cves:
+ - CVE-2024-38359
+ghsas:
+ - GHSA-9gxx-58q6-42p7
+references:
+ - advisory: https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-38359
+ - web: https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979
+ - web: https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta
+ - web: https://lightning.network
+ - web: https://morehouse.github.io/lightning/lnd-onion-bomb
+source:
+ id: GHSA-9gxx-58q6-42p7
+ created: 2024-07-01T14:09:09.810773-04:00
+review_status: UNREVIEWED
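Review bot: The `web` reference `https://lightning.network` at L1029 is the project homepage and carries no advisory content; the GHSA and NVD entries, the release tag and the two write-ups already cover the report, so I would drop that line rather than ship a reference that says nothing about the issue.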