data/reports: add 4 unreviewed reports

tatianab · gopherbot · commit 64cbf39ff04e · 2024-11-06T17:21:43.000Z
- data/reports/GO-2024-3251.yaml - data/reports/GO-2024-3252.yaml - data/reports/GO-2024-3253.yaml - data/reports/GO-2024-3254.yaml Fixes #3251 Fixes #3252 Fixes #3253 Fixes #3254 Change-Id: Ib263e13922d9ade0f30629b7f9a902de630fb2bc Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/625955 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-3251.json b/data/osv/GO-2024-3251.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3251",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-10389",
+    "GHSA-q3rp-vvm7-j8jg"
+  ],
+  "summary": "Safearchive Path Traversal vulnerability in github.com/google/safearchive",
+  "details": "Safearchive Path Traversal vulnerability in github.com/google/safearchive",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/google/safearchive",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20241025131057-f7ce9d7b6f9c"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-q3rp-vvm7-j8jg"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10389"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/google/safearchive/commit/f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3251",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-3252.json b/data/osv/GO-2024-3252.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3252",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-51746",
+    "GHSA-8pmp-678w-c8xx"
+  ],
+  "summary": "gitsign may use incorrect Rekor entries during verification in github.com/sigstore/gitsign",
+  "details": "gitsign may use incorrect Rekor entries during verification in github.com/sigstore/gitsign",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/sigstore/gitsign",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.11.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51746"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3252",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-3253.json b/data/osv/GO-2024-3253.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3253",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-48057",
+    "GHSA-ghx4-cgxw-7h9p"
+  ],
+  "summary": "LocalAI Cross-site Scripting vulnerability in github.com/mudler/LocalAI",
+  "details": "LocalAI Cross-site Scripting vulnerability in github.com/mudler/LocalAI",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mudler/LocalAI",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-ghx4-cgxw-7h9p"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48057"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/AfterSnows/1bd7ee5a3a42dbb5f5ff67f7f9c8ccec"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mudler/LocalAI/blob/master/core/http/views/index.html#L75"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rumbling-slice-eb0.notion.site/LocalAI-deleted-model-with-storage-XSS-CSRF-vulnerability-in-mudler-localai-101e3cda9e8c80e0ac12fe418d5dd982?pvs=4"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3253",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-3254.json b/data/osv/GO-2024-3254.json
@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3254",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-51735",
+    "GHSA-wvv7-wm5v-w2gv"
+  ],
+  "summary": "Osmedeus Web Server Vulnerable to Stored XSS, Leading to RCE in github.com/j3ssie/osmedeus",
+  "details": "Osmedeus Web Server Vulnerable to Stored XSS, Leading to RCE in github.com/j3ssie/osmedeus",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/j3ssie/osmedeus",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/j3ssie/osmedeus/security/advisories/GHSA-wvv7-wm5v-w2gv"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51735"
+    },
+    {
+      "type": "WEB",
+      "url": "https://drive.google.com/file/d/1u-YowfzFV1tUqLaZk4s4Y1DykFhJZ8gR/view?usp=sharing"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3254",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/reports/GO-2024-3251.yaml b/data/reports/GO-2024-3251.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3251
+modules:
+    - module: github.com/google/safearchive
+      versions:
+        - fixed: 0.0.0-20241025131057-f7ce9d7b6f9c
+summary: Safearchive Path Traversal vulnerability in github.com/google/safearchive
+cves:
+    - CVE-2024-10389
+ghsas:
+    - GHSA-q3rp-vvm7-j8jg
+references:
+    - advisory: https://github.com/advisories/GHSA-q3rp-vvm7-j8jg
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-10389
+    - fix: https://github.com/google/safearchive/commit/f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc
+notes:
+    - fix: 'github.com/google/safearchive: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+    id: GHSA-q3rp-vvm7-j8jg
+    created: 2024-11-06T11:55:09.66027-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3252.yaml b/data/reports/GO-2024-3252.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-3252
+modules:
+    - module: github.com/sigstore/gitsign
+      versions:
+        - fixed: 0.11.0
+      vulnerable_at: 0.10.2
+summary: gitsign may use incorrect Rekor entries during verification in github.com/sigstore/gitsign
+cves:
+    - CVE-2024-51746
+ghsas:
+    - GHSA-8pmp-678w-c8xx
+references:
+    - advisory: https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-51746
+source:
+    id: GHSA-8pmp-678w-c8xx
+    created: 2024-11-06T11:55:06.276361-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3253.yaml b/data/reports/GO-2024-3253.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3253
+modules:
+    - module: github.com/mudler/LocalAI
+      unsupported_versions:
+        - last_affected: 2.20.1
+      vulnerable_at: 1.40.0
+summary: LocalAI Cross-site Scripting vulnerability in github.com/mudler/LocalAI
+cves:
+    - CVE-2024-48057
+ghsas:
+    - GHSA-ghx4-cgxw-7h9p
+references:
+    - advisory: https://github.com/advisories/GHSA-ghx4-cgxw-7h9p
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-48057
+    - web: https://gist.github.com/AfterSnows/1bd7ee5a3a42dbb5f5ff67f7f9c8ccec
+    - web: https://github.com/mudler/LocalAI/blob/master/core/http/views/index.html#L75
+    - web: https://rumbling-slice-eb0.notion.site/LocalAI-deleted-model-with-storage-XSS-CSRF-vulnerability-in-mudler-localai-101e3cda9e8c80e0ac12fe418d5dd982?pvs=4
+source:
+    id: GHSA-ghx4-cgxw-7h9p
+    created: 2024-11-06T11:54:56.535401-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3254.yaml b/data/reports/GO-2024-3254.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-3254
+modules:
+    - module: github.com/j3ssie/osmedeus
+      unsupported_versions:
+        - last_affected: 4.6.4
+      vulnerable_at: 0.0.0-20240404115937-815c261d44f6
+summary: Osmedeus Web Server Vulnerable to Stored XSS, Leading to RCE in github.com/j3ssie/osmedeus
+cves:
+    - CVE-2024-51735
+ghsas:
+    - GHSA-wvv7-wm5v-w2gv
+references:
+    - advisory: https://github.com/j3ssie/osmedeus/security/advisories/GHSA-wvv7-wm5v-w2gv
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-51735
+    - web: https://drive.google.com/file/d/1u-YowfzFV1tUqLaZk4s4Y1DykFhJZ8gR/view?usp=sharing
+source:
+    id: GHSA-wvv7-wm5v-w2gv
+    created: 2024-11-06T11:54:48.127027-05:00
+review_status: UNREVIEWED
