data/reports: add 44 unreviewed reports

  - data/reports/GO-2024-2576.yaml
  - data/reports/GO-2024-2695.yaml
  - data/reports/GO-2024-2737.yaml
  - data/reports/GO-2024-2795.yaml
  - data/reports/GO-2024-2799.yaml
  - data/reports/GO-2024-2715.yaml
  - data/reports/GO-2024-2798.yaml
  - data/reports/GO-2024-2793.yaml
  - data/reports/GO-2024-2705.yaml
  - data/reports/GO-2024-2808.yaml
  - data/reports/GO-2024-2875.yaml
  - data/reports/GO-2024-2635.yaml
  - data/reports/GO-2024-2707.yaml
  - data/reports/GO-2024-2797.yaml
  - data/reports/GO-2024-2726.yaml
  - data/reports/GO-2024-2650.yaml
  - data/reports/GO-2024-2698.yaml
  - data/reports/GO-2024-2760.yaml
  - data/reports/GO-2024-2788.yaml
  - data/reports/GO-2024-2629.yaml
  - data/reports/GO-2024-2771.yaml
  - data/reports/GO-2024-2794.yaml
  - data/reports/GO-2024-2637.yaml
  - data/reports/GO-2024-2734.yaml
  - data/reports/GO-2024-2764.yaml
  - data/reports/GO-2024-2762.yaml
  - data/reports/GO-2024-2566.yaml
  - data/reports/GO-2024-2789.yaml
  - data/reports/GO-2024-2664.yaml
  - data/reports/GO-2024-2688.yaml
  - data/reports/GO-2024-2697.yaml
  - data/reports/GO-2024-2719.yaml
  - data/reports/GO-2024-2718.yaml
  - data/reports/GO-2024-2468.yaml
  - data/reports/GO-2024-2717.yaml
  - data/reports/GO-2024-2761.yaml
  - data/reports/GO-2024-2796.yaml
  - data/reports/GO-2024-2706.yaml
  - data/reports/GO-2024-2722.yaml
  - data/reports/GO-2024-2665.yaml
  - data/reports/GO-2024-2750.yaml
  - data/reports/GO-2024-2809.yaml
  - data/reports/GO-2024-2696.yaml
  - data/reports/GO-2024-2732.yaml

Fixes #2576
Fixes #2695
Fixes #2737
Fixes #2795
Fixes #2799
Fixes #2715
Fixes #2798
Fixes #2793
Fixes #2705
Fixes #2808
Fixes #2875
Fixes #2635
Fixes #2707
Fixes #2797
Fixes #2726
Fixes #2650
Fixes #2698
Fixes #2760
Fixes #2788
Fixes #2629
Fixes #2771
Fixes #2794
Fixes #2637
Fixes #2734
Fixes #2764
Fixes #2762
Fixes #2566
Fixes #2789
Fixes #2664
Fixes #2688
Fixes #2697
Fixes #2719
Fixes #2718
Fixes #2468
Fixes #2717
Fixes #2761
Fixes #2796
Fixes #2706
Fixes #2722
Fixes #2665
Fixes #2750
Fixes #2809
Fixes #2696
Fixes #2732

Change-Id: I8f664cb56ccc1fbce1437179178f78fa3825a1c5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590278
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Author: tatianab

data/osv/GO-2024-2468.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2468",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-3328",
+    "GHSA-cjqf-877p-7m3f"
+  ],
+  "summary": "snapd Race Condition vulnerability in github.com/snapcore/snapd",
+  "details": "snapd Race Condition vulnerability in github.com/snapcore/snapd",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/snapcore/snapd",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3328"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-cjqf-877p-7m3f"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3328"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/snapcore/snapd/commit/21ebc51f00b8a1417888faa2e83a372fd29d0f5e"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/snapcore/snapd/commit/6226cdc57052f4b7057d92f2e549aa169e35cd2d"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/snapcore/snapd/pull/12380"
+    },
+    {
+      "type": "WEB",
+      "url": "https://ubuntu.com/security/notices/USN-5753-1"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2468",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-2566.json

@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2566",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-24776",
+    "GHSA-r833-w756-h5p2"
+  ],
+  "summary": "Mattermost fails to check the required permissions in github.com/mattermost/mattermost/server/v8",
+  "details": "Mattermost fails to check the required permissions in github.com/mattermost/mattermost/server/v8",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost/server/v8",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-r833-w756-h5p2"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24776"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2566",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-2576.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2576",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-1485",
+    "GHSA-84xv-jfrm-h4gm"
+  ],
+  "summary": "registry-support: decompress can delete files outside scope via relative paths in github.com/devfile/registry-support/registry-library",
+  "details": "registry-support: decompress can delete files outside scope via relative paths in github.com/devfile/registry-support/registry-library",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/devfile/registry-support/registry-library",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-84xv-jfrm-h4gm"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1485"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2024-1485"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264106"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/devfile/registry-support/commit/0e44b9ca6d03fac4fc3f77d37656d56dc5defe0d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/devfile/registry-support/pull/197"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2576",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-2629.json

@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2629",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-1442",
+    "GHSA-5mxf-42f5-j782"
+  ],
+  "summary": "Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana",
+  "details": "Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/grafana/grafana",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-5mxf-42f5-j782"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1442"
+    },
+    {
+      "type": "WEB",
+      "url": "https://grafana.com/security/security-advisories/cve-2024-1442"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2629",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-2635.json

@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2635",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-1952",
+    "GHSA-r4fm-g65h-cr54"
+  ],
+  "summary": "Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost/server/v8",
+  "details": "Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost/server/v8",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost/server/v8",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-r4fm-g65h-cr54"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1952"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2635",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-2637.json

@@ -0,0 +1,53 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2637",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-28197",
+    "GHSA-mq4x-r2w3-j7mr"
+  ],
+  "summary": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel",
+  "details": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/zitadel/zitadel",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28197"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/zitadel/zitadel/commit/d4c553b75a214e41299af010ef4b26174a0f802c"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/zitadel/zitadel/commit/e82cb51eb819c6cdba8123c9c34c5739b46b29eb"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2637",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-2650.json

@@ -0,0 +1,47 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2650",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-v8mx-hp2q-gw85"
+  ],
+  "summary": "Golang SDK for Vela Insecure Variable Substitution in github.com/go-vela/sdk-go",
+  "details": "Golang SDK for Vela Insecure Variable Substitution in github.com/go-vela/sdk-go",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/go-vela/sdk-go",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.23.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/go-vela/sdk-go/security/advisories/GHSA-v8mx-hp2q-gw85"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/go-vela/sdk-go/commit/e3a34719badf37928e60f4402abe51f8b50055e1"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2650",
+    "review_status": "UNREVIEWED"
+  }
+}