data/excluded,data/reports: add 6 reports

tatianab · tatianab · commit c9ed1ff24bf0 · 2024-07-22T18:24:24.000Z
- data/excluded/GO-2024-2985.yaml - data/excluded/GO-2024-2986.yaml - data/reports/GO-2024-2987.yaml - data/reports/GO-2024-2989.yaml - data/reports/GO-2024-2990.yaml - data/reports/GO-2024-2992.yaml Fixes #2985 Fixes #2986 Fixes #2987 Fixes #2989 Fixes #2990 Fixes #2992 Change-Id: Ic7fbcd2b3fb62df054f13fdba9b4b4cb1aee8d6e Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599457 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/excluded/GO-2024-2985.yaml b/data/excluded/GO-2024-2985.yaml
@@ -0,0 +1,6 @@
+id: GO-2024-2985
+excluded: NOT_GO_CODE
+modules:
+    - module: github.com/apache/airflow
+cves:
+    - CVE-2024-39863
diff --git a/data/excluded/GO-2024-2986.yaml b/data/excluded/GO-2024-2986.yaml
@@ -0,0 +1,6 @@
+id: GO-2024-2986
+excluded: NOT_GO_CODE
+modules:
+    - module: github.com/apache/airflow
+cves:
+    - CVE-2024-39877
diff --git a/data/osv/GO-2024-2987.json b/data/osv/GO-2024-2987.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2987",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-6535",
+    "GHSA-w799-v85j-88pg"
+  ],
+  "summary": "Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper",
+  "details": "Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/skupperproject/skupper",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20240703184342-c26bce4079ff"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-w799-v85j-88pg"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6535"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/skupperproject/skupper/commit/d2cb3782e807853694ee66b6e3d4a1917485eb71"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2024-6535"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296024"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2987",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2989.json b/data/osv/GO-2024-2989.json
@@ -0,0 +1,82 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2989",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-40641",
+    "GHSA-c3q9-c27p-cw9h"
+  ],
+  "summary": "projectdiscovery/nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei",
+  "details": "projectdiscovery/nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/projectdiscovery/nuclei",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/projectdiscovery/nuclei/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/projectdiscovery/nuclei/v3",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.3.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40641"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2989",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2990.json b/data/osv/GO-2024-2990.json
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2990",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-39907",
+    "GHSA-5grx-v727-qmq6"
+  ],
+  "summary": "1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel",
+  "details": "1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/1Panel-dev/1Panel before v1.10.12-tls.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/1Panel-dev/1Panel",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "1.10.12-tls"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39907"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/1Panel-dev/1Panel/commit/ff549a47937c1314e6ee08453a1d2128242440cd"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2990",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2992.json b/data/osv/GO-2024-2992.json
@@ -0,0 +1,51 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2992",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-39911"
+  ],
+  "summary": "1Panel SQL injection in github.com/1Panel-dev/1Panel",
+  "details": "1Panel SQL injection in github.com/1Panel-dev/1Panel",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/1Panel-dev/1Panel",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.10.12-lts"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39911"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.mo60.cn/index.php/archives/1Panel_SQLinjection2Rce.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7m53-pwp6-v3f5"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2992",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/reports/GO-2024-2987.yaml b/data/reports/GO-2024-2987.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2987
+modules:
+    - module: github.com/skupperproject/skupper
+      versions:
+        - fixed: 0.0.0-20240703184342-c26bce4079ff
+summary: Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper
+cves:
+    - CVE-2024-6535
+ghsas:
+    - GHSA-w799-v85j-88pg
+references:
+    - advisory: https://github.com/advisories/GHSA-w799-v85j-88pg
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6535
+    - fix: https://github.com/skupperproject/skupper/commit/d2cb3782e807853694ee66b6e3d4a1917485eb71
+    - web: https://access.redhat.com/security/cve/CVE-2024-6535
+    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2296024
+notes:
+    - fix: 'github.com/skupperproject/skupper: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+    id: GHSA-w799-v85j-88pg
+    created: 2024-07-18T16:18:19.770441-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2989.yaml b/data/reports/GO-2024-2989.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-2989
+modules:
+    - module: github.com/projectdiscovery/nuclei
+      vulnerable_at: 1.1.7
+    - module: github.com/projectdiscovery/nuclei/v2
+      vulnerable_at: 2.9.15
+    - module: github.com/projectdiscovery/nuclei/v3
+      versions:
+        - fixed: 3.3.0
+      vulnerable_at: 3.2.9
+summary: |-
+    projectdiscovery/nuclei allows unsigned code template execution through
+    workflows in github.com/projectdiscovery/nuclei
+cves:
+    - CVE-2024-40641
+ghsas:
+    - GHSA-c3q9-c27p-cw9h
+references:
+    - advisory: https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40641
+source:
+    id: GHSA-c3q9-c27p-cw9h
+    created: 2024-07-18T16:18:07.953998-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2990.yaml b/data/reports/GO-2024-2990.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-2990
+modules:
+    - module: github.com/1Panel-dev/1Panel
+      non_go_versions:
+        - fixed: 1.10.12-tls
+      vulnerable_at: 1.9.6
+summary: 1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel
+cves:
+    - CVE-2024-39907
+ghsas:
+    - GHSA-5grx-v727-qmq6
+references:
+    - advisory: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39907
+    - fix: https://github.com/1Panel-dev/1Panel/commit/ff549a47937c1314e6ee08453a1d2128242440cd
+source:
+    id: GHSA-5grx-v727-qmq6
+    created: 2024-07-18T16:18:04.925699-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2992.yaml b/data/reports/GO-2024-2992.yaml
@@ -0,0 +1,17 @@
+id: GO-2024-2992
+modules:
+    - module: github.com/1Panel-dev/1Panel
+      versions:
+        - fixed: 1.10.12-lts
+      vulnerable_at: 1.10.12-beta
+summary: 1Panel SQL injection in github.com/1Panel-dev/1Panel
+cves:
+    - CVE-2024-39911
+references:
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39911
+    - web: https://blog.mo60.cn/index.php/archives/1Panel_SQLinjection2Rce.html
+    - web: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7m53-pwp6-v3f5
+source:
+    id: CVE-2024-39911
+    created: 2024-07-18T16:18:00.687879-04:00
+review_status: UNREVIEWED
