File tree 16 files changed +738
-0
lines changed
16 files changed +738
-0
lines changed Original file line number Diff line number Diff line change 1+ {
2+ "schema_version" : " 1.3.1"
3+ "id" : " GO-2024-3108"
4+ "modified" : " 0001-01-01T00:00:00Z"
5+ "published" : " 0001-01-01T00:00:00Z"
6+ "aliases" : [
7+ " CVE-2024-45388"
8+ " GHSA-6xx4-x46f-f897"
9+ ],
10+ "summary" : " Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`) in github.com/SpectoLabs/hoverfly"
11+ "details" : " Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`) in github.com/SpectoLabs/hoverfly"
12+ "affected" : [
13+ {
14+ "package" : {
15+ "name" : " github.com/SpectoLabs/hoverfly"
16+ "ecosystem" : " Go"
17+ },
18+ "ranges" : [
19+ {
20+ "type" : " SEMVER"
21+ "events" : [
22+ {
23+ "introduced" : " 0"
24+ },
25+ {
26+ "fixed" : " 1.10.3"
27+ }
28+ ]
29+ }
30+ ],
31+ "ecosystem_specific" : {}
32+ }
33+ ],
34+ "references" : [
35+ {
36+ "type" : " ADVISORY"
37+ "url" : " https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-6xx4-x46f-f897"
38+ },
39+ {
40+ "type" : " ADVISORY"
41+ "url" : " https://nvd.nist.gov/vuln/detail/CVE-2024-45388"
42+ },
43+ {
44+ "type" : " WEB"
45+ "url" : " https://codeql.github.com/codeql-query-help/go/go-path-injection"
46+ },
47+ {
48+ "type" : " WEB"
49+ "url" : " https://github.com/SpectoLabs/hoverfly/releases/tag/v1.10.3"
50+ },
51+ {
52+ "type" : " WEB"
53+ "url" : " https://github.com/spectolabs/hoverfly/blob/15d6ee9ea4e0de67aec5a41c28d21dc147243da0/core/handlers/v2/simulation_handler.go#L87"
54+ }
55+ ],
56+ "database_specific" : {
57+ "url" : " https://pkg.go.dev/vuln/GO-2024-3108"
58+ "review_status" : " UNREVIEWED"
59+ }
60+ }
Original file line number Diff line number Diff line change 1+ {
2+ "schema_version" : " 1.3.1"
3+ "id" : " GO-2024-3110"
4+ "modified" : " 0001-01-01T00:00:00Z"
5+ "published" : " 0001-01-01T00:00:00Z"
6+ "aliases" : [
7+ " CVE-2024-45310"
8+ " GHSA-jfvp-7x6p-h2pv"
9+ ],
10+ "summary" : " runc can be confused to create empty files/directories on the host in github.com/opencontainers/runc"
11+ "details" : " runc can be confused to create empty files/directories on the host in github.com/opencontainers/runc"
12+ "affected" : [
13+ {
14+ "package" : {
15+ "name" : " github.com/opencontainers/runc"
16+ "ecosystem" : " Go"
17+ },
18+ "ranges" : [
19+ {
20+ "type" : " SEMVER"
21+ "events" : [
22+ {
23+ "introduced" : " 0"
24+ },
25+ {
26+ "fixed" : " 1.1.14"
27+ },
28+ {
29+ "introduced" : " 1.2.0-rc.1"
30+ },
31+ {
32+ "fixed" : " 1.2.0-rc.3"
33+ }
34+ ]
35+ }
36+ ],
37+ "ecosystem_specific" : {}
38+ }
39+ ],
40+ "references" : [
41+ {
42+ "type" : " ADVISORY"
43+ "url" : " https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv"
44+ },
45+ {
46+ "type" : " ADVISORY"
47+ "url" : " https://nvd.nist.gov/vuln/detail/CVE-2024-45310"
48+ },
49+ {
50+ "type" : " FIX"
51+ "url" : " https://github.com/opencontainers/runc/commit/63c2908164f3a1daea455bf5bcd8d363d70328c7"
52+ },
53+ {
54+ "type" : " FIX"
55+ "url" : " https://github.com/opencontainers/runc/commit/8781993968fd964ac723ff5f360b6f259e809a3e"
56+ },
57+ {
58+ "type" : " FIX"
59+ "url" : " https://github.com/opencontainers/runc/commit/f0b652ea61ff6750a8fcc69865d45a7abf37accf"
60+ },
61+ {
62+ "type" : " FIX"
63+ "url" : " https://github.com/opencontainers/runc/pull/4359"
64+ }
65+ ],
66+ "database_specific" : {
67+ "url" : " https://pkg.go.dev/vuln/GO-2024-3110"
68+ "review_status" : " UNREVIEWED"
69+ }
70+ }
Original file line number Diff line number Diff line change 1+ {
2+ "schema_version" : " 1.3.1"
3+ "id" : " GO-2024-3113"
4+ "modified" : " 0001-01-01T00:00:00Z"
5+ "published" : " 0001-01-01T00:00:00Z"
6+ "aliases" : [
7+ " CVE-2024-8365"
8+ " GHSA-jjxf-26c9-77gm"
9+ ],
10+ "summary" : " Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault"
11+ "details" : " Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault"
12+ "affected" : [
13+ {
14+ "package" : {
15+ "name" : " github.com/hashicorp/vault"
16+ "ecosystem" : " Go"
17+ },
18+ "ranges" : [
19+ {
20+ "type" : " SEMVER"
21+ "events" : [
22+ {
23+ "introduced" : " 1.17.3"
24+ },
25+ {
26+ "fixed" : " 1.17.5"
27+ }
28+ ]
29+ }
30+ ],
31+ "ecosystem_specific" : {}
32+ }
33+ ],
34+ "references" : [
35+ {
36+ "type" : " ADVISORY"
37+ "url" : " https://github.com/advisories/GHSA-jjxf-26c9-77gm"
38+ },
39+ {
40+ "type" : " ADVISORY"
41+ "url" : " https://nvd.nist.gov/vuln/detail/CVE-2024-8365"
42+ },
43+ {
44+ "type" : " WEB"
45+ "url" : " https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices"
46+ }
47+ ],
48+ "database_specific" : {
49+ "url" : " https://pkg.go.dev/vuln/GO-2024-3113"
50+ "review_status" : " UNREVIEWED"
51+ }
52+ }
Original file line number Diff line number Diff line change 1+ {
2+ "schema_version" : " 1.3.1"
3+ "id" : " GO-2024-3114"
4+ "modified" : " 0001-01-01T00:00:00Z"
5+ "published" : " 0001-01-01T00:00:00Z"
6+ "aliases" : [
7+ " CVE-2024-43405"
8+ " GHSA-7h5p-mmpp-hgmm"
9+ ],
10+ "summary" : " Nuclei Template Signature Verification Bypass in github.com/projectdiscovery/nuclei"
11+ "details" : " Nuclei Template Signature Verification Bypass in github.com/projectdiscovery/nuclei"
12+ "affected" : [
13+ {
14+ "package" : {
15+ "name" : " github.com/projectdiscovery/nuclei"
16+ "ecosystem" : " Go"
17+ },
18+ "ranges" : [
19+ {
20+ "type" : " SEMVER"
21+ "events" : [
22+ {
23+ "introduced" : " 0"
24+ }
25+ ]
26+ }
27+ ],
28+ "ecosystem_specific" : {}
29+ },
30+ {
31+ "package" : {
32+ "name" : " github.com/projectdiscovery/nuclei/v2"
33+ "ecosystem" : " Go"
34+ },
35+ "ranges" : [
36+ {
37+ "type" : " SEMVER"
38+ "events" : [
39+ {
40+ "introduced" : " 0"
41+ }
42+ ]
43+ }
44+ ],
45+ "ecosystem_specific" : {}
46+ },
47+ {
48+ "package" : {
49+ "name" : " github.com/projectdiscovery/nuclei/v3"
50+ "ecosystem" : " Go"
51+ },
52+ "ranges" : [
53+ {
54+ "type" : " SEMVER"
55+ "events" : [
56+ {
57+ "introduced" : " 3.0.0"
58+ },
59+ {
60+ "fixed" : " 3.3.2"
61+ }
62+ ]
63+ }
64+ ],
65+ "ecosystem_specific" : {}
66+ }
67+ ],
68+ "references" : [
69+ {
70+ "type" : " ADVISORY"
71+ "url" : " https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmm"
72+ },
73+ {
74+ "type" : " ADVISORY"
75+ "url" : " https://nvd.nist.gov/vuln/detail/CVE-2024-43405"
76+ },
77+ {
78+ "type" : " FIX"
79+ "url" : " https://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60a"
80+ }
81+ ],
82+ "database_specific" : {
83+ "url" : " https://pkg.go.dev/vuln/GO-2024-3114"
84+ "review_status" : " UNREVIEWED"
85+ }
86+ }
Original file line number Diff line number Diff line change 1+ {
2+ "schema_version" : " 1.3.1"
3+ "id" : " GO-2024-3116"
4+ "modified" : " 0001-01-01T00:00:00Z"
5+ "published" : " 0001-01-01T00:00:00Z"
6+ "aliases" : [
7+ " CVE-2024-45395"
8+ " GHSA-cq38-jh5f-37mq"
9+ ],
10+ "summary" : " sigstore-go has an unbounded loop over untrusted input can lead to endless data attack in github.com/sigstore/sigstore-go"
11+ "details" : " sigstore-go has an unbounded loop over untrusted input can lead to endless data attack in github.com/sigstore/sigstore-go"
12+ "affected" : [
13+ {
14+ "package" : {
15+ "name" : " github.com/sigstore/sigstore-go"
16+ "ecosystem" : " Go"
17+ },
18+ "ranges" : [
19+ {
20+ "type" : " SEMVER"
21+ "events" : [
22+ {
23+ "introduced" : " 0"
24+ },
25+ {
26+ "fixed" : " 0.6.1"
27+ }
28+ ]
29+ }
30+ ],
31+ "ecosystem_specific" : {}
32+ }
33+ ],
34+ "references" : [
35+ {
36+ "type" : " ADVISORY"
37+ "url" : " https://github.com/sigstore/sigstore-go/security/advisories/GHSA-cq38-jh5f-37mq"
38+ },
39+ {
40+ "type" : " ADVISORY"
41+ "url" : " https://nvd.nist.gov/vuln/detail/CVE-2024-45395"
42+ },
43+ {
44+ "type" : " FIX"
45+ "url" : " https://github.com/sigstore/sigstore-go/commit/01e70e89e58226286d7977b4dba43b6be472b12c"
46+ },
47+ {
48+ "type" : " WEB"
49+ "url" : " https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/signature.go#L183-L193"
50+ },
51+ {
52+ "type" : " WEB"
53+ "url" : " https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tlog.go#L74-L178"
54+ },
55+ {
56+ "type" : " WEB"
57+ "url" : " https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tsa.go#L59-L68"
58+ }
59+ ],
60+ "database_specific" : {
61+ "url" : " https://pkg.go.dev/vuln/GO-2024-3116"
62+ "review_status" : " UNREVIEWED"
63+ }
64+ }
You can’t perform that action at this time.
0 commit comments