diff --git a/data/osv/GO-2024-3292.json b/data/osv/GO-2024-3292.json
new file mode 100644
index 00000000..8f6833dd
--- /dev/null
+++ b/data/osv/GO-2024-3292.json
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3292",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-8676",
+ "GHSA-7p9f-6x8j-gxxp"
+ ],
+ "summary": "CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o",
+ "details": "CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cri-o/cri-o",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.29.11"
+ },
+ {
+ "introduced": "1.30.0"
+ },
+ {
+ "fixed": "1.30.8"
+ },
+ {
+ "introduced": "1.31.0"
+ },
+ {
+ "fixed": "1.31.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8676"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-8676"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313842"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3292",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3304.json b/data/osv/GO-2024-3304.json
new file mode 100644
index 00000000..84d15451
--- /dev/null
+++ b/data/osv/GO-2024-3304.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3304",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-36621",
+ "GHSA-2mj3-vfvx-fc43"
+ ],
+ "summary": "Moby Race Condition vulnerability in github.com/moby/moby",
+ "details": "Moby Race Condition vulnerability in github.com/moby/moby",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/moby/moby",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "26.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-2mj3-vfvx-fc43"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36621"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/1047524396/5d44459edab5fafcdf86b43909b81135"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/moby/moby/blob/v25.0.5/builder/builder-next/adapters/snapshot/layer.go#L24"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3304",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3305.json b/data/osv/GO-2024-3305.json
new file mode 100644
index 00000000..52674299
--- /dev/null
+++ b/data/osv/GO-2024-3305.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3305",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-36623",
+ "GHSA-gh5c-3h97-2f3q"
+ ],
+ "summary": "Moby Race Condition vulnerability in github.com/moby/moby",
+ "details": "Moby Race Condition vulnerability in github.com/moby/moby",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/moby/moby",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "26.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-gh5c-3h97-2f3q"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36623"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/moby/moby/commit/5689dabfb357b673abdb4391eef426f297d7d1bb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/1047524396/c192c0159a19bf58a4373b696467dc29"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/moby/moby/blob/v25.0.3/pkg/streamformatter/streamformatter.go#L115"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3305",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3307.json b/data/osv/GO-2024-3307.json
new file mode 100644
index 00000000..66ef0f10
--- /dev/null
+++ b/data/osv/GO-2024-3307.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3307",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-50948"
+ ],
+ "summary": "CVE-2024-50948 in github.com/mochi-mqtt/server",
+ "details": "CVE-2024-50948 in github.com/mochi-mqtt/server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mochi-mqtt/server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50948"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/pengwGit/39760ed5ae03171622ca8215dc0d8c60"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mochi-mqtt/server"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3307",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3308.json b/data/osv/GO-2024-3308.json
new file mode 100644
index 00000000..5dd3aa71
--- /dev/null
+++ b/data/osv/GO-2024-3308.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3308",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-54131",
+ "GHSA-66q9-2rvx-qfj5"
+ ],
+ "summary": "Kolide Agent Privilege Escalation (Windows, Versions \u003e= 1.5.3, \u003c 1.12.3) in github.com/kolide/launcher",
+ "details": "Kolide Agent Privilege Escalation (Windows, Versions \u003e= 1.5.3, \u003c 1.12.3) in github.com/kolide/launcher",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/kolide/launcher",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.5.3"
+ },
+ {
+ "fixed": "1.12.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/kolide/launcher/security/advisories/GHSA-66q9-2rvx-qfj5"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kolide/launcher/pull/1510"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3308",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3310.json b/data/osv/GO-2024-3310.json
new file mode 100644
index 00000000..b2f81aff
--- /dev/null
+++ b/data/osv/GO-2024-3310.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3310",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-54132",
+ "GHSA-2m9h-r57g-45pj"
+ ],
+ "summary": "Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability in github.com/cli/cli",
+ "details": "Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability in github.com/cli/cli",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cli/cli",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/cli/cli/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.63.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3310",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-3292.yaml b/data/reports/GO-2024-3292.yaml
new file mode 100644
index 00000000..f4efac02
--- /dev/null
+++ b/data/reports/GO-2024-3292.yaml
@@ -0,0 +1,25 @@
+id: GO-2024-3292
+modules:
+ - module: github.com/cri-o/cri-o
+ versions:
+ - fixed: 1.29.11
+ - introduced: 1.30.0
+ - fixed: 1.30.8
+ - introduced: 1.31.0
+ - fixed: 1.31.3
+ vulnerable_at: 1.31.2
+summary: 'CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o'
+cves:
+ - CVE-2024-8676
+ghsas:
+ - GHSA-7p9f-6x8j-gxxp
+references:
+ - advisory: https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8676
+ - fix: https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7
+ - web: https://access.redhat.com/security/cve/CVE-2024-8676
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2313842
+source:
+ id: GHSA-7p9f-6x8j-gxxp
+ created: 2024-12-04T11:10:38.049589-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3304.yaml b/data/reports/GO-2024-3304.yaml
new file mode 100644
index 00000000..0200a55c
--- /dev/null
+++ b/data/reports/GO-2024-3304.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3304
+modules:
+ - module: github.com/moby/moby
+ versions:
+ - fixed: 26.0.0+incompatible
+ vulnerable_at: 26.0.0-rc3+incompatible
+summary: Moby Race Condition vulnerability in github.com/moby/moby
+cves:
+ - CVE-2024-36621
+ghsas:
+ - GHSA-2mj3-vfvx-fc43
+references:
+ - advisory: https://github.com/advisories/GHSA-2mj3-vfvx-fc43
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36621
+ - fix: https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e
+ - web: https://gist.github.com/1047524396/5d44459edab5fafcdf86b43909b81135
+ - web: https://github.com/moby/moby/blob/v25.0.5/builder/builder-next/adapters/snapshot/layer.go#L24
+source:
+ id: GHSA-2mj3-vfvx-fc43
+ created: 2024-12-04T11:10:26.003799-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3305.yaml b/data/reports/GO-2024-3305.yaml
new file mode 100644
index 00000000..e140e934
--- /dev/null
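Review bot: In data/reports/GO-2024-3304.yaml the only module entry is `github.com/moby/moby`, yet this code is very often consumed under the import path `github.com/docker/docker`, so a scanner matching on module path may miss those consumers. Consider a second `- module: github.com/docker/docker` entry with the same `fixed: 26.0.0+incompatible`, after confirming the tags line up on both paths. The same applies to data/reports/GO-2024-3305.yaml, whose hunk follows. Both reports also carry the identical summary `Moby Race Condition vulnerability in github.com/moby/moby`; naming the affected component (the reference URLs point at `builder/builder-next/adapters/snapshot/layer.go` and `pkg/streamformatter/streamformatter.go` respectively) would let a triager tell the two apart.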
+++ b/data/reports/GO-2024-3305.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3305
+modules:
+ - module: github.com/moby/moby
+ versions:
+ - fixed: 26.0.0+incompatible
+ vulnerable_at: 26.0.0-rc3+incompatible
+summary: Moby Race Condition vulnerability in github.com/moby/moby
+cves:
+ - CVE-2024-36623
+ghsas:
+ - GHSA-gh5c-3h97-2f3q
+references:
+ - advisory: https://github.com/advisories/GHSA-gh5c-3h97-2f3q
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36623
+ - fix: https://github.com/moby/moby/commit/5689dabfb357b673abdb4391eef426f297d7d1bb
+ - web: https://gist.github.com/1047524396/c192c0159a19bf58a4373b696467dc29
+ - web: https://github.com/moby/moby/blob/v25.0.3/pkg/streamformatter/streamformatter.go#L115
+source:
+ id: GHSA-gh5c-3h97-2f3q
+ created: 2024-12-04T11:10:16.02651-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3307.yaml b/data/reports/GO-2024-3307.yaml
new file mode 100644
index 00000000..4243befc
--- /dev/null
+++ b/data/reports/GO-2024-3307.yaml
@@ -0,0 +1,15 @@
+id: GO-2024-3307
+modules:
+ - module: github.com/mochi-mqtt/server
+ vulnerable_at: 1.3.2
+summary: CVE-2024-50948 in github.com/mochi-mqtt/server
+cves:
+ - CVE-2024-50948
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-50948
+ - web: https://gist.github.com/pengwGit/39760ed5ae03171622ca8215dc0d8c60
+ - web: https://github.com/mochi-mqtt/server
+source:
+ id: CVE-2024-50948
+ created: 2024-12-04T11:09:38.711662-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3308.yaml b/data/reports/GO-2024-3308.yaml
new file mode 100644
index 00000000..cadd730c
--- /dev/null
+++ b/data/reports/GO-2024-3308.yaml
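Review bot: In data/reports/GO-2024-3307.yaml the module entry has no `versions` block, so the generated OSV range is `introduced: 0` with no fix, and every release of `github.com/mochi-mqtt/server` is flagged with no upgrade path. If upstream has shipped a fix, a `fixed:` entry is needed; if not, that is worth saying in the report text. `vulnerable_at: 1.3.2` also suggests only the unsuffixed module path was considered. If the affected releases are major version 2 or later, they would live under a `/v2` module path that this report does not list (GO-2024-3310 in this same change lists both `github.com/cli/cli` and `github.com/cli/cli/v2`). The summary `CVE-2024-50948 in github.com/mochi-mqtt/server` gives a triager no hint of the impact; a short phrase naming the issue class, taken from the NVD entry, would help.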
@@ -0,0 +1,19 @@
+id: GO-2024-3308
+modules:
+ - module: github.com/kolide/launcher
+ versions:
+ - introduced: 1.5.3
+ - fixed: 1.12.3
+ vulnerable_at: 1.12.2
+summary: Kolide Agent Privilege Escalation (Windows, Versions >= 1.5.3, < 1.12.3) in github.com/kolide/launcher
+cves:
+ - CVE-2024-54131
+ghsas:
+ - GHSA-66q9-2rvx-qfj5
+references:
+ - advisory: https://github.com/kolide/launcher/security/advisories/GHSA-66q9-2rvx-qfj5
+ - fix: https://github.com/kolide/launcher/pull/1510
+source:
+ id: GHSA-66q9-2rvx-qfj5
+ created: 2024-12-04T11:09:34.260404-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3310.yaml b/data/reports/GO-2024-3310.yaml
new file mode 100644
index 00000000..ce084d46
--- /dev/null
+++ b/data/reports/GO-2024-3310.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3310
+modules:
+ - module: github.com/cli/cli
+ vulnerable_at: 1.14.0
+ - module: github.com/cli/cli/v2
+ versions:
+ - fixed: 2.63.1
+ vulnerable_at: 2.63.0
+summary: |-
+ Downloading malicious GitHub Actions workflow artifact results in path traversal
+ vulnerability in github.com/cli/cli
+cves:
+ - CVE-2024-54132
+ghsas:
+ - GHSA-2m9h-r57g-45pj
+references:
+ - advisory: https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj
+ - fix: https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932
+source:
+ id: GHSA-2m9h-r57g-45pj
+ created: 2024-12-04T11:09:30.180797-05:00
+review_status: UNREVIEWED
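Review bot: The summary in data/reports/GO-2024-3308.yaml says the issue is Windows-only, but nothing else in the report expresses that, so module-level matching will flag `github.com/kolide/launcher` consumers on every platform. If the report is promoted beyond `UNREVIEWED`, consider a `packages:` entry for the affected package restricted with `goos: [windows]` (field name as I recall it from the report format, please confirm). The version range is also repeated in free text, `(Windows, Versions >= 1.5.3, < 1.12.3)`, which can drift from the `versions` block. A summary such as `Privilege escalation on Windows in github.com/kolide/launcher` would keep the range in one place.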