From 9d72e7789ab6437b9fd0acc469f327c1a4dcfbdb Mon Sep 17 00:00:00 2001
From: Tatiana Bradley <tatianabradley@google.com>
Date: Wed, 4 Dec 2024 11:12:12 -0500
Subject: [PATCH] data/reports: add 6 unreviewed reports

  - data/reports/GO-2024-3292.yaml
  - data/reports/GO-2024-3304.yaml
  - data/reports/GO-2024-3305.yaml
  - data/reports/GO-2024-3307.yaml
  - data/reports/GO-2024-3308.yaml
  - data/reports/GO-2024-3310.yaml

Fixes golang/vulndb#3292
Fixes golang/vulndb#3304
Fixes golang/vulndb#3305
Fixes golang/vulndb#3307
Fixes golang/vulndb#3308
Fixes golang/vulndb#3310

Change-Id: I3e79903185ef370a0f3bd7eb140601defc50fc2b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/633598
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
---
 data/osv/GO-2024-3292.json     | 72 ++++++++++++++++++++++++++++++++++
 data/osv/GO-2024-3304.json     | 60 ++++++++++++++++++++++++++++
 data/osv/GO-2024-3305.json     | 60 ++++++++++++++++++++++++++++
 data/osv/GO-2024-3307.json     | 48 +++++++++++++++++++++++
 data/osv/GO-2024-3308.json     | 48 +++++++++++++++++++++++
 data/osv/GO-2024-3310.json     | 65 ++++++++++++++++++++++++++++++
 data/reports/GO-2024-3292.yaml | 25 ++++++++++++
 data/reports/GO-2024-3304.yaml | 21 ++++++++++
 data/reports/GO-2024-3305.yaml | 21 ++++++++++
 data/reports/GO-2024-3307.yaml | 15 +++++++
 data/reports/GO-2024-3308.yaml | 19 +++++++++
 data/reports/GO-2024-3310.yaml | 22 +++++++++++
 12 files changed, 476 insertions(+)
 create mode 100644 data/osv/GO-2024-3292.json
 create mode 100644 data/osv/GO-2024-3304.json
 create mode 100644 data/osv/GO-2024-3305.json
 create mode 100644 data/osv/GO-2024-3307.json
 create mode 100644 data/osv/GO-2024-3308.json
 create mode 100644 data/osv/GO-2024-3310.json
 create mode 100644 data/reports/GO-2024-3292.yaml
 create mode 100644 data/reports/GO-2024-3304.yaml
 create mode 100644 data/reports/GO-2024-3305.yaml
 create mode 100644 data/reports/GO-2024-3307.yaml
 create mode 100644 data/reports/GO-2024-3308.yaml
 create mode 100644 data/reports/GO-2024-3310.yaml

diff --git a/data/osv/GO-2024-3292.json b/data/osv/GO-2024-3292.json
new file mode 100644
index 00000000..8f6833dd
--- /dev/null
+++ b/data/osv/GO-2024-3292.json
@@ -0,0 +1,72 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3292",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-8676",
+    "GHSA-7p9f-6x8j-gxxp"
+  ],
+  "summary": "CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o",
+  "details": "CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cri-o/cri-o",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.29.11"
+            },
+            {
+              "introduced": "1.30.0"
+            },
+            {
+              "fixed": "1.30.8"
+            },
+            {
+              "introduced": "1.31.0"
+            },
+            {
+              "fixed": "1.31.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8676"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2024-8676"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313842"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3292",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3304.json b/data/osv/GO-2024-3304.json
new file mode 100644
index 00000000..84d15451
--- /dev/null
+++ b/data/osv/GO-2024-3304.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3304",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-36621",
+    "GHSA-2mj3-vfvx-fc43"
+  ],
+  "summary": "Moby Race Condition vulnerability in github.com/moby/moby",
+  "details": "Moby Race Condition vulnerability in github.com/moby/moby",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/moby/moby",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.0.0+incompatible"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-2mj3-vfvx-fc43"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36621"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/1047524396/5d44459edab5fafcdf86b43909b81135"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/moby/moby/blob/v25.0.5/builder/builder-next/adapters/snapshot/layer.go#L24"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3304",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3305.json b/data/osv/GO-2024-3305.json
new file mode 100644
index 00000000..52674299
--- /dev/null
+++ b/data/osv/GO-2024-3305.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3305",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-36623",
+    "GHSA-gh5c-3h97-2f3q"
+  ],
+  "summary": "Moby Race Condition vulnerability in github.com/moby/moby",
+  "details": "Moby Race Condition vulnerability in github.com/moby/moby",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/moby/moby",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.0.0+incompatible"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-gh5c-3h97-2f3q"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36623"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/moby/moby/commit/5689dabfb357b673abdb4391eef426f297d7d1bb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/1047524396/c192c0159a19bf58a4373b696467dc29"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/moby/moby/blob/v25.0.3/pkg/streamformatter/streamformatter.go#L115"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3305",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3307.json b/data/osv/GO-2024-3307.json
new file mode 100644
index 00000000..66ef0f10
--- /dev/null
+++ b/data/osv/GO-2024-3307.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3307",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-50948"
+  ],
+  "summary": "CVE-2024-50948 in github.com/mochi-mqtt/server",
+  "details": "CVE-2024-50948 in github.com/mochi-mqtt/server",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mochi-mqtt/server",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50948"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/pengwGit/39760ed5ae03171622ca8215dc0d8c60"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mochi-mqtt/server"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3307",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3308.json b/data/osv/GO-2024-3308.json
new file mode 100644
index 00000000..5dd3aa71
--- /dev/null
+++ b/data/osv/GO-2024-3308.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3308",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-54131",
+    "GHSA-66q9-2rvx-qfj5"
+  ],
+  "summary": "Kolide Agent Privilege Escalation (Windows, Versions \u003e= 1.5.3, \u003c 1.12.3) in github.com/kolide/launcher",
+  "details": "Kolide Agent Privilege Escalation (Windows, Versions \u003e= 1.5.3, \u003c 1.12.3) in github.com/kolide/launcher",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/kolide/launcher",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.5.3"
+            },
+            {
+              "fixed": "1.12.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/kolide/launcher/security/advisories/GHSA-66q9-2rvx-qfj5"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/kolide/launcher/pull/1510"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3308",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3310.json b/data/osv/GO-2024-3310.json
new file mode 100644
index 00000000..b2f81aff
--- /dev/null
+++ b/data/osv/GO-2024-3310.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3310",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-54132",
+    "GHSA-2m9h-r57g-45pj"
+  ],
+  "summary": "Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability in github.com/cli/cli",
+  "details": "Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability in github.com/cli/cli",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cli/cli",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/cli/cli/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.63.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3310",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-3292.yaml b/data/reports/GO-2024-3292.yaml
new file mode 100644
index 00000000..f4efac02
--- /dev/null
+++ b/data/reports/GO-2024-3292.yaml
@@ -0,0 +1,25 @@
+id: GO-2024-3292
+modules:
+    - module: github.com/cri-o/cri-o
+      versions:
+        - fixed: 1.29.11
+        - introduced: 1.30.0
+        - fixed: 1.30.8
+        - introduced: 1.31.0
+        - fixed: 1.31.3
+      vulnerable_at: 1.31.2
+summary: 'CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o'
+cves:
+    - CVE-2024-8676
+ghsas:
+    - GHSA-7p9f-6x8j-gxxp
+references:
+    - advisory: https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8676
+    - fix: https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7
+    - web: https://access.redhat.com/security/cve/CVE-2024-8676
+    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2313842
+source:
+    id: GHSA-7p9f-6x8j-gxxp
+    created: 2024-12-04T11:10:38.049589-05:00
+review_status: UNREVIEWED
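Review bot: The single module entry at `- module: github.com/cri-o/cri-o` carries only version ranges — no `packages` or symbols — so anything consuming this report can match only at module granularity, and every importer of any cri-o package inside the three affected ranges will be flagged whether or not it reaches the checkpoint-restore path the summary names. That is the expected shape for a `review_status: UNREVIEWED` entry, but since the summary claims arbitrary node access, narrowing to the affected package once reviewed is worth tracking as a follow-up. The three separate `fixed` entries (1.29.11, 1.30.8, 1.31.3) with `introduced: 1.30.0` / `1.31.0` between them correctly encode the backport branches, and `vulnerable_at: 1.31.2` is the last tag before the newest fix, which is the right sample.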
diff --git a/data/reports/GO-2024-3304.yaml b/data/reports/GO-2024-3304.yaml
new file mode 100644
index 00000000..0200a55c
--- /dev/null
+++ b/data/reports/GO-2024-3304.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3304
+modules:
+    - module: github.com/moby/moby
+      versions:
+        - fixed: 26.0.0+incompatible
+      vulnerable_at: 26.0.0-rc3+incompatible
+summary: Moby Race Condition vulnerability in github.com/moby/moby
+cves:
+    - CVE-2024-36621
+ghsas:
+    - GHSA-2mj3-vfvx-fc43
+references:
+    - advisory: https://github.com/advisories/GHSA-2mj3-vfvx-fc43
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36621
+    - fix: https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e
+    - web: https://gist.github.com/1047524396/5d44459edab5fafcdf86b43909b81135
+    - web: https://github.com/moby/moby/blob/v25.0.5/builder/builder-next/adapters/snapshot/layer.go#L24
+source:
+    id: GHSA-2mj3-vfvx-fc43
+    created: 2024-12-04T11:10:26.003799-05:00
+review_status: UNREVIEWED
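Review bot: `vulnerable_at: 26.0.0-rc3+incompatible` picks a release candidate of the very version declared as `fixed`, so unless the referenced fix commit (37545cc…) is known to be absent from rc3, the sample version may not actually be vulnerable; a tagged release from before the fix, such as the v25.0.5 that the `web` reference already links to, is the safer choice. Separately, the summary `Moby Race Condition vulnerability in github.com/moby/moby` is byte-identical to GO-2024-3305's, so the two reports cannot be told apart in a listing; since the `web` reference points at `builder/builder-next/adapters/snapshot/layer.go`, something like `Race condition in builder-next snapshot layer handling in github.com/moby/moby` would distinguish them — confirm the wording against the advisory before adopting it.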
diff --git a/data/reports/GO-2024-3305.yaml b/data/reports/GO-2024-3305.yaml
new file mode 100644
index 00000000..e140e934
--- /dev/null
+++ b/data/reports/GO-2024-3305.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3305
+modules:
+    - module: github.com/moby/moby
+      versions:
+        - fixed: 26.0.0+incompatible
+      vulnerable_at: 26.0.0-rc3+incompatible
+summary: Moby Race Condition vulnerability in github.com/moby/moby
+cves:
+    - CVE-2024-36623
+ghsas:
+    - GHSA-gh5c-3h97-2f3q
+references:
+    - advisory: https://github.com/advisories/GHSA-gh5c-3h97-2f3q
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36623
+    - fix: https://github.com/moby/moby/commit/5689dabfb357b673abdb4391eef426f297d7d1bb
+    - web: https://gist.github.com/1047524396/c192c0159a19bf58a4373b696467dc29
+    - web: https://github.com/moby/moby/blob/v25.0.3/pkg/streamformatter/streamformatter.go#L115
+source:
+    id: GHSA-gh5c-3h97-2f3q
+    created: 2024-12-04T11:10:16.02651-05:00
+review_status: UNREVIEWED
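Review bot: The summary `Moby Race Condition vulnerability in github.com/moby/moby` duplicates GO-2024-3304's exactly, so consumers see two indistinguishable entries for different CVEs; the `web` reference here points at `pkg/streamformatter/streamformatter.go`, so a summary such as `Race condition in pkg/streamformatter in github.com/moby/moby` would separate them (verify against the advisory text). As in 3304, `vulnerable_at: 26.0.0-rc3+incompatible` is a pre-release of the `fixed` version itself, so it should be confirmed that fix commit 5689dab… is not already in rc3; otherwise point `vulnerable_at` at a tagged v25.x release such as the v25.0.3 the reference links to.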
diff --git a/data/reports/GO-2024-3307.yaml b/data/reports/GO-2024-3307.yaml
new file mode 100644
index 00000000..4243befc
--- /dev/null
+++ b/data/reports/GO-2024-3307.yaml
@@ -0,0 +1,15 @@
+id: GO-2024-3307
+modules:
+    - module: github.com/mochi-mqtt/server
+      vulnerable_at: 1.3.2
+summary: CVE-2024-50948 in github.com/mochi-mqtt/server
+cves:
+    - CVE-2024-50948
+references:
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-50948
+    - web: https://gist.github.com/pengwGit/39760ed5ae03171622ca8215dc0d8c60
+    - web: https://github.com/mochi-mqtt/server
+source:
+    id: CVE-2024-50948
+    created: 2024-12-04T11:09:38.711662-05:00
+review_status: UNREVIEWED
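Review bot: The report lists only `github.com/mochi-mqtt/server` with `vulnerable_at: 1.3.2` and no `versions` block, so every version of the v1 module path is flagged with no fix, while a `/v2` major — which would be a distinct Go module if the project publishes one — is not covered at all; if CVE-2024-50948 applies there (the only sources are a gist and the repository root, so this cannot be settled from the diff), a second module entry is needed, as GO-2024-3310 does with `github.com/cli/cli` and `github.com/cli/cli/v2`. The summary `CVE-2024-50948 in github.com/mochi-mqtt/server` is a placeholder that restates the alias; even for an unreviewed entry, a one-line statement of the weakness taken from the CVE record would make triage possible without following the gist. With no `fix` reference and no `fixed` version, this will read as unfixed indefinitely, so it is worth a tracking note for an upstream fix.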
diff --git a/data/reports/GO-2024-3308.yaml b/data/reports/GO-2024-3308.yaml
new file mode 100644
index 00000000..cadd730c
--- /dev/null
+++ b/data/reports/GO-2024-3308.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-3308
+modules:
+    - module: github.com/kolide/launcher
+      versions:
+        - introduced: 1.5.3
+        - fixed: 1.12.3
+      vulnerable_at: 1.12.2
+summary: Kolide Agent Privilege Escalation (Windows, Versions >= 1.5.3, < 1.12.3) in github.com/kolide/launcher
+cves:
+    - CVE-2024-54131
+ghsas:
+    - GHSA-66q9-2rvx-qfj5
+references:
+    - advisory: https://github.com/kolide/launcher/security/advisories/GHSA-66q9-2rvx-qfj5
+    - fix: https://github.com/kolide/launcher/pull/1510
+source:
+    id: GHSA-66q9-2rvx-qfj5
+    created: 2024-12-04T11:09:34.260404-05:00
+review_status: UNREVIEWED
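Review bot: The summary scopes the issue to Windows (`Kolide Agent Privilege Escalation (Windows, …)`), but nothing structured in the report encodes that — there is no package entry, and so no platform constraint — so builds for every OS will be flagged identically. That is tolerable for an `UNREVIEWED` entry, but if I recall the report schema correctly a package entry can carry a `goos` list, which would narrow this once the affected package is identified; worth noting for the reviewer. The range `>= 1.5.3, < 1.12.3` is also spelled out verbatim in the summary, redundant with the structured `introduced: 1.5.3` / `fixed: 1.12.3` fields and liable to drift if the range is corrected; `Kolide Agent privilege escalation on Windows in github.com/kolide/launcher` would carry the same information. The `fix` reference is a pull request URL; a commit SHA is more stable if the PR is later rebased or squashed.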
diff --git a/data/reports/GO-2024-3310.yaml b/data/reports/GO-2024-3310.yaml
new file mode 100644
index 00000000..ce084d46
--- /dev/null
+++ b/data/reports/GO-2024-3310.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-3310
+modules:
+    - module: github.com/cli/cli
+      vulnerable_at: 1.14.0
+    - module: github.com/cli/cli/v2
+      versions:
+        - fixed: 2.63.1
+      vulnerable_at: 2.63.0
+summary: |-
+    Downloading malicious GitHub Actions workflow artifact results in path traversal
+    vulnerability in github.com/cli/cli
+cves:
+    - CVE-2024-54132
+ghsas:
+    - GHSA-2m9h-r57g-45pj
+references:
+    - advisory: https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj
+    - fix: https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932
+source:
+    id: GHSA-2m9h-r57g-45pj
+    created: 2024-12-04T11:09:30.180797-05:00
+review_status: UNREVIEWED
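Review bot: The first module entry `github.com/cli/cli` has `vulnerable_at: 1.14.0` and no `versions` block, so every v1 release is reported as affected with no fix; that is the intended encoding only if the v1 module line is unmaintained and the fix commit 1136764… applies to v2 alone, which the diff does not show — confirm with the advisory and, if v1 is genuinely end-of-life, that is worth stating in a description so users are not left waiting for a v1 fix. Also note that `summary: |-` is a literal block scalar, so a generic YAML loader yields a summary containing a newline between `path traversal` and `vulnerability`; the generated JSON shows a single line, which suggests the vulndb loader unfolds it, but any out-of-tree tooling that reads `data/reports` directly should not assume single-line summaries.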