diff --git a/data/excluded/GO-2022-0231.yaml b/data/excluded/GO-2022-0231.yaml
deleted file mode 100644
index bdfea6e6..00000000
--- a/data/excluded/GO-2022-0231.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0231
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/schollz/rwtxt
-cves:
- - CVE-2021-20848
-ghsas:
- - GHSA-458f-26r3-x2c3
diff --git a/data/excluded/GO-2022-0249.yaml b/data/excluded/GO-2022-0249.yaml
deleted file mode 100644
index ef763e4e..00000000
--- a/data/excluded/GO-2022-0249.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0249
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/cloudflare/cfrpki
-cves:
- - CVE-2021-3908
-ghsas:
- - GHSA-g5gj-9ggf-9vmq
diff --git a/data/excluded/GO-2022-0250.yaml b/data/excluded/GO-2022-0250.yaml
deleted file mode 100644
index be2e401c..00000000
--- a/data/excluded/GO-2022-0250.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0250
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/cloudflare/cfrpki
-cves:
- - CVE-2021-3909
-ghsas:
- - GHSA-8cvr-4rrf-f244
diff --git a/data/excluded/GO-2022-0260.yaml b/data/excluded/GO-2022-0260.yaml
deleted file mode 100644
index e8a038a5..00000000
--- a/data/excluded/GO-2022-0260.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0260
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/fluxcd/kustomize-controller
-cves:
- - CVE-2021-41254
-ghsas:
- - GHSA-35rf-v2jv-gfg7
diff --git a/data/excluded/GO-2022-0261.yaml b/data/excluded/GO-2022-0261.yaml
deleted file mode 100644
index c05360c8..00000000
--- a/data/excluded/GO-2022-0261.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0261
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/minio/console
-cves:
- - CVE-2021-41266
-ghsas:
- - GHSA-4999-659w-mq36
diff --git a/data/excluded/GO-2022-0270.yaml b/data/excluded/GO-2022-0270.yaml
deleted file mode 100644
index 38ab81a8..00000000
--- a/data/excluded/GO-2022-0270.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0270
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/google/exposure-notifications-verification-server
-cves:
- - CVE-2021-22565
-ghsas:
- - GHSA-wx8q-rgfr-cf6v
diff --git a/data/excluded/GO-2022-0278.yaml b/data/excluded/GO-2022-0278.yaml
deleted file mode 100644
index 41200af8..00000000
--- a/data/excluded/GO-2022-0278.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0278
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/containerd/containerd
-cves:
- - CVE-2021-43816
-ghsas:
- - GHSA-mvff-h3cj-wj9c
diff --git a/data/excluded/GO-2022-0281.yaml b/data/excluded/GO-2022-0281.yaml
deleted file mode 100644
index 4ef87294..00000000
--- a/data/excluded/GO-2022-0281.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0281
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/containers/podman
-cves:
- - CVE-2021-4024
-ghsas:
- - GHSA-3cf2-x423-x582
diff --git a/data/excluded/GO-2022-0291.yaml b/data/excluded/GO-2022-0291.yaml
deleted file mode 100644
index befda42b..00000000
--- a/data/excluded/GO-2022-0291.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0291
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/owncast/owncast
-cves:
- - CVE-2021-39183
-ghsas:
- - GHSA-2hfj-cxw7-g45p
diff --git a/data/excluded/GO-2022-0295.yaml b/data/excluded/GO-2022-0295.yaml
deleted file mode 100644
index 8b1680f6..00000000
--- a/data/excluded/GO-2022-0295.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0295
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/authzed/spicedb
-cves:
- - CVE-2022-21646
-ghsas:
- - GHSA-7p8f-8hjm-wm92
diff --git a/data/excluded/GO-2022-0298.yaml b/data/excluded/GO-2022-0298.yaml
deleted file mode 100644
index aa838505..00000000
--- a/data/excluded/GO-2022-0298.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0298
-excluded: NOT_IMPORTABLE
-modules:
- - module: github.com/github/gh-ost
-cves:
- - CVE-2022-21687
-ghsas:
- - GHSA-rrp4-2xx3-mv29
diff --git a/data/excluded/GO-2022-0302.yaml b/data/excluded/GO-2022-0302.yaml
deleted file mode 100644
index e3d8bf2d..00000000
--- a/data/excluded/GO-2022-0302.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0302
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/navidrome/navidrome
-cves:
- - CVE-2022-23857
-ghsas:
- - GHSA-pmcr-2rhp-36hr
diff --git a/data/excluded/GO-2022-0303.yaml b/data/excluded/GO-2022-0303.yaml
deleted file mode 100644
index 48061140..00000000
--- a/data/excluded/GO-2022-0303.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0303
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/casdoor/casdoor
-cves:
- - CVE-2022-24124
-ghsas:
- - GHSA-m358-g4rp-533r
diff --git a/data/excluded/GO-2022-0304.yaml b/data/excluded/GO-2022-0304.yaml
deleted file mode 100644
index 2a403b12..00000000
--- a/data/excluded/GO-2022-0304.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0304
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/argoproj/argo-cd
-cves:
- - CVE-2022-24348
-ghsas:
- - GHSA-63qx-x74g-jcr7
diff --git a/data/excluded/GO-2022-0305.yaml b/data/excluded/GO-2022-0305.yaml
deleted file mode 100644
index ede15d99..00000000
--- a/data/excluded/GO-2022-0305.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0305
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/grafana/agent
-cves:
- - CVE-2021-41090
-ghsas:
- - GHSA-9c4x-5hgq-q3wh
diff --git a/data/excluded/GO-2022-0306.yaml b/data/excluded/GO-2022-0306.yaml
deleted file mode 100644
index 72730992..00000000
--- a/data/excluded/GO-2022-0306.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0306
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/foxcpp/maddy
-cves:
- - CVE-2021-42583
-ghsas:
- - GHSA-5r5w-h76p-m726
diff --git a/data/excluded/GO-2022-0307.yaml b/data/excluded/GO-2022-0307.yaml
deleted file mode 100644
index 60838856..00000000
--- a/data/excluded/GO-2022-0307.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0307
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/nats-io/nats-server
-cves:
- - CVE-2022-24450
-ghsas:
- - GHSA-g6w6-r76c-28j7
diff --git a/data/excluded/GO-2022-0308.yaml b/data/excluded/GO-2022-0308.yaml
deleted file mode 100644
index 839d1735..00000000
--- a/data/excluded/GO-2022-0308.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0308
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/go-gitea/gitea
-cves:
- - CVE-2021-45325
-ghsas:
- - GHSA-8h8p-x289-vvqr
diff --git a/data/excluded/GO-2022-0309.yaml b/data/excluded/GO-2022-0309.yaml
deleted file mode 100644
index 2ee9f723..00000000
--- a/data/excluded/GO-2022-0309.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0309
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/go-gitea/gitea
-cves:
- - CVE-2021-45326
-ghsas:
- - GHSA-4wp3-8q92-mh8w
diff --git a/data/excluded/GO-2022-0310.yaml b/data/excluded/GO-2022-0310.yaml
deleted file mode 100644
index 64753d8b..00000000
--- a/data/excluded/GO-2022-0310.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2022-0310
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/go-gitea/gitea
-cves:
- - CVE-2021-45327
-ghsas:
- - GHSA-jrpg-35hw-m4p9
diff --git a/data/osv/GO-2022-0231.json b/data/osv/GO-2022-0231.json
new file mode 100644
index 00000000..eeb0fdb4
--- /dev/null
+++ b/data/osv/GO-2022-0231.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0231",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-20848",
+ "GHSA-458f-26r3-x2c3"
+ ],
+ "summary": "Cross-site Scripting in github.com/schollz/rwtxt",
+ "details": "Cross-site Scripting in github.com/schollz/rwtxt",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/schollz/rwtxt",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.8.6"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-458f-26r3-x2c3"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20848"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/schollz/rwtxt/commit/c09fb17375c4c47b49524c688288af1fe20e730a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jvn.jp/en/jp/JVN22515597/index.html"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0231",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0249.json b/data/osv/GO-2022-0249.json
new file mode 100644
index 00000000..9272a6d7
--- /dev/null
+++ b/data/osv/GO-2022-0249.json
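Review bot: Every added OSV record sets `"modified": "0001-01-01T00:00:00Z"` and `"published": "0001-01-01T00:00:00Z"`, which is a zero-time placeholder rather than a real timestamp, and OSV consumers compare `modified` to decide whether a cached entry is stale, so these entries will look older than anything already cached. The same placeholder appears in every data/osv hunk of this change (GO-2022-0249 through GO-2022-0310). If a later generation step fills these fields in, stating that in the commit description would save reviewers from chasing it; otherwise the timestamps should be set when the record is written. Note also that `summary` and `details` are identical in each record, so `details` currently adds nothing beyond the summary line — presumably expected for UNREVIEWED entries, but worth confirming.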
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0249",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-3908",
+ "GHSA-g5gj-9ggf-9vmq"
+ ],
+ "summary": "Infinite certificate chain depth results in OctoRPKI running forever in github.com/cloudflare/cfrpki",
+ "details": "Infinite certificate chain depth results in OctoRPKI running forever in github.com/cloudflare/cfrpki",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cloudflare/cfrpki",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3908"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.debian.org/security/2022/dsa-5041"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0249",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0250.json b/data/osv/GO-2022-0250.json
new file mode 100644
index 00000000..ca539235
--- /dev/null
+++ b/data/osv/GO-2022-0250.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0250",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-3909",
+ "GHSA-8cvr-4rrf-f244"
+ ],
+ "summary": "Infinite open connection causes OctoRPKI to hang forever in github.com/cloudflare/cfrpki",
+ "details": "Infinite open connection causes OctoRPKI to hang forever in github.com/cloudflare/cfrpki",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cloudflare/cfrpki",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3909"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.debian.org/security/2021/dsa-5033"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.debian.org/security/2022/dsa-5041"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0250",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0260.json b/data/osv/GO-2022-0260.json
new file mode 100644
index 00000000..a9d39ca5
--- /dev/null
+++ b/data/osv/GO-2022-0260.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0260",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-41254",
+ "GHSA-35rf-v2jv-gfg7"
+ ],
+ "summary": "Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller",
+ "details": "Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/fluxcd/kustomize-controller",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.15.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/fluxcd/kustomize-controller/security/advisories/GHSA-35rf-v2jv-gfg7"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41254"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0260",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0261.json b/data/osv/GO-2022-0261.json
new file mode 100644
index 00000000..af1c1d61
--- /dev/null
+++ b/data/osv/GO-2022-0261.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0261",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-41266",
+ "GHSA-4999-659w-mq36"
+ ],
+ "summary": "Authentication bypass issue in the Operator Console in github.com/minio/console",
+ "details": "Authentication bypass issue in the Operator Console in github.com/minio/console",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/minio/console",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.12.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41266"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/minio/console/pull/1217"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0261",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0270.json b/data/osv/GO-2022-0270.json
new file mode 100644
index 00000000..e26ee013
--- /dev/null
+++ b/data/osv/GO-2022-0270.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0270",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-22565",
+ "GHSA-wx8q-rgfr-cf6v"
+ ],
+ "summary": "Insufficient Granularity of Access Control in github.com/google/exposure-notifications-verification-server",
+ "details": "Insufficient Granularity of Access Control in github.com/google/exposure-notifications-verification-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/google/exposure-notifications-verification-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-wx8q-rgfr-cf6v"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22565"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/google/exposure-notifications-verification-server"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0270",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0278.json b/data/osv/GO-2022-0278.json
new file mode 100644
index 00000000..733bb0e7
--- /dev/null
+++ b/data/osv/GO-2022-0278.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0278",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-43816",
+ "GHSA-mvff-h3cj-wj9c"
+ ],
+ "summary": "Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux in github.com/containerd/containerd",
+ "details": "Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux in github.com/containerd/containerd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/containerd/containerd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.5.0"
+ },
+ {
+ "fixed": "1.5.9"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43816"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/containerd/containerd/issues/6194"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0278",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0281.json b/data/osv/GO-2022-0281.json
new file mode 100644
index 00000000..91a5dcfd
--- /dev/null
+++ b/data/osv/GO-2022-0281.json
@@ -0,0 +1,94 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0281",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-4024",
+ "GHSA-3cf2-x423-x582"
+ ],
+ "summary": "Exposure of Sensitive Information to an Unauthorized Actor and Origin Validation Error in podman in github.com/containers/podman",
+ "details": "Exposure of Sensitive Information to an Unauthorized Actor and Origin Validation Error in podman in github.com/containers/podman",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/containers/podman",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/containers/podman/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/containers/podman/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.4.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-3cf2-x423-x582"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4024"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2026675,"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/containers/podman/releases/tag/v3.4.3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFFVJ6S3ZRMPDYB7KYAWEMDHXFZYQPU3"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0281",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0291.json b/data/osv/GO-2022-0291.json
new file mode 100644
index 00000000..fd9e1d55
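Review bot: The third reference in the GO-2022-0281 hunk carries a stray trailing comma inside the URL string, `"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2026675,"`, so the stored link does not point at the intended bug and any tooling that follows references will request a malformed URL; it should read `"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2026675"`. If this JSON is generated from a report YAML that is not in this chunk, the correction belongs in that source so it survives regeneration. Separately, the `github.com/containers/podman` and `github.com/containers/podman/v2` entries have an `introduced: "0"` event with no `fixed`, which marks every version of those module paths as affected — consistent with a fix landing only in v3, but worth a glance since it will flag all v1/v2 users indefinitely.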
--- /dev/null
+++ b/data/osv/GO-2022-0291.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0291",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-39183",
+ "GHSA-2hfj-cxw7-g45p"
+ ],
+ "summary": "Unsafe inline XSS in pasting DOM element into chat in github.com/owncast/owncast",
+ "details": "Unsafe inline XSS in pasting DOM element into chat in github.com/owncast/owncast",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/owncast/owncast",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.9"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39183"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0291",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0295.json b/data/osv/GO-2022-0295.json
new file mode 100644
index 00000000..4f7736d2
--- /dev/null
+++ b/data/osv/GO-2022-0295.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0295",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-21646",
+ "GHSA-7p8f-8hjm-wm92"
+ ],
+ "summary": "Lookup operations do not take into account wildcards in SpiceDB in github.com/authzed/spicedb",
+ "details": "Lookup operations do not take into account wildcards in SpiceDB in github.com/authzed/spicedb",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/authzed/spicedb",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.3.0"
+ },
+ {
+ "fixed": "1.4.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21646"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/authzed/spicedb/issues/358"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/authzed/spicedb/releases/tag/v1.4.0"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0295",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0298.json b/data/osv/GO-2022-0298.json
new file mode 100644
index 00000000..ad44ef9b
--- /dev/null
+++ b/data/osv/GO-2022-0298.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0298",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-21687",
+ "GHSA-rrp4-2xx3-mv29"
+ ],
+ "summary": "Command injection in gh-ost in github.com/github/gh-ost",
+ "details": "Command injection in gh-ost in github.com/github/gh-ost",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/github/gh-ost",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/github/gh-ost/security/advisories/GHSA-rrp4-2xx3-mv29"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21687"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/github/gh-ost/commit/a91ab042de013cfd8fbb633763438932d9080d8f"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0298",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0302.json b/data/osv/GO-2022-0302.json
new file mode 100644
index 00000000..f1b1f523
--- /dev/null
+++ b/data/osv/GO-2022-0302.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0302",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-23857",
+ "GHSA-pmcr-2rhp-36hr"
+ ],
+ "summary": "SQL injection in github.com/navidrome/navidrome",
+ "details": "SQL injection in github.com/navidrome/navidrome",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/navidrome/navidrome",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.47.5"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-pmcr-2rhp-36hr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23857"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/navidrome/navidrome/releases/tag/v0.47.5"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0302",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0303.json b/data/osv/GO-2022-0303.json
new file mode 100644
index 00000000..1b0abe49
--- /dev/null
+++ b/data/osv/GO-2022-0303.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0303",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-24124",
+ "GHSA-m358-g4rp-533r"
+ ],
+ "summary": "SQL Injection in Casdoor in github.com/casdoor/casdoor",
+ "details": "SQL Injection in Casdoor in github.com/casdoor/casdoor",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/casdoor/casdoor",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.13.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-m358-g4rp-533r"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24124"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/casdoor/casdoor/commit/5ec0c7a89005819960d8fe07f5ddda13d1371b8c"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/casdoor/casdoor/pull/442"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/casdoor/casdoor/issues/439"
+ },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/166163/Casdoor-1.13.0-SQL-Injection.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casdoor/casdoor/compare/v1.13.0...v1.13.1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0303",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0304.json b/data/osv/GO-2022-0304.json
new file mode 100644
index 00000000..c23dc97a
--- /dev/null
+++ b/data/osv/GO-2022-0304.json
@@ -0,0 +1,87 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0304",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-24348",
+ "GHSA-63qx-x74g-jcr7"
+ ],
+ "summary": "Path traversal and dereference of symlinks in Argo CD in github.com/argoproj/argo-cd",
+ "details": "Path traversal and dereference of symlinks in Argo CD in github.com/argoproj/argo-cd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-cd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/argoproj/argo-cd/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.9"
+ },
+ {
+ "introduced": "2.2.0"
+ },
+ {
+ "fixed": "2.2.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24348"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/argoproj/argo-cd/commit/78c2084f0febd159039ff785ddc2bd4ba1cecf88"
+ },
+ {
+ "type": "WEB",
+ "url": "https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.4"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0304",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0305.json b/data/osv/GO-2022-0305.json
new file mode 100644
index 00000000..09e60837
--- /dev/null
+++ b/data/osv/GO-2022-0305.json
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0305",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-41090",
+ "GHSA-9c4x-5hgq-q3wh"
+ ],
+ "summary": "Instance config inline secret exposure in Grafana in github.com/grafana/agent",
+ "details": "Instance config inline secret exposure in Grafana in github.com/grafana/agent",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/grafana/agent",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.14.0"
+ },
+ {
+ "fixed": "0.21.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/grafana/agent/security/advisories/GHSA-9c4x-5hgq-q3wh"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41090"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/agent/commit/a5479755e946e5c7cddb793ee9adda8f5692ba11"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/agent/commit/af7fb01e31fe2d389e5f1c36b399ddc46b412b21"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/grafana/agent/pull/1152"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/agent/releases/tag/v0.20.1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/agent/releases/tag/v0.21.2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20211229-0004"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0305",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0306.json b/data/osv/GO-2022-0306.json
new file mode 100644
index 00000000..7d7fca83
--- /dev/null
+++ b/data/osv/GO-2022-0306.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0306",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2021-42583",
+ "GHSA-5r5w-h76p-m726"
+ ],
+ "summary": "Use of a Broken or Risky Cryptographic Algorithm in Max Mazurov Maddy in github.com/foxcpp/maddy",
+ "details": "Use of a Broken or Risky Cryptographic Algorithm in Max Mazurov Maddy in github.com/foxcpp/maddy",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/foxcpp/maddy",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.5.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-5r5w-h76p-m726"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42583"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/foxcpp/maddy/releases/tag/v0.5.2"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0306",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0307.json b/data/osv/GO-2022-0307.json
new file mode 100644
index 00000000..fce986ae
--- /dev/null
+++ b/data/osv/GO-2022-0307.json
@@ -0,0 +1,93 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2022-0307",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-24450",
+ "GHSA-g6w6-r76c-28j7"
+ ],
+ "summary": "Incorrect Authorization in NATS nats-server in github.com/nats-io/nats-server",
+ "details": "Incorrect Authorization in NATS nats-server in github.com/nats-io/nats-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/nats-io/nats-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/nats-io/nats-server/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "2.7.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/nats-io/nats-streaming-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.15.0"
+ },
+ {
+ "fixed": "0.24.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-g6w6-r76c-28j7"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24450"
+ },
+ {
+ "type": "WEB",
+ "url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0307",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2022-0308.json b/data/osv/GO-2022-0308.json
new file mode 100644
index 00000000..7a120c00
--- /dev/null
+++ b/data/osv/GO-2022-0308.json
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0308", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-45325", + "GHSA-8h8p-x289-vvqr" + ], + "summary": "Gitea displaying raw OpenID error in UI in github.com/go-gitea/gitea", + "details": "Gitea displaying raw OpenID error in UI in github.com/go-gitea/gitea", + "affected": [ + { + "package": { + "name": "github.com/go-gitea/gitea", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.7.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8h8p-x289-vvqr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45325" + }, + { + "type": "FIX", + "url": "https://github.com/go-gitea/gitea/pull/5705" + }, + { + "type": "FIX", + "url": "https://github.com/go-gitea/gitea/pull/5712" + }, + { + "type": "WEB", + "url": "https://blog.gitea.io/2019/01/gitea-1.7.0-is-released" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0308", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0309.json b/data/osv/GO-2022-0309.json new file mode 100644 index 00000000..8a8dd3ff --- /dev/null +++ b/data/osv/GO-2022-0309.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0309", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-45326", + "GHSA-4wp3-8q92-mh8w" + ], + "summary": "Cross Site Request Forgery in Gitea in github.com/go-gitea/gitea", + "details": "Cross Site Request Forgery in Gitea in github.com/go-gitea/gitea", + "affected": [ + { + "package": { + "name": "github.com/go-gitea/gitea", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-4wp3-8q92-mh8w" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45326" + }, + { + "type": "FIX", + "url": "https://github.com/go-gitea/gitea/pull/4840" + }, + { + "type": "REPORT", + "url": "https://github.com/go-gitea/gitea/issues/4838" + }, + { + "type": "WEB", + "url": "https://blog.gitea.io/2018/10/gitea-1.5.2-is-released" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0309", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2022-0310.json b/data/osv/GO-2022-0310.json new file mode 100644 index 00000000..55e279e8 --- /dev/null +++ b/data/osv/GO-2022-0310.json 
@@ -0,0 +1,76 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2022-0310", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2021-45327", + "GHSA-jrpg-35hw-m4p9" + ], + "summary": "Capture-replay in Gitea in code.gitea.io/gitea", + "details": "Capture-replay in Gitea in code.gitea.io/gitea", + "affected": [ + { + "package": { + "name": "code.gitea.io/gitea", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.2" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-jrpg-35hw-m4p9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45327" + }, + { + "type": "WEB", + "url": "https://blog.gitea.io/2020/03/gitea-1.11.2-is-released" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/commit/4cb18601ff33dda5edb47d5b452cc8f2dc39dd67" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/commit/6f5656ab0ebec03fe63898208dabc802c4be46ab" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/commit/ed664a9e1dae4d4660e60c981173bbc5102e69ea" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/pull/10462" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/pull/10465" + }, + { + "type": "WEB", + "url": "https://github.com/go-gitea/gitea/pull/10582" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0310", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2022-0231.yaml b/data/reports/GO-2022-0231.yaml new file mode 100644 index 00000000..c3421d65 --- /dev/null +++ b/data/reports/GO-2022-0231.yaml 
@@ -0,0 +1,21 @@
+id: GO-2022-0231
+modules:
+ - module: github.com/schollz/rwtxt
+ versions:
+ - fixed: 1.8.6
+ vulnerable_at: 1.8.5
+summary: Cross-site Scripting in github.com/schollz/rwtxt
+cves:
+ - CVE-2021-20848
+ghsas:
+ - GHSA-458f-26r3-x2c3
+references:
+ - advisory: https://github.com/advisories/GHSA-458f-26r3-x2c3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-20848
+ - fix: https://github.com/schollz/rwtxt/commit/c09fb17375c4c47b49524c688288af1fe20e730a
+ - web: https://jvn.jp/en/jp/JVN22515597/index.html
+source:
+ id: GHSA-458f-26r3-x2c3
+ created: 2024-08-20T12:53:35.179757-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0249.yaml b/data/reports/GO-2022-0249.yaml
new file mode 100644
index 00000000..1ad682b3
--- /dev/null
+++ b/data/reports/GO-2022-0249.yaml
@@ -0,0 +1,21 @@
+id: GO-2022-0249
+modules:
+ - module: github.com/cloudflare/cfrpki
+ versions:
+ - fixed: 1.4.0
+ vulnerable_at: 1.3.0
+summary: Infinite certificate chain depth results in OctoRPKI running forever in github.com/cloudflare/cfrpki
+cves:
+ - CVE-2021-3908
+ghsas:
+ - GHSA-g5gj-9ggf-9vmq
+references:
+ - advisory: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3908
+ - web: https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0
+ - web: https://www.debian.org/security/2022/dsa-5041
+source:
+ id: GHSA-g5gj-9ggf-9vmq
+ created: 2024-08-20T12:53:42.831332-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0250.yaml b/data/reports/GO-2022-0250.yaml
new file mode 100644
index 00000000..7c0e3e72
--- /dev/null
+++ b/data/reports/GO-2022-0250.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-0250
+modules:
+ - module: github.com/cloudflare/cfrpki
+ versions:
+ - fixed: 1.4.0
+ vulnerable_at: 1.3.0
+summary: Infinite open connection causes OctoRPKI to hang forever in github.com/cloudflare/cfrpki
+cves:
+ - CVE-2021-3909
+ghsas:
+ - GHSA-8cvr-4rrf-f244
+references:
+ - advisory: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3909
+ - web: https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0
+ - web: https://www.debian.org/security/2021/dsa-5033
+ - web: https://www.debian.org/security/2022/dsa-5041
+source:
+ id: GHSA-8cvr-4rrf-f244
+ created: 2024-08-20T12:53:47.261004-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0260.yaml b/data/reports/GO-2022-0260.yaml
new file mode 100644
index 00000000..4b669288
--- /dev/null
+++ b/data/reports/GO-2022-0260.yaml
@@ -0,0 +1,19 @@
+id: GO-2022-0260
+modules:
+ - module: github.com/fluxcd/kustomize-controller
+ versions:
+ - fixed: 0.15.0
+ vulnerable_at: 0.14.1
+summary: Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller
+cves:
+ - CVE-2021-41254
+ghsas:
+ - GHSA-35rf-v2jv-gfg7
+references:
+ - advisory: https://github.com/fluxcd/kustomize-controller/security/advisories/GHSA-35rf-v2jv-gfg7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-41254
+source:
+ id: GHSA-35rf-v2jv-gfg7
+ created: 2024-08-20T12:54:02.780064-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0261.yaml b/data/reports/GO-2022-0261.yaml
new file mode 100644
index 00000000..6b06ccde
--- /dev/null
+++ b/data/reports/GO-2022-0261.yaml
@@ -0,0 +1,20 @@
+id: GO-2022-0261
+modules:
+ - module: github.com/minio/console
+ versions:
+ - fixed: 0.12.3
+ vulnerable_at: 0.12.2
+summary: Authentication bypass issue in the Operator Console in github.com/minio/console
+cves:
+ - CVE-2021-41266
+ghsas:
+ - GHSA-4999-659w-mq36
+references:
+ - advisory: https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-41266
+ - fix: https://github.com/minio/console/pull/1217
+source:
+ id: GHSA-4999-659w-mq36
+ created: 2024-08-20T12:54:05.540954-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0270.yaml b/data/reports/GO-2022-0270.yaml
new file mode 100644
index 00000000..be4973b0
--- /dev/null
+++ b/data/reports/GO-2022-0270.yaml
@@ -0,0 +1,23 @@
+id: GO-2022-0270
+modules:
+ - module: github.com/google/exposure-notifications-verification-server
+ versions:
+ - fixed: 1.1.2
+ vulnerable_at: 1.1.1
+summary: |-
+ Insufficient Granularity of Access Control in
+ github.com/google/exposure-notifications-verification-server
+cves:
+ - CVE-2021-22565
+ghsas:
+ - GHSA-wx8q-rgfr-cf6v
+references:
+ - advisory: https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-wx8q-rgfr-cf6v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-22565
+ - web: https://github.com/google/exposure-notifications-verification-server
+ - web: https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2
+source:
+ id: GHSA-wx8q-rgfr-cf6v
+ created: 2024-08-20T12:54:36.470114-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0278.yaml b/data/reports/GO-2022-0278.yaml
new file mode 100644
index 00000000..97381c7f
--- /dev/null
+++ b/data/reports/GO-2022-0278.yaml
@@ -0,0 +1,25 @@
+id: GO-2022-0278
+modules:
+ - module: github.com/containerd/containerd
+ versions:
+ - introduced: 1.5.0
+ - fixed: 1.5.9
+ vulnerable_at: 1.5.8
+summary: Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux in github.com/containerd/containerd
+cves:
+ - CVE-2021-43816
+ghsas:
+ - GHSA-mvff-h3cj-wj9c
+references:
+ - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-43816
+ - fix: https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea
+ - report: https://github.com/containerd/containerd/issues/6194
+ - web: https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID
+source:
+ id: GHSA-mvff-h3cj-wj9c
+ created: 2024-08-20T12:54:59.121124-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0281.yaml b/data/reports/GO-2022-0281.yaml
new file mode 100644
index 00000000..59dbe6fe
--- /dev/null
+++ b/data/reports/GO-2022-0281.yaml
@@ -0,0 +1,28 @@
+id: GO-2022-0281
+modules:
+ - module: github.com/containers/podman
+ vulnerable_at: 1.9.3
+ - module: github.com/containers/podman/v2
+ vulnerable_at: 2.2.1
+ - module: github.com/containers/podman/v3
+ versions:
+ - fixed: 3.4.3
+ vulnerable_at: 3.4.2
+summary: |-
+ Exposure of Sensitive Information to an Unauthorized Actor and Origin Validation
+ Error in podman in github.com/containers/podman
+cves:
+ - CVE-2021-4024
+ghsas:
+ - GHSA-3cf2-x423-x582
+references:
+ - advisory: https://github.com/advisories/GHSA-3cf2-x423-x582
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-4024
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2026675,
+ - web: https://github.com/containers/podman/releases/tag/v3.4.3
+ - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFFVJ6S3ZRMPDYB7KYAWEMDHXFZYQPU3
+source:
+ id: GHSA-3cf2-x423-x582
+ created: 2024-08-20T12:55:24.303654-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0291.yaml b/data/reports/GO-2022-0291.yaml
new file mode 100644
index 00000000..beadbdf8
--- /dev/null
+++ b/data/reports/GO-2022-0291.yaml
@@ -0,0 +1,19 @@
+id: GO-2022-0291
+modules:
+ - module: github.com/owncast/owncast
+ versions:
+ - fixed: 0.0.9
+ vulnerable_at: 0.0.8
+summary: Unsafe inline XSS in pasting DOM element into chat in github.com/owncast/owncast
+cves:
+ - CVE-2021-39183
+ghsas:
+ - GHSA-2hfj-cxw7-g45p
+references:
+ - advisory: https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-39183
+source:
+ id: GHSA-2hfj-cxw7-g45p
+ created: 2024-08-20T12:56:00.503249-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0295.yaml b/data/reports/GO-2022-0295.yaml
new file mode 100644
index 00000000..9277b49f
--- /dev/null
+++ b/data/reports/GO-2022-0295.yaml
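Review bot: The bugzilla reference in GO-2022-0281 ends with a stray comma, `- web: https://bugzilla.redhat.com/show_bug.cgi?id=2026675,`; in YAML the comma is part of the scalar, so the generated OSV entry will carry a broken URL and nothing in the report tooling visible here would reject it. Drop it: `- web: https://bugzilla.redhat.com/show_bug.cgi?id=2026675`. Since the file is marked UNREVIEWED and published as-is, a quick URL-shape lint on references before unexcluding would catch this class of typo.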
@@ -0,0 +1,23 @@
+id: GO-2022-0295
+modules:
+ - module: github.com/authzed/spicedb
+ versions:
+ - introduced: 1.3.0
+ - fixed: 1.4.0
+ vulnerable_at: 1.3.0
+summary: Lookup operations do not take into account wildcards in SpiceDB in github.com/authzed/spicedb
+cves:
+ - CVE-2022-21646
+ghsas:
+ - GHSA-7p8f-8hjm-wm92
+references:
+ - advisory: https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-21646
+ - fix: https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970
+ - report: https://github.com/authzed/spicedb/issues/358
+ - web: https://github.com/authzed/spicedb/releases/tag/v1.4.0
+source:
+ id: GHSA-7p8f-8hjm-wm92
+ created: 2024-08-20T12:56:13.496889-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0298.yaml b/data/reports/GO-2022-0298.yaml
new file mode 100644
index 00000000..ec24d283
--- /dev/null
+++ b/data/reports/GO-2022-0298.yaml
@@ -0,0 +1,20 @@
+id: GO-2022-0298
+modules:
+ - module: github.com/github/gh-ost
+ versions:
+ - fixed: 1.1.3
+ vulnerable_at: 1.1.2
+summary: Command injection in gh-ost in github.com/github/gh-ost
+cves:
+ - CVE-2022-21687
+ghsas:
+ - GHSA-rrp4-2xx3-mv29
+references:
+ - advisory: https://github.com/github/gh-ost/security/advisories/GHSA-rrp4-2xx3-mv29
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-21687
+ - fix: https://github.com/github/gh-ost/commit/a91ab042de013cfd8fbb633763438932d9080d8f
+source:
+ id: GHSA-rrp4-2xx3-mv29
+ created: 2024-08-20T12:56:29.18545-04:00
+review_status: UNREVIEWED
+unexcluded: NOT_IMPORTABLE
diff --git a/data/reports/GO-2022-0302.yaml b/data/reports/GO-2022-0302.yaml
new file mode 100644
index 00000000..0c2a5a74
--- /dev/null
+++ b/data/reports/GO-2022-0302.yaml
@@ -0,0 +1,21 @@
+id: GO-2022-0302
+modules:
+ - module: github.com/navidrome/navidrome
+ versions:
+ - fixed: 0.47.5
+ vulnerable_at: 0.47.0
+summary: SQL injection in github.com/navidrome/navidrome
+cves:
+ - CVE-2022-23857
+ghsas:
+ - GHSA-pmcr-2rhp-36hr
+references:
+ - advisory: https://github.com/advisories/GHSA-pmcr-2rhp-36hr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-23857
+ - fix: https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d
+ - web: https://github.com/navidrome/navidrome/releases/tag/v0.47.5
+source:
+ id: GHSA-pmcr-2rhp-36hr
+ created: 2024-08-20T12:56:40.212679-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0303.yaml b/data/reports/GO-2022-0303.yaml
new file mode 100644
index 00000000..0628dd0e
--- /dev/null
+++ b/data/reports/GO-2022-0303.yaml
@@ -0,0 +1,24 @@
+id: GO-2022-0303
+modules:
+ - module: github.com/casdoor/casdoor
+ versions:
+ - fixed: 1.13.1
+ vulnerable_at: 1.13.0
+summary: SQL Injection in Casdoor in github.com/casdoor/casdoor
+cves:
+ - CVE-2022-24124
+ghsas:
+ - GHSA-m358-g4rp-533r
+references:
+ - advisory: https://github.com/advisories/GHSA-m358-g4rp-533r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24124
+ - fix: https://github.com/casdoor/casdoor/commit/5ec0c7a89005819960d8fe07f5ddda13d1371b8c
+ - fix: https://github.com/casdoor/casdoor/pull/442
+ - report: https://github.com/casdoor/casdoor/issues/439
+ - web: http://packetstormsecurity.com/files/166163/Casdoor-1.13.0-SQL-Injection.html
+ - web: https://github.com/casdoor/casdoor/compare/v1.13.0...v1.13.1
+source:
+ id: GHSA-m358-g4rp-533r
+ created: 2024-08-20T12:56:44.208608-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0304.yaml b/data/reports/GO-2022-0304.yaml
new file mode 100644
index 00000000..92e38a2a
--- /dev/null
+++ b/data/reports/GO-2022-0304.yaml
@@ -0,0 +1,27 @@
+id: GO-2022-0304
+modules:
+ - module: github.com/argoproj/argo-cd
+ vulnerable_at: 1.8.6
+ - module: github.com/argoproj/argo-cd/v2
+ versions:
+ - fixed: 2.1.9
+ - introduced: 2.2.0
+ - fixed: 2.2.4
+ vulnerable_at: 2.2.3
+summary: Path traversal and dereference of symlinks in Argo CD in github.com/argoproj/argo-cd
+cves:
+ - CVE-2022-24348
+ghsas:
+ - GHSA-63qx-x74g-jcr7
+references:
+ - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24348
+ - fix: https://github.com/argoproj/argo-cd/commit/78c2084f0febd159039ff785ddc2bd4ba1cecf88
+ - web: https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments
+ - web: https://github.com/argoproj/argo-cd/releases/tag/v2.1.9
+ - web: https://github.com/argoproj/argo-cd/releases/tag/v2.2.4
+source:
+ id: GHSA-63qx-x74g-jcr7
+ created: 2024-08-20T12:56:49.601119-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0305.yaml b/data/reports/GO-2022-0305.yaml
new file mode 100644
index 00000000..5f8ac742
--- /dev/null
+++ b/data/reports/GO-2022-0305.yaml
@@ -0,0 +1,26 @@
+id: GO-2022-0305
+modules:
+ - module: github.com/grafana/agent
+ versions:
+ - introduced: 0.14.0
+ - fixed: 0.21.2
+ vulnerable_at: 0.21.1
+summary: Instance config inline secret exposure in Grafana in github.com/grafana/agent
+cves:
+ - CVE-2021-41090
+ghsas:
+ - GHSA-9c4x-5hgq-q3wh
+references:
+ - advisory: https://github.com/grafana/agent/security/advisories/GHSA-9c4x-5hgq-q3wh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-41090
+ - fix: https://github.com/grafana/agent/commit/a5479755e946e5c7cddb793ee9adda8f5692ba11
+ - fix: https://github.com/grafana/agent/commit/af7fb01e31fe2d389e5f1c36b399ddc46b412b21
+ - fix: https://github.com/grafana/agent/pull/1152
+ - web: https://github.com/grafana/agent/releases/tag/v0.20.1
+ - web: https://github.com/grafana/agent/releases/tag/v0.21.2
+ - web: https://security.netapp.com/advisory/ntap-20211229-0004
+source:
+ id: GHSA-9c4x-5hgq-q3wh
+ created: 2024-08-20T12:56:55.576848-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0306.yaml b/data/reports/GO-2022-0306.yaml
new file mode 100644
index 00000000..422511fe
--- /dev/null
+++ b/data/reports/GO-2022-0306.yaml
@@ -0,0 +1,21 @@
+id: GO-2022-0306
+modules:
+ - module: github.com/foxcpp/maddy
+ versions:
+ - fixed: 0.5.2
+ vulnerable_at: 0.5.1
+summary: Use of a Broken or Risky Cryptographic Algorithm in Max Mazurov Maddy in github.com/foxcpp/maddy
+cves:
+ - CVE-2021-42583
+ghsas:
+ - GHSA-5r5w-h76p-m726
+references:
+ - advisory: https://github.com/advisories/GHSA-5r5w-h76p-m726
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-42583
+ - web: https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go
+ - web: https://github.com/foxcpp/maddy/releases/tag/v0.5.2
+source:
+ id: GHSA-5r5w-h76p-m726
+ created: 2024-08-20T12:57:02.727014-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
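Review bot: GO-2022-0305 records a single `- fixed: 0.21.2` for github.com/grafana/agent, yet its references list both the v0.20.1 and the v0.21.2 release tags, which usually signals a backported fix on the 0.20 line. If v0.20.1 contains the fix, the range as written keeps reporting 0.20.1 as vulnerable and should be split into `- fixed: 0.20.1`, `- introduced: 0.21.0`, `- fixed: 0.21.2`. I cannot confirm the backport from this diff, so check the advisory before changing the range; a false positive on a patched version is the kind of thing consumers of an UNREVIEWED entry will not second-guess.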
diff --git a/data/reports/GO-2022-0307.yaml b/data/reports/GO-2022-0307.yaml
new file mode 100644
index 00000000..c680296b
--- /dev/null
+++ b/data/reports/GO-2022-0307.yaml
@@ -0,0 +1,29 @@
+id: GO-2022-0307
+modules:
+ - module: github.com/nats-io/nats-server
+ vulnerable_at: 1.4.1
+ - module: github.com/nats-io/nats-server/v2
+ versions:
+ - introduced: 2.0.0
+ - fixed: 2.7.2
+ vulnerable_at: 2.7.1
+ - module: github.com/nats-io/nats-streaming-server
+ versions:
+ - introduced: 0.15.0
+ - fixed: 0.24.1
+ vulnerable_at: 0.24.0
+summary: Incorrect Authorization in NATS nats-server in github.com/nats-io/nats-server
+cves:
+ - CVE-2022-24450
+ghsas:
+ - GHSA-g6w6-r76c-28j7
+references:
+ - advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-g6w6-r76c-28j7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24450
+ - web: https://advisories.nats.io/CVE/CVE-2022-24450.txt
+ - web: https://github.com/nats-io/nats-server/releases/tag/v2.7.2
+source:
+ id: GHSA-g6w6-r76c-28j7
+ created: 2024-08-20T12:57:06.090056-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0308.yaml b/data/reports/GO-2022-0308.yaml
new file mode 100644
index 00000000..cd523a8e
--- /dev/null
+++ b/data/reports/GO-2022-0308.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-0308
+modules:
+ - module: github.com/go-gitea/gitea
+ versions:
+ - fixed: 1.7.0
+ vulnerable_at: 1.7.0-rc3
+summary: Gitea displaying raw OpenID error in UI in github.com/go-gitea/gitea
+cves:
+ - CVE-2021-45325
+ghsas:
+ - GHSA-8h8p-x289-vvqr
+references:
+ - advisory: https://github.com/advisories/GHSA-8h8p-x289-vvqr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-45325
+ - fix: https://github.com/go-gitea/gitea/pull/5705
+ - fix: https://github.com/go-gitea/gitea/pull/5712
+ - web: https://blog.gitea.io/2019/01/gitea-1.7.0-is-released
+source:
+ id: GHSA-8h8p-x289-vvqr
+ created: 2024-08-20T12:57:09.790238-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0309.yaml b/data/reports/GO-2022-0309.yaml
new file mode 100644
index 00000000..d327c648
--- /dev/null
+++ b/data/reports/GO-2022-0309.yaml
@@ -0,0 +1,22 @@
+id: GO-2022-0309
+modules:
+ - module: github.com/go-gitea/gitea
+ versions:
+ - fixed: 1.5.2
+ vulnerable_at: 1.5.1
+summary: Cross Site Request Forgery in Gitea in github.com/go-gitea/gitea
+cves:
+ - CVE-2021-45326
+ghsas:
+ - GHSA-4wp3-8q92-mh8w
+references:
+ - advisory: https://github.com/advisories/GHSA-4wp3-8q92-mh8w
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-45326
+ - fix: https://github.com/go-gitea/gitea/pull/4840
+ - report: https://github.com/go-gitea/gitea/issues/4838
+ - web: https://blog.gitea.io/2018/10/gitea-1.5.2-is-released
+source:
+ id: GHSA-4wp3-8q92-mh8w
+ created: 2024-08-20T12:57:15.238093-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2022-0310.yaml b/data/reports/GO-2022-0310.yaml
new file mode 100644
index 00000000..9667f4ac
--- /dev/null
+++ b/data/reports/GO-2022-0310.yaml
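Review bot: GO-2022-0308 and GO-2022-0309 both record the affected module as `github.com/go-gitea/gitea`, while GO-2022-0310 in the next hunk records the same project as `code.gitea.io/gitea`; the two paths cannot both be the module path a consumer's go.mod resolves. If the repository's go.mod declares `code.gitea.io/gitea`, as the third report suggests, the `github.com/...` ranges will never match a dependency graph and govulncheck will silently miss both issues for anyone on a pre-1.7.0 or pre-1.5.2 build. Confirm the declared module path at those releases and align the three reports on it; the earlier entries may simply predate the project becoming a module, in which case that is worth stating in the report rather than leaving a path that cannot match.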
@@ -0,0 +1,26 @@
+id: GO-2022-0310
+modules:
+ - module: code.gitea.io/gitea
+ versions:
+ - fixed: 1.11.2
+ vulnerable_at: 1.11.1
+summary: Capture-replay in Gitea in code.gitea.io/gitea
+cves:
+ - CVE-2021-45327
+ghsas:
+ - GHSA-jrpg-35hw-m4p9
+references:
+ - advisory: https://github.com/advisories/GHSA-jrpg-35hw-m4p9
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-45327
+ - web: https://blog.gitea.io/2020/03/gitea-1.11.2-is-released
+ - web: https://github.com/go-gitea/gitea/commit/4cb18601ff33dda5edb47d5b452cc8f2dc39dd67
+ - web: https://github.com/go-gitea/gitea/commit/6f5656ab0ebec03fe63898208dabc802c4be46ab
+ - web: https://github.com/go-gitea/gitea/commit/ed664a9e1dae4d4660e60c981173bbc5102e69ea
+ - web: https://github.com/go-gitea/gitea/pull/10462
+ - web: https://github.com/go-gitea/gitea/pull/10465
+ - web: https://github.com/go-gitea/gitea/pull/10582
+source:
+ id: GHSA-jrpg-35hw-m4p9
+ created: 2024-08-20T12:57:21.259316-04:00
+review_status: UNREVIEWED
+unexcluded: EFFECTIVELY_PRIVATE