data/reports: add 7 unreviewed reports

  - data/reports/GO-2024-3284.yaml
  - data/reports/GO-2024-3286.yaml
  - data/reports/GO-2024-3287.yaml
  - data/reports/GO-2024-3288.yaml
  - data/reports/GO-2024-3289.yaml
  - data/reports/GO-2024-3290.yaml
  - data/reports/GO-2024-3291.yaml

Fixes #3284
Fixes #3286
Fixes #3287
Fixes #3288
Fixes #3289
Fixes #3290
Fixes #3291

Change-Id: I3f9c602c3b0cb612717f991bef1e379b383c19b8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/632255
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>

Author: tatianab

data/osv/GO-2024-3284.json

@@ -0,0 +1,71 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3284",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-37820",
+    "GHSA-9g6g-xqv5-8g5w"
+  ],
+  "summary": "PingCAP TiDB nil pointer dereference in github.com/pingcap/tidb",
+  "details": "PingCAP TiDB nil pointer dereference in github.com/pingcap/tidb.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/pingcap/tidb before v8.2.0.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/pingcap/tidb",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "8.2.0"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-9g6g-xqv5-8g5w"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37820"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/pingcap/tidb/commit/3d68bd21240c610c6307713e2bd54a5e71c32608"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://github.com/pingcap/tidb/issues/53580"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/ycybfhb/a9c1e14ce281f2f553adca84d384b761"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3284",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3286.json

@@ -0,0 +1,76 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3286",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-10220",
+    "GHSA-27wf-5967-98gx"
+  ],
+  "summary": "Kubernetes kubelet arbitrary command execution in k8s.io/kubernetes",
+  "details": "Kubernetes kubelet arbitrary command execution in k8s.io/kubernetes",
+  "affected": [
+    {
+      "package": {
+        "name": "k8s.io/kubernetes",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.28.12"
+            },
+            {
+              "introduced": "1.29.0"
+            },
+            {
+              "fixed": "1.29.7"
+            },
+            {
+              "introduced": "1.30.0"
+            },
+            {
+              "fixed": "1.30.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-27wf-5967-98gx"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10220"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2024/11/20/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/commit/1ab06efe92d8e898ca1931471c9533ce94aba29b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/issues/128885"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/kubernetes-security-announce/c/ptNgV5Necko"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3286",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3287.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3287",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-45719",
+    "GHSA-mr95-vfcf-fx9p"
+  ],
+  "summary": "Apache Answer: Predictable Authorization Token Using UUIDv1 in github.com/apache/incubator-answer",
+  "details": "Apache Answer: Predictable Authorization Token Using UUIDv1 in github.com/apache/incubator-answer",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/apache/incubator-answer",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.4.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-mr95-vfcf-fx9p"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45719"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2024/11/22/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/sz2d0z39k01nbx3r9pj65t76o1hy9491"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3287",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3288.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3288",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-7f6p-phw2-8253"
+  ],
+  "summary": "Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws in github.com/taurusgroup/multi-party-sig",
+  "details": "Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws in github.com/taurusgroup/multi-party-sig",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/taurusgroup/multi-party-sig",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/taurushq-io/multi-party-sig/security/advisories/GHSA-7f6p-phw2-8253"
+    },
+    {
+      "type": "WEB",
+      "url": "https://eprint.iacr.org/2018/499.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go#L188"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/taurushq-io/multi-party-sig/tree/otfix"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3288",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3289.json

@@ -0,0 +1,53 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3289",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-6538",
+    "GHSA-v3w7-g6p2-mpx7"
+  ],
+  "summary": "OpenShift Console Server Side Request Forgery vulnerability in github.com/openshift/console",
+  "details": "OpenShift Console Server Side Request Forgery vulnerability in github.com/openshift/console",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/openshift/console",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-v3w7-g6p2-mpx7"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6538"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2024-6538"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296057"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3289",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3290.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3290",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-52529",
+    "GHSA-xg58-75qf-9r67"
+  ],
+  "summary": "Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in github.com/cilium/cilium",
+  "details": "Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in github.com/cilium/cilium",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cilium/cilium",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.16.0"
+            },
+            {
+              "fixed": "1.16.4"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52529"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cilium/cilium/pull/35150"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3290",
+    "review_status": "UNREVIEWED"
+  }
+}