data/reports: add 7 reports

  - data/reports/GO-2025-3508.yaml
  - data/reports/GO-2025-3509.yaml
  - data/reports/GO-2025-3510.yaml
  - data/reports/GO-2025-3511.yaml
  - data/reports/GO-2025-3512.yaml
  - data/reports/GO-2025-3514.yaml
  - data/reports/GO-2025-3515.yaml

Fixes #3508
Fixes #3509
Fixes #3510
Fixes #3511
Fixes #3512
Fixes #3514
Fixes #3515

Change-Id: I47e0e0ed27716c87e93329e4c230a10848457115
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/657255
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
Auto-Submit: Neal Patel <[email protected]>
Commit-Queue: Neal Patel <[email protected]>

Author: thatnealpatel

data/osv/GO-2025-3508.json

@@ -0,0 +1,93 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3508",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-52812",
+    "GHSA-6hrw-x7pr-4mp8"
+  ],
+  "summary": "LF Edge eKuiper allows Stored XSS in Rules Functionality in github.com/lf-edge/ekuiper",
+  "details": "LF Edge eKuiper allows Stored XSS in Rules Functionality in github.com/lf-edge/ekuiper",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/lf-edge/ekuiper",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/lf-edge/ekuiper/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.8"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-6hrw-x7pr-4mp8"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52812"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L716"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L735"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L794"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L809"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L824"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lf-edge/ekuiper/releases/tag/v2.0.8"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3508",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3509.json

@@ -0,0 +1,70 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3509",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-27616",
+    "GHSA-9m63-33q3-xq5x"
+  ],
+  "summary": "Vela Server Has Insufficient Webhook Payload Data Verification in github.com/go-vela/server",
+  "details": "Vela Server Has Insufficient Webhook Payload Data Verification in github.com/go-vela/server",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/go-vela/server",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.25.3"
+            },
+            {
+              "introduced": "0.26.0"
+            },
+            {
+              "fixed": "0.26.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27616"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-vela/server/releases/tag/v0.25.3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-vela/server/releases/tag/v0.26.3"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3509",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3510.json

@@ -0,0 +1,53 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3510",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-1296",
+    "GHSA-c3q9-q986-vrwh"
+  ],
+  "summary": "Nomad is vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs in github.com/hashicorp/nomad",
+  "details": "Nomad is vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs in github.com/hashicorp/nomad",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/hashicorp/nomad",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-c3q9-q986-vrwh"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1296"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/hashicorp/nomad/commit/dc482bf9058faf7a192486eb52caa1d42646f6b3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-04-nomad-exposes-sensitive-workload-identity-and-client-secret-token-in-audit-logs/73737"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3510",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3511.json

@@ -0,0 +1,76 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3511",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-27403",
+    "GHSA-44f7-5fj5-h4px"
+  ],
+  "summary": "Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries in github.com/deislabs/ratify",
+  "details": "Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries in github.com/deislabs/ratify",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/deislabs/ratify",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.2.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/ratify-project/ratify",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.3.0"
+            },
+            {
+              "fixed": "1.3.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/ratify-project/ratify/security/advisories/GHSA-44f7-5fj5-h4px"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27403"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/ratify-project/ratify/commit/0ec0c08490e3d672ae64b1a220c90d5484f1c93f"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/ratify-project/ratify/commit/84c7c48fa76bb9a1c9583635d1e90bc25b1a546c"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3511",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3512.json

@@ -0,0 +1,83 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3512",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-1725",
+    "GHSA-fg9q-5cw2-p6r9"
+  ],
+  "summary": "kubevirt-csi: PersistentVolume allows access to HCP's root node in github.com/kubevirt/csi-driver",
+  "details": "kubevirt-csi: PersistentVolume allows access to HCP's root node in github.com/kubevirt/csi-driver.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/kubevirt/csi-driver before v0.0.0-202403081943-cc28dcbb0afc14.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/kubevirt/csi-driver",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "0.0.0-202403081943-cc28dcbb0afc14"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-fg9q-5cw2-p6r9"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1725"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/kubevirt/csi-driver/commit/cc28dcbb0afca0a7cb8a73bc998ab49f864ed560"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2024:1559"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2024:1891"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2024:2047"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2024-1725"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265398"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3512",
+    "review_status": "UNREVIEWED"
+  }
+}