data/reports: add 4 reports

thatnealpatel · gopherbot · commit 5153d9bbc4d4 · 2025-03-18T11:14:48.000-07:00
- data/reports/GO-2025-3527.yaml - data/reports/GO-2025-3528.yaml - data/reports/GO-2025-3529.yaml - data/reports/GO-2025-3530.yaml Fixes #3527 Fixes #3528 Fixes #3529 Fixes #3530 Change-Id: I9fecefd23b84996e5bcda75c65362327043092eb Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/658855 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Neal Patel <nealpatel@google.com>
diff --git a/data/osv/GO-2025-3527.json b/data/osv/GO-2025-3527.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3527",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-0495",
+    "GHSA-m4gq-fm9h-8q75"
+  ],
+  "summary": "buildx allows a possible credential leakage to telemetry endpoint in github.com/docker/buildx",
+  "details": "buildx allows a possible credential leakage to telemetry endpoint in github.com/docker/buildx",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/docker/buildx",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.21.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/docker/buildx/security/advisories/GHSA-m4gq-fm9h-8q75"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0495"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/docker/buildx/commit/18ccba072076ddbfb0aeedd6746d7719b0729b58"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3527",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3528.json b/data/osv/GO-2025-3528.json
@@ -0,0 +1,82 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3528",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-40635",
+    "GHSA-265r-hfxg-fhmg"
+  ],
+  "summary": "containerd has an integer overflow in User ID handling in github.com/containerd/containerd",
+  "details": "containerd has an integer overflow in User ID handling in github.com/containerd/containerd",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/containerd/containerd",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.6.38"
+            },
+            {
+              "introduced": "1.7.0-beta.0"
+            },
+            {
+              "fixed": "1.7.27"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/containerd/containerd/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.4"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3528",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3529.json b/data/osv/GO-2025-3529.json
@@ -0,0 +1,53 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3529",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-2241",
+    "GHSA-c339-mwfc-fmr2"
+  ],
+  "summary": "Openshift Hive Exposes VCenter Credentials via ClusterProvision in github.com/openshift/hive",
+  "details": "Openshift Hive Exposes VCenter Credentials via ClusterProvision in github.com/openshift/hive",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/openshift/hive",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-c339-mwfc-fmr2"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2241"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2025-2241"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351350"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3529",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3530.json b/data/osv/GO-2025-3530.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3530",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-29781",
+    "GHSA-c98h-7hp9-v9hq"
+  ],
+  "summary": "Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD in github.com/metal3-io/baremetal-operator/apis",
+  "details": "Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD in github.com/metal3-io/baremetal-operator/apis",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/metal3-io/baremetal-operator/apis",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.8.1"
+            },
+            {
+              "introduced": "0.9.0"
+            },
+            {
+              "fixed": "0.9.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-c98h-7hp9-v9hq"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/metal3-io/baremetal-operator/commit/19f8443b1fe182f76dd81b43122e8dd102f8b94c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/metal3-io/baremetal-operator/pull/2321"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/metal3-io/baremetal-operator/pull/2322"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/metal3-io/metal3-docs/blob/main/design/baremetal-operator/bmc-events.md"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3530",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/reports/GO-2025-3527.yaml b/data/reports/GO-2025-3527.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-3527
+modules:
+    - module: github.com/docker/buildx
+      versions:
+        - fixed: 0.21.3
+      vulnerable_at: 0.21.2
+summary: buildx allows a possible credential leakage to telemetry endpoint in github.com/docker/buildx
+cves:
+    - CVE-2025-0495
+ghsas:
+    - GHSA-m4gq-fm9h-8q75
+references:
+    - advisory: https://github.com/docker/buildx/security/advisories/GHSA-m4gq-fm9h-8q75
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-0495
+    - fix: https://github.com/docker/buildx/commit/18ccba072076ddbfb0aeedd6746d7719b0729b58
+source:
+    id: GHSA-m4gq-fm9h-8q75
+    created: 2025-03-18T12:19:18.62408-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3528.yaml b/data/reports/GO-2025-3528.yaml
@@ -0,0 +1,26 @@
+id: GO-2025-3528
+modules:
+    - module: github.com/containerd/containerd
+      versions:
+        - fixed: 1.6.38
+        - introduced: 1.7.0-beta.0
+        - fixed: 1.7.27
+      vulnerable_at: 1.7.26
+    - module: github.com/containerd/containerd/v2
+      versions:
+        - fixed: 2.0.4
+      vulnerable_at: 2.0.3
+summary: containerd has an integer overflow in User ID handling in github.com/containerd/containerd
+cves:
+    - CVE-2024-40635
+ghsas:
+    - GHSA-265r-hfxg-fhmg
+references:
+    - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
+    - fix: https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da
+    - fix: https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
+    - fix: https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a
+source:
+    id: GHSA-265r-hfxg-fhmg
+    created: 2025-03-18T12:19:26.864701-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3529.yaml b/data/reports/GO-2025-3529.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3529
+modules:
+    - module: github.com/openshift/hive
+      unsupported_versions:
+        - last_affected: 1.1.16
+      vulnerable_at: 1.1.16
+summary: Openshift Hive Exposes VCenter Credentials via ClusterProvision in github.com/openshift/hive
+cves:
+    - CVE-2025-2241
+ghsas:
+    - GHSA-c339-mwfc-fmr2
+references:
+    - advisory: https://github.com/advisories/GHSA-c339-mwfc-fmr2
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-2241
+    - web: https://access.redhat.com/security/cve/CVE-2025-2241
+    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2351350
+source:
+    id: GHSA-c339-mwfc-fmr2
+    created: 2025-03-18T12:19:35.546967-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3530.yaml b/data/reports/GO-2025-3530.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3530
+modules:
+    - module: github.com/metal3-io/baremetal-operator/apis
+      versions:
+        - fixed: 0.8.1
+        - introduced: 0.9.0
+        - fixed: 0.9.1
+      vulnerable_at: 0.9.0
+summary: |-
+    Bare Metal Operator (BMO) can expose any secret from other namespaces via
+    BMCEventSubscription CRD in github.com/metal3-io/baremetal-operator/apis
+cves:
+    - CVE-2025-29781
+ghsas:
+    - GHSA-c98h-7hp9-v9hq
+references:
+    - advisory: https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-c98h-7hp9-v9hq
+    - web: https://github.com/metal3-io/baremetal-operator/commit/19f8443b1fe182f76dd81b43122e8dd102f8b94c
+    - web: https://github.com/metal3-io/baremetal-operator/pull/2321
+    - web: https://github.com/metal3-io/baremetal-operator/pull/2322
+    - web: https://github.com/metal3-io/metal3-docs/blob/main/design/baremetal-operator/bmc-events.md
+source:
+    id: GHSA-c98h-7hp9-v9hq
+    created: 2025-03-18T12:19:45.05457-04:00
+review_status: UNREVIEWED
