data/reports: add 5 unreviewed reports

tatianab · gopherbot · commit 6f05161aef84 · 2024-08-22T20:03:04.000Z
- data/reports/GO-2024-3076.yaml - data/reports/GO-2024-3077.yaml - data/reports/GO-2024-3078.yaml - data/reports/GO-2024-3079.yaml - data/reports/GO-2024-3080.yaml Fixes #3076 Fixes #3077 Fixes #3078 Fixes #3079 Fixes #3080 Change-Id: Iaa16597434903127a8393697316faf903ac7896f Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607335 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/osv/GO-2024-3076.json b/data/osv/GO-2024-3076.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3076",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-43379",
+    "GHSA-3r74-v83p-f4f4"
+  ],
+  "summary": "Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog",
+  "details": "Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/trufflesecurity/trufflehog",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/trufflesecurity/trufflehog/v3",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.81.9"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/trufflesecurity/trufflehog/security/advisories/GHSA-3r74-v83p-f4f4"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43379"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/trufflesecurity/trufflehog/commit/fe5624c70923355128868cffd647b6e2cfe11443"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3076",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-3077.json b/data/osv/GO-2024-3077.json
@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3077",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-39690",
+    "GHSA-mq69-4j5w-3qwp"
+  ],
+  "summary": "Capsule tenant owner with \"patch namespace\" permission can hijack system namespaces in github.com/projectcapsule/capsule",
+  "details": "Capsule tenant owner with \"patch namespace\" permission can hijack system namespaces in github.com/projectcapsule/capsule",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/projectcapsule/capsule",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39690"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3077",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-3078.json b/data/osv/GO-2024-3078.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3078",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-43406",
+    "GHSA-r5ph-4jxm-6j9p"
+  ],
+  "summary": "LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper",
+  "details": "LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/lf-edge/ekuiper",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.14.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43406"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3078",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-3079.json b/data/osv/GO-2024-3079.json
@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3079",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-6322",
+    "GHSA-hh8p-374f-qgr5"
+  ],
+  "summary": "Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana",
+  "details": "Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/grafana/grafana from v11.1.0 before v11.1.1, from v11.1.2 before v11.1.3.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/grafana/grafana",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "11.1.0"
+              },
+              {
+                "fixed": "11.1.1"
+              },
+              {
+                "introduced": "11.1.2"
+              },
+              {
+                "fixed": "11.1.3"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-hh8p-374f-qgr5"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6322"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/grafana/grafana/commit/4cb3ba5d1a7ab8b9676034e89dada2fcde1766ef"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/grafana/grafana/commit/9cdba084a9100c6b11d32eef9d2bd53656c6964a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://grafana.com/security/security-advisories/cve-2024-6322"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3079",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-3080.json b/data/osv/GO-2024-3080.json
@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3080",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-43403",
+    "GHSA-h27c-6xm3-mcqp"
+  ],
+  "summary": "Kanister vulnerable to cluster-level privilege escalation in github.com/kanisterio/kanister",
+  "details": "Kanister vulnerable to cluster-level privilege escalation in github.com/kanisterio/kanister",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/kanisterio/kanister",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/kanisterio/kanister/security/advisories/GHSA-h27c-6xm3-mcqp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kanisterio/kanister/blob/master/helm/kanister-operator/templates/rbac.yaml#L49"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kanisterio/kanister/wiki/2023%E2%80%9024-Community-Meeting-Notes"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3080",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/reports/GO-2024-3076.yaml b/data/reports/GO-2024-3076.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3076
+modules:
+    - module: github.com/trufflesecurity/trufflehog
+      vulnerable_at: 0.0.0-20220127183845-e9ac138996e7
+    - module: github.com/trufflesecurity/trufflehog/v3
+      versions:
+        - fixed: 3.81.9
+      vulnerable_at: 3.81.8
+summary: Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog
+cves:
+    - CVE-2024-43379
+ghsas:
+    - GHSA-3r74-v83p-f4f4
+references:
+    - advisory: https://github.com/trufflesecurity/trufflehog/security/advisories/GHSA-3r74-v83p-f4f4
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43379
+    - fix: https://github.com/trufflesecurity/trufflehog/commit/fe5624c70923355128868cffd647b6e2cfe11443
+source:
+    id: GHSA-3r74-v83p-f4f4
+    created: 2024-08-21T10:26:13.043304-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3077.yaml b/data/reports/GO-2024-3077.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-3077
+modules:
+    - module: github.com/projectcapsule/capsule
+      unsupported_versions:
+        - last_affected: 0.7.0
+      vulnerable_at: 0.7.0
+summary: |-
+    Capsule tenant owner with "patch namespace" permission can hijack system
+    namespaces in github.com/projectcapsule/capsule
+cves:
+    - CVE-2024-39690
+ghsas:
+    - GHSA-mq69-4j5w-3qwp
+references:
+    - advisory: https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39690
+    - fix: https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584
+source:
+    id: GHSA-mq69-4j5w-3qwp
+    created: 2024-08-21T10:26:09.725236-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3078.yaml b/data/reports/GO-2024-3078.yaml
@@ -0,0 +1,19 @@
+id: GO-2024-3078
+modules:
+    - module: github.com/lf-edge/ekuiper
+      versions:
+        - fixed: 1.14.2
+      vulnerable_at: 1.14.1
+summary: LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper
+cves:
+    - CVE-2024-43406
+ghsas:
+    - GHSA-r5ph-4jxm-6j9p
+references:
+    - advisory: https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43406
+    - fix: https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503
+source:
+    id: GHSA-r5ph-4jxm-6j9p
+    created: 2024-08-21T10:26:05.798948-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3079.yaml b/data/reports/GO-2024-3079.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-3079
+modules:
+    - module: github.com/grafana/grafana
+      non_go_versions:
+        - introduced: 11.1.0
+        - fixed: 11.1.1
+        - introduced: 11.1.2
+        - fixed: 11.1.3
+      vulnerable_at: 5.4.5+incompatible
+summary: Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana
+cves:
+    - CVE-2024-6322
+ghsas:
+    - GHSA-hh8p-374f-qgr5
+references:
+    - advisory: https://github.com/advisories/GHSA-hh8p-374f-qgr5
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6322
+    - fix: https://github.com/grafana/grafana/commit/4cb3ba5d1a7ab8b9676034e89dada2fcde1766ef
+    - fix: https://github.com/grafana/grafana/commit/9cdba084a9100c6b11d32eef9d2bd53656c6964a
+    - web: https://grafana.com/security/security-advisories/cve-2024-6322
+source:
+    id: GHSA-hh8p-374f-qgr5
+    created: 2024-08-21T10:25:47.658165-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3080.yaml b/data/reports/GO-2024-3080.yaml
