data/reports: add 3 reports

  - data/reports/GO-2025-3462.yaml
  - data/reports/GO-2025-3476.yaml
  - data/reports/GO-2025-3485.yaml

Updates #3462
Updates #3476
Updates #3485

Change-Id: Icdf8b3080cf005af8d731df3180d72dba473ad18
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/652896
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Neal Patel <[email protected]>

Author: thatnealpatel

data/osv/GO-2025-3462.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3462",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-1243",
+    "GHSA-q9w6-cwj4-gf4p"
+  ],
+  "summary": "Unencrypted transmission in Temporal api-go library in go.temporal.io/api",
+  "details": "Unencrypted transmission in Temporal api-go library in go.temporal.io/api",
+  "affected": [
+    {
+      "package": {
+        "name": "go.temporal.io/api",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.44.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "go.temporal.io/api/proxy",
+            "symbols": [
+              "NewPayloadVisitorInterceptor"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-q9w6-cwj4-gf4p"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/temporalio/api-go/commit/dad8b169ada911d3778e070484d1ae78a58bd22b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/temporalio/api-go/releases/tag/v1.44.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://temporal.io/blog/announcing-a-new-operation-workflow-update"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3462",
+    "review_status": "REVIEWED"
+  }
+}

data/osv/GO-2025-3476.json

@@ -0,0 +1,83 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3476",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-x5vx-95h7-rv4p"
+  ],
+  "summary": "Cosmos SDK: Groups module can halt chain when handling a malicious proposal in github.com/cosmos/cosmos-sdk",
+  "details": "Cosmos SDK: Groups module can halt chain when handling a malicious proposal in github.com/cosmos/cosmos-sdk",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cosmos/cosmos-sdk",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.47.16-ics-lsm"
+            },
+            {
+              "introduced": "0.50.0-alpha.0"
+            },
+            {
+              "fixed": "0.50.12"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cosmos/cosmos-sdk/x/group",
+            "symbols": [
+              "PercentageDecisionPolicy.Allow"
+            ]
+          },
+          {
+            "path": "github.com/cosmos/cosmos-sdk/x/group/keeper",
+            "symbols": [
+              "Keeper.UpdateGroupMembers"
+            ]
+          },
+          {
+            "path": "github.com/cosmos/cosmos-sdk/x/group/simulation",
+            "symbols": [
+              "SimulateMsgUpdateGroupMembers",
+              "WeightedOperations"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cosmos/cosmos-sdk/commit/0a98b65b24900a0e608866c78f172cf8e4140aea"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3476",
+    "review_status": "REVIEWED"
+  }
+}

data/osv/GO-2025-3485.json

@@ -0,0 +1,138 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3485",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-27144",
+    "GHSA-c6gw-w398-hv78"
+  ],
+  "summary": "DoS in go-jose Parsing in github.com/go-jose/go-jose",
+  "details": "DoS in go-jose Parsing in github.com/go-jose/go-jose",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/go-jose/go-jose",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/go-jose/go-jose/v3",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.0.4"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/go-jose/go-jose/v3",
+            "symbols": [
+              "ParseDetached",
+              "ParseEncrypted",
+              "ParseSigned",
+              "rawJSONWebEncryption.sanitized",
+              "rawJSONWebSignature.sanitized"
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/go-jose/go-jose/v4",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.5"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/go-jose/go-jose/v4",
+            "symbols": [
+              "ParseEncrypted",
+              "ParseEncryptedCompact",
+              "ParseSignedCompact"
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/square/go-jose",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/issue/71490"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/issue/71490"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3485",
+    "review_status": "REVIEWED"
+  }
+}

data/reports/GO-2025-3462.yaml

@@ -0,0 +1,24 @@
+id: GO-2025-3462
+modules:
+    - module: go.temporal.io/api
+      versions:
+        - fixed: 1.44.1
+      vulnerable_at: 1.44.0
+      packages:
+        - package: go.temporal.io/api/proxy
+          symbols:
+            - NewPayloadVisitorInterceptor
+summary: Unencrypted transmission in Temporal api-go library in go.temporal.io/api
+cves:
+    - CVE-2025-1243
+ghsas:
+    - GHSA-q9w6-cwj4-gf4p
+references:
+    - advisory: https://github.com/advisories/GHSA-q9w6-cwj4-gf4p
+    - web: https://github.com/temporalio/api-go/commit/dad8b169ada911d3778e070484d1ae78a58bd22b
+    - web: https://github.com/temporalio/api-go/releases/tag/v1.44.1
+    - web: https://temporal.io/blog/announcing-a-new-operation-workflow-update
+source:
+    id: GHSA-q9w6-cwj4-gf4p
+    created: 2025-02-26T12:35:57.774107-05:00
+review_status: REVIEWED

data/reports/GO-2025-3476.yaml

@@ -0,0 +1,32 @@
+id: GO-2025-3476
+modules:
+    - module: github.com/cosmos/cosmos-sdk
+      versions:
+        - fixed: 0.47.16-ics-lsm
+        - introduced: 0.50.0-alpha.0
+        - fixed: 0.50.12
+      vulnerable_at: 0.50.11
+      packages:
+        - package: github.com/cosmos/cosmos-sdk/x/group
+          symbols:
+            - PercentageDecisionPolicy.Allow
+        - package: github.com/cosmos/cosmos-sdk/x/group/keeper
+          symbols:
+            - Keeper.UpdateGroupMembers
+        - package: github.com/cosmos/cosmos-sdk/x/group/simulation
+          symbols:
+            - SimulateMsgUpdateGroupMembers
+          derived_symbols:
+            - WeightedOperations
+summary: 'Cosmos SDK: Groups module can halt chain when handling a malicious proposal in github.com/cosmos/cosmos-sdk'
+ghsas:
+    - GHSA-x5vx-95h7-rv4p
+references:
+    - advisory: https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p
+    - fix: https://github.com/cosmos/cosmos-sdk/commit/0a98b65b24900a0e608866c78f172cf8e4140aea
+    - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16
+    - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12
+source:
+    id: GHSA-x5vx-95h7-rv4p
+    created: 2025-02-26T12:35:33.327096-05:00
+review_status: REVIEWED

data/reports/GO-2025-3485.yaml

@@ -0,0 +1,47 @@
+id: GO-2025-3485
+modules:
+    - module: github.com/go-jose/go-jose
+      vulnerable_at: 2.6.3+incompatible
+    - module: github.com/go-jose/go-jose/v3
+      versions:
+        - fixed: 3.0.4
+      vulnerable_at: 3.0.3
+      packages:
+        - package: github.com/go-jose/go-jose/v3
+          symbols:
+            - rawJSONWebEncryption.sanitized
+            - rawJSONWebSignature.sanitized
+          derived_symbols:
+            - ParseDetached
+            - ParseEncrypted
+            - ParseSigned
+    - module: github.com/go-jose/go-jose/v4
+      versions:
+        - fixed: 4.0.5
+      vulnerable_at: 4.0.4
+      packages:
+        - package: github.com/go-jose/go-jose/v4
+          symbols:
+            - ParseEncryptedCompact
+            - ParseSignedCompact
+          derived_symbols:
+            - ParseEncrypted
+    - module: github.com/square/go-jose
+      vulnerable_at: 2.6.0+incompatible
+summary: DoS in go-jose Parsing in github.com/go-jose/go-jose
+cves:
+    - CVE-2025-27144
+ghsas:
+    - GHSA-c6gw-w398-hv78
+references:
+    - advisory: https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78
+    - fix: https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22
+    - web: https://github.com/go-jose/go-jose/releases/tag/v4.0.5
+    - web: https://go.dev/issue/71490
+    - web: https://go.dev/issue/71490
+notes:
+    - go-jose/go-jose and square/go-jose are archived, end-of-life, and vulnerable with no fixes.
+source:
+    id: GHSA-c6gw-w398-hv78
+    created: 2025-02-26T12:35:14.227896-05:00
+review_status: REVIEWED