data/reports: add 15 reports

  - data/reports/GO-2024-3161.yaml
  - data/reports/GO-2024-3162.yaml
  - data/reports/GO-2024-3163.yaml
  - data/reports/GO-2024-3166.yaml
  - data/reports/GO-2024-3167.yaml
  - data/reports/GO-2024-3168.yaml
  - data/reports/GO-2024-3169.yaml
  - data/reports/GO-2024-3170.yaml
  - data/reports/GO-2024-3172.yaml
  - data/reports/GO-2024-3173.yaml
  - data/reports/GO-2024-3174.yaml
  - data/reports/GO-2024-3175.yaml
  - data/reports/GO-2024-3179.yaml
  - data/reports/GO-2024-3181.yaml
  - data/reports/GO-2024-3182.yaml

Fixes #3161
Fixes #3162
Fixes #3163
Fixes #3166
Fixes #3167
Fixes #3168
Fixes #3169
Fixes #3170
Fixes #3172
Fixes #3173
Fixes #3174
Fixes #3175
Fixes #3179
Fixes #3181
Fixes #3182

Change-Id: I6f47e813357034a674970920b6f0de6f4abac032
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/619135
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Auto-Submit: Maceo Thompson <[email protected]>

Author: Maceo Thompson

data/osv/GO-2024-3161.json

@@ -0,0 +1,75 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3161",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-22030",
+    "GHSA-h4h5-9833-v2p4"
+  ],
+  "summary": "Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher",
+  "details": "Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.15, from v2.8.0 before v2.8.8, from v2.9.0 before v2.9.2.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/rancher/rancher",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "2.7.0"
+              },
+              {
+                "fixed": "2.7.15"
+              },
+              {
+                "introduced": "2.8.0"
+              },
+              {
+                "fixed": "2.8.8"
+              },
+              {
+                "introduced": "2.9.0"
+              },
+              {
+                "fixed": "2.9.2"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-h4h5-9833-v2p4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify"
+    },
+    {
+      "type": "WEB",
+      "url": "https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3161",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3162.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3162",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-7594",
+    "GHSA-jg74-mwgw-v6x3"
+  ],
+  "summary": "Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault",
+  "details": "Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/hashicorp/vault",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.7.7"
+            },
+            {
+              "fixed": "1.17.6"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-jg74-mwgw-v6x3"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7594"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3162",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3163.json

@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3163",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-47182"
+  ],
+  "summary": "Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle",
+  "details": "Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/amir20/dozzle before v8.5.3.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/amir20/dozzle",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "8.5.3"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47182"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/amir20/dozzle/commit/de79f03aa3dbe5bb1e154a7e8d3dccbd229f3ea3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/amir20/dozzle/security/advisories/GHSA-w7qr-q9fh-fj35"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3163",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3166.json

@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3166",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-47534",
+    "GHSA-4f8r-qqr9-fq8j"
+  ],
+  "summary": "Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf",
+  "details": "Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/theupdateframework/go-tuf",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/theupdateframework/go-tuf/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47534"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/theupdateframework/go-tuf/commit/f36420caba9edbfdfd64f95a9554c0836d9cf819"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go#L565-L580"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/theupdateframework/tuf-conformance/pull/115"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3166",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3167.json

@@ -0,0 +1,78 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3167",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-9355",
+    "GHSA-3h3x-2hwv-hr52"
+  ],
+  "summary": "Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl",
+  "details": "Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/golang-fips/openssl",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/golang-fips/openssl/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-3h3x-2hwv-hr52"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2024:7502"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2024:7550"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2024-9355"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3167",
+    "review_status": "UNREVIEWED"
+  }
+}