data/reports: add 3 reports

  - data/reports/GO-2025-3586.yaml
  - data/reports/GO-2025-3587.yaml
  - data/reports/GO-2025-3588.yaml

Fixes #3586
Fixes #3587
Fixes #3588

Change-Id: I5f592926a0a83767eae8114ae44644856dab5780
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/662295
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
Auto-Submit: Neal Patel <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: thatnealpatel

data/osv/GO-2025-3586.json

@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3586",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-23391",
+    "GHSA-8p83-cpfg-fj3g"
+  ],
+  "summary": "Rancher: Restricted Administrator can change Administrator's passwords in github.com/rancher/rancher",
+  "details": "Rancher: Restricted Administrator can change Administrator's passwords in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/rancher from v2.8.0 before v2.8.14, from v2.9.0 before v2.9.8, from v2.10.0 before v2.10.4.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/rancher/rancher",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "2.8.0"
+              },
+              {
+                "fixed": "2.8.14"
+              },
+              {
+                "introduced": "2.9.0"
+              },
+              {
+                "fixed": "2.9.8"
+              },
+              {
+                "introduced": "2.10.0"
+              },
+              {
+                "fixed": "2.10.4"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-8p83-cpfg-fj3g"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3586",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3587.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3587",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-29868",
+    "GHSA-wqcc-mfhw-53pc"
+  ],
+  "summary": "Apache Answer User Using External Images Potentially Discloses User Information in github.com/apache/answer",
+  "details": "Apache Answer User Using External Images Potentially Discloses User Information in github.com/apache/answer",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/apache/answer",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.4.5"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-wqcc-mfhw-53pc"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29868"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://github.com/apache/answer/issues/1250"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/l7pohw5g03g3qsvrz8pqc9t29mdv5lhf"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3587",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3588.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3588",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-31135",
+    "GHSA-c2c3-pqw5-5p7c"
+  ],
+  "summary": "Go-Guerrilla SMTP Daemon allows the PROXY command to be sent multiple times in github.com/phires/go-guerrilla",
+  "details": "Go-Guerrilla SMTP Daemon allows the PROXY command to be sent multiple times in github.com/phires/go-guerrilla",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/phires/go-guerrilla",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.6.7"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/phires/go-guerrilla/security/advisories/GHSA-c2c3-pqw5-5p7c"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31135"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/phires/go-guerrilla/commit/7673947f2d5204a135d7ae0b7f80759e548abee6"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3588",
+    "review_status": "UNREVIEWED"
+  }
+}

data/reports/GO-2025-3586.yaml

@@ -0,0 +1,22 @@
+id: GO-2025-3586
+modules:
+    - module: github.com/rancher/rancher
+      non_go_versions:
+        - introduced: 2.8.0
+        - fixed: 2.8.14
+        - introduced: 2.9.0
+        - fixed: 2.9.8
+        - introduced: 2.10.0
+        - fixed: 2.10.4
+      vulnerable_at: 1.6.30
+summary: 'Rancher: Restricted Administrator can change Administrator''s passwords in github.com/rancher/rancher'
+cves:
+    - CVE-2025-23391
+ghsas:
+    - GHSA-8p83-cpfg-fj3g
+references:
+    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-8p83-cpfg-fj3g
+source:
+    id: GHSA-8p83-cpfg-fj3g
+    created: 2025-04-02T11:31:10.729499-04:00
+review_status: UNREVIEWED

data/reports/GO-2025-3587.yaml

@@ -0,0 +1,20 @@
+id: GO-2025-3587
+modules:
+    - module: github.com/apache/answer
+      versions:
+        - fixed: 1.4.5
+      vulnerable_at: 1.4.5-RC1
+summary: Apache Answer User Using External Images Potentially Discloses User Information in github.com/apache/answer
+cves:
+    - CVE-2025-29868
+ghsas:
+    - GHSA-wqcc-mfhw-53pc
+references:
+    - advisory: https://github.com/advisories/GHSA-wqcc-mfhw-53pc
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-29868
+    - report: https://github.com/apache/answer/issues/1250
+    - web: https://lists.apache.org/thread/l7pohw5g03g3qsvrz8pqc9t29mdv5lhf
+source:
+    id: GHSA-wqcc-mfhw-53pc
+    created: 2025-04-02T11:31:04.960681-04:00
+review_status: UNREVIEWED

data/reports/GO-2025-3588.yaml

@@ -0,0 +1,19 @@
+id: GO-2025-3588
+modules:
+    - module: github.com/phires/go-guerrilla
+      versions:
+        - fixed: 1.6.7
+      vulnerable_at: 1.6.6
+summary: Go-Guerrilla SMTP Daemon allows the PROXY command to be sent multiple times in github.com/phires/go-guerrilla
+cves:
+    - CVE-2025-31135
+ghsas:
+    - GHSA-c2c3-pqw5-5p7c
+references:
+    - advisory: https://github.com/phires/go-guerrilla/security/advisories/GHSA-c2c3-pqw5-5p7c
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-31135
+    - fix: https://github.com/phires/go-guerrilla/commit/7673947f2d5204a135d7ae0b7f80759e548abee6
+source:
+    id: GHSA-c2c3-pqw5-5p7c
+    created: 2025-04-02T11:30:59.679338-04:00
+review_status: UNREVIEWED