data/reports: add 5 reports

  - data/reports/GO-2024-2920.yaml
  - data/reports/GO-2024-2921.yaml
  - data/reports/GO-2024-2930.yaml
  - data/reports/GO-2024-2936.yaml
  - data/reports/GO-2024-2943.yaml

Fixes #2920
Fixes #2921
Fixes #2930
Fixes #2936
Fixes #2943

Change-Id: I6de64b6c40310fbc70839bdffd8665a4c639d7b3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595957
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>

Author: tatianab

data/osv/GO-2024-2920.json

@@ -0,0 +1,101 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2920",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-49559",
+    "GHSA-2hmf-46v7-v6fx"
+  ],
+  "summary": "Denial of service vulnerability via the parseDirectives function in github.com/vektah/gqlparser",
+  "details": "An issue in vektah gqlparser open-source-library allows a remote attacker to cause a denial of service via a crafted script to the parseDirectives function.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/vektah/gqlparser",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/vektah/gqlparser/parser",
+            "symbols": [
+              "ParseQuery",
+              "ParseSchema",
+              "ParseSchemas",
+              "parser.parseDirectives"
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/vektah/gqlparser/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.5.14"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/vektah/gqlparser/v2/parser",
+            "symbols": [
+              "ParseQuery",
+              "ParseSchema",
+              "ParseSchemas",
+              "parser.parseDirectives"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-2hmf-46v7-v6fx"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/vektah/gqlparser/commit/36a3658873bf5a107f42488dfc392949cdd02977"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/uvzz/d3ed9d4532be16ec1040a2cf3dfec8d1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/99designs/gqlgen/issues/3118"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vektah/gqlparser/blob/master/parser/query.go#L316"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2920",
+    "review_status": "REVIEWED"
+  }
+}

data/osv/GO-2024-2921.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2921",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-5798",
+    "GHSA-32cj-5wx4-gq8p"
+  ],
+  "summary": "HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault",
+  "details": "HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/hashicorp/vault",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.11.0"
+            },
+            {
+              "fixed": "1.16.3"
+            },
+            {
+              "introduced": "1.17.0-rc1"
+            },
+            {
+              "fixed": "1.17.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-32cj-5wx4-gq8p"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5798"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2921",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-2930.json

@@ -0,0 +1,127 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2930",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-32191",
+    "GHSA-6gr4-52w6-vmqx"
+  ],
+  "summary": "RKE credentials are stored in the RKE1 Cluster state ConfigMap in github.com/rancher/rke",
+  "details": "When RKE provisions a cluster, it stores the cluster state in a configmap called \"full-cluster-state\" inside the \"kube-system\" namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include sensitive data.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/rancher/rke",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.4.18"
+            },
+            {
+              "fixed": "1.4.19"
+            },
+            {
+              "introduced": "1.5.9"
+            },
+            {
+              "fixed": "1.5.10"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/rancher/rke/k8s",
+            "symbols": [
+              "GetSecret",
+              "GetSecretsList",
+              "GetSystemSecret",
+              "UpdateSecret"
+            ]
+          },
+          {
+            "path": "github.com/rancher/rke/cluster",
+            "symbols": [
+              "Cluster.CheckClusterPorts",
+              "Cluster.CleanDeadLogs",
+              "Cluster.CleanupNodes",
+              "Cluster.ClusterRemove",
+              "Cluster.DeployControlPlane",
+              "Cluster.DeployRestoreCerts",
+              "Cluster.DeployStateFile",
+              "Cluster.DeployWorkerPlane",
+              "Cluster.DisableSecretsEncryption",
+              "Cluster.GetStateFileFromConfigMap",
+              "Cluster.PrePullK8sImages",
+              "Cluster.ReconcileDesiredStateEncryptionConfig",
+              "Cluster.RewriteSecrets",
+              "Cluster.RotateEncryptionKey",
+              "Cluster.RunSELinuxCheck",
+              "Cluster.SetUpHosts",
+              "Cluster.StoreAddonConfigMap",
+              "Cluster.SyncLabelsAndTaints",
+              "Cluster.TunnelHosts",
+              "Cluster.UpdateClusterCurrentState",
+              "Cluster.UpgradeControlPlane",
+              "Cluster.UpgradeWorkerPlane",
+              "ConfigureCluster",
+              "FullState.WriteStateFile",
+              "GetClusterCertsFromKubernetes",
+              "GetK8sVersion",
+              "GetStateFromKubernetes",
+              "ReadStateFile",
+              "RebuildKubeconfig",
+              "RebuildState",
+              "ReconcileCluster",
+              "ReconcileEncryptionProviderConfig",
+              "RestartClusterPods",
+              "SaveFullStateToKubernetes",
+              "buildFreshState"
+            ]
+          },
+          {
+            "path": "github.com/rancher/rke/cmd",
+            "symbols": [
+              "ClusterInit",
+              "ClusterRemove",
+              "ClusterUp",
+              "RestoreEtcdSnapshot",
+              "RestoreEtcdSnapshotFromCli",
+              "RetrieveClusterStateConfigMap",
+              "RotateEncryptionKey",
+              "SnapshotRemoveFromEtcdHosts",
+              "SnapshotSaveEtcdHosts",
+              "SnapshotSaveEtcdHostsFromCli",
+              "getStateFile",
+              "saveClusterState"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/rancher/rke/commit/cf49199481a1891909acb1384eed73a5c987d5bd"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/rancher/rke/commit/f7485b8dce376db0fc15a7c3ceb3de7029c8d0cf"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2930",
+    "review_status": "REVIEWED"
+  }
+}