data/reports: add 5 reports

thatnealpatel · gopherbot · commit aa7c6ae284f3 · 2025-05-06T08:37:19.000-07:00
- data/reports/GO-2025-3656.yaml - data/reports/GO-2025-3661.yaml - data/reports/GO-2025-3662.yaml - data/reports/GO-2025-3663.yaml - data/reports/GO-2025-3665.yaml Fixes #3656 Fixes #3661 Fixes #3662 Fixes #3663 Fixes #3665 Change-Id: Iadf94f7511240c2675cc0582d6d8acdac8165e36 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/670315 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Neal Patel <nealpatel@google.com> Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/data/osv/GO-2025-3656.json b/data/osv/GO-2025-3656.json
@@ -0,0 +1,112 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3656",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-32777",
+    "GHSA-hg79-fw4p-25p8"
+  ],
+  "summary": "Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin in volcano.sh/volcano",
+  "details": "Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin in volcano.sh/volcano",
+  "affected": [
+    {
+      "package": {
+        "name": "volcano.sh/volcano",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.9.1"
+            },
+            {
+              "introduced": "1.10.0-alpha.0"
+            },
+            {
+              "fixed": "1.10.2"
+            },
+            {
+              "introduced": "1.11.0-network-topology-preview.0"
+            },
+            {
+              "fixed": "1.11.0-network-topology-preview.3"
+            },
+            {
+              "introduced": "1.11.0"
+            },
+            {
+              "fixed": "1.11.2"
+            },
+            {
+              "introduced": "1.12.0-alpha.0"
+            },
+            {
+              "fixed": "1.12.0-alpha.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32777"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/volcano-sh/volcano/commit/45a4347471a5254121d10afef04c6732095fa398"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/volcano-sh/volcano/commit/7103c18de19821cd278f949fa24c13da350a8c5d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/volcano-sh/volcano/commit/735842af59b9be0da5090677db7693c98a798b2a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/volcano-sh/volcano/commit/7c0ea53fa3cfa7a05b5fba7a8af7bfe88adc41c3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/volcano-sh/volcano/commit/d687f75a11fa36f37b54e4b6ff8e49bc0a3ca6b4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.10.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.9.1"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3656",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3661.json b/data/osv/GO-2025-3661.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3661",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-4210"
+  ],
+  "summary": "Casdoor SCIM User Creation Endpoint scim.go HandleScim authorization in github.com/casdoor/casdoor",
+  "details": "Casdoor SCIM User Creation Endpoint scim.go HandleScim authorization in github.com/casdoor/casdoor",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/casdoor/casdoor",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4210"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/casdoor/casdoor/commit/3d12ac8dc2282369296c3386815c00a06c6a92fe"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/casdoor/casdoor/releases/tag/v1.812.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.307180"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.307180"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.556201"
+    }
+  ],
+  "credits": [
+    {
+      "name": "krav (VulDB User)"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3661",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3662.json b/data/osv/GO-2025-3662.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3662",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-3879",
+    "GHSA-f9ch-h8j7-8jwg"
+  ],
+  "summary": "Hashicorp Vault Community vulnerable to Incorrect Authorization in github.com/hashicorp/vault",
+  "details": "Hashicorp Vault Community vulnerable to Incorrect Authorization in github.com/hashicorp/vault",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/hashicorp/vault",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.10.0"
+            },
+            {
+              "fixed": "1.19.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-f9ch-h8j7-8jwg"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3879"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3662",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3663.json b/data/osv/GO-2025-3663.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3663",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-4166",
+    "GHSA-gcqf-f89c-68hv"
+  ],
+  "summary": "Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information in github.com/hashicorp/vault",
+  "details": "Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information in github.com/hashicorp/vault",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/hashicorp/vault",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.3.0"
+            },
+            {
+              "fixed": "1.19.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-gcqf-f89c-68hv"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4166"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3663",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3665.json b/data/osv/GO-2025-3665.json
@@ -0,0 +1,47 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3665",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-pv22-fqcj-7xwh"
+  ],
+  "summary": "Inspektor Gadget Security Policies Can be Bypassed in github.com/inspektor-gadget/inspektor-gadget",
+  "details": "Inspektor Gadget Security Policies Can be Bypassed in github.com/inspektor-gadget/inspektor-gadget",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/inspektor-gadget/inspektor-gadget",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.31.0"
+            },
+            {
+              "fixed": "0.40.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-pv22-fqcj-7xwh"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/inspektor-gadget/inspektor-gadget/commit/c51d419964f5b6f9344fcad4faba70e2e025212b"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3665",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/reports/GO-2025-3656.yaml b/data/reports/GO-2025-3656.yaml
@@ -0,0 +1,38 @@
+id: GO-2025-3656
+modules:
+    - module: volcano.sh/volcano
+      versions:
+        - fixed: 1.9.1
+        - introduced: 1.10.0-alpha.0
+        - fixed: 1.10.2
+        - introduced: 1.11.0-network-topology-preview.0
+        - fixed: 1.11.0-network-topology-preview.3
+        - introduced: 1.11.0
+        - fixed: 1.11.2
+        - introduced: 1.12.0-alpha.0
+        - fixed: 1.12.0-alpha.2
+      vulnerable_at: 1.12.0-alpha.1
+summary: |-
+    Volcano Scheduler Denial of Service via Unbounded Response from Elastic
+    Service/extender Plugin in volcano.sh/volcano
+cves:
+    - CVE-2025-32777
+ghsas:
+    - GHSA-hg79-fw4p-25p8
+references:
+    - advisory: https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-32777
+    - web: https://github.com/volcano-sh/volcano/commit/45a4347471a5254121d10afef04c6732095fa398
+    - web: https://github.com/volcano-sh/volcano/commit/7103c18de19821cd278f949fa24c13da350a8c5d
+    - web: https://github.com/volcano-sh/volcano/commit/735842af59b9be0da5090677db7693c98a798b2a
+    - web: https://github.com/volcano-sh/volcano/commit/7c0ea53fa3cfa7a05b5fba7a8af7bfe88adc41c3
+    - web: https://github.com/volcano-sh/volcano/commit/d687f75a11fa36f37b54e4b6ff8e49bc0a3ca6b4
+    - web: https://github.com/volcano-sh/volcano/releases/tag/v1.10.2
+    - web: https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3
+    - web: https://github.com/volcano-sh/volcano/releases/tag/v1.11.2
+    - web: https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2
+    - web: https://github.com/volcano-sh/volcano/releases/tag/v1.9.1
+source:
+    id: GHSA-hg79-fw4p-25p8
+    created: 2025-05-05T12:55:57.305718-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3661.yaml b/data/reports/GO-2025-3661.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-3661
+modules:
+    - module: github.com/casdoor/casdoor
+      unsupported_versions:
+        - cve_version_range: affected at 1.811
+      vulnerable_at: 1.904.0
+summary: Casdoor SCIM User Creation Endpoint scim.go HandleScim authorization in github.com/casdoor/casdoor
+cves:
+    - CVE-2025-4210
+credits:
+    - krav (VulDB User)
+references:
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4210
+    - fix: https://github.com/casdoor/casdoor/commit/3d12ac8dc2282369296c3386815c00a06c6a92fe
+    - fix: https://github.com/casdoor/casdoor/releases/tag/v1.812.0
+    - web: https://vuldb.com/?ctiid.307180
+    - web: https://vuldb.com/?id.307180
+    - web: https://vuldb.com/?submit.556201
+source:
+    id: CVE-2025-4210
+    created: 2025-05-05T12:56:06.268616-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3662.yaml b/data/reports/GO-2025-3662.yaml
diff --git a/data/reports/GO-2025-3663.yaml b/data/reports/GO-2025-3663.yaml
diff --git a/data/reports/GO-2025-3665.yaml b/data/reports/GO-2025-3665.yaml
