data/reports: add 4 unreviewed reports

  - data/reports/GO-2024-2993.yaml
  - data/reports/GO-2024-2994.yaml
  - data/reports/GO-2024-2996.yaml
  - data/reports/GO-2024-2997.yaml

Fixes #2993
Fixes #2994
Fixes #2996
Fixes #2997

Change-Id: I4aec2240621abb4771d856a7fb29ee0a5fed7424
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599636
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>

Author: tatianab

data/osv/GO-2024-2993.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2993",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-41111",
+    "GHSA-hc5w-gxxr-w8x8"
+  ],
+  "summary": "Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver",
+  "details": "Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/bishopfox/sliver",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.5.40"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-hc5w-gxxr-w8x8"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41111"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BishopFox/sliver/commit/0deaee625d14c6f05f63c86e5c3b7ae623a1138f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BishopFox/sliver/issues/65"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BishopFox/sliver/pull/1281"
+    },
+    {
+      "type": "WEB",
+      "url": "https://sliver.sh/docs?name=Multi-player+Mode"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2993",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-2994.json

@@ -0,0 +1,90 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2994",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-5321",
+    "GHSA-82m2-cv7p-4m75"
+  ],
+  "summary": "Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes",
+  "details": "Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes",
+  "affected": [
+    {
+      "package": {
+        "name": "k8s.io/kubernetes",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.27.16"
+            },
+            {
+              "introduced": "1.28.0"
+            },
+            {
+              "fixed": "1.28.12"
+            },
+            {
+              "introduced": "1.29.0"
+            },
+            {
+              "fixed": "1.29.7"
+            },
+            {
+              "introduced": "1.30.0"
+            },
+            {
+              "fixed": "1.30.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-82m2-cv7p-4m75"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5321"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/commit/23660a78ae462a6c8c75ac7ffd9af97550dda1aa"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/commit/84beb2915fa28ae477fe0676be8ba94ccd2b811a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/commit/90589b8f63d28bcd3db89749950ebc48ed07c190"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/commit/de2033033b1d202ecaaa79d41861a075df8b49c1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/issues/126161"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/kubernetes-security-announce/c/81c0BHkKNt0"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2994",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-2996.json

@@ -0,0 +1,89 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2996",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-21527"
+  ],
+  "summary": "CVE-2024-21527 in github.com/gotenberg/gotenberg",
+  "details": "CVE-2024-21527 in github.com/gotenberg/gotenberg",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/gotenberg/gotenberg/v7",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/gotenberg/gotenberg/v8",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21527"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/gotenberg/gotenberg/commit/ad152e62e5124b673099a9103eb6e7f933771794"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/filipochnik/bc88a3d1cc17c07cec391ee98e1e6356"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gotenberg/gotenberg/releases/tag/v8.1.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGGOTENBERG-7537081"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESCHROMIUM-7537082"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESWEBHOOK-7537083"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Filip Ochnik"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2996",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-2997.json

@@ -0,0 +1,81 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2997",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-21583"
+  ],
+  "summary": "CVE-2024-21583 in github.com/gitpod-io/gitpod",
+  "details": "CVE-2024-21583 in github.com/gitpod-io/gitpod",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/gitpod-io/gitpod",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21583"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/gitpod-io/gitpod/pull/19973"
+    },
+    {
+      "type": "WEB",
+      "url": "https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=[…]942e-c768d37e9e0c\u0026tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Elliot Ward (Snyk Security Research)"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2997",
+    "review_status": "UNREVIEWED"
+  }
+}

data/reports/GO-2024-2993.yaml

@@ -0,0 +1,25 @@
+id: GO-2024-2993
+modules:
+    - module: github.com/bishopfox/sliver
+      versions:
+        - introduced: 1.5.40
+      unsupported_versions:
+        - last_affected: 1.6.0-dev
+      vulnerable_at: 1.5.42
+summary: Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver
+cves:
+    - CVE-2024-41111
+ghsas:
+    - GHSA-hc5w-gxxr-w8x8
+references:
+    - advisory: https://github.com/BishopFox/sliver/security/advisories/GHSA-hc5w-gxxr-w8x8
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41111
+    - web: https://github.com/BishopFox/sliver/commit/0deaee625d14c6f05f63c86e5c3b7ae623a1138f
+    - web: https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57
+    - web: https://github.com/BishopFox/sliver/issues/65
+    - web: https://github.com/BishopFox/sliver/pull/1281
+    - web: https://sliver.sh/docs?name=Multi-player+Mode
+source:
+    id: GHSA-hc5w-gxxr-w8x8
+    created: 2024-07-19T12:19:31.469236-04:00
+review_status: UNREVIEWED

data/reports/GO-2024-2994.yaml

@@ -0,0 +1,30 @@
+id: GO-2024-2994
+modules:
+    - module: k8s.io/kubernetes
+      versions:
+        - fixed: 1.27.16
+        - introduced: 1.28.0
+        - fixed: 1.28.12
+        - introduced: 1.29.0
+        - fixed: 1.29.7
+        - introduced: 1.30.0
+        - fixed: 1.30.3
+      vulnerable_at: 1.30.2
+summary: Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes
+cves:
+    - CVE-2024-5321
+ghsas:
+    - GHSA-82m2-cv7p-4m75
+references:
+    - advisory: https://github.com/advisories/GHSA-82m2-cv7p-4m75
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-5321
+    - web: https://github.com/kubernetes/kubernetes/commit/23660a78ae462a6c8c75ac7ffd9af97550dda1aa
+    - web: https://github.com/kubernetes/kubernetes/commit/84beb2915fa28ae477fe0676be8ba94ccd2b811a
+    - web: https://github.com/kubernetes/kubernetes/commit/90589b8f63d28bcd3db89749950ebc48ed07c190
+    - web: https://github.com/kubernetes/kubernetes/commit/de2033033b1d202ecaaa79d41861a075df8b49c1
+    - web: https://github.com/kubernetes/kubernetes/issues/126161
+    - web: https://groups.google.com/g/kubernetes-security-announce/c/81c0BHkKNt0
+source:
+    id: GHSA-82m2-cv7p-4m75
+    created: 2024-07-19T12:19:24.247679-04:00
+review_status: UNREVIEWED