data/reports: add 4 unreviewed reports

tatianab · gopherbot · commit ba3257785b44 · 2024-07-22T18:24:38.000Z
- data/reports/GO-2024-2993.yaml - data/reports/GO-2024-2994.yaml - data/reports/GO-2024-2996.yaml - data/reports/GO-2024-2997.yaml Fixes #2993 Fixes #2994 Fixes #2996 Fixes #2997 Change-Id: I4aec2240621abb4771d856a7fb29ee0a5fed7424 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599636 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-2993.json b/data/osv/GO-2024-2993.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2993",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-41111",
+    "GHSA-hc5w-gxxr-w8x8"
+  ],
+  "summary": "Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver",
+  "details": "Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/bishopfox/sliver",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.5.40"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-hc5w-gxxr-w8x8"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41111"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BishopFox/sliver/commit/0deaee625d14c6f05f63c86e5c3b7ae623a1138f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BishopFox/sliver/issues/65"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BishopFox/sliver/pull/1281"
+    },
+    {
+      "type": "WEB",
+      "url": "https://sliver.sh/docs?name=Multi-player+Mode"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2993",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2994.json b/data/osv/GO-2024-2994.json
@@ -0,0 +1,90 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2994",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-5321",
+    "GHSA-82m2-cv7p-4m75"
+  ],
+  "summary": "Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes",
+  "details": "Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes",
+  "affected": [
+    {
+      "package": {
+        "name": "k8s.io/kubernetes",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.27.16"
+            },
+            {
+              "introduced": "1.28.0"
+            },
+            {
+              "fixed": "1.28.12"
+            },
+            {
+              "introduced": "1.29.0"
+            },
+            {
+              "fixed": "1.29.7"
+            },
+            {
+              "introduced": "1.30.0"
+            },
+            {
+              "fixed": "1.30.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-82m2-cv7p-4m75"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5321"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/commit/23660a78ae462a6c8c75ac7ffd9af97550dda1aa"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/commit/84beb2915fa28ae477fe0676be8ba94ccd2b811a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/commit/90589b8f63d28bcd3db89749950ebc48ed07c190"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/commit/de2033033b1d202ecaaa79d41861a075df8b49c1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/issues/126161"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/kubernetes-security-announce/c/81c0BHkKNt0"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2994",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2996.json b/data/osv/GO-2024-2996.json
@@ -0,0 +1,89 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2996",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-21527"
+  ],
+  "summary": "CVE-2024-21527 in github.com/gotenberg/gotenberg",
+  "details": "CVE-2024-21527 in github.com/gotenberg/gotenberg",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/gotenberg/gotenberg/v7",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/gotenberg/gotenberg/v8",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21527"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/gotenberg/gotenberg/commit/ad152e62e5124b673099a9103eb6e7f933771794"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/filipochnik/bc88a3d1cc17c07cec391ee98e1e6356"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gotenberg/gotenberg/releases/tag/v8.1.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGGOTENBERG-7537081"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESCHROMIUM-7537082"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESWEBHOOK-7537083"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Filip Ochnik"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2996",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2997.json b/data/osv/GO-2024-2997.json
@@ -0,0 +1,81 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2997",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-21583"
+  ],
+  "summary": "CVE-2024-21583 in github.com/gitpod-io/gitpod",
+  "details": "CVE-2024-21583 in github.com/gitpod-io/gitpod",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/gitpod-io/gitpod",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21583"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/gitpod-io/gitpod/pull/19973"
+    },
+    {
+      "type": "WEB",
+      "url": "https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=[…]942e-c768d37e9e0c\u0026tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Elliot Ward (Snyk Security Research)"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2997",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/reports/GO-2024-2993.yaml b/data/reports/GO-2024-2993.yaml
@@ -0,0 +1,25 @@
+id: GO-2024-2993
+modules:
+    - module: github.com/bishopfox/sliver
+      versions:
+        - introduced: 1.5.40
+      unsupported_versions:
+        - last_affected: 1.6.0-dev
+      vulnerable_at: 1.5.42
+summary: Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver
+cves:
+    - CVE-2024-41111
+ghsas:
+    - GHSA-hc5w-gxxr-w8x8
+references:
+    - advisory: https://github.com/BishopFox/sliver/security/advisories/GHSA-hc5w-gxxr-w8x8
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41111
+    - web: https://github.com/BishopFox/sliver/commit/0deaee625d14c6f05f63c86e5c3b7ae623a1138f
+    - web: https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57
+    - web: https://github.com/BishopFox/sliver/issues/65
+    - web: https://github.com/BishopFox/sliver/pull/1281
+    - web: https://sliver.sh/docs?name=Multi-player+Mode
+source:
+    id: GHSA-hc5w-gxxr-w8x8
+    created: 2024-07-19T12:19:31.469236-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2994.yaml b/data/reports/GO-2024-2994.yaml
@@ -0,0 +1,30 @@
+id: GO-2024-2994
+modules:
+    - module: k8s.io/kubernetes
+      versions:
+        - fixed: 1.27.16
+        - introduced: 1.28.0
+        - fixed: 1.28.12
+        - introduced: 1.29.0
+        - fixed: 1.29.7
+        - introduced: 1.30.0
+        - fixed: 1.30.3
+      vulnerable_at: 1.30.2
+summary: Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes
+cves:
+    - CVE-2024-5321
+ghsas:
+    - GHSA-82m2-cv7p-4m75
+references:
+    - advisory: https://github.com/advisories/GHSA-82m2-cv7p-4m75
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-5321
+    - web: https://github.com/kubernetes/kubernetes/commit/23660a78ae462a6c8c75ac7ffd9af97550dda1aa
+    - web: https://github.com/kubernetes/kubernetes/commit/84beb2915fa28ae477fe0676be8ba94ccd2b811a
+    - web: https://github.com/kubernetes/kubernetes/commit/90589b8f63d28bcd3db89749950ebc48ed07c190
+    - web: https://github.com/kubernetes/kubernetes/commit/de2033033b1d202ecaaa79d41861a075df8b49c1
+    - web: https://github.com/kubernetes/kubernetes/issues/126161
+    - web: https://groups.google.com/g/kubernetes-security-announce/c/81c0BHkKNt0
+source:
+    id: GHSA-82m2-cv7p-4m75
+    created: 2024-07-19T12:19:24.247679-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2996.yaml b/data/reports/GO-2024-2996.yaml
diff --git a/data/reports/GO-2024-2997.yaml b/data/reports/GO-2024-2997.yaml
