data/reports: add 4 NEEDS_REVIEW reports
  - data/reports/GO-2024-3122.yaml
  - data/reports/GO-2024-3140.yaml
  - data/reports/GO-2024-3259.yaml
  - data/reports/GO-2024-3265.yaml

Updates #3122
Updates #3140
Updates #3259
Updates #3265

Change-Id: I3fb8a3af0ccd59ed8dd5d130889e10601c0a9472
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/626158
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
tatianab authored and gopherbot committed Nov 20, 2024
1 parent f8934e9 commit 841b6b3
Showing 8 changed files with 287 additions and 0 deletions.
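--- a/data/osv/GO-2024-3122.json
+++ b/data/osv/GO-2024-3122.json
@@ -0,0 +1,48 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3122",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-45039",
+"GHSA-q3hw-3gm4-w5cr"
+],
+"summary": "gnark's Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark",
+"details": "gnark's Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark",
+"affected": [
+{
+"package": {
+"name": "github.com/consensys/gnark",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "0.11.0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/Consensys/gnark/security/advisories/GHSA-q3hw-3gm4-w5cr"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45039"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3122",
+"review_status": "UNREVIEWED"
+}
+}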
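--- a/data/osv/GO-2024-3140.json
+++ b/data/osv/GO-2024-3140.json
@@ -0,0 +1,56 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3140",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-8986",
+"GHSA-xxxw-3j6h-q7h6"
+],
+"summary": "Grafana plugin SDK Information Leakage in github.com/grafana/grafana-plugin-sdk-go",
+"details": "Grafana plugin SDK Information Leakage in github.com/grafana/grafana-plugin-sdk-go",
+"affected": [
+{
+"package": {
+"name": "github.com/grafana/grafana-plugin-sdk-go",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "0.250.0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-xxxw-3j6h-q7h6"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8986"
+},
+{
+"type": "FIX",
+"url": "https://github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41"
+},
+{
+"type": "WEB",
+"url": "https://grafana.com/security/security-advisories/cve-2024-8986"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3140",
+"review_status": "UNREVIEWED"
+}
+}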
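--- a/data/osv/GO-2024-3259.json
+++ b/data/osv/GO-2024-3259.json
@@ -0,0 +1,51 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3259",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"GHSA-p7mv-53f2-4cwj"
+],
+"summary": "CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data in github.com/cometbft/cometbft",
+"details": "CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data in github.com/cometbft/cometbft",
+"affected": [
+{
+"package": {
+"name": "github.com/cometbft/cometbft",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0.38.0"
+},
+{
+"fixed": "0.38.15"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj"
+},
+{
+"type": "WEB",
+"url": "https://docs.cometbft.com/v0.38/spec/abci/abci++_basic_concepts"
+},
+{
+"type": "WEB",
+"url": "https://github.com/cometbft/cometbft/releases/tag/v0.38.15"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3259",
+"review_status": "UNREVIEWED"
+}
+}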
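--- a/data/osv/GO-2024-3265.json
+++ b/data/osv/GO-2024-3265.json
@@ -0,0 +1,56 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3265",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-52009",
+"GHSA-gppm-hq3p-h4rp"
+],
+"summary": "Git credentials are exposed in Atlantis logs in github.com/runatlantis/atlantis",
+"details": "Git credentials are exposed in Atlantis logs in github.com/runatlantis/atlantis",
+"affected": [
+{
+"package": {
+"name": "github.com/runatlantis/atlantis",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "0.30.0"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp"
+},
+{
+"type": "FIX",
+"url": "https://github.com/runatlantis/atlantis/pull/4667"
+},
+{
+"type": "REPORT",
+"url": "https://github.com/runatlantis/atlantis/issues/4060"
+},
+{
+"type": "WEB",
+"url": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3265",
+"review_status": "UNREVIEWED"
+}
+}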
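--- a/data/reports/GO-2024-3122.yaml
+++ b/data/reports/GO-2024-3122.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-3122
+modules:
+- module: github.com/consensys/gnark
+versions:
+- fixed: 0.11.0
+vulnerable_at: 0.10.0
+summary: gnark's Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark
+cves:
+- CVE-2024-45039
+ghsas:
+- GHSA-q3hw-3gm4-w5cr
+references:
+- advisory: https://github.com/Consensys/gnark/security/advisories/GHSA-q3hw-3gm4-w5cr
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45039
+source:
+id: GHSA-q3hw-3gm4-w5cr
+created: 2024-11-12T11:30:11.924411-05:00
+review_status: NEEDS_REVIEW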
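Review bot: The report carries no `description` and no `packages`/`symbols` entry under its module, so the generated OSV record repeats the summary verbatim as `details` and emits `"ecosystem_specific": {}` (visible in data/osv/GO-2024-3122.json), leaving consumers with only module-level version ranges and no symbol-level scoping. The same gap applies to data/reports/GO-2024-3140.yaml, GO-2024-3259.yaml and GO-2024-3265.yaml. This is acceptable for NEEDS_REVIEW, but the follow-up review should add a `description:` stating the impact from the linked advisory and, where a fix is linked (GO-2024-3140 and GO-2024-3265 reference a fix commit or PR), the affected packages derived from it, so that presumably govulncheck can narrow findings to call sites. Note also that the placeholder `0001-01-01T00:00:00Z` `modified`/`published` timestamps in the generated JSON are expected to be filled in at publication; if that is not the pipeline's behavior, they should be set here.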
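--- a/data/reports/GO-2024-3140.yaml
+++ b/data/reports/GO-2024-3140.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3140
+modules:
+- module: github.com/grafana/grafana-plugin-sdk-go
+versions:
+- fixed: 0.250.0
+vulnerable_at: 0.249.0
+summary: Grafana plugin SDK Information Leakage in github.com/grafana/grafana-plugin-sdk-go
+cves:
+- CVE-2024-8986
+ghsas:
+- GHSA-xxxw-3j6h-q7h6
+references:
+- advisory: https://github.com/advisories/GHSA-xxxw-3j6h-q7h6
+- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8986
+- fix: https://github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41
+- web: https://grafana.com/security/security-advisories/cve-2024-8986
+source:
+id: GHSA-xxxw-3j6h-q7h6
+created: 2024-11-12T11:30:05.469931-05:00
+review_status: NEEDS_REVIEW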
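--- a/data/reports/GO-2024-3259.yaml
+++ b/data/reports/GO-2024-3259.yaml
@@ -0,0 +1,18 @@
+id: GO-2024-3259
+modules:
+- module: github.com/cometbft/cometbft
+versions:
+- introduced: 0.38.0
+- fixed: 0.38.15
+vulnerable_at: 0.38.14
+summary: 'CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data in github.com/cometbft/cometbft'
+ghsas:
+- GHSA-p7mv-53f2-4cwj
+references:
+- advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj
+- web: https://docs.cometbft.com/v0.38/spec/abci/abci++_basic_concepts
+- web: https://github.com/cometbft/cometbft/releases/tag/v0.38.15
+source:
+id: GHSA-p7mv-53f2-4cwj
+created: 2024-11-12T11:29:13.234193-05:00
+review_status: NEEDS_REVIEW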
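--- a/data/reports/GO-2024-3265.yaml
+++ b/data/reports/GO-2024-3265.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-3265
+modules:
+- module: github.com/runatlantis/atlantis
+versions:
+- fixed: 0.30.0
+vulnerable_at: 0.29.0
+summary: Git credentials are exposed in Atlantis logs in github.com/runatlantis/atlantis
+cves:
+- CVE-2024-52009
+ghsas:
+- GHSA-gppm-hq3p-h4rp
+references:
+- advisory: https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp
+- fix: https://github.com/runatlantis/atlantis/pull/4667
+- report: https://github.com/runatlantis/atlantis/issues/4060
+- web: https://github.com/runatlantis/atlantis/releases/tag/v0.30.0
+source:
+id: GHSA-gppm-hq3p-h4rp
+created: 2024-11-12T11:29:08.000581-05:00
+review_status: NEEDS_REVIEW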
