data/reports: add 3 unreviewed reports

- data/reports/GO-2025-3456.yaml - data/reports/GO-2025-3457.yaml - data/reports/GO-2025-3458.yaml Fixes #3456 Fixes #3457 Fixes #3458 Change-Id: I27243df631acfadbef2c77f5c66d05c80e0417fd Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/647795 Auto-Submit: Tatiana Bradley <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Damien Neil <[email protected]>
golang · Feb 7, 2025 · 9e81317 · 9e81317
1 parent 702896b
commit 9e81317
Show file tree

Hide file tree

Showing 6 changed files with 259 additions and 0 deletions.
diff --git a/data/osv/GO-2025-3456.json b/data/osv/GO-2025-3456.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3456",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-24786",
+    "GHSA-9r4c-jwx3-3j76"
+  ],
+  "summary": "WhoDB has a path traversal opening Sqlite3 database in github.com/clidey/whodb/core",
+  "details": "WhoDB has a path traversal opening Sqlite3 database in github.com/clidey/whodb/core",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/clidey/whodb/core",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20250127172032-547336ac73c8"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/clidey/whodb/security/advisories/GHSA-9r4c-jwx3-3j76"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24786"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/clidey/whodb/blob/ba6eb81d0ca40baead74bca58b2567166999d6a6/core/src/plugins/sqlite3/db.go#L14-L20"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/clidey/whodb/blob/ba6eb81d0ca40baead74bca58b2567166999d6a6/core/src/plugins/sqlite3/db.go#L26"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/clidey/whodb/commit/547336ac73c8d17929c18c3941c0d5b0099753cc"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3456",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3457.json b/data/osv/GO-2025-3457.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3457",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-24787",
+    "GHSA-c7w4-9wv8-7x7c"
+  ],
+  "summary": "WhoDB allows parameter injection in DB connection URIs leading to local file inclusion in github.com/clidey/whodb/core",
+  "details": "WhoDB allows parameter injection in DB connection URIs leading to local file inclusion in github.com/clidey/whodb/core",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/clidey/whodb/core",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20250127202645-8d67b767e005"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/clidey/whodb/security/advisories/GHSA-c7w4-9wv8-7x7c"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24787"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/clidey/whodb/commit/8d67b767e00552e5eba2b1537179b74bfa662ee1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-sql-driver/mysql/blob/7403860363ca112af503b4612568c3096fecb466/infile.go#L128"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3457",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3458.json b/data/osv/GO-2025-3458.json
@@ -0,0 +1,76 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3458",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-24366",
+    "GHSA-vj7w-3m8c-6vpx"
+  ],
+  "summary": "SFTPGo has insufficient sanitization of user provided rsync command in github.com/drakkan/sftpgo",
+  "details": "SFTPGo has insufficient sanitization of user provided rsync command in github.com/drakkan/sftpgo.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/drakkan/sftpgo",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0.9.5"
+              }
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/drakkan/sftpgo/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.6.5"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-vj7w-3m8c-6vpx"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3458",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/reports/GO-2025-3456.yaml b/data/reports/GO-2025-3456.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-3456
+modules:
+    - module: github.com/clidey/whodb/core
+      versions:
+        - fixed: 0.0.0-20250127172032-547336ac73c8
+summary: WhoDB has a path traversal opening Sqlite3 database in github.com/clidey/whodb/core
+cves:
+    - CVE-2025-24786
+ghsas:
+    - GHSA-9r4c-jwx3-3j76
+references:
+    - advisory: https://github.com/clidey/whodb/security/advisories/GHSA-9r4c-jwx3-3j76
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-24786
+    - web: https://github.com/clidey/whodb/blob/ba6eb81d0ca40baead74bca58b2567166999d6a6/core/src/plugins/sqlite3/db.go#L14-L20
+    - web: https://github.com/clidey/whodb/blob/ba6eb81d0ca40baead74bca58b2567166999d6a6/core/src/plugins/sqlite3/db.go#L26
+    - web: https://github.com/clidey/whodb/commit/547336ac73c8d17929c18c3941c0d5b0099753cc
+notes:
+    - fix: 'github.com/clidey/whodb/core: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+    id: GHSA-9r4c-jwx3-3j76
+    created: 2025-02-07T16:10:07.101671-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3457.yaml b/data/reports/GO-2025-3457.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3457
+modules:
+    - module: github.com/clidey/whodb/core
+      versions:
+        - fixed: 0.0.0-20250127202645-8d67b767e005
+summary: |-
+    WhoDB allows parameter injection in DB connection URIs leading to local file
+    inclusion in github.com/clidey/whodb/core
+cves:
+    - CVE-2025-24787
+ghsas:
+    - GHSA-c7w4-9wv8-7x7c
+references:
+    - advisory: https://github.com/clidey/whodb/security/advisories/GHSA-c7w4-9wv8-7x7c
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-24787
+    - web: https://github.com/clidey/whodb/commit/8d67b767e00552e5eba2b1537179b74bfa662ee1
+    - web: https://github.com/go-sql-driver/mysql/blob/7403860363ca112af503b4612568c3096fecb466/infile.go#L128
+notes:
+    - fix: 'github.com/clidey/whodb/core: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+    id: GHSA-c7w4-9wv8-7x7c
+    created: 2025-02-07T16:10:01.801889-05:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3458.yaml b/data/reports/GO-2025-3458.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-3458
+modules:
+    - module: github.com/drakkan/sftpgo
+      non_go_versions:
+        - introduced: 0.9.5
+      vulnerable_at: 1.2.2
+    - module: github.com/drakkan/sftpgo/v2
+      versions:
+        - fixed: 2.6.5
+      vulnerable_at: 2.6.4
+summary: SFTPGo has insufficient sanitization of user provided rsync command in github.com/drakkan/sftpgo
+cves:
+    - CVE-2025-24366
+ghsas:
+    - GHSA-vj7w-3m8c-6vpx
+references:
+    - advisory: https://github.com/drakkan/sftpgo/security/advisories/GHSA-vj7w-3m8c-6vpx
+    - fix: https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1
+source:
+    id: GHSA-vj7w-3m8c-6vpx
+    created: 2025-02-07T16:09:57.042068-05:00
+review_status: UNREVIEWED