data/reports: add 2 unreviewed reports

- data/reports/GO-2024-3203.yaml - data/reports/GO-2024-3204.yaml Fixes #3203 Fixes #3204 Change-Id: I20b2c208153bb39063bb917e6fb98cd225910324 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/620895 Reviewed-by: Maceo Thompson <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Tatiana Bradley <[email protected]>
golang · Oct 17, 2024 · f0a1e14 · f0a1e14
1 parent f65924f
commit f0a1e14
Show file tree

Hide file tree

Showing 4 changed files with 168 additions and 0 deletions.
diff --git a/data/osv/GO-2024-3203.json b/data/osv/GO-2024-3203.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3203",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-9486"
+  ],
+  "summary": "VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder",
+  "details": "VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/kubernetes-sigs/image-builder",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.1.38"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/kubernetes/kubernetes/issues/128006"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9486"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/kubernetes-sigs/image-builder/pull/1595"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH."
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3203",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-3204.json b/data/osv/GO-2024-3204.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3204",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-9594"
+  ],
+  "summary": "VM images built with Image Builder with some providers use default credentials during builds in github.com/kubernetes-sigs/image-builder",
+  "details": "VM images built with Image Builder with some providers use default credentials during builds in github.com/kubernetes-sigs/image-builder",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/kubernetes-sigs/image-builder",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.1.38"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/kubernetes/kubernetes/issues/128007"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9594"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/kubernetes-sigs/image-builder/pull/1596"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH."
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3204",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/reports/GO-2024-3203.yaml b/data/reports/GO-2024-3203.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-3203
+modules:
+    - module: github.com/kubernetes-sigs/image-builder
+      versions:
+        - fixed: 0.1.38
+      vulnerable_at: 0.1.37
+summary: |-
+    VM images built with Image Builder and Proxmox provider use default credentials
+    in github.com/kubernetes-sigs/image-builder
+cves:
+    - CVE-2024-9486
+credits:
+    - Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH.
+references:
+    - advisory: https://github.com/kubernetes/kubernetes/issues/128006
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9486
+    - fix: https://github.com/kubernetes-sigs/image-builder/pull/1595
+    - web: https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ
+notes:
+    - manually fixed versions (intent was clear but our tooling couldn't handle the specific case)
+source:
+    id: CVE-2024-9486
+    created: 2024-10-17T11:19:36.712539-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3204.yaml b/data/reports/GO-2024-3204.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-3204
+modules:
+    - module: github.com/kubernetes-sigs/image-builder
+      versions:
+        - fixed: 0.1.38
+      vulnerable_at: 0.1.37
+summary: |-
+    VM images built with Image Builder with some providers use default credentials
+    during builds in github.com/kubernetes-sigs/image-builder
+cves:
+    - CVE-2024-9594
+credits:
+    - Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH.
+references:
+    - advisory: https://github.com/kubernetes/kubernetes/issues/128007
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9594
+    - fix: https://github.com/kubernetes-sigs/image-builder/pull/1596
+    - web: https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ
+notes:
+    - manually fixed versions (intent was clear but our tooling couldn't handle the specific case)
+source:
+    id: CVE-2024-9594
+    created: 2024-10-17T11:11:54.722865-04:00
+review_status: UNREVIEWED