diff --git a/data/osv/GO-2024-3203.json b/data/osv/GO-2024-3203.json
new file mode 100644
index 00000000..1073bb1a
--- /dev/null
+++ b/data/osv/GO-2024-3203.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3203",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-9486"
+ ],
+ "summary": "VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder",
+ "details": "VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/kubernetes-sigs/image-builder",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.1.38"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/kubernetes/kubernetes/issues/128006"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9486"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kubernetes-sigs/image-builder/pull/1595"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH."
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3203",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-3204.json b/data/osv/GO-2024-3204.json
new file mode 100644
index 00000000..424cd545
--- /dev/null
+++ b/data/osv/GO-2024-3204.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-3204",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-9594"
+ ],
+ "summary": "VM images built with Image Builder with some providers use default credentials during builds in github.com/kubernetes-sigs/image-builder",
+ "details": "VM images built with Image Builder with some providers use default credentials during builds in github.com/kubernetes-sigs/image-builder",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/kubernetes-sigs/image-builder",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.1.38"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/kubernetes/kubernetes/issues/128007"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9594"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/kubernetes-sigs/image-builder/pull/1596"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH."
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-3204",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-3203.yaml b/data/reports/GO-2024-3203.yaml
new file mode 100644
index 00000000..c2bce19f
--- /dev/null
+++ b/data/reports/GO-2024-3203.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-3203
+modules:
+ - module: github.com/kubernetes-sigs/image-builder
+ versions:
+ - fixed: 0.1.38
+ vulnerable_at: 0.1.37
+summary: |-
+ VM images built with Image Builder and Proxmox provider use default credentials
+ in github.com/kubernetes-sigs/image-builder
+cves:
+ - CVE-2024-9486
+credits:
+ - Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH.
+references:
+ - advisory: https://github.com/kubernetes/kubernetes/issues/128006
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9486
+ - fix: https://github.com/kubernetes-sigs/image-builder/pull/1595
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ
+notes:
+ - manually fixed versions (intent was clear but our tooling couldn't handle the specific case)
+source:
+ id: CVE-2024-9486
+ created: 2024-10-17T11:19:36.712539-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-3204.yaml b/data/reports/GO-2024-3204.yaml
new file mode 100644
index 00000000..fbc8ea9b
--- /dev/null
+++ b/data/reports/GO-2024-3204.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-3204
+modules:
+ - module: github.com/kubernetes-sigs/image-builder
+ versions:
+ - fixed: 0.1.38
+ vulnerable_at: 0.1.37
+summary: |-
+ VM images built with Image Builder with some providers use default credentials
+ during builds in github.com/kubernetes-sigs/image-builder
+cves:
+ - CVE-2024-9594
+credits:
+ - Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH.
+references:
+ - advisory: https://github.com/kubernetes/kubernetes/issues/128007
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9594
+ - fix: https://github.com/kubernetes-sigs/image-builder/pull/1596
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ
+notes:
+ - manually fixed versions (intent was clear but our tooling couldn't handle the specific case)
+source:
+ id: CVE-2024-9594
+ created: 2024-10-17T11:11:54.722865-04:00
+review_status: UNREVIEWED
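Review bot: Neither data/reports/GO-2024-3203.yaml nor data/reports/GO-2024-3204.yaml carries a `description`, so the OSV `details` field in both JSON records only repeats the summary. For GO-2024-3204 the summary says just "some providers", so a reader cannot tell from the record whether their build path is affected without following the references. Because the weakness sits in the VM images that were built, not in code that imports the module, `fixed: 0.1.38` presumably does not cover images already produced by earlier versions. A line such as `description: Images built with versions before 0.1.38 keep the default credentials; rebuild and redeploy them, and see the linked advisory for the affected providers.` would make that explicit in both reports. Its wording should be checked against the advisory when the reports move out of `UNREVIEWED`.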