data/reports: add 5 reports

thatnealpatel · gopherbot · commit 0d2bb182eae0 · 2025-05-23T08:18:56.000-07:00
- data/reports/GO-2025-3699.yaml - data/reports/GO-2025-3700.yaml - data/reports/GO-2025-3701.yaml - data/reports/GO-2025-3702.yaml - data/reports/GO-2025-3703.yaml Fixes #3699 Fixes #3700 Fixes #3701 Fixes #3702 Fixes #3703 Change-Id: Id128994ca9efa96807f9501412a4b5fe15010690 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/675635 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Commit-Queue: Neal Patel <nealpatel@google.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Neal Patel <nealpatel@google.com>
diff --git a/data/osv/GO-2025-3699.json b/data/osv/GO-2025-3699.json
@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3699",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-47290",
+    "GHSA-cm76-qm8v-3j95"
+  ],
+  "summary": "containerd allows host filesystem access on pull in github.com/containerd/containerd",
+  "details": "containerd allows host filesystem access on pull in github.com/containerd/containerd",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/containerd/containerd",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/containerd/containerd/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "2.1.0"
+            },
+            {
+              "fixed": "2.1.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47290"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80e49673cc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/containerd/containerd/releases/tag/v2.1.1"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3699",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3700.json b/data/osv/GO-2025-3700.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3700",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-48056",
+    "GHSA-274q-79q9-52j7"
+  ],
+  "summary": "Character injection in Hubble CLI in github.com/cilium/hubble",
+  "details": "Character injection in Hubble CLI in github.com/cilium/hubble",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cilium/hubble",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.17.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cilium/hubble/security/advisories/GHSA-274q-79q9-52j7"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48056"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cilium/cilium/pull/37401"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3700",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3701.json b/data/osv/GO-2025-3701.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3701",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-47291",
+    "GHSA-cxfp-7pvr-95ff"
+  ],
+  "summary": "containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods. in github.com/containerd/containerd",
+  "details": "containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods. in github.com/containerd/containerd",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/containerd/containerd",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/containerd/containerd/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "2.0.1"
+            },
+            {
+              "fixed": "2.0.5"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47291"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3701",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3702.json b/data/osv/GO-2025-3702.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3702",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-48069",
+    "GHSA-2c47-m757-32g6"
+  ],
+  "summary": "Insufficient input sanitization in ejson2env in github.com/Shopify/ejson2env",
+  "details": "Insufficient input sanitization in ejson2env in github.com/Shopify/ejson2env",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/Shopify/ejson2env",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/Shopify/ejson2env/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.8"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48069"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/Shopify/ejson2env/commit/592b3ceea967fee8b064e70983e8cec087b6d840"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3702",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3703.json b/data/osv/GO-2025-3703.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3703",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-5031",
+    "GHSA-pqqp-7cp8-vxvf"
+  ],
+  "summary": "Ackites KillWxapkg Zip Bomb Resource Exhaustion in github.com/Ackites/KillWxapkg",
+  "details": "Ackites KillWxapkg Zip Bomb Resource Exhaustion in github.com/Ackites/KillWxapkg",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/Ackites/KillWxapkg",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-pqqp-7cp8-vxvf"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5031"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://github.com/Ackites/KillWxapkg/issues/86"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.309851"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.309851"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.580524"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3703",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/reports/GO-2025-3699.yaml b/data/reports/GO-2025-3699.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3699
+modules:
+    - module: github.com/containerd/containerd
+      vulnerable_at: 1.7.27
+    - module: github.com/containerd/containerd/v2
+      versions:
+        - introduced: 2.1.0
+        - fixed: 2.1.1
+      vulnerable_at: 2.1.0
+summary: containerd allows host filesystem access on pull in github.com/containerd/containerd
+cves:
+    - CVE-2025-47290
+ghsas:
+    - GHSA-cm76-qm8v-3j95
+references:
+    - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-47290
+    - fix: https://github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80e49673cc
+    - web: https://github.com/containerd/containerd/releases/tag/v2.1.1
+source:
+    id: GHSA-cm76-qm8v-3j95
+    created: 2025-05-22T12:45:54.914854-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3700.yaml b/data/reports/GO-2025-3700.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-3700
+modules:
+    - module: github.com/cilium/hubble
+      versions:
+        - fixed: 1.17.2
+      vulnerable_at: 1.17.1
+summary: Character injection in Hubble CLI in github.com/cilium/hubble
+cves:
+    - CVE-2025-48056
+ghsas:
+    - GHSA-274q-79q9-52j7
+references:
+    - advisory: https://github.com/cilium/hubble/security/advisories/GHSA-274q-79q9-52j7
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-48056
+    - web: https://github.com/cilium/cilium/pull/37401
+source:
+    id: GHSA-274q-79q9-52j7
+    created: 2025-05-22T12:45:49.667737-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3701.yaml b/data/reports/GO-2025-3701.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3701
+modules:
+    - module: github.com/containerd/containerd
+      vulnerable_at: 1.7.27
+    - module: github.com/containerd/containerd/v2
+      versions:
+        - introduced: 2.0.1
+        - fixed: 2.0.5
+      vulnerable_at: 2.0.4
+summary: |-
+    containerd CRI plugin: Incorrect cgroup hierarchy assignment for containers
+    running in usernamespaced Kubernetes pods. in github.com/containerd/containerd
+cves:
+    - CVE-2025-47291
+ghsas:
+    - GHSA-cxfp-7pvr-95ff
+references:
+    - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-47291
+source:
+    id: GHSA-cxfp-7pvr-95ff
+    created: 2025-05-22T12:45:45.287959-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3702.yaml b/data/reports/GO-2025-3702.yaml
diff --git a/data/reports/GO-2025-3703.yaml b/data/reports/GO-2025-3703.yaml
