Publish Advisories

GHSA-3h3x-2hwv-hr52 GHSA-fhqq-8f65-5xfc GHSA-mc76-5925-c5p6
github · Oct 1, 2024 · 18d113a · 18d113a
1 parent 1747e28
commit 18d113a
Show file tree

Hide file tree

Showing 3 changed files with 113 additions and 13 deletions.
diff --git a/...A-3h3x-2hwv-hr52/GHSA-3h3x-2hwv-hr52.json → ...A-3h3x-2hwv-hr52/GHSA-3h3x-2hwv-hr52.json b/...A-3h3x-2hwv-hr52/GHSA-3h3x-2hwv-hr52.json → ...A-3h3x-2hwv-hr52/GHSA-3h3x-2hwv-hr52.json
@@ -1,20 +1,43 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3h3x-2hwv-hr52",
-  "modified": "2024-10-01T21:31:34Z",
+  "modified": "2024-10-01T22:31:43Z",
   "published": "2024-10-01T21:31:34Z",
   "aliases": [
     "CVE-2024-9355"
   ],
+  "summary": "Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability",
   "details": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/golang-fips/openssl/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.0.3"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
@@ -28,15 +51,19 @@
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/golang-fips/openssl"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-457"
     ],
-    "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-10-01T22:31:42Z",
     "nvd_published_at": "2024-10-01T19:15:09Z"
   }
 }
diff --git a/...A-fhqq-8f65-5xfc/GHSA-fhqq-8f65-5xfc.json → ...A-fhqq-8f65-5xfc/GHSA-fhqq-8f65-5xfc.json b/...A-fhqq-8f65-5xfc/GHSA-fhqq-8f65-5xfc.json → ...A-fhqq-8f65-5xfc/GHSA-fhqq-8f65-5xfc.json
@@ -1,20 +1,62 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fhqq-8f65-5xfc",
-  "modified": "2024-10-01T21:31:35Z",
+  "modified": "2024-10-01T22:32:06Z",
   "published": "2024-10-01T21:31:35Z",
   "aliases": [
     "CVE-2024-9407"
   ],
+  "summary": "Improper Input Validation in Buildah and Podman",
   "details": "A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/containers/buildah"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.37.3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/containers/podman/v5"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "5.2.3"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
@@ -35,8 +77,8 @@
       "CWE-20"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-10-01T22:32:05Z",
     "nvd_published_at": "2024-10-01T21:15:08Z"
   }
 }
diff --git a/...A-mc76-5925-c5p6/GHSA-mc76-5925-c5p6.json → ...A-mc76-5925-c5p6/GHSA-mc76-5925-c5p6.json b/...A-mc76-5925-c5p6/GHSA-mc76-5925-c5p6.json → ...A-mc76-5925-c5p6/GHSA-mc76-5925-c5p6.json
@@ -1,26 +1,53 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mc76-5925-c5p6",
-  "modified": "2024-10-01T21:31:34Z",
+  "modified": "2024-10-01T22:31:14Z",
   "published": "2024-10-01T21:31:34Z",
   "aliases": [
     "CVE-2024-9341"
   ],
+  "summary": "Link Following in github.com/containers/common",
   "details": "A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/containers/common"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.60.4"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9341"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2024-9341"
@@ -29,6 +56,10 @@
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315691"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/containers/common"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L169"
@@ -43,8 +74,8 @@
       "CWE-59"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-10-01T22:31:13Z",
     "nvd_published_at": "2024-10-01T19:15:09Z"
   }
 }