diff --git a/data/osv/GO-2025-3376.json b/data/osv/GO-2025-3376.json new file mode 100644 index 00000000..1dea133d --- /dev/null +++ b/data/osv/GO-2025-3376.json @@ -0,0 +1,60 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2025-3376", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2025-22149", + "GHSA-675f-rq2r-jw82" + ], + "summary": "JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh in github.com/MicahParks/jwkset", + "details": "JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh in github.com/MicahParks/jwkset", + "affected": [ + { + "package": { + "name": "github.com/MicahParks/jwkset", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.5.0" + }, + { + "fixed": "0.6.0" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22149" + }, + { + "type": "FIX", + "url": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3" + }, + { + "type": "FIX", + "url": "https://github.com/MicahParks/jwkset/pull/41" + }, + { + "type": "REPORT", + "url": "https://github.com/MicahParks/jwkset/issues/40" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3376", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2025-3377.json b/data/osv/GO-2025-3377.json new file mode 100644 index 00000000..d3f1aec5 --- /dev/null +++ b/data/osv/GO-2025-3377.json @@ -0,0 +1,117 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2025-3377", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2025-22449", + "GHSA-q8fg-cp3q-5jwm" + ], + "summary": "Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server", + "details": "Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v9.11.16.", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "9.11.0+incompatible" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "9.11.16" + } + ] + } + ] + } + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "8.0.0-20250102081831-64c566a8280b" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-q8fg-cp3q-5jwm" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22449" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3377", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/osv/GO-2025-3380.json b/data/osv/GO-2025-3380.json new file mode 100644 index 00000000..4a7906ad --- /dev/null +++ b/data/osv/GO-2025-3380.json @@ -0,0 +1,117 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2025-3380", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2025-22445", + "GHSA-7rgp-4j56-fm79" + ], + "summary": "Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server", + "details": "Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .", + "affected": [ + { + "package": { + "name": "github.com/mattermost/mattermost-server", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.3.0+incompatible" + } + ] + } + ], + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + } + ] + } + ] + } + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost-server/v6", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/mattermost/mattermost/server/v8", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "8.0.0-20250102081831-64c566a8280b" + } + ] + } + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-7rgp-4j56-fm79" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22445" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3380", + "review_status": "UNREVIEWED" + } +} \ No newline at end of file diff --git a/data/reports/GO-2025-3376.yaml b/data/reports/GO-2025-3376.yaml new file mode 100644 index 00000000..43c328da --- /dev/null +++ b/data/reports/GO-2025-3376.yaml @@ -0,0 +1,24 @@ +id: GO-2025-3376 +modules: + - module: github.com/MicahParks/jwkset + versions: + - introduced: 0.5.0 + - fixed: 0.6.0 + vulnerable_at: 0.5.21 +summary: |- + JWK Set's HTTP client only overwrites and appends JWK to local cache during + refresh in github.com/MicahParks/jwkset +cves: + - CVE-2025-22149 +ghsas: + - GHSA-675f-rq2r-jw82 +references: + - advisory: https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-22149 + - fix: https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3 + - fix: https://github.com/MicahParks/jwkset/pull/41 + - report: https://github.com/MicahParks/jwkset/issues/40 +source: + id: GHSA-675f-rq2r-jw82 + created: 2025-01-09T14:17:18.394896-05:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2025-3377.yaml b/data/reports/GO-2025-3377.yaml new file mode 100644 index 00000000..91766bd9 --- /dev/null +++ b/data/reports/GO-2025-3377.yaml @@ -0,0 +1,30 @@ +id: GO-2025-3377 +modules: + - module: github.com/mattermost/mattermost-server + versions: + - introduced: 9.11.0+incompatible + non_go_versions: + - fixed: 9.11.16 + vulnerable_at: 10.4.1+incompatible + - module: github.com/mattermost/mattermost-server/v5 + vulnerable_at: 5.39.3 + - module: github.com/mattermost/mattermost-server/v6 + vulnerable_at: 6.7.2 + - module: github.com/mattermost/mattermost/server/v8 + versions: + - fixed: 8.0.0-20250102081831-64c566a8280b +summary: Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server +cves: + - CVE-2025-22449 +ghsas: + - GHSA-q8fg-cp3q-5jwm +references: + - advisory: https://github.com/advisories/GHSA-q8fg-cp3q-5jwm + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-22449 + - web: https://mattermost.com/security-updates +notes: + - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed' +source: + id: GHSA-q8fg-cp3q-5jwm + created: 2025-01-09T14:17:14.072367-05:00 +review_status: UNREVIEWED diff --git a/data/reports/GO-2025-3380.yaml b/data/reports/GO-2025-3380.yaml new file mode 100644 index 00000000..245641fc --- /dev/null +++ b/data/reports/GO-2025-3380.yaml @@ -0,0 +1,30 @@ +id: GO-2025-3380 +modules: + - module: github.com/mattermost/mattermost-server + versions: + - fixed: 10.3.0+incompatible + non_go_versions: + - introduced: 10.0.0 + vulnerable_at: 10.3.0-rc4+incompatible + - module: github.com/mattermost/mattermost-server/v5 + vulnerable_at: 5.39.3 + - module: github.com/mattermost/mattermost-server/v6 + vulnerable_at: 6.7.2 + - module: github.com/mattermost/mattermost/server/v8 + versions: + - fixed: 8.0.0-20250102081831-64c566a8280b +summary: Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server +cves: + - CVE-2025-22445 +ghsas: + - GHSA-7rgp-4j56-fm79 +references: + - advisory: https://github.com/advisories/GHSA-7rgp-4j56-fm79 + - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-22445 + - web: https://mattermost.com/security-updates +notes: + - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed' +source: + id: GHSA-7rgp-4j56-fm79 + created: 2025-01-09T14:16:30.962637-05:00 +review_status: UNREVIEWED