data/reports: review GO-2024-3286

tatianab · gopherbot · commit 06de13857780 · 2024-12-13T11:06:25.000-08:00
- data/reports/GO-2024-3286.yaml Fixes #3286 Updates #3301 Change-Id: I9530c44251daaa221d883403800779477cd929de Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635759 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-3286.json b/data/osv/GO-2024-3286.json
@@ -40,18 +40,23 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "k8s.io/kubernetes/pkg/volume/git_repo",
+            "symbols": [
+              "validateVolume"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://github.com/advisories/GHSA-27wf-5967-98gx"
     },
-    {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10220"
-    },
     {
       "type": "WEB",
       "url": "http://www.openwall.com/lists/oss-security/2024/11/20/1"
@@ -71,6 +76,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3286",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-3286.yaml b/data/reports/GO-2024-3286.yaml
@@ -8,19 +8,22 @@ modules:
         - introduced: 1.30.0
         - fixed: 1.30.3
       vulnerable_at: 1.30.2
+      packages:
+        - package: k8s.io/kubernetes/pkg/volume/git_repo
+          symbols:
+            - validateVolume
 summary: Kubernetes kubelet arbitrary command execution in k8s.io/kubernetes
 cves:
     - CVE-2024-10220
 ghsas:
     - GHSA-27wf-5967-98gx
 references:
     - advisory: https://github.com/advisories/GHSA-27wf-5967-98gx
-    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-10220
     - web: http://www.openwall.com/lists/oss-security/2024/11/20/1
     - web: https://github.com/kubernetes/kubernetes/commit/1ab06efe92d8e898ca1931471c9533ce94aba29b
     - web: https://github.com/kubernetes/kubernetes/issues/128885
     - web: https://groups.google.com/g/kubernetes-security-announce/c/ptNgV5Necko
 source:
     id: GHSA-27wf-5967-98gx
-    created: 2024-11-27T13:41:27.937873-05:00
-review_status: UNREVIEWED
+    created: 2024-12-13T09:59:18.294847-05:00
+review_status: REVIEWED

Original file line number	Diff line number	Diff line change
`@@ -40,18 +40,23 @@`
`40`	`40`	`]`
`41`	`41`	`}`
`42`	`42`	`],`
`43`		`- "ecosystem_specific": {}`
	`43`	`+ "ecosystem_specific": {`
	`44`	`+ "imports": [`
	`45`	`+ {`
	`46`	`+ "path": "k8s.io/kubernetes/pkg/volume/git_repo",`
	`47`	`+ "symbols": [`
	`48`	`+ "validateVolume"`
	`49`	`+ ]`
	`50`	`+ }`
	`51`	`+ ]`
	`52`	`+ }`
`44`	`53`	`}`
`45`	`54`	`],`
`46`	`55`	`"references": [`
`47`	`56`	`{`
`48`	`57`	`"type": "ADVISORY",`
`49`	`58`	`"url": "https://github.com/advisories/GHSA-27wf-5967-98gx"`
`50`	`59`	`},`
`51`		`- {`
`52`		`- "type": "ADVISORY",`
`53`		`- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10220"`
`54`		`- },`
`55`	`60`	`{`
`56`	`61`	`"type": "WEB",`
`57`	`62`	`"url": "http://www.openwall.com/lists/oss-security/2024/11/20/1"`
`@@ -71,6 +76,6 @@`
`71`	`76`	`],`
`72`	`77`	`"database_specific": {`
`73`	`78`	`"url": "https://pkg.go.dev/vuln/GO-2024-3286",`
`74`		`- "review_status": "UNREVIEWED"`
	`79`	`+ "review_status": "REVIEWED"`
`75`	`80`	`}`
`76`	`81`	`}`