data/reports: add 5 unreviewed reports

  - data/reports/GO-2024-3323.yaml
  - data/reports/GO-2024-3324.yaml
  - data/reports/GO-2024-3325.yaml
  - data/reports/GO-2024-3326.yaml
  - data/reports/GO-2024-3327.yaml

Fixes #3323
Fixes #3324
Fixes #3325
Fixes #3326
Fixes #3327

Change-Id: Id66d8abedbc619bdf08e3d66e23f64b2d29610fe
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635223
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>

Author: tatianab

data/osv/GO-2024-3323.json

@@ -0,0 +1,45 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3323",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-55658",
+    "GHSA-25w9-wqfq-gwqx"
+  ],
+  "summary": "SiYuan has an arbitrary file read and path traversal via /api/export/exportResources in github.com/siyuan-note/siyuan/kernel",
+  "details": "SiYuan has an arbitrary file read and path traversal via /api/export/exportResources in github.com/siyuan-note/siyuan/kernel",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/siyuan-note/siyuan/kernel",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-25w9-wqfq-gwqx"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3323",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3324.json

@@ -0,0 +1,45 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3324",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-55660",
+    "GHSA-4pjc-pwgq-q9jp"
+  ],
+  "summary": "SiYuan has an SSTI via /api/template/renderSprig in github.com/siyuan-note/siyuan/kernel",
+  "details": "SiYuan has an SSTI via /api/template/renderSprig in github.com/siyuan-note/siyuan/kernel",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/siyuan-note/siyuan/kernel",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4pjc-pwgq-q9jp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3324",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3325.json

@@ -0,0 +1,51 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3325",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-c7xh-gjv4-4jgv"
+  ],
+  "summary": "kcp's impersonation allows access to global administrative groups in github.com/kcp-dev/kcp",
+  "details": "kcp's impersonation allows access to global administrative groups in github.com/kcp-dev/kcp",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/kcp-dev/kcp",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.26.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/kcp-dev/kcp/security/advisories/GHSA-c7xh-gjv4-4jgv"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/kcp-dev/kcp/commit/24ab5d4dc35ddff98a2e5fdc236e1681f03283ec"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/kcp-dev/kcp/pull/3206"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3325",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3326.json

@@ -0,0 +1,45 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3326",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-55659",
+    "GHSA-fqj6-whhx-47p7"
+  ],
+  "summary": "SiYuan has an arbitrary file write in the host via /api/asset/upload in github.com/siyuan-note/siyuan/kernel",
+  "details": "SiYuan has an arbitrary file write in the host via /api/asset/upload in github.com/siyuan-note/siyuan/kernel",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/siyuan-note/siyuan/kernel",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fqj6-whhx-47p7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3326",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2024-3327.json

@@ -0,0 +1,45 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3327",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-55657",
+    "GHSA-xx68-37v4-4596"
+  ],
+  "summary": "SiYuan has an arbitrary file read via /api/template/render in github.com/siyuan-note/siyuan/kernel",
+  "details": "SiYuan has an arbitrary file read via /api/template/render in github.com/siyuan-note/siyuan/kernel",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/siyuan-note/siyuan/kernel",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xx68-37v4-4596"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3327",
+    "review_status": "UNREVIEWED"
+  }
+}

data/reports/GO-2024-3323.yaml

@@ -0,0 +1,20 @@
+id: GO-2024-3323
+modules:
+    - module: github.com/siyuan-note/siyuan/kernel
+      unsupported_versions:
+        - last_affected: 0.0.0-20241210012039-5129ad926a21
+      vulnerable_at: 0.0.0-20241210012039-5129ad926a21
+summary: |-
+    SiYuan has an arbitrary file read and path traversal via
+    /api/export/exportResources in github.com/siyuan-note/siyuan/kernel
+cves:
+    - CVE-2024-55658
+ghsas:
+    - GHSA-25w9-wqfq-gwqx
+references:
+    - advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-25w9-wqfq-gwqx
+    - web: https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71
+source:
+    id: GHSA-25w9-wqfq-gwqx
+    created: 2024-12-11T16:19:40.86191-05:00
+review_status: UNREVIEWED

data/reports/GO-2024-3324.yaml

@@ -0,0 +1,18 @@
+id: GO-2024-3324
+modules:
+    - module: github.com/siyuan-note/siyuan/kernel
+      unsupported_versions:
+        - last_affected: 0.0.0-20241210012039-5129ad926a21
+      vulnerable_at: 0.0.0-20241210012039-5129ad926a21
+summary: SiYuan has an SSTI via /api/template/renderSprig in github.com/siyuan-note/siyuan/kernel
+cves:
+    - CVE-2024-55660
+ghsas:
+    - GHSA-4pjc-pwgq-q9jp
+references:
+    - advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4pjc-pwgq-q9jp
+    - web: https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71
+source:
+    id: GHSA-4pjc-pwgq-q9jp
+    created: 2024-12-11T16:19:37.997496-05:00
+review_status: UNREVIEWED

data/reports/GO-2024-3325.yaml

@@ -0,0 +1,17 @@
+id: GO-2024-3325
+modules:
+    - module: github.com/kcp-dev/kcp
+      versions:
+        - fixed: 0.26.1
+      vulnerable_at: 0.26.0
+summary: kcp's impersonation allows access to global administrative groups in github.com/kcp-dev/kcp
+ghsas:
+    - GHSA-c7xh-gjv4-4jgv
+references:
+    - advisory: https://github.com/kcp-dev/kcp/security/advisories/GHSA-c7xh-gjv4-4jgv
+    - fix: https://github.com/kcp-dev/kcp/commit/24ab5d4dc35ddff98a2e5fdc236e1681f03283ec
+    - fix: https://github.com/kcp-dev/kcp/pull/3206
+source:
+    id: GHSA-c7xh-gjv4-4jgv
+    created: 2024-12-11T16:19:33.742126-05:00
+review_status: UNREVIEWED

data/reports/GO-2024-3326.yaml

@@ -0,0 +1,18 @@
+id: GO-2024-3326
+modules:
+    - module: github.com/siyuan-note/siyuan/kernel
+      unsupported_versions:
+        - last_affected: 0.0.0-20241210012039-5129ad926a21
+      vulnerable_at: 0.0.0-20241210012039-5129ad926a21
+summary: SiYuan has an arbitrary file write in the host via /api/asset/upload in github.com/siyuan-note/siyuan/kernel
+cves:
+    - CVE-2024-55659
+ghsas:
+    - GHSA-fqj6-whhx-47p7
+references:
+    - advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fqj6-whhx-47p7
+    - web: https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71
+source:
+    id: GHSA-fqj6-whhx-47p7
+    created: 2024-12-11T16:19:31.153727-05:00
+review_status: UNREVIEWED

data/reports/GO-2024-3327.yaml

@@ -0,0 +1,18 @@
+id: GO-2024-3327
+modules:
+    - module: github.com/siyuan-note/siyuan/kernel
+      unsupported_versions:
+        - last_affected: 0.0.0-20241210012039-5129ad926a21
+      vulnerable_at: 0.0.0-20241210012039-5129ad926a21
+summary: SiYuan has an arbitrary file read via /api/template/render in github.com/siyuan-note/siyuan/kernel
+cves:
+    - CVE-2024-55657
+ghsas:
+    - GHSA-xx68-37v4-4596
+references:
+    - advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xx68-37v4-4596
+    - web: https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71
+source:
+    id: GHSA-xx68-37v4-4596
+    created: 2024-12-11T16:19:27.888293-05:00
+review_status: UNREVIEWED