data/reports: add 5 reports

zpavlinovic · gopherbot · commit e67c5e3cb1fd · 2025-01-16T13:49:03.000-08:00
- data/reports/GO-2025-3397.yaml - data/reports/GO-2025-3398.yaml - data/reports/GO-2025-3399.yaml - data/reports/GO-2025-3400.yaml - data/reports/GO-2025-3401.yaml Fixes #3397 Fixes #3398 Fixes #3399 Fixes #3400 Fixes #3401 Change-Id: I398589c537648b827d78fe884001d702b03cf17e Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/642605 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Auto-Submit: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/data/osv/GO-2025-3397.json b/data/osv/GO-2025-3397.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3397",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-36402",
+    "GHSA-8vmr-h7h5-cqhg"
+  ],
+  "summary": "matrix-media-repo (MMR) allows unauthenticated writes to the media repository, which may allow planting of problematic content in github.com/t2bot/matrix-media-repo",
+  "details": "matrix-media-repo (MMR) allows unauthenticated writes to the media repository, which may allow planting of problematic content in github.com/t2bot/matrix-media-repo",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/t2bot/matrix-media-repo",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.5"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-8vmr-h7h5-cqhg"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3397",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3398.json b/data/osv/GO-2025-3398.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3398",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-52791",
+    "GHSA-gp86-q8hg-fpxj"
+  ],
+  "summary": "matrix-media-repo (MMR) allows a denial of service through memory exhaustion in github.com/t2bot/matrix-media-repo",
+  "details": "matrix-media-repo (MMR) allows a denial of service through memory exhaustion in github.com/t2bot/matrix-media-repo",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/t2bot/matrix-media-repo",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.8"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-gp86-q8hg-fpxj"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3398",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3399.json b/data/osv/GO-2025-3399.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3399",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-52602",
+    "GHSA-r6jg-jfv6-2fjv"
+  ],
+  "summary": "Matrix Media Repo (MMR) allows Server-Side Request Forgery (SSRF) on redirects and federation in github.com/t2bot/matrix-media-repo",
+  "details": "Matrix Media Repo (MMR) allows Server-Side Request Forgery (SSRF) on redirects and federation in github.com/t2bot/matrix-media-repo",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/t2bot/matrix-media-repo",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.8"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-r6jg-jfv6-2fjv"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3399",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3400.json b/data/osv/GO-2025-3400.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3400",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-56515",
+    "GHSA-rcxc-wjgw-579r"
+  ],
+  "summary": "Matrix Media Repo (MMR) allows untrusted file formats can be thumbnailed, invoking potentially further untrusted decoders in github.com/t2bot/matrix-media-repo",
+  "details": "Matrix Media Repo (MMR) allows untrusted file formats can be thumbnailed, invoking potentially further untrusted decoders in github.com/t2bot/matrix-media-repo",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/t2bot/matrix-media-repo",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.8"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-rcxc-wjgw-579r"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3400",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-3401.json b/data/osv/GO-2025-3401.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3401",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-36403",
+    "GHSA-vc2m-hw89-qjxf"
+  ],
+  "summary": "matrix-media-repo (MMR) allows denial of service/high operating costs through unauthenticated downloads in github.com/t2bot/matrix-media-repo",
+  "details": "matrix-media-repo (MMR) allows denial of service/high operating costs through unauthenticated downloads in github.com/t2bot/matrix-media-repo",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/t2bot/matrix-media-repo",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.5"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-vc2m-hw89-qjxf"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3401",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/reports/GO-2025-3397.yaml b/data/reports/GO-2025-3397.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3397
+modules:
+    - module: github.com/t2bot/matrix-media-repo
+      versions:
+        - fixed: 1.3.5
+      vulnerable_at: 1.3.4
+summary: |-
+    matrix-media-repo (MMR) allows unauthenticated writes to the media repository,
+    which may allow planting of problematic content in github.com/t2bot/matrix-media-repo
+cves:
+    - CVE-2024-36402
+ghsas:
+    - GHSA-8vmr-h7h5-cqhg
+references:
+    - advisory: https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-8vmr-h7h5-cqhg
+    - web: https://github.com/matrix-org/matrix-spec-proposals/pull/3916
+source:
+    id: GHSA-8vmr-h7h5-cqhg
+    created: 2025-01-16T21:30:59.197777983Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3398.yaml b/data/reports/GO-2025-3398.yaml
@@ -0,0 +1,18 @@
+id: GO-2025-3398
+modules:
+    - module: github.com/t2bot/matrix-media-repo
+      versions:
+        - fixed: 1.3.8
+      vulnerable_at: 1.3.7
+summary: matrix-media-repo (MMR) allows a denial of service through memory exhaustion in github.com/t2bot/matrix-media-repo
+cves:
+    - CVE-2024-52791
+ghsas:
+    - GHSA-gp86-q8hg-fpxj
+references:
+    - advisory: https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-gp86-q8hg-fpxj
+    - web: https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8
+source:
+    id: GHSA-gp86-q8hg-fpxj
+    created: 2025-01-16T21:30:55.53433568Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3399.yaml b/data/reports/GO-2025-3399.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3399
+modules:
+    - module: github.com/t2bot/matrix-media-repo
+      versions:
+        - fixed: 1.3.8
+      vulnerable_at: 1.3.7
+summary: |-
+    Matrix Media Repo (MMR) allows Server-Side Request Forgery (SSRF) on redirects
+    and federation in github.com/t2bot/matrix-media-repo
+cves:
+    - CVE-2024-52602
+ghsas:
+    - GHSA-r6jg-jfv6-2fjv
+references:
+    - advisory: https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-r6jg-jfv6-2fjv
+    - web: https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8
+source:
+    id: GHSA-r6jg-jfv6-2fjv
+    created: 2025-01-16T21:30:51.885337875Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3400.yaml b/data/reports/GO-2025-3400.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3400
+modules:
+    - module: github.com/t2bot/matrix-media-repo
+      versions:
+        - fixed: 1.3.8
+      vulnerable_at: 1.3.7
+summary: |-
+    Matrix Media Repo (MMR) allows untrusted file formats can be thumbnailed,
+    invoking potentially further untrusted decoders in github.com/t2bot/matrix-media-repo
+cves:
+    - CVE-2024-56515
+ghsas:
+    - GHSA-rcxc-wjgw-579r
+references:
+    - advisory: https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-rcxc-wjgw-579r
+    - web: https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8
+source:
+    id: GHSA-rcxc-wjgw-579r
+    created: 2025-01-16T21:30:47.989848281Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3401.yaml b/data/reports/GO-2025-3401.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-3401
+modules:
+    - module: github.com/t2bot/matrix-media-repo
+      versions:
+        - fixed: 1.3.5
+      vulnerable_at: 1.3.4
+summary: |-
+    matrix-media-repo (MMR) allows denial of service/high operating costs through
+    unauthenticated downloads in github.com/t2bot/matrix-media-repo
+cves:
+    - CVE-2024-36403
+ghsas:
+    - GHSA-vc2m-hw89-qjxf
+references:
+    - advisory: https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-vc2m-hw89-qjxf
+source:
+    id: GHSA-vc2m-hw89-qjxf
+    created: 2025-01-16T21:30:44.369927323Z
+review_status: UNREVIEWED
