data/reports: add 13 reports

  - data/reports/GO-2025-3603.yaml
  - data/reports/GO-2025-3604.yaml
  - data/reports/GO-2025-3608.yaml
  - data/reports/GO-2025-3609.yaml
  - data/reports/GO-2025-3610.yaml
  - data/reports/GO-2025-3611.yaml
  - data/reports/GO-2025-3612.yaml
  - data/reports/GO-2025-3615.yaml
  - data/reports/GO-2025-3618.yaml
  - data/reports/GO-2025-3619.yaml
  - data/reports/GO-2025-3620.yaml
  - data/reports/GO-2025-3621.yaml
  - data/reports/GO-2025-3622.yaml

Fixes #3603
Fixes #3604
Fixes #3608
Fixes #3609
Fixes #3610
Fixes #3611
Fixes #3612
Fixes #3615
Fixes #3618
Fixes #3619
Fixes #3620
Fixes #3621
Fixes #3622

Change-Id: Ie86f18261a2e27e719b6b83100c20a83c688d9d4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/665975
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
Auto-Submit: Neal Patel <[email protected]>
Commit-Queue: Neal Patel <[email protected]>

Author: thatnealpatel

data/osv/GO-2025-3603.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3603",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-1386",
+    "GHSA-m454-3xv7-qj85"
+  ],
+  "summary": "Query smuggling in ch-go library in github.com/ClickHouse/ch-go",
+  "details": "Query smuggling in ch-go library in github.com/ClickHouse/ch-go",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/ClickHouse/ch-go",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.65.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/ClickHouse/ch-go/security/advisories/GHSA-m454-3xv7-qj85"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1386"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/ClickHouse/ch-go/commit/0e835663df32b09b828528c07a5507686e6d975e"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3603",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3604.json

@@ -0,0 +1,103 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3604",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-24866",
+    "GHSA-xfq9-hh5x-xfq9"
+  ],
+  "summary": "Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint in github.com/mattermost/mattermost-server",
+  "details": "Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint in github.com/mattermost/mattermost-server",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "9.11.0+incompatible"
+            },
+            {
+              "fixed": "9.11.9+incompatible"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server/v5",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server/v6",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost/server/v8",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-xfq9-hh5x-xfq9"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24866"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3604",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3608.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3608",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-32445",
+    "GHSA-hmp7-x699-cvhq"
+  ],
+  "summary": "Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR in github.com/argoproj/argo-events",
+  "details": "Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR in github.com/argoproj/argo-events",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/argoproj/argo-events",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.9.6"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/argoproj/argo-events/security/advisories/GHSA-hmp7-x699-cvhq"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32445"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/argoproj/argo-events/commit/18412293a699f559848b00e6e459c9ce2de0d3e2"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/argoproj/argo-events/pull/3528"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3608",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3609.json

@@ -0,0 +1,122 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3609",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-32093",
+    "GHSA-322v-vh2g-qvpv"
+  ],
+  "summary": "Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server",
+  "details": "Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "9.11.0+incompatible"
+            },
+            {
+              "fixed": "9.11.10+incompatible"
+            },
+            {
+              "introduced": "10.4.0+incompatible"
+            },
+            {
+              "fixed": "10.4.4+incompatible"
+            },
+            {
+              "introduced": "10.5.0+incompatible"
+            },
+            {
+              "fixed": "10.5.2+incompatible"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server/v5",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server/v6",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost/server/v8",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.0.0-20250227102013-aa4623a93199"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-322v-vh2g-qvpv"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32093"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/aa4623a9319943d9f54383b22b55e7d06a324e20"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3609",
+    "review_status": "UNREVIEWED"
+  }
+}