diff --git a/data/anchore/2024/CVE-2024-36620.json b/data/anchore/2024/CVE-2024-36620.json
new file mode 100644
index 00000000..3a6001e4
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-36620.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "mitre",
+ "cveId": "CVE-2024-36620",
+ "description": "moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2",
+ "https://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48",
+ "https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "cpes": [
+ "cpe:2.3:a:docker:docker:*:*:*:*:*:go:*:*",
+ "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:go:*:*"
+ ],
+ "packageName": "github.com/docker/docker",
+ "packageType": "go-module",
+ "product": "moby",
+ "repo": "https://github.com/moby/moby",
+ "vendor": "moby",
+ "versions": [
+ {
+ "lessThan": "26.1.0",
+ "status": "affected",
+ "version": "25.0.0-beta.1",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://github.com/advisories/GHSA-q59j-vv4j-v33c"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-36621.json b/data/anchore/2024/CVE-2024-36621.json
new file mode 100644
index 00000000..2b26c99c
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-36621.json
@@ -0,0 +1,70 @@
+{
+ "additionalMetadata": {
+ "cna": "mitre",
+ "cveId": "CVE-2024-36621",
+ "description": "moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://gist.github.com/1047524396/5d44459edab5fafcdf86b43909b81135",
+ "https://github.com/moby/moby/blob/v25.0.5/builder/builder-next/adapters/snapshot/layer.go#L24",
+ "https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e"
+ ],
+ "toDos": [
+ "Monitor for 24.x release (fix has been merged, just not released) https://github.com/moby/moby/commit/b8bc11af709b47987ab2aade1d571e3028f434bc"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "cpes": [
+ "cpe:2.3:a:docker:docker:*:*:*:*:*:go:*:*",
+ "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:go:*:*"
+ ],
+ "packageName": "github.com/docker/docker",
+ "packageType": "go-module",
+ "product": "moby",
+ "repo": "https://github.com/moby/moby",
+ "vendor": "moby",
+ "versions": [
+ {
+ "lessThan": "26.0.0-rc2",
+ "status": "affected",
+ "version": "26.0.0-rc1",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "25.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "23.0.11",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://github.com/moby/moby/pull/47523"
+ },
+ {
+ "url": "https://github.com/moby/moby/pull/47527"
+ },
+ {
+ "url": "https://github.com/moby/moby/pull/47528"
+ },
+ {
+ "url": "https://github.com/moby/moby/pull/47529"
+ }
+ ]
+ }
+}
\ No newline at end of file
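Review bot: The second `versions` entry in CVE-2024-36621.json stops at `"lessThan": "25.0.5"`, which marks 25.0.5 as not affected, while the description names v25.0.5 as the affected release and the source reference points at the v25.0.5 tag. If the bound is deliberate because the fix shipped in 25.0.5, record that in `reason`, which currently mentions only the CPE configurations; otherwise a scanner consuming this record will miss 25.0.5. The same entry starts at the bare `"version": "24"`, whereas CVE-2024-36620.json in this commit uses `25.0.0-beta.1`. Depending on how the consumer orders `custom` versions, 24.0.0 pre-releases may fall into the gap between `23.0.11` and `24` and be reported as unaffected; the `"version": "25"` entry in CVE-2024-36623.json raises the same question.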
diff --git a/data/anchore/2024/CVE-2024-36623.json b/data/anchore/2024/CVE-2024-36623.json
new file mode 100644
index 00000000..692e700e
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-36623.json
@@ -0,0 +1,55 @@
+{
+ "additionalMetadata": {
+ "cna": "mitre",
+ "cveId": "CVE-2024-36623",
+ "description": "moby v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://gist.github.com/1047524396/c192c0159a19bf58a4373b696467dc29",
+ "https://github.com/moby/moby/blob/v25.0.3/pkg/streamformatter/streamformatter.go#L115",
+ "https://github.com/moby/moby/commit/5689dabfb357b673abdb4391eef426f297d7d1bb"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "cpes": [
+ "cpe:2.3:a:docker:docker:*:*:*:*:*:go:*:*",
+ "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:go:*:*"
+ ],
+ "packageName": "github.com/docker/docker",
+ "packageType": "go-module",
+ "product": "moby",
+ "repo": "https://github.com/moby/moby",
+ "vendor": "moby",
+ "versions": [
+ {
+ "lessThan": "26.0.0-rc1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "25.0.4",
+ "status": "affected",
+ "version": "25",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://github.com/moby/moby/commit/3fa0cedce310398b3b39db7cf7d3550e9a39ec00"
+ },
+ {
+ "url": "https://github.com/moby/moby/pull/47484"
+ }
+ ]
+ }
+}
\ No newline at end of file
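Review bot: The two `versions` entries in CVE-2024-36623.json overlap: the first runs from `0` to `26.0.0-rc1` and so already contains every 25.0.x release. A consumer that treats the entries as a union will still report 25.0.4 and later as affected, and the `"lessThan": "25.0.4"` entry changes nothing. If 25.0.4 is the fixed release on the 25.0 line, the ranges need to be disjoint, for example a single entry `"version": "0", "lessThan": "25.0.4"`, or separate lower bounds per release line as CVE-2024-36621.json does with `26.0.0-rc1`. Which of these is right depends on which branches received the fix, which the hunk does not show.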