data/reports: add 6 reports

  - data/reports/GO-2025-3645.yaml
  - data/reports/GO-2025-3646.yaml
  - data/reports/GO-2025-3647.yaml
  - data/reports/GO-2025-3648.yaml
  - data/reports/GO-2025-3649.yaml
  - data/reports/GO-2025-3650.yaml

Fixes #3645
Fixes #3646
Fixes #3647
Fixes #3648
Fixes #3649
Fixes #3650

Change-Id: I92892fe49dd61cbf3d95e2f65e304a96fff4a715
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/668935
Auto-Submit: Neal Patel <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: thatnealpatel

data/osv/GO-2025-3645.json

@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3645",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2019-11243",
+    "GHSA-gc2p-g4fg-29vh"
+  ],
+  "summary": "Kubernetes did not effectively clear service account credentials in k8s.io/kubernetes",
+  "details": "Kubernetes did not effectively clear service account credentials in k8s.io/kubernetes",
+  "affected": [
+    {
+      "package": {
+        "name": "k8s.io/kubernetes",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.12.0"
+            },
+            {
+              "fixed": "1.12.5"
+            },
+            {
+              "introduced": "1.13.0"
+            },
+            {
+              "fixed": "1.13.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-gc2p-g4fg-29vh"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11243"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/issues/76797"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20190509-0002"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3645",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3646.json

@@ -0,0 +1,79 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3646",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-46599",
+    "GHSA-864f-7xjm-2jp2"
+  ],
+  "summary": "CNCF K3s Kubernetes kubelet configuration exposes credentials in github.com/k3s-io/k3s",
+  "details": "CNCF K3s Kubernetes kubelet configuration exposes credentials in github.com/k3s-io/k3s.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/k3s-io/k3s from v1.32.0-rc1 before v1.32.4-rc1.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/k3s-io/k3s",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "1.32.0-rc1"
+              },
+              {
+                "fixed": "1.32.4-rc1"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-864f-7xjm-2jp2"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46599"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://github.com/k3s-io/k3s/issues/12164"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/f1veT/BUG/issues/2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3646",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3647.json

@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3647",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-22031",
+    "GHSA-8h6m-wv39-239m"
+  ],
+  "summary": "Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher",
+  "details": "Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/rancher from v2.8.0 before v2.9.9, from v2.10.0 before v2.10.5, from v2.11.0 before v2.11.1.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/rancher/rancher",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "2.8.0"
+              },
+              {
+                "fixed": "2.9.9"
+              },
+              {
+                "introduced": "2.10.0"
+              },
+              {
+                "fixed": "2.10.5"
+              },
+              {
+                "introduced": "2.11.0"
+              },
+              {
+                "fixed": "2.11.1"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-8h6m-wv39-239m"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3647",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3648.json

@@ -0,0 +1,87 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3648",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-32198",
+    "GHSA-95fc-g4gj-mqmx"
+  ],
+  "summary": "Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks in github.com/rancher/stev",
+  "details": "Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks in github.com/rancher/stev.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/steve from v0.3.0 before v0.3.3.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/rancher/steve",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0.3.0"
+              },
+              {
+                "fixed": "0.3.3"
+              }
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/rancher/steve",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.2.0"
+            },
+            {
+              "fixed": "0.2.1"
+            },
+            {
+              "introduced": "0.4.0"
+            },
+            {
+              "fixed": "0.4.4"
+            },
+            {
+              "introduced": "0.5.0"
+            },
+            {
+              "fixed": "0.5.13"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/rancher/steve/security/advisories/GHSA-95fc-g4gj-mqmx"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3648",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3649.json

@@ -0,0 +1,80 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3649",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-23390",
+    "GHSA-xgpc-q899-67p8"
+  ],
+  "summary": "Fleet doesn’t validate a server’s certificate when connecting through SSH in github.com/rancher/fleet",
+  "details": "Fleet doesn’t validate a server’s certificate when connecting through SSH in github.com/rancher/fleet",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/rancher/fleet",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.9.0-rc.1"
+            },
+            {
+              "fixed": "0.10.12"
+            },
+            {
+              "introduced": "0.11.0"
+            },
+            {
+              "fixed": "0.11.7"
+            },
+            {
+              "introduced": "0.12.0"
+            },
+            {
+              "fixed": "0.12.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/rancher/fleet/security/advisories/GHSA-xgpc-q899-67p8"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/rancher/fleet/pull/3571"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/rancher/fleet/pull/3572"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/rancher/fleet/pull/3573"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rancher/fleet/releases/tag/v0.10.12"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rancher/fleet/releases/tag/v0.11.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rancher/fleet/releases/tag/v0.12.2"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3649",
+    "review_status": "UNREVIEWED"
+  }
+}