data/reports: add 19 reports

  - data/reports/GO-2025-3979.yaml
  - data/reports/GO-2025-3981.yaml
  - data/reports/GO-2025-3982.yaml
  - data/reports/GO-2025-3983.yaml
  - data/reports/GO-2025-3984.yaml
  - data/reports/GO-2025-3985.yaml
  - data/reports/GO-2025-3986.yaml
  - data/reports/GO-2025-3989.yaml
  - data/reports/GO-2025-3990.yaml
  - data/reports/GO-2025-3991.yaml
  - data/reports/GO-2025-3992.yaml
  - data/reports/GO-2025-3993.yaml
  - data/reports/GO-2025-3994.yaml
  - data/reports/GO-2025-3995.yaml
  - data/reports/GO-2025-3996.yaml
  - data/reports/GO-2025-3997.yaml
  - data/reports/GO-2025-3998.yaml
  - data/reports/GO-2025-4018.yaml
  - data/reports/GO-2025-4019.yaml

Fixes #3979
Fixes #3981
Fixes #3982
Fixes #3983
Fixes #3984
Fixes #3985
Fixes #3986
Fixes #3989
Fixes #3990
Fixes #3991
Fixes #3992
Fixes #3993
Fixes #3994
Fixes #3995
Fixes #3996
Fixes #3997
Fixes #3998
Fixes #4018
Fixes #4019

Change-Id: I5e2e6c611b668c8b227cbc5907681deba187347a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/711220
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Markus Kusano <[email protected]>

Author: ethanalee-work

data/osv/GO-2025-3979.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3979",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-59824",
+    "GHSA-hqrf-67pm-wgfq"
+  ],
+  "summary": "Omni Wireguard SideroLink potential escape in github.com/siderolabs/omni",
+  "details": "Omni Wireguard SideroLink potential escape in github.com/siderolabs/omni",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/siderolabs/omni",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.48.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/siderolabs/omni/security/advisories/GHSA-hqrf-67pm-wgfq"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59824"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/siderolabs/omni/commit/a5efd816a239e6c9e5ea7c0d43c02c04504d7b60"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3979",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3981.json

@@ -0,0 +1,140 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3981",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-59823",
+    "GHSA-227x-7mh8-3cf6"
+  ],
+  "summary": "Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning in github.com/gardener/gardener-extension-provider-aws",
+  "details": "Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning in github.com/gardener/gardener-extension-provider-aws",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/gardener/gardener-extension-provider-aws",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.64.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/gardener/gardener-extension-provider-azure",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.55.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/gardener/gardener-extension-provider-gcp",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.46.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/gardener/gardener-extension-provider-openstack",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.49.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59823"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/gardener/gardener-extension-provider-aws/commit/cb5045fc146248296994804bbfe27bd896938bf2"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/gardener/gardener-extension-provider-azure/commit/4573a4404969f89781ed6cf72e90554bc6ae2020"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/gardener/gardener-extension-provider-gcp/commit/51111b4f60c33c60dfdf18b1fc50f7ec8d8f70ac"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/gardener/gardener-extension-provider-openstack/commit/2ed6f0fe1be90fbef5d6093eb0b8325c8421b8d8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3981",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3982.json

@@ -0,0 +1,81 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3982",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-54468",
+    "GHSA-mjcp-rj3c-36fr"
+  ],
+  "summary": "Rancher sends sensitive information to external services through the `/meta/proxy` endpoint in github.com/rancher/rancher",
+  "details": "Rancher sends sensitive information to external services through the `/meta/proxy` endpoint in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/rancher from v2.9.0 before v2.9.12, from v2.10.0 before v2.10.10, from v2.11.0 before v2.11.6, from v2.12.0 before v2.12.2.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/rancher/rancher",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "2.9.0"
+              },
+              {
+                "fixed": "2.9.12"
+              },
+              {
+                "introduced": "2.10.0"
+              },
+              {
+                "fixed": "2.10.10"
+              },
+              {
+                "introduced": "2.11.0"
+              },
+              {
+                "fixed": "2.11.6"
+              },
+              {
+                "introduced": "2.12.0"
+              },
+              {
+                "fixed": "2.12.2"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-mjcp-rj3c-36fr"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54468"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54468"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3982",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3983.json

@@ -0,0 +1,81 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3983",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-58260",
+    "GHSA-q82v-h4rq-5c86"
+  ],
+  "summary": "Rancher update on users can deny the service to the admin in github.com/rancher/rancher",
+  "details": "Rancher update on users can deny the service to the admin in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/rancher/rancher from v2.9.0 before v2.9.12, from v2.10.0 before v2.10.10, from v2.11.0 before v2.11.6, from v2.12.0 before v2.12.2.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/rancher/rancher",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "2.9.0"
+              },
+              {
+                "fixed": "2.9.12"
+              },
+              {
+                "introduced": "2.10.0"
+              },
+              {
+                "fixed": "2.10.10"
+              },
+              {
+                "introduced": "2.11.0"
+              },
+              {
+                "fixed": "2.11.6"
+              },
+              {
+                "introduced": "2.12.0"
+              },
+              {
+                "fixed": "2.12.2"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-q82v-h4rq-5c86"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58260"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-58260"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3983",
+    "review_status": "UNREVIEWED"
+  }
+}