Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-65v8-6pvw-jwvq #1716

Closed
GoVulnBot opened this issue Apr 11, 2023 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-65v8-6pvw-jwvq #1716

GoVulnBot opened this issue Apr 11, 2023 · 3 comments
Assignees
@timothy-king
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-65v8-6pvw-jwvq, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/answerdev/answer 1.0.8 < 1.0.8

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/answerdev/answer
    versions:
      - fixed: 1.0.8
    packages:
      - package: github.com/answerdev/answer
summary: Answer vulnerable to Insertion of Sensitive Information Into Sent Data
description: answerdev/answer is an open-source knowledge-based community software.
    Answer prior to 1.0.8 does not strip EXIF geolocation data from user-uploaded
    logos. As a result, anyone can get sensitive information like a user's device
    ID, geolocation, system information, system version, etc.
cves:
  - CVE-2023-1975
ghsas:
  - GHSA-65v8-6pvw-jwvq
references:
  - web: https://nvd.nist.gov/vuln/detail/CVE-2023-1975
  - fix: https://github.com/answerdev/answer/commit/ac3f2f047ee00b4edaea7530e570ab67ff87cd6a
  - web: https://huntr.dev/bounties/829cab7a-4ed7-465c-aa96-29f4f73dbfff
  - advisory: https://github.com/advisories/GHSA-65v8-6pvw-jwvq
@timothy-king timothy-king self-assigned this Apr 11, 2023
@timothy-king timothy-king added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Apr 11, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/483975 mentions this issue: data/excluded: batch add GO-2023-1719, GO-2023-1718, GO-2023-1716

@GoVulnBot GoVulnBot mentioned this issue May 11, 2023
Closed
This was referenced Aug 3, 2023
Closed
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Sep 8, 2023
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606785 mentions this issue: data/reports: unexclude 20 reports (5)

gopherbot pushed a commit that referenced this issue Aug 20, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (5)
5ea5cbb 
  - data/reports/GO-2023-1700.yaml
  - data/reports/GO-2023-1701.yaml
  - data/reports/GO-2023-1707.yaml
  - data/reports/GO-2023-1708.yaml
  - data/reports/GO-2023-1716.yaml
  - data/reports/GO-2023-1718.yaml
  - data/reports/GO-2023-1719.yaml
  - data/reports/GO-2023-1721.yaml
  - data/reports/GO-2023-1723.yaml
  - data/reports/GO-2023-1730.yaml
  - data/reports/GO-2023-1735.yaml
  - data/reports/GO-2023-1738.yaml
  - data/reports/GO-2023-1747.yaml
  - data/reports/GO-2023-1754.yaml
  - data/reports/GO-2023-1758.yaml
  - data/reports/GO-2023-1761.yaml
  - data/reports/GO-2023-1763.yaml
  - data/reports/GO-2023-1764.yaml
  - data/reports/GO-2023-1768.yaml
  - data/reports/GO-2023-1774.yaml

Updates #1700
Updates #1701
Updates #1707
Updates #1708
Updates #1716
Updates #1718
Updates #1719
Updates #1721
Updates #1723
Updates #1730
Updates #1735
Updates #1738
Updates #1747
Updates #1754
Updates #1758
Updates #1761
Updates #1763
Updates #1764
Updates #1768
Updates #1774

Change-Id: I3fc567427d68e095cc62ea48dc9b284b2414a372
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606785
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@timothy-king timothy-king

Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@timothy-king @gopherbot @GoVulnBot