Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-pfw6-5rx3-xh3c #2593

Closed
GoVulnBot opened this issue Feb 29, 2024 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-pfw6-5rx3-xh3c #2593

GoVulnBot opened this issue Feb 29, 2024 · 3 comments
Assignees
@jba
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-pfw6-5rx3-xh3c, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/mattermost/mattermost/server/v8 8.1.9 < 8.1.9

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/mattermost/mattermost/server/v8
      versions:
        - fixed: 8.1.9
      packages:
        - package: github.com/mattermost/mattermost/server/v8
    - module: github.com/mattermost/mattermost/server/v8
      versions:
        - introduced: 9.2.0
          fixed: 9.2.5
      packages:
        - package: github.com/mattermost/mattermost/server/v8
    - module: github.com/mattermost/mattermost/server/v8
      versions:
        - introduced: 9.3.0
          fixed: 9.3.1
      packages:
        - package: github.com/mattermost/mattermost/server/v8
    - module: github.com/mattermost/mattermost/server/v8
      versions:
        - introduced: 9.4.0
          fixed: 9.4.2
      packages:
        - package: github.com/mattermost/mattermost/server/v8
summary: Mattermost fails to check the "invite_guest" permission
cves:
    - CVE-2024-1888
ghsas:
    - GHSA-pfw6-5rx3-xh3c
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2024-1888
    - web: https://mattermost.com/security-updates
    - advisory: https://github.com/advisories/GHSA-pfw6-5rx3-xh3c
@jba jba self-assigned this Mar 1, 2024
@jba jba added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Mar 2, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/569495 mentions this issue: data/excluded: batch add 11 excluded reports

@GoVulnBot GoVulnBot mentioned this issue Mar 10, 2024
Closed
This was referenced Apr 5, 2024
Closed
Closed
Closed
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592778 mentions this issue: data/reports: unexclude 80 reports

gopherbot pushed a commit that referenced this issue Jun 28, 2024
@tatianab
data/reports: unexclude 80 reports
e116d8a 
  - data/reports/GO-2024-2521.yaml
  - data/reports/GO-2024-2434.yaml
  - data/reports/GO-2024-2537.yaml
  - data/reports/GO-2024-2432.yaml
  - data/reports/GO-2024-2483.yaml
  - data/reports/GO-2024-2480.yaml
  - data/reports/GO-2024-2433.yaml
  - data/reports/GO-2024-2530.yaml
  - data/reports/GO-2024-2556.yaml
  - data/reports/GO-2024-2472.yaml
  - data/reports/GO-2024-2540.yaml
  - data/reports/GO-2024-2560.yaml
  - data/reports/GO-2024-2561.yaml
  - data/reports/GO-2024-2590.yaml
  - data/reports/GO-2024-2428.yaml
  - data/reports/GO-2024-2508.yaml
  - data/reports/GO-2024-2592.yaml
  - data/reports/GO-2024-2511.yaml
  - data/reports/GO-2024-2491.yaml
  - data/reports/GO-2024-2479.yaml
  - data/reports/GO-2024-2509.yaml
  - data/reports/GO-2024-2589.yaml
  - data/reports/GO-2024-2496.yaml
  - data/reports/GO-2024-2505.yaml
  - data/reports/GO-2024-2558.yaml
  - data/reports/GO-2024-2430.yaml
  - data/reports/GO-2024-2594.yaml
  - data/reports/GO-2024-2431.yaml
  - data/reports/GO-2024-2488.yaml
  - data/reports/GO-2024-2495.yaml
  - data/reports/GO-2024-2557.yaml
  - data/reports/GO-2024-2442.yaml
  - data/reports/GO-2024-2593.yaml
  - data/reports/GO-2024-2512.yaml
  - data/reports/GO-2024-2528.yaml
  - data/reports/GO-2024-2529.yaml
  - data/reports/GO-2024-2588.yaml
  - data/reports/GO-2024-2562.yaml
  - data/reports/GO-2024-2441.yaml
  - data/reports/GO-2024-2591.yaml
  - data/reports/GO-2024-2477.yaml
  - data/reports/GO-2024-2448.yaml
  - data/reports/GO-2024-2510.yaml
  - data/reports/GO-2024-2564.yaml
  - data/reports/GO-2024-2476.yaml
  - data/reports/GO-2024-2527.yaml
  - data/reports/GO-2024-2481.yaml
  - data/reports/GO-2024-2445.yaml
  - data/reports/GO-2024-2457.yaml
  - data/reports/GO-2024-2446.yaml
  - data/reports/GO-2024-2447.yaml
  - data/reports/GO-2024-2501.yaml
  - data/reports/GO-2024-2440.yaml
  - data/reports/GO-2024-2500.yaml
  - data/reports/GO-2024-2444.yaml
  - data/reports/GO-2024-2550.yaml
  - data/reports/GO-2024-2523.yaml
  - data/reports/GO-2024-2516.yaml
  - data/reports/GO-2024-2531.yaml
  - data/reports/GO-2024-2595.yaml
  - data/reports/GO-2024-2520.yaml
  - data/reports/GO-2024-2582.yaml
  - data/reports/GO-2024-2485.yaml
  - data/reports/GO-2024-2541.yaml
  - data/reports/GO-2024-2563.yaml
  - data/reports/GO-2024-2532.yaml
  - data/reports/GO-2024-2450.yaml
  - data/reports/GO-2024-2515.yaml
  - data/reports/GO-2024-2499.yaml
  - data/reports/GO-2024-2514.yaml
  - data/reports/GO-2024-2535.yaml
  - data/reports/GO-2024-2458.yaml
  - data/reports/GO-2024-2449.yaml
  - data/reports/GO-2024-2549.yaml
  - data/reports/GO-2024-2517.yaml
  - data/reports/GO-2024-2478.yaml
  - data/reports/GO-2024-2559.yaml
  - data/reports/GO-2024-2486.yaml
  - data/reports/GO-2024-2513.yaml
  - data/reports/GO-2024-2565.yaml

Updates #2521
Updates #2434
Updates #2537
Updates #2432
Updates #2483
Updates #2480
Updates #2433
Updates #2530
Updates #2556
Updates #2472
Updates #2540
Updates #2560
Updates #2561
Updates #2590
Updates #2428
Updates #2508
Updates #2592
Updates #2511
Updates #2491
Updates #2479
Updates #2509
Updates #2589
Updates #2496
Updates #2505
Updates #2558
Updates #2430
Updates #2594
Updates #2431
Updates #2488
Updates #2495
Updates #2557
Updates #2442
Updates #2593
Updates #2512
Updates #2528
Updates #2529
Updates #2588
Updates #2562
Updates #2441
Updates #2591
Updates #2477
Updates #2448
Updates #2510
Updates #2564
Updates #2476
Updates #2527
Updates #2481
Updates #2445
Updates #2457
Updates #2446
Updates #2447
Updates #2501
Updates #2440
Updates #2500
Updates #2444
Updates #2550
Updates #2523
Updates #2516
Updates #2531
Updates #2595
Updates #2520
Updates #2582
Updates #2485
Updates #2541
Updates #2563
Updates #2532
Updates #2450
Updates #2515
Updates #2499
Updates #2514
Updates #2535
Updates #2458
Updates #2449
Updates #2549
Updates #2517
Updates #2478
Updates #2559
Updates #2486
Updates #2513
Updates #2565

Change-Id: I9920757c40e457cb5d033ef0e0a99deb6a5c29b5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592778
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
This was referenced Aug 2, 2024
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606358 mentions this issue: data/reports: regenerate 50 reports

gopherbot pushed a commit that referenced this issue Aug 19, 2024
@tatianab @gopherbot
data/reports: regenerate 50 reports
08b42c7 
  - data/reports/GO-2024-2428.yaml
  - data/reports/GO-2024-2442.yaml
  - data/reports/GO-2024-2444.yaml
  - data/reports/GO-2024-2445.yaml
  - data/reports/GO-2024-2446.yaml
  - data/reports/GO-2024-2447.yaml
  - data/reports/GO-2024-2448.yaml
  - data/reports/GO-2024-2449.yaml
  - data/reports/GO-2024-2450.yaml
  - data/reports/GO-2024-2478.yaml
  - data/reports/GO-2024-2485.yaml
  - data/reports/GO-2024-2486.yaml
  - data/reports/GO-2024-2488.yaml
  - data/reports/GO-2024-2499.yaml
  - data/reports/GO-2024-2501.yaml
  - data/reports/GO-2024-2505.yaml
  - data/reports/GO-2024-2508.yaml
  - data/reports/GO-2024-2509.yaml
  - data/reports/GO-2024-2511.yaml
  - data/reports/GO-2024-2513.yaml
  - data/reports/GO-2024-2514.yaml
  - data/reports/GO-2024-2515.yaml
  - data/reports/GO-2024-2517.yaml
  - data/reports/GO-2024-2519.yaml
  - data/reports/GO-2024-2520.yaml
  - data/reports/GO-2024-2523.yaml
  - data/reports/GO-2024-2540.yaml
  - data/reports/GO-2024-2541.yaml
  - data/reports/GO-2024-2566.yaml
  - data/reports/GO-2024-2568.yaml
  - data/reports/GO-2024-2569.yaml
  - data/reports/GO-2024-2576.yaml
  - data/reports/GO-2024-2578.yaml
  - data/reports/GO-2024-2579.yaml
  - data/reports/GO-2024-2580.yaml
  - data/reports/GO-2024-2582.yaml
  - data/reports/GO-2024-2588.yaml
  - data/reports/GO-2024-2589.yaml
  - data/reports/GO-2024-2590.yaml
  - data/reports/GO-2024-2591.yaml
  - data/reports/GO-2024-2592.yaml
  - data/reports/GO-2024-2593.yaml
  - data/reports/GO-2024-2594.yaml
  - data/reports/GO-2024-2595.yaml
  - data/reports/GO-2024-2597.yaml
  - data/reports/GO-2024-2629.yaml
  - data/reports/GO-2024-2635.yaml
  - data/reports/GO-2024-2636.yaml
  - data/reports/GO-2024-2637.yaml
  - data/reports/GO-2024-2641.yaml

Updates #2428
Updates #2442
Updates #2444
Updates #2445
Updates #2446
Updates #2447
Updates #2448
Updates #2449
Updates #2450
Updates #2478
Updates #2485
Updates #2486
Updates #2488
Updates #2499
Updates #2501
Updates #2505
Updates #2508
Updates #2509
Updates #2511
Updates #2513
Updates #2514
Updates #2515
Updates #2517
Updates #2519
Updates #2520
Updates #2523
Updates #2540
Updates #2541
Updates #2566
Updates #2568
Updates #2569
Updates #2576
Updates #2578
Updates #2579
Updates #2580
Updates #2582
Updates #2588
Updates #2589
Updates #2590
Updates #2591
Updates #2592
Updates #2593
Updates #2594
Updates #2595
Updates #2597
Updates #2629
Updates #2635
Updates #2636
Updates #2637
Updates #2641

Change-Id: If02ad5ae2b621addda56b45d8c84b0476a12737b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606358
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This was referenced Aug 22, 2024
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Sep 27, 2024
Closed
This was referenced Oct 28, 2024
Closed
Closed
Closed
Closed
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@jba jba

Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @jba @GoVulnBot