x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-67fw-w8f2-88wp #3026

GoVulnBot · 2024-08-02T14:02:56Z

Advisory GHSA-67fw-w8f2-88wp references a vulnerability in the following Go modules:

Module
github.com/casdoor/casdoor

Description:
An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the ssh.InsecureIgnoreHostKey() method.

References:

Cross references:

github.com/casdoor/casdoor appears in 4 other report(s):
- data/excluded/GO-2022-0303.yaml (x/vulndb: potential Go vuln in github.com/casdoor/casdoor: CVE-2022-24124 #303) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1006.yaml (x/vulndb: potential Go vuln in github.com/casdoor/casdoor: CVE-2022-38638, GHSA-9vm3-r8gq-cr6x #1006) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1153.yaml (x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-f93f-55c2-8c89 #1153) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1868.yaml (x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-rwcp-qrwg-56cg #1868) EFFECTIVELY_PRIVATE

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/casdoor/casdoor
      non_go_versions:
        - introduced: TODO (earliest fixed "", vuln range ">= 1.541.0, <= 1.636.0")
      vulnerable_at: 1.659.0
summary: casdoor's use of`ssh.InsecureIgnoreHostKey()` disables host key verification in github.com/casdoor/casdoor
cves:
    - CVE-2024-41264
ghsas:
    - GHSA-67fw-w8f2-88wp
references:
    - advisory: https://github.com/advisories/GHSA-67fw-w8f2-88wp
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41264
    - web: https://gist.github.com/nyxfqq/33ceaccbc9b05d439a944c2b55fa1c0f
    - web: https://github.com/casdoor/casdoor/blob/v1.636.0/object/viaSSHDialer.go
source:
    id: GHSA-67fw-w8f2-88wp
    created: 2024-08-02T14:02:56.414611863Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-08-05T21:15:42Z

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports

tatianab added the triaged label Aug 3, 2024

gopherbot closed this as completed in 7162f20 Aug 6, 2024

This was referenced Aug 22, 2024

x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-gv2p-4mvg-g32h #3086

Closed

x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-mchx-7j67-8mcf #3087

Closed

GoVulnBot mentioned this issue May 2, 2025

x/vulndb: potential Go vuln in github.com/casdoor/casdoor: CVE-2025-4210 #3661

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-67fw-w8f2-88wp #3026

x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-67fw-w8f2-88wp #3026

GoVulnBot commented Aug 2, 2024

gopherbot commented Aug 5, 2024

x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-67fw-w8f2-88wp #3026

x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-67fw-w8f2-88wp #3026

Comments

GoVulnBot commented Aug 2, 2024

gopherbot commented Aug 5, 2024