Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-826h-p4c3-477p #3338

Closed
GoVulnBot opened this issue Dec 16, 2024 · 1 comment
Labels

Comments

@GoVulnBot
Copy link

Advisory GHSA-826h-p4c3-477p references a vulnerability in the following Go modules:

Module
github.com/mattermost/mattermost-server
github.com/mattermost/mattermost-server/v5
github.com/mattermost/mattermost-server/v6
github.com/mattermost/mattermost/server/v8

Description:
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/mattermost/mattermost-server
      versions:
        - introduced: 9.5.0+incompatible
        - fixed: 9.5.13+incompatible
        - introduced: 9.11.0+incompatible
        - fixed: 9.11.5+incompatible
        - introduced: 10.0.0+incompatible
        - fixed: 10.0.3+incompatible
        - introduced: 10.1.0+incompatible
        - fixed: 10.1.3+incompatible
      vulnerable_at: 10.1.3-rc1+incompatible
    - module: github.com/mattermost/mattermost-server/v5
      vulnerable_at: 5.39.3
    - module: github.com/mattermost/mattermost-server/v6
      vulnerable_at: 6.7.2
    - module: github.com/mattermost/mattermost/server/v8
      vulnerable_at: 8.0.0-20241216173104-f556965a3258
summary: Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server
cves:
    - CVE-2024-48872
ghsas:
    - GHSA-826h-p4c3-477p
references:
    - advisory: https://github.com/advisories/GHSA-826h-p4c3-477p
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-48872
    - web: https://mattermost.com/security-updates
source:
    id: GHSA-826h-p4c3-477p
    created: 2024-12-16T20:03:16.147318114Z
review_status: UNREVIEWED

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/636717 mentions this issue: data/reports: add 6 unreviewed reports

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants