Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fx48-xv6q-6gp3 #2591

Closed
GoVulnBot opened this issue Feb 29, 2024 · 3 comments
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-fx48-xv6q-6gp3, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/mattermost/mattermost/server/v8 8.1.9 < 8.1.9

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/mattermost/mattermost/server/v8
      versions:
        - fixed: 8.1.9
      packages:
        - package: github.com/mattermost/mattermost/server/v8
    - module: github.com/mattermost/mattermost/server/v8
      versions:
        - introduced: 9.2.0
          fixed: 9.2.5
      packages:
        - package: github.com/mattermost/mattermost/server/v8
    - module: github.com/mattermost/mattermost/server/v8
      versions:
        - introduced: 9.3.0
          fixed: 9.3.1
      packages:
        - package: github.com/mattermost/mattermost/server/v8
summary: Mattermost post fetching without auditing in compliance export
cves:
    - CVE-2024-1887
ghsas:
    - GHSA-fx48-xv6q-6gp3
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2024-1887
    - web: https://mattermost.com/security-updates
    - advisory: https://github.com/advisories/GHSA-fx48-xv6q-6gp3

@jba jba self-assigned this Mar 1, 2024
@jba jba added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Mar 2, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/569495 mentions this issue: data/excluded: batch add 11 excluded reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592778 mentions this issue: data/reports: unexclude 80 reports

gopherbot pushed a commit that referenced this issue Jun 28, 2024
  - data/reports/GO-2024-2521.yaml
  - data/reports/GO-2024-2434.yaml
  - data/reports/GO-2024-2537.yaml
  - data/reports/GO-2024-2432.yaml
  - data/reports/GO-2024-2483.yaml
  - data/reports/GO-2024-2480.yaml
  - data/reports/GO-2024-2433.yaml
  - data/reports/GO-2024-2530.yaml
  - data/reports/GO-2024-2556.yaml
  - data/reports/GO-2024-2472.yaml
  - data/reports/GO-2024-2540.yaml
  - data/reports/GO-2024-2560.yaml
  - data/reports/GO-2024-2561.yaml
  - data/reports/GO-2024-2590.yaml
  - data/reports/GO-2024-2428.yaml
  - data/reports/GO-2024-2508.yaml
  - data/reports/GO-2024-2592.yaml
  - data/reports/GO-2024-2511.yaml
  - data/reports/GO-2024-2491.yaml
  - data/reports/GO-2024-2479.yaml
  - data/reports/GO-2024-2509.yaml
  - data/reports/GO-2024-2589.yaml
  - data/reports/GO-2024-2496.yaml
  - data/reports/GO-2024-2505.yaml
  - data/reports/GO-2024-2558.yaml
  - data/reports/GO-2024-2430.yaml
  - data/reports/GO-2024-2594.yaml
  - data/reports/GO-2024-2431.yaml
  - data/reports/GO-2024-2488.yaml
  - data/reports/GO-2024-2495.yaml
  - data/reports/GO-2024-2557.yaml
  - data/reports/GO-2024-2442.yaml
  - data/reports/GO-2024-2593.yaml
  - data/reports/GO-2024-2512.yaml
  - data/reports/GO-2024-2528.yaml
  - data/reports/GO-2024-2529.yaml
  - data/reports/GO-2024-2588.yaml
  - data/reports/GO-2024-2562.yaml
  - data/reports/GO-2024-2441.yaml
  - data/reports/GO-2024-2591.yaml
  - data/reports/GO-2024-2477.yaml
  - data/reports/GO-2024-2448.yaml
  - data/reports/GO-2024-2510.yaml
  - data/reports/GO-2024-2564.yaml
  - data/reports/GO-2024-2476.yaml
  - data/reports/GO-2024-2527.yaml
  - data/reports/GO-2024-2481.yaml
  - data/reports/GO-2024-2445.yaml
  - data/reports/GO-2024-2457.yaml
  - data/reports/GO-2024-2446.yaml
  - data/reports/GO-2024-2447.yaml
  - data/reports/GO-2024-2501.yaml
  - data/reports/GO-2024-2440.yaml
  - data/reports/GO-2024-2500.yaml
  - data/reports/GO-2024-2444.yaml
  - data/reports/GO-2024-2550.yaml
  - data/reports/GO-2024-2523.yaml
  - data/reports/GO-2024-2516.yaml
  - data/reports/GO-2024-2531.yaml
  - data/reports/GO-2024-2595.yaml
  - data/reports/GO-2024-2520.yaml
  - data/reports/GO-2024-2582.yaml
  - data/reports/GO-2024-2485.yaml
  - data/reports/GO-2024-2541.yaml
  - data/reports/GO-2024-2563.yaml
  - data/reports/GO-2024-2532.yaml
  - data/reports/GO-2024-2450.yaml
  - data/reports/GO-2024-2515.yaml
  - data/reports/GO-2024-2499.yaml
  - data/reports/GO-2024-2514.yaml
  - data/reports/GO-2024-2535.yaml
  - data/reports/GO-2024-2458.yaml
  - data/reports/GO-2024-2449.yaml
  - data/reports/GO-2024-2549.yaml
  - data/reports/GO-2024-2517.yaml
  - data/reports/GO-2024-2478.yaml
  - data/reports/GO-2024-2559.yaml
  - data/reports/GO-2024-2486.yaml
  - data/reports/GO-2024-2513.yaml
  - data/reports/GO-2024-2565.yaml

Updates #2521
Updates #2434
Updates #2537
Updates #2432
Updates #2483
Updates #2480
Updates #2433
Updates #2530
Updates #2556
Updates #2472
Updates #2540
Updates #2560
Updates #2561
Updates #2590
Updates #2428
Updates #2508
Updates #2592
Updates #2511
Updates #2491
Updates #2479
Updates #2509
Updates #2589
Updates #2496
Updates #2505
Updates #2558
Updates #2430
Updates #2594
Updates #2431
Updates #2488
Updates #2495
Updates #2557
Updates #2442
Updates #2593
Updates #2512
Updates #2528
Updates #2529
Updates #2588
Updates #2562
Updates #2441
Updates #2591
Updates #2477
Updates #2448
Updates #2510
Updates #2564
Updates #2476
Updates #2527
Updates #2481
Updates #2445
Updates #2457
Updates #2446
Updates #2447
Updates #2501
Updates #2440
Updates #2500
Updates #2444
Updates #2550
Updates #2523
Updates #2516
Updates #2531
Updates #2595
Updates #2520
Updates #2582
Updates #2485
Updates #2541
Updates #2563
Updates #2532
Updates #2450
Updates #2515
Updates #2499
Updates #2514
Updates #2535
Updates #2458
Updates #2449
Updates #2549
Updates #2517
Updates #2478
Updates #2559
Updates #2486
Updates #2513
Updates #2565

Change-Id: I9920757c40e457cb5d033ef0e0a99deb6a5c29b5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592778
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606358 mentions this issue: data/reports: regenerate 50 reports

gopherbot pushed a commit that referenced this issue Aug 19, 2024
  - data/reports/GO-2024-2428.yaml
  - data/reports/GO-2024-2442.yaml
  - data/reports/GO-2024-2444.yaml
  - data/reports/GO-2024-2445.yaml
  - data/reports/GO-2024-2446.yaml
  - data/reports/GO-2024-2447.yaml
  - data/reports/GO-2024-2448.yaml
  - data/reports/GO-2024-2449.yaml
  - data/reports/GO-2024-2450.yaml
  - data/reports/GO-2024-2478.yaml
  - data/reports/GO-2024-2485.yaml
  - data/reports/GO-2024-2486.yaml
  - data/reports/GO-2024-2488.yaml
  - data/reports/GO-2024-2499.yaml
  - data/reports/GO-2024-2501.yaml
  - data/reports/GO-2024-2505.yaml
  - data/reports/GO-2024-2508.yaml
  - data/reports/GO-2024-2509.yaml
  - data/reports/GO-2024-2511.yaml
  - data/reports/GO-2024-2513.yaml
  - data/reports/GO-2024-2514.yaml
  - data/reports/GO-2024-2515.yaml
  - data/reports/GO-2024-2517.yaml
  - data/reports/GO-2024-2519.yaml
  - data/reports/GO-2024-2520.yaml
  - data/reports/GO-2024-2523.yaml
  - data/reports/GO-2024-2540.yaml
  - data/reports/GO-2024-2541.yaml
  - data/reports/GO-2024-2566.yaml
  - data/reports/GO-2024-2568.yaml
  - data/reports/GO-2024-2569.yaml
  - data/reports/GO-2024-2576.yaml
  - data/reports/GO-2024-2578.yaml
  - data/reports/GO-2024-2579.yaml
  - data/reports/GO-2024-2580.yaml
  - data/reports/GO-2024-2582.yaml
  - data/reports/GO-2024-2588.yaml
  - data/reports/GO-2024-2589.yaml
  - data/reports/GO-2024-2590.yaml
  - data/reports/GO-2024-2591.yaml
  - data/reports/GO-2024-2592.yaml
  - data/reports/GO-2024-2593.yaml
  - data/reports/GO-2024-2594.yaml
  - data/reports/GO-2024-2595.yaml
  - data/reports/GO-2024-2597.yaml
  - data/reports/GO-2024-2629.yaml
  - data/reports/GO-2024-2635.yaml
  - data/reports/GO-2024-2636.yaml
  - data/reports/GO-2024-2637.yaml
  - data/reports/GO-2024-2641.yaml

Updates #2428
Updates #2442
Updates #2444
Updates #2445
Updates #2446
Updates #2447
Updates #2448
Updates #2449
Updates #2450
Updates #2478
Updates #2485
Updates #2486
Updates #2488
Updates #2499
Updates #2501
Updates #2505
Updates #2508
Updates #2509
Updates #2511
Updates #2513
Updates #2514
Updates #2515
Updates #2517
Updates #2519
Updates #2520
Updates #2523
Updates #2540
Updates #2541
Updates #2566
Updates #2568
Updates #2569
Updates #2576
Updates #2578
Updates #2579
Updates #2580
Updates #2582
Updates #2588
Updates #2589
Updates #2590
Updates #2591
Updates #2592
Updates #2593
Updates #2594
Updates #2595
Updates #2597
Updates #2629
Updates #2635
Updates #2636
Updates #2637
Updates #2641

Change-Id: If02ad5ae2b621addda56b45d8c84b0476a12737b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606358
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

3 participants