x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9fpw-c9x7-cv3j

[GoVulnBot]

Advisory GHSA-9fpw-c9x7-cv3j references a vulnerability in the following Go modules:

Module
github.com/mattermost/mattermost-server
github.com/mattermost/mattermost-server/v5
github.com/mattermost/mattermost-server/v6
github.com/mattermost/mattermost/server/v8

Description:
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.

References:

• ADVISORY: GHSA-9fpw-c9x7-cv3j
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41926
• WEB: https://mattermost.com/security-updates

Cross references:

• github.com/mattermost/mattermost-server appears in 29 other report(s):
  • data/excluded/GO-2022-0601.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-gwpf-95jc-63rv #601) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1126.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-5jph-wrq7-v9hf #1126) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1127.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-v42f-hq78-8c5m #1127) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1710.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-3wq5-3f56-v5xc #1710) EFFECTIVELY_PRIVATE
  • data/reports/GO-2024-2444.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9w97-9rqx-8v4j #2444)
  • data/reports/GO-2024-2446.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h3gq-j7p9-x3p4 #2446)
  • data/reports/GO-2024-2448.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-q7rx-w656-fwmv #2448)
  • data/reports/GO-2024-2450.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w88v-pjr8-cmv2 #2450)
  • data/reports/GO-2024-2541.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-32h7-7j94-8fc2 #2541)
  • data/reports/GO-2024-2566.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r833-w756-h5p2 #2566)
  • data/reports/GO-2024-2588.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-3g35-v53r-gpxc #2588)
  • data/reports/GO-2024-2589.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-6mx3-9qfh-77gj #2589)
  • data/reports/GO-2024-2590.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-7v3v-984v-h74r #2590)
  • data/reports/GO-2024-2591.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fx48-xv6q-6gp3 #2591)
  • data/reports/GO-2024-2592.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hwjf-4667-gqwx #2592)
  • data/reports/GO-2024-2593.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-pfw6-5rx3-xh3c #2593)
  • data/reports/GO-2024-2594.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vm9m-57jr-4pxh #2594)
  • data/reports/GO-2024-2595.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xgxj-j98c-59rv #2595)
  • data/reports/GO-2024-2635.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r4fm-g65h-cr54 #2635)
  • data/reports/GO-2024-2695.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-mcw6-3256-64gg #2695)
  • data/reports/GO-2024-2696.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-wp43-vprh-c3w5 #2696)
  • data/reports/GO-2024-2706.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w67v-ph4x-f48q #2706)
  • data/reports/GO-2024-2707.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xp9j-8p68-9q93 #2707)
  • data/reports/GO-2024-2793.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-5fh7-7mw7-mmx5 #2793)
  • data/reports/GO-2024-2794.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-5qx9-9ffj-5r8f #2794)
  • data/reports/GO-2024-2795.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-8f99-g2pj-x8w3 #2795)
  • data/reports/GO-2024-2796.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-p2wq-4ggp-45f3 #2796)
  • data/reports/GO-2024-2797.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-vx97-8q8q-qgq5 #2797)
  • data/reports/GO-2024-2798.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-wj37-mpq9-xrcm #2798)
• github.com/mattermost/mattermost-server/v5 appears in 21 other report(s):
  • data/excluded/GO-2022-0604.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v5: GHSA-hv5f-73mr-7vvj #604) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0616.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v5: GHSA-qggc-pj29-j27m #616) EFFECTIVELY_PRIVATE
  • data/reports/GO-2024-2444.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9w97-9rqx-8v4j #2444)
  • data/reports/GO-2024-2446.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h3gq-j7p9-x3p4 #2446)
  • data/reports/GO-2024-2448.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-q7rx-w656-fwmv #2448)
  • data/reports/GO-2024-2450.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w88v-pjr8-cmv2 #2450)
  • data/reports/GO-2024-2541.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-32h7-7j94-8fc2 #2541)
  • data/reports/GO-2024-2566.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r833-w756-h5p2 #2566)
  • data/reports/GO-2024-2588.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-3g35-v53r-gpxc #2588)
  • data/reports/GO-2024-2589.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-6mx3-9qfh-77gj #2589)
  • data/reports/GO-2024-2590.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-7v3v-984v-h74r #2590)
  • data/reports/GO-2024-2591.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fx48-xv6q-6gp3 #2591)
  • data/reports/GO-2024-2592.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hwjf-4667-gqwx #2592)
  • data/reports/GO-2024-2593.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-pfw6-5rx3-xh3c #2593)
  • data/reports/GO-2024-2594.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vm9m-57jr-4pxh #2594)
  • data/reports/GO-2024-2595.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xgxj-j98c-59rv #2595)
  • data/reports/GO-2024-2635.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r4fm-g65h-cr54 #2635)
  • data/reports/GO-2024-2695.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-mcw6-3256-64gg #2695)
  • data/reports/GO-2024-2696.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-wp43-vprh-c3w5 #2696)
  • data/reports/GO-2024-2706.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w67v-ph4x-f48q #2706)
  • data/reports/GO-2024-2707.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xp9j-8p68-9q93 #2707)
• github.com/mattermost/mattermost-server/v6 appears in 47 other report(s):
  • data/excluded/GO-2022-0540.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-7ggc-5r84-xf54 #540) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0576.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-32rp-q37p-jg6w #576) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0595.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-f37q-q7p2-ccfc #595) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0599.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-fxwj-v664-wv5g #599) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1028.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-m7w4-q5vg-5xfp #1028) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1711.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-63f2-6959-2pxj #1711) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1712.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-8jhh-3jf2-pfwr #1712) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1727.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-9hj7-v56g-rhf6 #1727) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1778.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-7g2v-2frm-rg94 #1778) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1873.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-455c-vqrf-mghr #1873) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2007.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-6xjj-v76v-fwpj #2007) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2008.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-9rww-66w7-7vjx #2008) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2009.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-g3v6-r8p9-wxg9 #2009) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2010.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-p267-jjfq-pphf #2010) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2087.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-33r7-wjfc-7w98 #2087) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2089.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-9hwp-cj7m-wjw4 #2089) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2090.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-h69v-mvh9-hfrq #2090) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2091.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-h8wh-f7gw-fwpr #2091) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2093.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-rp65-jpc7-8h8p #2093) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2358.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-3487-3j7c-7gwj #2358) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2359.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-4ghx-8jw8-p76q #2359) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2360.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-85jj-c9jr-9jhx #2360) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2361.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-c37r-v8jx-7cv2 #2361) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2362.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-j4c3-3h73-74m9 #2362) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2363.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-jcgv-3pfq-j4hr #2363) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2364.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-jj46-9cgh-qmfx #2364) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2365.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-jjr7-372r-cx7x #2365) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2366.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-p5pr-vm3j-jxxf #2366) EFFECTIVELY_PRIVATE
  • data/reports/GO-2024-2444.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9w97-9rqx-8v4j #2444)
  • data/reports/GO-2024-2446.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h3gq-j7p9-x3p4 #2446)
  • data/reports/GO-2024-2448.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-q7rx-w656-fwmv #2448)
  • data/reports/GO-2024-2450.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w88v-pjr8-cmv2 #2450)
  • data/reports/GO-2024-2541.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-32h7-7j94-8fc2 #2541)
  • data/reports/GO-2024-2566.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r833-w756-h5p2 #2566)
  • data/reports/GO-2024-2588.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-3g35-v53r-gpxc #2588)
  • data/reports/GO-2024-2589.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-6mx3-9qfh-77gj #2589)
  • data/reports/GO-2024-2590.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-7v3v-984v-h74r #2590)
  • data/reports/GO-2024-2591.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fx48-xv6q-6gp3 #2591)
  • data/reports/GO-2024-2592.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hwjf-4667-gqwx #2592)
  • data/reports/GO-2024-2593.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-pfw6-5rx3-xh3c #2593)
  • data/reports/GO-2024-2594.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vm9m-57jr-4pxh #2594)
  • data/reports/GO-2024-2595.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xgxj-j98c-59rv #2595)
  • data/reports/GO-2024-2635.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r4fm-g65h-cr54 #2635)
  • data/reports/GO-2024-2695.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-mcw6-3256-64gg #2695)
  • data/reports/GO-2024-2696.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-wp43-vprh-c3w5 #2696)
  • data/reports/GO-2024-2706.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w67v-ph4x-f48q #2706)
  • data/reports/GO-2024-2707.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xp9j-8p68-9q93 #2707)
• github.com/mattermost/mattermost/server/v8 appears in 23 other report(s):
  • data/excluded/GO-2023-2182.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r67m-mf7v-qp7j #2182) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2183.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w496-f5qq-m58j #2183) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2184.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xvq6-h898-wcj8 #2184) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2390.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-63cv-4pc2-4fcf #2390) EFFECTIVELY_PRIVATE
  • data/reports/GO-2024-2444.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9w97-9rqx-8v4j #2444)
  • data/reports/GO-2024-2446.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h3gq-j7p9-x3p4 #2446)
  • data/reports/GO-2024-2448.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-q7rx-w656-fwmv #2448)
  • data/reports/GO-2024-2450.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w88v-pjr8-cmv2 #2450)
  • data/reports/GO-2024-2541.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-32h7-7j94-8fc2 #2541)
  • data/reports/GO-2024-2566.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r833-w756-h5p2 #2566)
  • data/reports/GO-2024-2588.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-3g35-v53r-gpxc #2588)
  • data/reports/GO-2024-2589.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-6mx3-9qfh-77gj #2589)
  • data/reports/GO-2024-2590.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-7v3v-984v-h74r #2590)
  • data/reports/GO-2024-2591.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fx48-xv6q-6gp3 #2591)
  • data/reports/GO-2024-2592.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hwjf-4667-gqwx #2592)
  • data/reports/GO-2024-2593.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-pfw6-5rx3-xh3c #2593)
  • data/reports/GO-2024-2594.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vm9m-57jr-4pxh #2594)
  • data/reports/GO-2024-2595.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xgxj-j98c-59rv #2595)
  • data/reports/GO-2024-2635.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r4fm-g65h-cr54 #2635)
  • data/reports/GO-2024-2695.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-mcw6-3256-64gg #2695)
  • data/reports/GO-2024-2696.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-wp43-vprh-c3w5 #2696)
  • data/reports/GO-2024-2706.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w67v-ph4x-f48q #2706)
  • data/reports/GO-2024-2707.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xp9j-8p68-9q93 #2707)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/mattermost/mattermost-server
      versions:
        - introduced: 9.5.0+incompatible
        - fixed: 9.5.7+incompatible
      non_go_versions:
        - introduced: TODO (earliest fixed "9.9.1", vuln range "= 9.9.0")
      vulnerable_at: 9.5.7-rc3+incompatible
    - module: github.com/mattermost/mattermost-server/v5
      vulnerable_at: 5.39.3
    - module: github.com/mattermost/mattermost-server/v6
      vulnerable_at: 6.7.2
    - module: github.com/mattermost/mattermost/server/v8
      vulnerable_at: 8.0.0-20240801225330-6956923b6aed
summary: |-
    Mattermost allows remote actor to set arbitrary RemoteId values for synced
    users in github.com/mattermost/mattermost-server
cves:
    - CVE-2024-41926
ghsas:
    - GHSA-9fpw-c9x7-cv3j
references:
    - advisory: https://github.com/advisories/GHSA-9fpw-c9x7-cv3j
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41926
    - web: https://mattermost.com/security-updates
notes:
    - fix: 'module merge error: could not merge versions of module github.com/mattermost/mattermost-server: invalid or non-canonical semver version (found TODO (earliest fixed "9.9.1", vuln range "= 9.9.0"))'
source:
    id: GHSA-9fpw-c9x7-cv3j
    created: 2024-08-02T02:02:47.474737477Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603715 mentions this issue: data/reports: add 20 unreviewed reports

[gopherbot]

Change https://go.dev/cl/603716 mentions this issue: data/reports: add 19 unreviewed reports