x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6w5w-wx8w-2cq9 #1252

Closed
GoVulnBot opened this issue Dec 30, 2022 · 5 comments
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

@GoVulnBot

In GitHub Security Advisory GHSA-6w5w-wx8w-2cq9, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/usememos/memos | | <= 0.9.0 |

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - {}
    packages:
      - package: github.com/usememos/memos
description: usememos/memos 0.9.0 and prior is vulnerable to full account takeover
    via changing user name, email address, and display name.
cves:
  - CVE-2022-4809
ghsas:
  - GHSA-6w5w-wx8w-2cq9

@zpavlinovic zpavlinovic self-assigned this Jan 3, 2023
@zpavlinovic zpavlinovic added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. duplicate labels Jan 3, 2023
@zpavlinovic
Contributor

Binary where packages with fix are not imported by anyone.

@tatianab tatianab self-assigned this Jul 28, 2023
@tatianab
Contributor

Needs excluded report

@tatianab tatianab reopened this Jul 28, 2023
@gopherbot
Contributor

Change https://go.dev/cl/513918 mentions this issue: data/excluded: batch add 26 excluded reports

@gopherbot
Contributor

Change https://go.dev/cl/592836 mentions this issue: data/reports: unexclude 25 reports

@gopherbot
Contributor

Change https://go.dev/cl/607233 mentions this issue: data/reports: unexclude 20 reports (31)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-1219.yaml
  - data/reports/GO-2022-1220.yaml
  - data/reports/GO-2022-1225.yaml
  - data/reports/GO-2022-1235.yaml
  - data/reports/GO-2022-1236.yaml
  - data/reports/GO-2022-1239.yaml
  - data/reports/GO-2022-1240.yaml
  - data/reports/GO-2022-1243.yaml
  - data/reports/GO-2022-1244.yaml
  - data/reports/GO-2022-1245.yaml
  - data/reports/GO-2022-1248.yaml
  - data/reports/GO-2022-1250.yaml
  - data/reports/GO-2022-1251.yaml
  - data/reports/GO-2022-1252.yaml
  - data/reports/GO-2022-1253.yaml
  - data/reports/GO-2022-1256.yaml
  - data/reports/GO-2022-1257.yaml
  - data/reports/GO-2022-1259.yaml
  - data/reports/GO-2022-1260.yaml
  - data/reports/GO-2022-1261.yaml

Updates #1219
Updates #1220
Updates #1225
Updates #1235
Updates #1236
Updates #1239
Updates #1240
Updates #1243
Updates #1244
Updates #1245
Updates #1248
Updates #1250
Updates #1251
Updates #1252
Updates #1253
Updates #1256
Updates #1257
Updates #1259
Updates #1260
Updates #1261

Change-Id: Ica30c989e0f295a3b92b2b355787ffcc1d04dcf4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607233
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>