x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr

GoVulnBot commented 1 year ago

In GitHub Security Advisory GHSA-j2gj-g3p9-7mrr, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/usememos/memos	0.13.2	< 0.13.2

Cross references:

Module github.com/usememos/memos appears in issue #1173 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1189 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1190 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1191 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1192 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1205 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1215 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1216 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1217 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1218 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1219 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1220 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1225 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1226 NOT_GO_CODE
Module github.com/usememos/memos appears in issue #1228 NOT_GO_CODE
Module github.com/usememos/memos appears in issue #1235 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1236 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1239 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1240 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1243 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1244 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1245 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1248 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1250 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1251 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1252 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1253 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1254 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1255 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1256 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1257 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1258 NOT_GO_CODE
Module github.com/usememos/memos appears in issue #1259 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1260 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1261 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1262 NOT_GO_CODE
Module github.com/usememos/memos appears in issue #1263 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1264 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1265 NOT_GO_CODE
Module github.com/usememos/memos appears in issue #1266 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1270 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1271 NOT_GO_CODE
Module github.com/usememos/memos appears in issue #1272 NOT_GO_CODE
Module github.com/usememos/memos appears in issue #1285 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1286 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1291 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1292 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1449 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1460 NOT_GO_CODE
Module github.com/usememos/memos appears in issue #1461 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1462 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1465 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1467 NOT_GO_CODE
Module github.com/usememos/memos appears in issue #1469 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue #1566

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/usememos/memos
      versions:
        - fixed: 0.13.2
      vulnerable_at: 0.13.1
      packages:
        - package: github.com/usememos/memos
summary: Account TakeOver Due to Improper Handling of JWT Tokens in usememos/memos
description: |-
    Improper Access Control in GitHub repository usememos/memos prior to 0.13.2. As
    of commit `c9aa2eeb9` access tokens which fail validation are rejected.
cves:
    - CVE-2023-4696
ghsas:
    - GHSA-j2gj-g3p9-7mrr
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-4696
    - fix: https://github.com/usememos/memos/commit/c9aa2eeb9852047e4f41915eb30726bd25f07ecd
    - web: https://huntr.dev/bounties/4747a485-77c3-4bb5-aab0-21253ef303ca
    - advisory: https://github.com/advisories/GHSA-j2gj-g3p9-7mrr

gopherbot commented 1 year ago

Change https://go.dev/cl/527176 mentions this issue: data/excluded: batch add 14 excluded reports

gopherbot commented 5 months ago

Change https://go.dev/cl/592762 mentions this issue: data/reports: unexclude 75 reports

gopherbot commented 2 months ago

Change https://go.dev/cl/606790 mentions this issue: data/reports: unexclude 20 reports (10)

golang / vulndb

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr #2038