Closed GoVulnBot closed 1 month ago
Advisory GHSA-6mvp-gh77-7vwh references a vulnerability in the following Go modules:
Description: Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.
References:
Cross references:
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING modules: - module: github.com/mattermost/mattermost-server vulnerable_at: 10.1.2+incompatible - module: github.com/mattermost/mattermost-server/v5 vulnerable_at: 5.39.3 - module: github.com/mattermost/mattermost-server/v6 vulnerable_at: 6.7.2 - module: github.com/mattermost/mattermost/server/v8 versions: - fixed: 8.0.0-20240813135334-8f3a13122f55 summary: Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server cves: - CVE-2024-10241 ghsas: - GHSA-6mvp-gh77-7vwh references: - advisory: https://github.com/advisories/GHSA-6mvp-gh77-7vwh - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-10241 - web: https://mattermost.com/security-updates notes: - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed' source: id: GHSA-6mvp-gh77-7vwh created: 2024-10-29T17:03:13.497600641Z review_status: UNREVIEWED
Change https://go.dev/cl/623735 mentions this issue: data/reports: add GO-2024-3232
data/reports: add GO-2024-3232
Advisory GHSA-6mvp-gh77-7vwh references a vulnerability in the following Go modules:
Description: Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.
References:
Cross references:
See doc/quickstart.md for instructions on how to triage this report.