x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-762v-rq7q-ff97

[GoVulnBot]

Advisory GHSA-762v-rq7q-ff97 references a vulnerability in the following Go modules:

Module
github.com/mattermost/mattermost-server
github.com/mattermost/mattermost-server/v5
github.com/mattermost/mattermost-server/v6
github.com/mattermost/mattermost/server/v8

Description: Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by sending a specially crafted request to Playbooks.

References:

• ADVISORY: https://github.com/advisories/GHSA-762v-rq7q-ff97
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-47401
• WEB: https://mattermost.com/security-updates

Cross references:

• github.com/mattermost/mattermost-server appears in 54 other report(s):
  • data/excluded/GO-2022-0601.yaml (https://github.com/golang/vulndb/issues/601) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1126.yaml (https://github.com/golang/vulndb/issues/1126) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1127.yaml (https://github.com/golang/vulndb/issues/1127) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1710.yaml (https://github.com/golang/vulndb/issues/1710) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0540.yaml (https://github.com/golang/vulndb/issues/540)
  • data/reports/GO-2022-0576.yaml (https://github.com/golang/vulndb/issues/576)
  • data/reports/GO-2022-0595.yaml (https://github.com/golang/vulndb/issues/595)
  • data/reports/GO-2022-0599.yaml (https://github.com/golang/vulndb/issues/599)
  • data/reports/GO-2022-0604.yaml (https://github.com/golang/vulndb/issues/604)
  • data/reports/GO-2022-0616.yaml (https://github.com/golang/vulndb/issues/616)
  • data/reports/GO-2023-1939.yaml (https://github.com/golang/vulndb/issues/1939)
  • data/reports/GO-2024-2444.yaml (https://github.com/golang/vulndb/issues/2444)
  • data/reports/GO-2024-2446.yaml (https://github.com/golang/vulndb/issues/2446)
  • data/reports/GO-2024-2448.yaml (https://github.com/golang/vulndb/issues/2448)
  • data/reports/GO-2024-2450.yaml (https://github.com/golang/vulndb/issues/2450)
  • data/reports/GO-2024-2541.yaml (https://github.com/golang/vulndb/issues/2541)
  • data/reports/GO-2024-2566.yaml (https://github.com/golang/vulndb/issues/2566)
  • data/reports/GO-2024-2588.yaml (https://github.com/golang/vulndb/issues/2588)
  • data/reports/GO-2024-2589.yaml (https://github.com/golang/vulndb/issues/2589)
  • data/reports/GO-2024-2590.yaml (https://github.com/golang/vulndb/issues/2590)
  • data/reports/GO-2024-2591.yaml (https://github.com/golang/vulndb/issues/2591)
  • data/reports/GO-2024-2592.yaml (https://github.com/golang/vulndb/issues/2592)
  • data/reports/GO-2024-2593.yaml (https://github.com/golang/vulndb/issues/2593)
  • data/reports/GO-2024-2594.yaml (https://github.com/golang/vulndb/issues/2594)
  • data/reports/GO-2024-2595.yaml (https://github.com/golang/vulndb/issues/2595)
  • data/reports/GO-2024-2635.yaml (https://github.com/golang/vulndb/issues/2635)
  • data/reports/GO-2024-2695.yaml (https://github.com/golang/vulndb/issues/2695)
  • data/reports/GO-2024-2696.yaml (https://github.com/golang/vulndb/issues/2696)
  • data/reports/GO-2024-2706.yaml (https://github.com/golang/vulndb/issues/2706)
  • data/reports/GO-2024-2707.yaml (https://github.com/golang/vulndb/issues/2707)
  • data/reports/GO-2024-2793.yaml (https://github.com/golang/vulndb/issues/2793)
  • data/reports/GO-2024-2794.yaml (https://github.com/golang/vulndb/issues/2794)
  • data/reports/GO-2024-2795.yaml (https://github.com/golang/vulndb/issues/2795)
  • data/reports/GO-2024-2796.yaml (https://github.com/golang/vulndb/issues/2796)
  • data/reports/GO-2024-2797.yaml (https://github.com/golang/vulndb/issues/2797)
  • data/reports/GO-2024-2798.yaml (https://github.com/golang/vulndb/issues/2798)
  • data/reports/GO-2024-3020.yaml (https://github.com/golang/vulndb/issues/3020)
  • data/reports/GO-2024-3022.yaml (https://github.com/golang/vulndb/issues/3022)
  • data/reports/GO-2024-3023.yaml (https://github.com/golang/vulndb/issues/3023)
  • data/reports/GO-2024-3024.yaml (https://github.com/golang/vulndb/issues/3024)
  • data/reports/GO-2024-3025.yaml (https://github.com/golang/vulndb/issues/3025)
  • data/reports/GO-2024-3028.yaml (https://github.com/golang/vulndb/issues/3028)
  • data/reports/GO-2024-3030.yaml (https://github.com/golang/vulndb/issues/3030)
  • data/reports/GO-2024-3031.yaml (https://github.com/golang/vulndb/issues/3031)
  • data/reports/GO-2024-3032.yaml (https://github.com/golang/vulndb/issues/3032)
  • data/reports/GO-2024-3089.yaml (https://github.com/golang/vulndb/issues/3089)
  • data/reports/GO-2024-3090.yaml (https://github.com/golang/vulndb/issues/3090)
  • data/reports/GO-2024-3091.yaml (https://github.com/golang/vulndb/issues/3091)
  • data/reports/GO-2024-3092.yaml (https://github.com/golang/vulndb/issues/3092)
  • data/reports/GO-2024-3093.yaml (https://github.com/golang/vulndb/issues/3093)
  • data/reports/GO-2024-3094.yaml (https://github.com/golang/vulndb/issues/3094)
  • data/reports/GO-2024-3096.yaml (https://github.com/golang/vulndb/issues/3096)
  • data/reports/GO-2024-3097.yaml (https://github.com/golang/vulndb/issues/3097)
  • data/reports/GO-2024-3164.yaml (https://github.com/golang/vulndb/issues/3164)
• github.com/mattermost/mattermost-server/v5 appears in 44 other report(s):
  • data/reports/GO-2022-0540.yaml (https://github.com/golang/vulndb/issues/540)
  • data/reports/GO-2022-0576.yaml (https://github.com/golang/vulndb/issues/576)
  • data/reports/GO-2022-0595.yaml (https://github.com/golang/vulndb/issues/595)
  • data/reports/GO-2022-0599.yaml (https://github.com/golang/vulndb/issues/599)
  • data/reports/GO-2022-0604.yaml (https://github.com/golang/vulndb/issues/604)
  • data/reports/GO-2022-0616.yaml (https://github.com/golang/vulndb/issues/616)
  • data/reports/GO-2023-1939.yaml (https://github.com/golang/vulndb/issues/1939)
  • data/reports/GO-2024-2444.yaml (https://github.com/golang/vulndb/issues/2444)
  • data/reports/GO-2024-2446.yaml (https://github.com/golang/vulndb/issues/2446)
  • data/reports/GO-2024-2448.yaml (https://github.com/golang/vulndb/issues/2448)
  • data/reports/GO-2024-2450.yaml (https://github.com/golang/vulndb/issues/2450)
  • data/reports/GO-2024-2541.yaml (https://github.com/golang/vulndb/issues/2541)
  • data/reports/GO-2024-2566.yaml (https://github.com/golang/vulndb/issues/2566)
  • data/reports/GO-2024-2588.yaml (https://github.com/golang/vulndb/issues/2588)
  • data/reports/GO-2024-2589.yaml (https://github.com/golang/vulndb/issues/2589)
  • data/reports/GO-2024-2590.yaml (https://github.com/golang/vulndb/issues/2590)
  • data/reports/GO-2024-2591.yaml (https://github.com/golang/vulndb/issues/2591)
  • data/reports/GO-2024-2592.yaml (https://github.com/golang/vulndb/issues/2592)
  • data/reports/GO-2024-2593.yaml (https://github.com/golang/vulndb/issues/2593)
  • data/reports/GO-2024-2594.yaml (https://github.com/golang/vulndb/issues/2594)
  • data/reports/GO-2024-2595.yaml (https://github.com/golang/vulndb/issues/2595)
  • data/reports/GO-2024-2635.yaml (https://github.com/golang/vulndb/issues/2635)
  • data/reports/GO-2024-2695.yaml (https://github.com/golang/vulndb/issues/2695)
  • data/reports/GO-2024-2696.yaml (https://github.com/golang/vulndb/issues/2696)
  • data/reports/GO-2024-2706.yaml (https://github.com/golang/vulndb/issues/2706)
  • data/reports/GO-2024-2707.yaml (https://github.com/golang/vulndb/issues/2707)
  • data/reports/GO-2024-3020.yaml (https://github.com/golang/vulndb/issues/3020)
  • data/reports/GO-2024-3022.yaml (https://github.com/golang/vulndb/issues/3022)
  • data/reports/GO-2024-3023.yaml (https://github.com/golang/vulndb/issues/3023)
  • data/reports/GO-2024-3024.yaml (https://github.com/golang/vulndb/issues/3024)
  • data/reports/GO-2024-3025.yaml (https://github.com/golang/vulndb/issues/3025)
  • data/reports/GO-2024-3028.yaml (https://github.com/golang/vulndb/issues/3028)
  • data/reports/GO-2024-3030.yaml (https://github.com/golang/vulndb/issues/3030)
  • data/reports/GO-2024-3031.yaml (https://github.com/golang/vulndb/issues/3031)
  • data/reports/GO-2024-3032.yaml (https://github.com/golang/vulndb/issues/3032)
  • data/reports/GO-2024-3089.yaml (https://github.com/golang/vulndb/issues/3089)
  • data/reports/GO-2024-3090.yaml (https://github.com/golang/vulndb/issues/3090)
  • data/reports/GO-2024-3091.yaml (https://github.com/golang/vulndb/issues/3091)
  • data/reports/GO-2024-3092.yaml (https://github.com/golang/vulndb/issues/3092)
  • data/reports/GO-2024-3093.yaml (https://github.com/golang/vulndb/issues/3093)
  • data/reports/GO-2024-3094.yaml (https://github.com/golang/vulndb/issues/3094)
  • data/reports/GO-2024-3096.yaml (https://github.com/golang/vulndb/issues/3096)
  • data/reports/GO-2024-3097.yaml (https://github.com/golang/vulndb/issues/3097)
  • data/reports/GO-2024-3164.yaml (https://github.com/golang/vulndb/issues/3164)
• github.com/mattermost/mattermost-server/v6 appears in 66 other report(s):
  • data/excluded/GO-2022-1028.yaml (https://github.com/golang/vulndb/issues/1028) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1711.yaml (https://github.com/golang/vulndb/issues/1711) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1712.yaml (https://github.com/golang/vulndb/issues/1712) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1727.yaml (https://github.com/golang/vulndb/issues/1727) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1778.yaml (https://github.com/golang/vulndb/issues/1778) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1873.yaml (https://github.com/golang/vulndb/issues/1873) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2007.yaml (https://github.com/golang/vulndb/issues/2007) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2008.yaml (https://github.com/golang/vulndb/issues/2008) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2009.yaml (https://github.com/golang/vulndb/issues/2009) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2010.yaml (https://github.com/golang/vulndb/issues/2010) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2087.yaml (https://github.com/golang/vulndb/issues/2087) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2089.yaml (https://github.com/golang/vulndb/issues/2089) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2090.yaml (https://github.com/golang/vulndb/issues/2090) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2091.yaml (https://github.com/golang/vulndb/issues/2091) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2093.yaml (https://github.com/golang/vulndb/issues/2093) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2358.yaml (https://github.com/golang/vulndb/issues/2358) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2359.yaml (https://github.com/golang/vulndb/issues/2359) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2360.yaml (https://github.com/golang/vulndb/issues/2360) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2361.yaml (https://github.com/golang/vulndb/issues/2361) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2362.yaml (https://github.com/golang/vulndb/issues/2362) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2363.yaml (https://github.com/golang/vulndb/issues/2363) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2364.yaml (https://github.com/golang/vulndb/issues/2364) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2365.yaml (https://github.com/golang/vulndb/issues/2365) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2366.yaml (https://github.com/golang/vulndb/issues/2366) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0540.yaml (https://github.com/golang/vulndb/issues/540)
  • data/reports/GO-2022-0576.yaml (https://github.com/golang/vulndb/issues/576)
  • data/reports/GO-2022-0595.yaml (https://github.com/golang/vulndb/issues/595)
  • data/reports/GO-2022-0599.yaml (https://github.com/golang/vulndb/issues/599)
  • data/reports/GO-2022-0616.yaml (https://github.com/golang/vulndb/issues/616)
  • data/reports/GO-2024-2444.yaml (https://github.com/golang/vulndb/issues/2444)
  • data/reports/GO-2024-2446.yaml (https://github.com/golang/vulndb/issues/2446)
  • data/reports/GO-2024-2448.yaml (https://github.com/golang/vulndb/issues/2448)
  • data/reports/GO-2024-2450.yaml (https://github.com/golang/vulndb/issues/2450)
  • data/reports/GO-2024-2541.yaml (https://github.com/golang/vulndb/issues/2541)
  • data/reports/GO-2024-2566.yaml (https://github.com/golang/vulndb/issues/2566)
  • data/reports/GO-2024-2588.yaml (https://github.com/golang/vulndb/issues/2588)
  • data/reports/GO-2024-2589.yaml (https://github.com/golang/vulndb/issues/2589)
  • data/reports/GO-2024-2590.yaml (https://github.com/golang/vulndb/issues/2590)
  • data/reports/GO-2024-2591.yaml (https://github.com/golang/vulndb/issues/2591)
  • data/reports/GO-2024-2592.yaml (https://github.com/golang/vulndb/issues/2592)
  • data/reports/GO-2024-2593.yaml (https://github.com/golang/vulndb/issues/2593)
  • data/reports/GO-2024-2594.yaml (https://github.com/golang/vulndb/issues/2594)
  • data/reports/GO-2024-2595.yaml (https://github.com/golang/vulndb/issues/2595)
  • data/reports/GO-2024-2635.yaml (https://github.com/golang/vulndb/issues/2635)
  • data/reports/GO-2024-2695.yaml (https://github.com/golang/vulndb/issues/2695)
  • data/reports/GO-2024-2696.yaml (https://github.com/golang/vulndb/issues/2696)
  • data/reports/GO-2024-2706.yaml (https://github.com/golang/vulndb/issues/2706)
  • data/reports/GO-2024-2707.yaml (https://github.com/golang/vulndb/issues/2707)
  • data/reports/GO-2024-3020.yaml (https://github.com/golang/vulndb/issues/3020)
  • data/reports/GO-2024-3022.yaml (https://github.com/golang/vulndb/issues/3022)
  • data/reports/GO-2024-3023.yaml (https://github.com/golang/vulndb/issues/3023)
  • data/reports/GO-2024-3024.yaml (https://github.com/golang/vulndb/issues/3024)
  • data/reports/GO-2024-3025.yaml (https://github.com/golang/vulndb/issues/3025)
  • data/reports/GO-2024-3028.yaml (https://github.com/golang/vulndb/issues/3028)
  • data/reports/GO-2024-3030.yaml (https://github.com/golang/vulndb/issues/3030)
  • data/reports/GO-2024-3031.yaml (https://github.com/golang/vulndb/issues/3031)
  • data/reports/GO-2024-3032.yaml (https://github.com/golang/vulndb/issues/3032)
  • data/reports/GO-2024-3089.yaml (https://github.com/golang/vulndb/issues/3089)
  • data/reports/GO-2024-3090.yaml (https://github.com/golang/vulndb/issues/3090)
  • data/reports/GO-2024-3091.yaml (https://github.com/golang/vulndb/issues/3091)
  • data/reports/GO-2024-3092.yaml (https://github.com/golang/vulndb/issues/3092)
  • data/reports/GO-2024-3093.yaml (https://github.com/golang/vulndb/issues/3093)
  • data/reports/GO-2024-3094.yaml (https://github.com/golang/vulndb/issues/3094)
  • data/reports/GO-2024-3096.yaml (https://github.com/golang/vulndb/issues/3096)
  • data/reports/GO-2024-3097.yaml (https://github.com/golang/vulndb/issues/3097)
  • data/reports/GO-2024-3164.yaml (https://github.com/golang/vulndb/issues/3164)
• github.com/mattermost/mattermost/server/v8 appears in 41 other report(s):
  • data/excluded/GO-2023-2182.yaml (https://github.com/golang/vulndb/issues/2182) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2183.yaml (https://github.com/golang/vulndb/issues/2183) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2184.yaml (https://github.com/golang/vulndb/issues/2184) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2390.yaml (https://github.com/golang/vulndb/issues/2390) EFFECTIVELY_PRIVATE
  • data/reports/GO-2024-2444.yaml (https://github.com/golang/vulndb/issues/2444)
  • data/reports/GO-2024-2446.yaml (https://github.com/golang/vulndb/issues/2446)
  • data/reports/GO-2024-2448.yaml (https://github.com/golang/vulndb/issues/2448)
  • data/reports/GO-2024-2450.yaml (https://github.com/golang/vulndb/issues/2450)
  • data/reports/GO-2024-2541.yaml (https://github.com/golang/vulndb/issues/2541)
  • data/reports/GO-2024-2566.yaml (https://github.com/golang/vulndb/issues/2566)
  • data/reports/GO-2024-2588.yaml (https://github.com/golang/vulndb/issues/2588)
  • data/reports/GO-2024-2589.yaml (https://github.com/golang/vulndb/issues/2589)
  • data/reports/GO-2024-2590.yaml (https://github.com/golang/vulndb/issues/2590)
  • data/reports/GO-2024-2591.yaml (https://github.com/golang/vulndb/issues/2591)
  • data/reports/GO-2024-2592.yaml (https://github.com/golang/vulndb/issues/2592)
  • data/reports/GO-2024-2593.yaml (https://github.com/golang/vulndb/issues/2593)
  • data/reports/GO-2024-2594.yaml (https://github.com/golang/vulndb/issues/2594)
  • data/reports/GO-2024-2595.yaml (https://github.com/golang/vulndb/issues/2595)
  • data/reports/GO-2024-2635.yaml (https://github.com/golang/vulndb/issues/2635)
  • data/reports/GO-2024-2695.yaml (https://github.com/golang/vulndb/issues/2695)
  • data/reports/GO-2024-2696.yaml (https://github.com/golang/vulndb/issues/2696)
  • data/reports/GO-2024-2706.yaml (https://github.com/golang/vulndb/issues/2706)
  • data/reports/GO-2024-2707.yaml (https://github.com/golang/vulndb/issues/2707)
  • data/reports/GO-2024-3020.yaml (https://github.com/golang/vulndb/issues/3020)
  • data/reports/GO-2024-3022.yaml (https://github.com/golang/vulndb/issues/3022)
  • data/reports/GO-2024-3023.yaml (https://github.com/golang/vulndb/issues/3023)
  • data/reports/GO-2024-3024.yaml (https://github.com/golang/vulndb/issues/3024)
  • data/reports/GO-2024-3025.yaml (https://github.com/golang/vulndb/issues/3025)
  • data/reports/GO-2024-3028.yaml (https://github.com/golang/vulndb/issues/3028)
  • data/reports/GO-2024-3030.yaml (https://github.com/golang/vulndb/issues/3030)
  • data/reports/GO-2024-3031.yaml (https://github.com/golang/vulndb/issues/3031)
  • data/reports/GO-2024-3032.yaml (https://github.com/golang/vulndb/issues/3032)
  • data/reports/GO-2024-3089.yaml (https://github.com/golang/vulndb/issues/3089)
  • data/reports/GO-2024-3090.yaml (https://github.com/golang/vulndb/issues/3090)
  • data/reports/GO-2024-3091.yaml (https://github.com/golang/vulndb/issues/3091)
  • data/reports/GO-2024-3092.yaml (https://github.com/golang/vulndb/issues/3092)
  • data/reports/GO-2024-3093.yaml (https://github.com/golang/vulndb/issues/3093)
  • data/reports/GO-2024-3094.yaml (https://github.com/golang/vulndb/issues/3094)
  • data/reports/GO-2024-3096.yaml (https://github.com/golang/vulndb/issues/3096)
  • data/reports/GO-2024-3097.yaml (https://github.com/golang/vulndb/issues/3097)
  • data/reports/GO-2024-3164.yaml (https://github.com/golang/vulndb/issues/3164)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/mattermost/mattermost-server
      vulnerable_at: 10.1.2+incompatible
    - module: github.com/mattermost/mattermost-server/v5
      vulnerable_at: 5.39.3
    - module: github.com/mattermost/mattermost-server/v6
      vulnerable_at: 6.7.2
    - module: github.com/mattermost/mattermost/server/v8
      versions:
        - fixed: 8.0.0-20240926115259-20ed58906adc
summary: |-
    Mattermost Server vulnerable to application crash from attacker-generated large
    response in github.com/mattermost/mattermost-server
cves:
    - CVE-2024-47401
ghsas:
    - GHSA-762v-rq7q-ff97
references:
    - advisory: https://github.com/advisories/GHSA-762v-rq7q-ff97
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47401
    - web: https://mattermost.com/security-updates
notes:
    - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
source:
    id: GHSA-762v-rq7q-ff97
    created: 2024-10-29T17:04:24.116985369Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/623640 mentions this issue: data/reports: add 9 unreviewed reports