
x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j593-h5v3-45x6 #1220

Closed
GoVulnBot opened this issue Dec 30, 2022 · 4 comments
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-j593-h5v3-45x6, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/usememos/memos | | <= 0.9.0 |

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

```yaml
modules:
  - module: TODO
    versions:
      - {}
    packages:
      - package: github.com/usememos/memos
description: usememos/memos 0.9.0 and prior has endpoint that leaks user information
    like names, email, role, and OpenID to an authenticated user. A patch is available
    at commit 05b41804e33a34102f1f75bb2d69195dda6a1210 on the `main` branch.
cves:
  - CVE-2022-4734
ghsas:
  - GHSA-j593-h5v3-45x6
```

@zpavlinovic zpavlinovic self-assigned this Jan 3, 2023
@zpavlinovic zpavlinovic added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module. label Jan 3, 2023
@zpavlinovic

Binary where packages with the fix are not imported by anyone.

@gopherbot

Change https://go.dev/cl/460419 mentions this issue: data/excluded: batch add GO-2022-1253, GO-2022-1251, GO-2022-1250, GO-2022-1248, GO-2022-1245, GO-2022-1243, GO-2022-1240, GO-2022-1239, GO-2022-1236, GO-2022-1235, GO-2022-1225, GO-2022-1220, GO-2022-1219, GO-2022-1218, GO-2022-1216, GO-2022-1208, GO-2022-1206, GO-2022-1204, GO-2022-1200, GO-2022-1192, GO-2022-1190, GO-2022-1189, GO-2022-1258, GO-2022-1226, GO-2022-1214, GO-2022-1210, GO-2022-1212

@gopherbot

Change https://go.dev/cl/592836 mentions this issue: data/reports: unexclude 25 reports

@gopherbot

Change https://go.dev/cl/607233 mentions this issue: data/reports: unexclude 20 reports (31)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-1219.yaml
  - data/reports/GO-2022-1220.yaml
  - data/reports/GO-2022-1225.yaml
  - data/reports/GO-2022-1235.yaml
  - data/reports/GO-2022-1236.yaml
  - data/reports/GO-2022-1239.yaml
  - data/reports/GO-2022-1240.yaml
  - data/reports/GO-2022-1243.yaml
  - data/reports/GO-2022-1244.yaml
  - data/reports/GO-2022-1245.yaml
  - data/reports/GO-2022-1248.yaml
  - data/reports/GO-2022-1250.yaml
  - data/reports/GO-2022-1251.yaml
  - data/reports/GO-2022-1252.yaml
  - data/reports/GO-2022-1253.yaml
  - data/reports/GO-2022-1256.yaml
  - data/reports/GO-2022-1257.yaml
  - data/reports/GO-2022-1259.yaml
  - data/reports/GO-2022-1260.yaml
  - data/reports/GO-2022-1261.yaml

Updates #1219
Updates #1220
Updates #1225
Updates #1235
Updates #1236
Updates #1239
Updates #1240
Updates #1243
Updates #1244
Updates #1245
Updates #1248
Updates #1250
Updates #1251
Updates #1252
Updates #1253
Updates #1256
Updates #1257
Updates #1259
Updates #1260
Updates #1261

Change-Id: Ica30c989e0f295a3b92b2b355787ffcc1d04dcf4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607233
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>