x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-9hj7-v56g-rhf6

[GoVulnBot]

In GitHub Security Advisory GHSA-9hj7-v56g-rhf6, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/mattermost/mattermost-server/v6	7.1.6	>= 6.0.0, <= 6.7.2

Cross references:

• Module github.com/mattermost/mattermost-server/v6 appears in issue x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-7ggc-5r84-xf54 #540 EFFECTIVELY_PRIVATE
• Module github.com/mattermost/mattermost-server/v6 appears in issue x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-32rp-q37p-jg6w #576 EFFECTIVELY_PRIVATE
• Module github.com/mattermost/mattermost-server/v6 appears in issue x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-f37q-q7p2-ccfc #595 EFFECTIVELY_PRIVATE
• Module github.com/mattermost/mattermost-server/v6 appears in issue x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-fxwj-v664-wv5g #599 EFFECTIVELY_PRIVATE
• Module github.com/mattermost/mattermost-server/v6 appears in issue x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-m7w4-q5vg-5xfp #1028 EFFECTIVELY_PRIVATE
• Module github.com/mattermost/mattermost-server/v6 appears in issue x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-63f2-6959-2pxj #1711 EFFECTIVELY_PRIVATE
• Module github.com/mattermost/mattermost-server/v6 appears in issue x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-8jhh-3jf2-pfwr #1712 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/mattermost/mattermost-server/v6
    versions:
      - introduced: TODO (earliest fixed "7.1.6", vuln range ">= 6.0.0, <= 6.7.2")
    packages:
      - package: github.com/mattermost/mattermost-server/v6
  - module: github.com/mattermost/mattermost-server/v6
    versions:
      - introduced: TODO (earliest fixed "7.1.6", vuln range ">= 5.0.0, <= 5.39.3")
    packages:
      - package: github.com/mattermost/mattermost-server/v5
  - module: github.com/mattermost/mattermost-server/v6
    versions:
      - introduced: TODO (earliest fixed "7.1.6", vuln range ">= 7.1.0, <= 7.1.5")
    packages:
      - package: github.com/mattermost/mattermost-server
  - module: github.com/mattermost/mattermost-server/v6
    versions:
      - introduced: TODO (earliest fixed "7.7.2", vuln range ">= 7.7.0, <= 7.7.1")
    packages:
      - package: github.com/mattermost/mattermost-server
  - module: github.com/mattermost/mattermost-server/v6
    versions:
      - introduced: TODO (earliest fixed "7.1.6", vuln range ">= 3.3.0, <= 4.10.10")
    packages:
      - package: github.com/mattermost/mattermost-server
summary: Mattermost fails to properly authentication inviter's permissions to private
    channel
description: |-
    When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.

    [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00137
cves:
  - CVE-2023-1774
ghsas:
  - GHSA-9hj7-v56g-rhf6
references:
  - web: https://nvd.nist.gov/vuln/detail/CVE-2023-1774
  - web: https://mattermost.com/security-updates/
  - advisory: https://github.com/advisories/GHSA-9hj7-v56g-rhf6

[gopherbot]

Change https://go.dev/cl/485916 mentions this issue: data/excluded: batch add GO-2023-1729, GO-2023-1728, GO-2023-1727, GO-2023-1723, GO-2023-1721, GO-2023-1720