x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-mq4x-r2w3-j7mr #2637

Closed
GoVulnBot opened this issue Mar 11, 2024 · 3 comments

@GoVulnBot

In GitHub Security Advisory GHSA-mq4x-r2w3-j7mr, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/zitadel/zitadel | 2.45.1 | >= 2.45.0, < 2.45.1 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/zitadel/zitadel
      versions:
        - introduced: 2.45.0
          fixed: 2.45.1
      packages:
        - package: github.com/zitadel/zitadel
    - module: github.com/zitadel/zitadel
      versions:
        - fixed: 2.44.3
      packages:
        - package: github.com/zitadel/zitadel
summary: Account Takeover via Session Fixation in Zitadel [Bypassing MFA]
cves:
    - CVE-2024-28197
ghsas:
    - GHSA-mq4x-r2w3-j7mr
references:
    - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr
    - fix: https://github.com/zitadel/zitadel/commit/d4c553b75a214e41299af010ef4b26174a0f802c
    - fix: https://github.com/zitadel/zitadel/commit/e82cb51eb819c6cdba8123c9c34c5739b46b29eb
    - advisory: https://github.com/advisories/GHSA-mq4x-r2w3-j7mr

@gopherbot

Change https://go.dev/cl/582358 mentions this issue: data/reports: batch add 11 unreviewed reports

@gopherbot

Change https://go.dev/cl/590278 mentions this issue: data/reports: add 48 unreviewed reports

@gopherbot

Change https://go.dev/cl/606358 mentions this issue: data/reports: regenerate 50 reports

gopherbot pushed a commit that referenced this issue Aug 19, 2024
  - data/reports/GO-2024-2428.yaml
  - data/reports/GO-2024-2442.yaml
  - data/reports/GO-2024-2444.yaml
  - data/reports/GO-2024-2445.yaml
  - data/reports/GO-2024-2446.yaml
  - data/reports/GO-2024-2447.yaml
  - data/reports/GO-2024-2448.yaml
  - data/reports/GO-2024-2449.yaml
  - data/reports/GO-2024-2450.yaml
  - data/reports/GO-2024-2478.yaml
  - data/reports/GO-2024-2485.yaml
  - data/reports/GO-2024-2486.yaml
  - data/reports/GO-2024-2488.yaml
  - data/reports/GO-2024-2499.yaml
  - data/reports/GO-2024-2501.yaml
  - data/reports/GO-2024-2505.yaml
  - data/reports/GO-2024-2508.yaml
  - data/reports/GO-2024-2509.yaml
  - data/reports/GO-2024-2511.yaml
  - data/reports/GO-2024-2513.yaml
  - data/reports/GO-2024-2514.yaml
  - data/reports/GO-2024-2515.yaml
  - data/reports/GO-2024-2517.yaml
  - data/reports/GO-2024-2519.yaml
  - data/reports/GO-2024-2520.yaml
  - data/reports/GO-2024-2523.yaml
  - data/reports/GO-2024-2540.yaml
  - data/reports/GO-2024-2541.yaml
  - data/reports/GO-2024-2566.yaml
  - data/reports/GO-2024-2568.yaml
  - data/reports/GO-2024-2569.yaml
  - data/reports/GO-2024-2576.yaml
  - data/reports/GO-2024-2578.yaml
  - data/reports/GO-2024-2579.yaml
  - data/reports/GO-2024-2580.yaml
  - data/reports/GO-2024-2582.yaml
  - data/reports/GO-2024-2588.yaml
  - data/reports/GO-2024-2589.yaml
  - data/reports/GO-2024-2590.yaml
  - data/reports/GO-2024-2591.yaml
  - data/reports/GO-2024-2592.yaml
  - data/reports/GO-2024-2593.yaml
  - data/reports/GO-2024-2594.yaml
  - data/reports/GO-2024-2595.yaml
  - data/reports/GO-2024-2597.yaml
  - data/reports/GO-2024-2629.yaml
  - data/reports/GO-2024-2635.yaml
  - data/reports/GO-2024-2636.yaml
  - data/reports/GO-2024-2637.yaml
  - data/reports/GO-2024-2641.yaml

Updates #2428
Updates #2442
Updates #2444
Updates #2445
Updates #2446
Updates #2447
Updates #2448
Updates #2449
Updates #2450
Updates #2478
Updates #2485
Updates #2486
Updates #2488
Updates #2499
Updates #2501
Updates #2505
Updates #2508
Updates #2509
Updates #2511
Updates #2513
Updates #2514
Updates #2515
Updates #2517
Updates #2519
Updates #2520
Updates #2523
Updates #2540
Updates #2541
Updates #2566
Updates #2568
Updates #2569
Updates #2576
Updates #2578
Updates #2579
Updates #2580
Updates #2582
Updates #2588
Updates #2589
Updates #2590
Updates #2591
Updates #2592
Updates #2593
Updates #2594
Updates #2595
Updates #2597
Updates #2629
Updates #2635
Updates #2636
Updates #2637
Updates #2641

Change-Id: If02ad5ae2b621addda56b45d8c84b0476a12737b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606358
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>