x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-65v8-6pvw-jwvq #1716

GoVulnBot · 2023-04-11T22:01:22Z

In GitHub Security Advisory GHSA-65v8-6pvw-jwvq, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/answerdev/answer	1.0.8	< 1.0.8

Cross references:

Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-65px-4cpf-697r #1541 EFFECTIVELY_PRIVATE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-4cwh-8w4g-jxxh #1550 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-hjmr-xm25-36mh #1551 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-p7wj-c85f-xq9h #1552 EFFECTIVELY_PRIVATE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-qx34-47fc-vv79 #1553 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-rmw8-7823-wp7f #1554 EFFECTIVELY_PRIVATE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-6cvf-m58q-h9wf #1592 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-6c32-3x46-m9rh #1612 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-55vm-3vq3-4jpc #1613 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-5w78-v688-cx9q #1614 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-8jh8-33f5-cgfp #1615 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-9v4v-9fj5-p982 #1616 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-ff27-hrmr-ggpj #1617 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-h85v-cx5m-78wj #1618 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-qrwm-xqfr-4vhv #1619 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-vxhr-p2vp-7gf8 #1620 NOT_IMPORTABLE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-6x5v-cxpp-pc5x #1654 EFFECTIVELY_PRIVATE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-79hx-g43v-xfmr #1655 EFFECTIVELY_PRIVATE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-83qr-c7m9-wmgw #1656 EFFECTIVELY_PRIVATE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-g44v-6qfm-f6ch #1657 EFFECTIVELY_PRIVATE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-h2wg-83fc-xvm9 #1658 EFFECTIVELY_PRIVATE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-hwj7-frgj-7829 #1659 EFFECTIVELY_PRIVATE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-r95w-7cpx-h5mx #1660 EFFECTIVELY_PRIVATE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-rvjp-8qj4-8p29 #1661 EFFECTIVELY_PRIVATE
Module github.com/answerdev/answer appears in issue x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-xvfj-84vc-hrmf #1662 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/answerdev/answer
    versions:
      - fixed: 1.0.8
    packages:
      - package: github.com/answerdev/answer
summary: Answer vulnerable to Insertion of Sensitive Information Into Sent Data
description: answerdev/answer is an open-source knowledge-based community software.
    Answer prior to 1.0.8 does not strip EXIF geolocation data from user-uploaded
    logos. As a result, anyone can get sensitive information like a user's device
    ID, geolocation, system information, system version, etc.
cves:
  - CVE-2023-1975
ghsas:
  - GHSA-65v8-6pvw-jwvq
references:
  - web: https://nvd.nist.gov/vuln/detail/CVE-2023-1975
  - fix: https://github.com/answerdev/answer/commit/ac3f2f047ee00b4edaea7530e570ab67ff87cd6a
  - web: https://huntr.dev/bounties/829cab7a-4ed7-465c-aa96-29f4f73dbfff
  - advisory: https://github.com/advisories/GHSA-65v8-6pvw-jwvq

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-04-12T16:43:45Z

Change https://go.dev/cl/483975 mentions this issue: data/excluded: batch add GO-2023-1719, GO-2023-1718, GO-2023-1716

gopherbot · 2024-06-14T17:52:00Z

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

gopherbot · 2024-08-20T16:52:45Z

Change https://go.dev/cl/606785 mentions this issue: data/reports: unexclude 20 reports (5)

- data/reports/GO-2023-1700.yaml - data/reports/GO-2023-1701.yaml - data/reports/GO-2023-1707.yaml - data/reports/GO-2023-1708.yaml - data/reports/GO-2023-1716.yaml - data/reports/GO-2023-1718.yaml - data/reports/GO-2023-1719.yaml - data/reports/GO-2023-1721.yaml - data/reports/GO-2023-1723.yaml - data/reports/GO-2023-1730.yaml - data/reports/GO-2023-1735.yaml - data/reports/GO-2023-1738.yaml - data/reports/GO-2023-1747.yaml - data/reports/GO-2023-1754.yaml - data/reports/GO-2023-1758.yaml - data/reports/GO-2023-1761.yaml - data/reports/GO-2023-1763.yaml - data/reports/GO-2023-1764.yaml - data/reports/GO-2023-1768.yaml - data/reports/GO-2023-1774.yaml Updates #1700 Updates #1701 Updates #1707 Updates #1708 Updates #1716 Updates #1718 Updates #1719 Updates #1721 Updates #1723 Updates #1730 Updates #1735 Updates #1738 Updates #1747 Updates #1754 Updates #1758 Updates #1761 Updates #1763 Updates #1764 Updates #1768 Updates #1774 Change-Id: I3fc567427d68e095cc62ea48dc9b284b2414a372 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606785 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

timothy-king self-assigned this Apr 11, 2023

timothy-king added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Apr 11, 2023

gopherbot closed this as completed in 59728fd Apr 12, 2023

GoVulnBot mentioned this issue May 11, 2023

x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-qmqw-r4x6-3w2q #1774

Closed

GoVulnBot mentioned this issue Sep 8, 2023

x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-pj2h-85jq-g5vg #2051

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-65v8-6pvw-jwvq #1716

x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-65v8-6pvw-jwvq #1716

GoVulnBot commented Apr 11, 2023

gopherbot commented Apr 12, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-65v8-6pvw-jwvq #1716

x/vulndb: potential Go vuln in github.com/answerdev/answer: GHSA-65v8-6pvw-jwvq #1716

Comments

GoVulnBot commented Apr 11, 2023

gopherbot commented Apr 12, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024