data/reports: add 5 reports
- data/reports/GO-2025-3724.yaml
- data/reports/GO-2025-3728.yaml
- data/reports/GO-2025-3729.yaml
- data/reports/GO-2025-3730.yaml
- data/reports/GO-2025-3731.yaml
Fixes golang/vulndb#3724
Fixes golang/vulndb#3728
Fixes golang/vulndb#3729
Fixes golang/vulndb#3730
Fixes golang/vulndb#3731
Change-Id: I4a8fc2991f2d971cec8ae1831e4791388cb4da9a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/678496
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Neal Patel <nealpatel@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/osv/GO-2025-3724.json b/data/osv/GO-2025-3724.json
new file mode 100644
index 0000000..ab4961f
--- /dev/null
+++ b/data/osv/GO-2025-3724.json
@@ -0,0 +1,128 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3724",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-3913",
+ "GHSA-4mmr-2w8p-whcr"
+ ],
+ "summary": "Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server",
+ "details": "Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.0.0-rc1+incompatible"
+ },
+ {
+ "fixed": "9.11.13+incompatible"
+ },
+ {
+ "introduced": "10.5.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.5.4+incompatible"
+ },
+ {
+ "introduced": "10.6.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.6.3+incompatible"
+ },
+ {
+ "introduced": "10.7.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.7.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250412152950-02c76784380a"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4mmr-2w8p-whcr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3913"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/02c76784380acb6802601bd24c205553b9a5a1be"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3724",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3728.json b/data/osv/GO-2025-3728.json
new file mode 100644
index 0000000..6f6af8d
--- /dev/null
+++ b/data/osv/GO-2025-3728.json
@@ -0,0 +1,122 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3728",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-3611",
+ "GHSA-86jg-35xj-3vv5"
+ ],
+ "summary": "Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server",
+ "details": "Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.0.0-rc1+incompatible"
+ },
+ {
+ "fixed": "9.11.13+incompatible"
+ },
+ {
+ "introduced": "10.0.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.5.4+incompatible"
+ },
+ {
+ "introduced": "10.6.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.7.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250414154356-6f33b721de76"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-86jg-35xj-3vv5"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3611"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/6f33b721de76b39a7714bfe0d5e9c1306869a3e3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3728",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3729.json b/data/osv/GO-2025-3729.json
new file mode 100644
index 0000000..b107117
--- /dev/null
+++ b/data/osv/GO-2025-3729.json
@@ -0,0 +1,128 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3729",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-2571",
+ "GHSA-8cgx-9ccj-3gwr"
+ ],
+ "summary": "Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server",
+ "details": "Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.0.0-rc1+incompatible"
+ },
+ {
+ "fixed": "9.11.13+incompatible"
+ },
+ {
+ "introduced": "10.0.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.5.4+incompatible"
+ },
+ {
+ "introduced": "10.6.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.6.3+incompatible"
+ },
+ {
+ "introduced": "10.7.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.7.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250414095146-04676582cdd2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-8cgx-9ccj-3gwr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2571"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/04676582cdd26f4fdfa78fcf60a7f8745e6b27f5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3729",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3730.json b/data/osv/GO-2025-3730.json
new file mode 100644
index 0000000..c289465
--- /dev/null
+++ b/data/osv/GO-2025-3730.json
@@ -0,0 +1,122 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3730",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-1792",
+ "GHSA-hc6v-386m-93pq"
+ ],
+ "summary": "Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server",
+ "details": "Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.0.0-rc1+incompatible"
+ },
+ {
+ "fixed": "9.11.13+incompatible"
+ },
+ {
+ "introduced": "10.0.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.5.4+incompatible"
+ },
+ {
+ "introduced": "10.6.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.7.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250414110750-c23f44fe8ed0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-hc6v-386m-93pq"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1792"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/c23f44fe8ed02f71d506f99adc30ad34c58c89d1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3730",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3731.json b/data/osv/GO-2025-3731.json
new file mode 100644
index 0000000..64f78ca
--- /dev/null
+++ b/data/osv/GO-2025-3731.json
@@ -0,0 +1,128 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3731",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-3230",
+ "GHSA-mc2f-jgj6-6cp3"
+ ],
+ "summary": "Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server",
+ "details": "Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.0.0-rc1+incompatible"
+ },
+ {
+ "fixed": "9.11.13+incompatible"
+ },
+ {
+ "introduced": "10.0.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.5.4+incompatible"
+ },
+ {
+ "introduced": "10.6.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.6.3+incompatible"
+ },
+ {
+ "introduced": "10.7.0-rc1+incompatible"
+ },
+ {
+ "fixed": "10.7.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250402193107-65343f84a783"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-mc2f-jgj6-6cp3"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3230"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/65343f84a7830fa8078fe3df879fca924e4fac01"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3731",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3724.yaml b/data/reports/GO-2025-3724.yaml
new file mode 100644
index 0000000..6be919c
--- /dev/null
+++ b/data/reports/GO-2025-3724.yaml
@@ -0,0 +1,36 @@
+id: GO-2025-3724
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.0.0-rc1+incompatible
+ - fixed: 9.11.13+incompatible
+ - introduced: 10.5.0-rc1+incompatible
+ - fixed: 10.5.4+incompatible
+ - introduced: 10.6.0-rc1+incompatible
+ - fixed: 10.6.3+incompatible
+ - introduced: 10.7.0-rc1+incompatible
+ - fixed: 10.7.1+incompatible
+ vulnerable_at: 10.7.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250412152950-02c76784380a
+summary: Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-3913
+ghsas:
+ - GHSA-4mmr-2w8p-whcr
+references:
+ - advisory: https://github.com/advisories/GHSA-4mmr-2w8p-whcr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-3913
+ - web: https://github.com/mattermost/mattermost/commit/02c76784380acb6802601bd24c205553b9a5a1be
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-4mmr-2w8p-whcr
+ created: 2025-06-03T13:39:33.308212-04:00
+review_status: UNREVIEWED
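Review bot: The `github.com/mattermost/mattermost-server/v5` and `/v6` entries carry only `vulnerable_at` and no `versions`, so the generated OSV marks every release of those module paths as affected with no fix (`"introduced": "0"`), while the `+incompatible` path in the same report starts at `9.0.0-rc1`. If the advisory's affected range really begins at 9.0.0, which these lines suggest but the page does not show, the v5/v6 entries produce findings that no upgrade within those paths can clear. They should either be dropped or explained in a comment; the same pattern repeats in GO-2025-3728, GO-2025-3729, GO-2025-3730 and GO-2025-3731. Separately, this report opens the 10.x range at `10.5.0-rc1` where the other four use `10.0.0-rc1`, so 10.0.x through 10.4.x are reported clean here; that is worth confirming against GHSA-4mmr-2w8p-whcr.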
diff --git a/data/reports/GO-2025-3728.yaml b/data/reports/GO-2025-3728.yaml
new file mode 100644
index 0000000..e277b33
--- /dev/null
+++ b/data/reports/GO-2025-3728.yaml
@@ -0,0 +1,36 @@
+id: GO-2025-3728
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.0.0-rc1+incompatible
+ - fixed: 9.11.13+incompatible
+ - introduced: 10.0.0-rc1+incompatible
+ - fixed: 10.5.4+incompatible
+ - introduced: 10.6.0-rc1+incompatible
+ - fixed: 10.7.1+incompatible
+ vulnerable_at: 10.7.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250414154356-6f33b721de76
+summary: |-
+ Mattermost fails to properly enforce access control restrictions for System
+ Manager roles in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-3611
+ghsas:
+ - GHSA-86jg-35xj-3vv5
+references:
+ - advisory: https://github.com/advisories/GHSA-86jg-35xj-3vv5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-3611
+ - web: https://github.com/mattermost/mattermost/commit/6f33b721de76b39a7714bfe0d5e9c1306869a3e3
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-86jg-35xj-3vv5
+ created: 2025-06-03T13:39:42.915668-04:00
+review_status: UNREVIEWED
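Review bot: The last range on the `+incompatible` module runs from `10.6.0-rc1` straight to `10.7.1`, whereas GO-2025-3724, GO-2025-3729 and GO-2025-3731 close the 10.6 line at `10.6.3` and open 10.7 separately. As written, every 10.6.x release from 10.6.3 onward is reported vulnerable. If the 10.6 branch did receive this fix, insert `- fixed: 10.6.3+incompatible` and `- introduced: 10.7.0-rc1+incompatible` between the two lines; if it did not, the merged range is correct. GO-2025-3730 has the same merged range, and the advisory's per-branch fixed versions are not visible on this page, so this is a check against GHSA-86jg-35xj-3vv5 rather than a confirmed error.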
diff --git a/data/reports/GO-2025-3729.yaml b/data/reports/GO-2025-3729.yaml
new file mode 100644
index 0000000..4c53cda
--- /dev/null
+++ b/data/reports/GO-2025-3729.yaml
@@ -0,0 +1,36 @@
+id: GO-2025-3729
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.0.0-rc1+incompatible
+ - fixed: 9.11.13+incompatible
+ - introduced: 10.0.0-rc1+incompatible
+ - fixed: 10.5.4+incompatible
+ - introduced: 10.6.0-rc1+incompatible
+ - fixed: 10.6.3+incompatible
+ - introduced: 10.7.0-rc1+incompatible
+ - fixed: 10.7.1+incompatible
+ vulnerable_at: 10.7.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250414095146-04676582cdd2
+summary: Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-2571
+ghsas:
+ - GHSA-8cgx-9ccj-3gwr
+references:
+ - advisory: https://github.com/advisories/GHSA-8cgx-9ccj-3gwr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-2571
+ - web: https://github.com/mattermost/mattermost/commit/04676582cdd26f4fdfa78fcf60a7f8745e6b27f5
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-8cgx-9ccj-3gwr
+ created: 2025-06-03T13:39:48.975074-04:00
+review_status: UNREVIEWED
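Review bot: The `notes: - fix:` entry shows that no `vulnerable_at` could be set for `github.com/mattermost/mattermost/server/v8`, so the only bound on that module is the pseudo-version `8.0.0-20250414095146-04676582cdd2`. A pseudo-version of this form sorts below `8.0.0`, so any tagged release on that module path would compare as fixed whether or not it contains commit 04676582cdd2; whether such tags exist is not visible here. A short comment above the v8 `versions` block stating that the module is consumed only by pseudo-version, if that is the case, would let a later reviewer clear the note with confidence. The same `fix` note and pseudo-version-only bound appear in GO-2025-3724, GO-2025-3728, GO-2025-3730 and GO-2025-3731.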
diff --git a/data/reports/GO-2025-3730.yaml b/data/reports/GO-2025-3730.yaml
new file mode 100644
index 0000000..e49e466
--- /dev/null
+++ b/data/reports/GO-2025-3730.yaml
@@ -0,0 +1,34 @@
+id: GO-2025-3730
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.0.0-rc1+incompatible
+ - fixed: 9.11.13+incompatible
+ - introduced: 10.0.0-rc1+incompatible
+ - fixed: 10.5.4+incompatible
+ - introduced: 10.6.0-rc1+incompatible
+ - fixed: 10.7.1+incompatible
+ vulnerable_at: 10.7.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250414110750-c23f44fe8ed0
+summary: Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-1792
+ghsas:
+ - GHSA-hc6v-386m-93pq
+references:
+ - advisory: https://github.com/advisories/GHSA-hc6v-386m-93pq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-1792
+ - web: https://github.com/mattermost/mattermost/commit/c23f44fe8ed02f71d506f99adc30ad34c58c89d1
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-hc6v-386m-93pq
+ created: 2025-06-03T13:39:54.790032-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3731.yaml b/data/reports/GO-2025-3731.yaml
new file mode 100644
index 0000000..c33604e
--- /dev/null
+++ b/data/reports/GO-2025-3731.yaml
@@ -0,0 +1,38 @@
+id: GO-2025-3731
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.0.0-rc1+incompatible
+ - fixed: 9.11.13+incompatible
+ - introduced: 10.0.0-rc1+incompatible
+ - fixed: 10.5.4+incompatible
+ - introduced: 10.6.0-rc1+incompatible
+ - fixed: 10.6.3+incompatible
+ - introduced: 10.7.0-rc1+incompatible
+ - fixed: 10.7.1+incompatible
+ vulnerable_at: 10.7.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250402193107-65343f84a783
+summary: |-
+ Mattermost fails to properly invalidate personal access tokens upon user
+ deactivation in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-3230
+ghsas:
+ - GHSA-mc2f-jgj6-6cp3
+references:
+ - advisory: https://github.com/advisories/GHSA-mc2f-jgj6-6cp3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-3230
+ - web: https://github.com/mattermost/mattermost/commit/65343f84a7830fa8078fe3df879fca924e4fac01
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-mc2f-jgj6-6cp3
+ created: 2025-06-03T13:40:00.859902-04:00
+review_status: UNREVIEWED