x/vulndb: potential Go vuln in github.com/nothub/mrpack-install: GHSA-r887-gfxh-m9rr #1543

GoVulnBot · 2023-02-08T19:01:18Z

In GitHub Security Advisory GHSA-r887-gfxh-m9rr, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/nothub/mrpack-install	0.16.3	<= 0.16.2

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/nothub/mrpack-install
    versions:
      - introduced: TODO (earliest fixed "0.16.3", vuln range "<= 0.16.2")
    packages:
      - package: github.com/nothub/mrpack-install
description: |
    ### Impact
    Importing a malicious `.mrpack` file can cause path traversal while downloading files.
    This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.

    ### Patches
    No patches yet.

    ### Workarounds
    Avoid importing `.mrpack` files from untrusted sources.

    ### References
    https://docs.modrinth.com/docs/modpacks/format_definition/#files
ghsas:
  - GHSA-r887-gfxh-m9rr

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-02-10T19:56:25Z

Change https://go.dev/cl/467396 mentions this issue: data/excluded: batch add excluded reports

gopherbot · 2024-06-14T17:46:04Z

Change https://go.dev/cl/592759 mentions this issue: data/reports: unexclude 75 reports

gopherbot · 2024-08-20T16:57:59Z

Change https://go.dev/cl/606782 mentions this issue: data/reports: unexclude 20 reports (2)

- data/reports/GO-2023-1512.yaml - data/reports/GO-2023-1520.yaml - data/reports/GO-2023-1524.yaml - data/reports/GO-2023-1527.yaml - data/reports/GO-2023-1533.yaml - data/reports/GO-2023-1541.yaml - data/reports/GO-2023-1542.yaml - data/reports/GO-2023-1543.yaml - data/reports/GO-2023-1544.yaml - data/reports/GO-2023-1550.yaml - data/reports/GO-2023-1551.yaml - data/reports/GO-2023-1552.yaml - data/reports/GO-2023-1553.yaml - data/reports/GO-2023-1554.yaml - data/reports/GO-2023-1555.yaml - data/reports/GO-2023-1560.yaml - data/reports/GO-2023-1577.yaml - data/reports/GO-2023-1581.yaml - data/reports/GO-2023-1582.yaml - data/reports/GO-2023-1583.yaml Updates #1512 Updates #1520 Updates #1524 Updates #1527 Updates #1533 Updates #1541 Updates #1542 Updates #1543 Updates #1544 Updates #1550 Updates #1551 Updates #1552 Updates #1553 Updates #1554 Updates #1555 Updates #1560 Updates #1577 Updates #1581 Updates #1582 Updates #1583 Change-Id: I6a2829acd39b6e598b81e8138e6d126128073198 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606782 Auto-Submit: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>

tatianab self-assigned this Feb 10, 2023

tatianab added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Feb 10, 2023

gopherbot closed this as completed in a662819 Feb 10, 2023

GoVulnBot mentioned this issue Jun 26, 2023

x/vulndb: potential Go vuln in github.com/nothub/mrpack-install: CVE-2023-25307 #1870

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/nothub/mrpack-install: GHSA-r887-gfxh-m9rr #1543

x/vulndb: potential Go vuln in github.com/nothub/mrpack-install: GHSA-r887-gfxh-m9rr #1543

GoVulnBot commented Feb 8, 2023

gopherbot commented Feb 10, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in github.com/nothub/mrpack-install: GHSA-r887-gfxh-m9rr #1543

x/vulndb: potential Go vuln in github.com/nothub/mrpack-install: GHSA-r887-gfxh-m9rr #1543

Comments

GoVulnBot commented Feb 8, 2023

gopherbot commented Feb 10, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024