CVE-2017-18874
published 2020-06-19CVE-2017-18874: An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory…
PriorityP432medium6.5CVSS 3.1
AVNACLPRHUINSUCHIHAN
EPSS
1.23%
65.3th percentile
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 0 < 4.1.2-0.20171004201910-6be8113eb60 | 4.1.2-0.20171004201910-6be8113eb60 |
| github.com | mattermost_mattermost-server | >= 4.2.0-rc1 < 4.2.1-0.20171004194140-6d3cb2ce07fc | 4.2.1-0.20171004194140-6d3cb2ce07fc |
| github.com | mattermost_mattermost-server | >= 4.2.0-rc1+incompatible < 4.2.0+incompatible | 4.2.0+incompatible |
| github.com | mattermost_mattermost-server | >= 4.3.0-rc1 < 4.3.0 | 4.3.0 |
| github.com | mattermost_mattermost-server | >= 4.3.0-rc1+incompatible < 4.3.0+incompatible | 4.3.0+incompatible |
| mattermost | mattermost_server | < 4.1.2 | 4.1.2 |
| mattermost | mattermost_server | — | — |
| mattermost | mattermost_server | >= 4.2.0 < 4.2.1 | 4.2.1 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
nvdv2.05.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Mattermost Server is vulnerable to Directory Traversal by System Admins in github.com/mattermost/mattermost-server
osv·2025-12-15
CVE-2017-18874 Mattermost Server is vulnerable to Directory Traversal by System Admins in github.com/mattermost/mattermost-server
Mattermost Server is vulnerable to Directory Traversal by System Admins in github.com/mattermost/mattermost-server
Mattermost Server is vulnerable to Directory Traversal by System Admins in github.com/mattermost/mattermost-server.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/mattermost/mattermost-server before v4.1.2-0.20171004201910-6be8113eb60, before v4.2.1-0.20171004194140-6d3cb2ce07fc.
OSV
Mattermost Server is vulnerable to Directory Traversal by System Admins
osv·2022-05-24
CVE-2017-18874 [MEDIUM] Mattermost Server is vulnerable to Directory Traversal by System Admins
Mattermost Server is vulnerable to Directory Traversal by System Admins
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal.
GHSA
Mattermost Server is vulnerable to Directory Traversal by System Admins
ghsa·2022-05-24
CVE-2017-18874 [MEDIUM] CWE-22 Mattermost Server is vulnerable to Directory Traversal by System Admins
Mattermost Server is vulnerable to Directory Traversal by System Admins
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-06-19
Published