CVE-2017-18875
Published 2020-06-19
Priority: P4 · 25 · medium
CVSS 3.1 base score: 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N)
EPSS: 0.72% (49.5th percentile)
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 0 < 4.1.2-0.20171004201910-6be8113eb60c | 4.1.2-0.20171004201910-6be8113eb60c |
| github.com | mattermost_mattermost-server | >= 4.2.0-rc1.0.20171004154238-fadd9514f6e7 < 4.2.1-0.20171004194140-6d3cb2ce07fc | 4.2.1-0.20171004194140-6d3cb2ce07fc |
| github.com | mattermost_mattermost-server | >= 4.3.0-rc1 < 4.3.0 | 4.3.0 |
| github.com | mattermost_mattermost-server | >= 4.3.0-rc1+incompatible < 4.3.0+incompatible | 4.3.0+incompatible |
| mattermost | mattermost_server | < 4.1.2 | 4.1.2 |
| mattermost | mattermost_server | — | — |
| mattermost | mattermost_server | >= 4.2.0 < 4.2.1 | 4.2.1 |
CVSS provenance
- NVD, CVSS v3.1: 4.9 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
- NVD, CVSS v2.0: 4.0 MEDIUM, AV:N/AC:L/Au:S/C:N/I:P/A:N
OSV (2025-12-08): CVE-2017-18875 Mattermost Server does not prevent System Admin from arbitrary file creation in github.com/mattermost/mattermost-server.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/mattermost/mattermost-server before v4.1.2-0.20171004201910-6be8113eb60c, from v4.2.0-rc1.0.20171004154238-fadd9514f6e7 before v4.2.1-0.20171004194140-6d3cb2ce07fc.
OSV (2022-05-24): CVE-2017-18875 [MEDIUM] Mattermost Server does not prevent System Admin from arbitrary file creation.
GHSA (2022-05-24): CVE-2017-18875 [MEDIUM] CWE-22 Mattermost Server does not prevent System Admin from arbitrary file creation.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.