CVE-2024-1942 — Improper Access Control in Mattermost Mattermost-server

CWE-284 — Improper Access Control5 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 54.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedFeb 29

Latest updateJun 28

Description

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server8.1.0 — 8.1.9+2

▶Gogithub.com/mattermost_mattermost-server9.2.0+incompatible — 9.2.5+incompatible+1

▶Gogithub.com/mattermost_mattermost_server_v89.3.0 — 9.3.1+2

▶CVEListV5mattermost/mattermost9.2.0 — 9.2.4+2

🔴Vulnerability Details

OSV

Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server↗2024-06-28

▶

GHSA

Mattermost allows attackers access to posts in channels they are not a member of↗2024-02-29

▶

CVEList

CVE-2024-1942: Mattermost versions 8↗2024-02-29

▶

OSV

Mattermost allows attackers access to posts in channels they are not a member of↗2024-02-29

▶