CVE-2024-23488Improper Access Control in Mattermost Mattermost-server

CWE-284Improper Access Control5 documents4 sources
Severity
4.3MEDIUMNVD
CNA3.1
EPSS
0.2%
top 58.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedFeb 29
Latest updateJun 28

Description

Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the “Allow users to view archived channels” option is disabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDmattermost/mattermost_server9.0.09.4.2+1
Gogithub.com/mattermost_mattermost-server9.0.0+incompatible9.4.2+incompatible
CVEListV5mattermost/mattermost8.1.8+1

🔴Vulnerability Details

4
OSV
Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server2024-06-28
GHSA
Mattermost fails to properly restrict the access of files attached to posts2024-02-29
CVEList
Files of archived channels accessible with the “Allow users to view archived channels” option disabled2024-02-29
OSV
Mattermost fails to properly restrict the access of files attached to posts2024-02-29
CVE-2024-23488 — Improper Access Control | cvebase