CVE-2024-32046 — Sensitive Information Exposure in Mattermost Mattermost-server

CWE-200 — Sensitive Information Exposure CWE-209 — Information Exposure via Error Message7 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 73.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Mattermost Server Mattermost

Timeline

PublishedApr 26

Latest updateJun 5

Description

Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDmattermost/mattermost_server8.1.0 — 8.1.12+3

▶Gogithub.com/mattermost_mattermost-server8.1.0 — 8.1.12+7

▶CVEListV5mattermost/mattermost9.5.0 — 9.5.2+3

🔴Vulnerability Details

OSV

Mattermost's detailed error messages reveal the full file path in github.com/mattermost/mattermost-server↗2024-06-05

▶

GHSA

Mattermost's detailed error messages reveal the full file path↗2024-04-26

▶

OSV

Mattermost's detailed error messages reveal the full file path↗2024-04-26

▶

CVEList

Detailed error discloses full file path with dev mode off↗2024-04-26

▶

📋Vendor Advisories

Red Hat

mattermost: allows an attacker to get information about the server such as the full path were files are stored↗2024-04-26

▶

🕵️Threat Intelligence

Tenable

Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)↗2024-05-14

▶