CVE-2024-42000 — Incorrect Authorization in Server

CWE-863 — Incorrect Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

CNA2.7

EPSS

0.2%

top 59.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Server Mattermost

Timeline

PublishedNov 9

Description

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to /api/v4/channels.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDmattermost/mattermost_server9.5.0 — 9.5.10+3

▶CVEListV5mattermost/mattermost9.10.0 — 9.10.2+3

🔴Vulnerability Details

GHSA

GHSA-hpq2-jq6g-6g73: Mattermost versions 9↗2024-11-09

▶

CVEList

Unauthorized Access to view channels' details↗2024-11-09

▶