CVE-2024-42406 — Improper Access Control in Server

CWE-284 — Improper Access Control3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 48.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Server Mattermost

Timeline

PublishedSep 26

Description

Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDmattermost/mattermost_server9.5.0 — 9.5.9+3

▶CVEListV5mattermost/mattermost9.10.0 — 9.10.1+3

🔴Vulnerability Details

GHSA

GHSA-v53q-gwp7-274v: Mattermost versions 9↗2024-09-26

▶

CVEList

Unauthorized access on archived channels↗2024-09-26

▶