CVE-2024-52032 — Sensitive Information Exposure in Server

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 37.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Server Mattermost

Timeline

PublishedNov 9

Description

Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query ElasticSearch when searching for the channel name in channel switcher which allows an attacker to get private channels names of channels that they are not a member of, when Elasticsearch v8 was enabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.3+1

▶CVEListV5mattermost/mattermost9.11.0 — 9.11.2+1

🔴Vulnerability Details

CVEList

Private channel names leaking when Elasticsearch is enabled↗2024-11-09

▶

GHSA

GHSA-69ww-qqv6-w3gj: Mattermost versions 10↗2024-11-09

▶