CVE-2024-42406

Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allowsan attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
MattermostCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
VendorProductVersion
mattermostmattermost_server
9.5.0 ≤
𝑥
< 9.5.9
mattermostmattermost_server
9.9.0 ≤
𝑥
< 9.9.3
mattermostmattermost_server
9.10.0 ≤
𝑥
< 9.10.2
mattermostmattermost_server
9.11.0
mattermostmattermost_server
9.11.0:rc1
mattermostmattermost_server
9.11.0:rc2
mattermostmattermost_server
9.11.0:rc3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates