CVE-2024-42406

EUVD-2024-39606
Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
MattermostCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
mattermostmattermost_server
9.5.0 ≤
𝑥
< 9.5.9
mattermostmattermost_server
9.9.0 ≤
𝑥
< 9.9.3
mattermostmattermost_server
9.10.0 ≤
𝑥
< 9.10.2
mattermostmattermost_server
9.11.0
mattermostmattermost_server
9.11.0:rc1
mattermostmattermost_server
9.11.0:rc2
mattermostmattermost_server
9.11.0:rc3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates