CVE-2023-6459

2023-12-0609:15:09

CWE-200

Mattermost

web.nvd.nist.gov

cve-2023-6459

mattermost

endpoint

/metrics

security vulnerability

channelids

nvd

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.

Affected configurations

Nvd

Node

mattermostmattermost_serverRange<7.8.14

mattermostmattermost_serverRange8.0.0–8.1.5

VendorProductVersionCPE
mattermostmattermost_server*cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mattermost	mattermost_server	*	cpe:2.3:a:mattermost:mattermost_server::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "7.8.13",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.1.4",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "8.1.5"
      },
      {
        "status": "unaffected",
        "version": "7.8.14"
      }
    ]
  }
]