Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability

2023-11-2712:30:54

CWE-200

GitHub Advisory Database

github.com

mattermost

unauthorized access

archived channels

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

14.2%

JSON

Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled.

Affected configurations

Vulners

Node

github.com\/mattermost\/mattermostserver\/v6Range<7.8.13

github.com\/mattermost\/mattermostserverRange<8.1.4

github.com\/mattermost\/mattermostserverRange<9.0.2

github.com\/mattermost\/mattermostserverRange<9.1.1

CPENameOperatorVersion
github.com/mattermost/mattermost-server/v6lt7.8.13
github.com/mattermost/mattermost/server/v8lt8.1.4
github.com/mattermost/mattermost/server/v8lt9.0.2
github.com/mattermost/mattermost/server/v8lt9.1.1

Name	Operator	Version
github.com/mattermost/mattermost-server/v6	lt	7.8.13
github.com/mattermost/mattermost/server/v8	lt	8.1.4
github.com/mattermost/mattermost/server/v8	lt	9.0.2
github.com/mattermost/mattermost/server/v8	lt	9.1.1