Lucene search
+L

103 matches found

nvd
nvd
added 2025/08/21 8:15 a.m.9 views

CVE-2025-49222

Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 9.11.x = 9.11.17, 10.9.x = 10.9.2, 10.10.x = 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in...

6.8CVSS0.00281EPSS
Exploits0References1
cve
cve
added 2025/08/21 7:59 a.m.24 views

CVE-2025-49222

Mattermost CVE-2025-49222 affects Mattermost Server versions 9.11.x, 10.5.x, 10.8.x, 10.9.x, and 10.10.x, where upload type validation in remote cluster upload sessions can be bypassed, allowing a system admin to upload non‑attachment file types that may be placed in arbitrary filesystem director...

6.8CVSS6.8AI score0.00281EPSS
Exploits0References1Affected Software1
ptsecurity
ptsecurity
added 2025/08/21 12:0 a.m.9 views

PT-2025-34201 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.8.x through 10.8.3 Mattermost versions 10.5.x through 10.5.8 Mattermost versions 9.11.x through 9.11.17 Mattermost versions 10.9.x through 10.9.2 Mattermost versions 10.10.x through 10.10.0 Description: The Mattermost...

6.8CVSS7.2AI score0.00281EPSS
Exploits0References10
nessus
nessus
added 2025/08/10 12:0 a.m.4 views

Linux Distros Unpatched Vulnerability : CVE-2024-23451

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and...

6.5CVSS6.4AI score0.00435EPSS
Exploits0References2
snyk
snyk
added 2025/07/18 12:30 p.m.2 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the invite mechanism for remote clusters. An attacker can send unauthorized synchronization payloads by intercepting both the invite and password during the invitation process. Remediation Upgrad...

3.1CVSS7.2AI score0.00175EPSS
Exploits0References2
ibm
ibm
added 2025/01/28 10:8 p.m.26 views

Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to Elastic Elasticsearch sensitive information disclosure vulnerabilitiy( CVE-2024-23451)

Summary Potential Elastic Elasticsearch sensitive information disclosure vulnerabilitiy CVE-2024-23451 has been identified that may affect IBM Watson CP4D Data Stores. The vulnerability have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-23451...

6.5CVSS8.4AI score0.00435EPSS
Exploits0Affected Software1
veracode
veracode
added 2024/07/04 9:32 a.m.14 views

Improper Authentication

Mattermost is vulnerable to Improper Authentication. The vulnerability is caused by the use of constant-time comparison for remote cluster tokens, possibly allowing an attacker to retrieve the token during comparison due to the timing discrepancy...

8.1CVSS7AI score0.00379EPSS
Exploits0References3Affected Software1
nvd
nvd
added 2024/07/03 9:15 a.m.23 views

CVE-2024-39830

Mattermost versions 9.8.x = 9.8.0, 9.7.x = 9.7.4, 9.6.x = 9.6.2 and 9.5.x = 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token...

8.1CVSS0.00379EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2024/07/03 8:32 a.m.21 views

CVE-2024-39830 Timing attack during remote cluster token comparison when shared channels are enabled

Mattermost versions 9.8.x = 9.8.0, 9.7.x = 9.7.4, 9.6.x = 9.6.2 and 9.5.x = 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token...

8.1CVSS6.9AI score0.00379EPSS
Exploits0References1
cve
cve
added 2024/07/03 8:32 a.m.75 views

CVE-2024-39830

Mattermost CVE-2024-39830 affects Mattermost server versions 9.8.x through 9.5.x (specific fixes: 9.8.0, 9.7.4, 9.6.2, 9.5.5 and earlier). The root cause is non-constant time comparison for remote cluster tokens during remote cluster token checks when shared channels are enabled, which can allow ...

8.1CVSS6.7AI score0.00379EPSS
Exploits0References1Affected Software1
cvelist
cvelist
added 2024/07/03 8:32 a.m.30 views

CVE-2024-39830 Timing attack during remote cluster token comparison when shared channels are enabled

Mattermost versions 9.8.x = 9.8.0, 9.7.x = 9.7.4, 9.6.x = 9.6.2 and 9.5.x = 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token...

8.1CVSS0.00379EPSS
Exploits0References1
osv
osv
added 2024/07/03 8:32 a.m.9 views

CVE-2024-39830 Timing attack during remote cluster token comparison when shared channels are enabled

Mattermost versions 9.8.x = 9.8.0, 9.7.x = 9.7.4, 9.6.x = 9.6.2 and 9.5.x = 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token...

8.1CVSS6AI score0.00379EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2024/07/03 12:0 a.m.6 views

PT-2024-28468 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.5.x through 9.5.5 Mattermost version 9.8.0 Description: The issue allows a high-privileged attacker with access to the audit logs to read message contents due to the failure to sanitize the RemoteClusterFrame payloads...

2.7CVSS7AI score0.00337EPSS
Exploits0References3
github
github
added 2024/06/12 3:31 p.m.44 views

Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.htmlsecurity-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the fieldsecurity parameter, an...

6.5CVSS7AI score0.00456EPSS
Exploits0References3Affected Software1
cvelist
cvelist
added 2024/06/12 1:58 p.m.27 views

CVE-2024-23445 Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.htmlsecurity-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the fieldsecurity parameter, an...

6.5CVSS0.00456EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2024/06/12 1:58 p.m.16 views

CVE-2024-23445 Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.htmlsecurity-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the fieldsecurity parameter, an...

6.5CVSS7.3AI score0.00456EPSS
Exploits0References1
osv
osv
added 2024/05/14 7:16 a.m.26 views

BIT-ELASTICSEARCH-2024-23451 Elasticsearch Incorrect Authorization in the Remote Cluster Security API key based security model

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to...

6.5CVSS5.6AI score0.00435EPSS
Exploits0References2
bdu_fstec
bdu_fstec
added 2024/04/06 12:0 a.m.11 views

The vulnerability of the Elasticsearch search system’s Remote Cluster Security component, related to incorrect authentication, allows a perpetrator to gain access to protected information.

The vulnerability of the Elasticsearch search system component related to Remote Cluster Security is linked to improper authentication. Exploiting this vulnerability can allow a malicious actor to gain access to protected information...

4.6CVSS5.9AI score0.00435EPSS
Exploits0References2Affected Software1
veracode
veracode
added 2024/03/29 10:11 a.m.13 views

Improper Authorization

org.elasticsearch:elasticsearch is vulnerable to Improper Authorization. The vulnerability is due to the improper validation of API key permissions, allowing a malicious user with a valid API key for a remote cluster configured with new Remote Cluster Security to read arbitrary documents from any...

6.5CVSS6.5AI score0.00435EPSS
Exploits0References3Affected Software1
redhatcve
redhatcve
added 2024/03/27 7:36 p.m.72 views

CVE-2024-23451

An incorrect authorization flaw was found in the API key based security model for Remote Cluster Security in the elasticsearch package. A malicious user with a valid API key can leverage this issue to gain access to read any documents from any index in the remote cluster, exposing possible...

4.4CVSS7AI score0.00435EPSS
Exploits0References4
Rows per page
Query Builder