VULNRICHMENT:CVE-2024-32046
Apr 26, 2024 - 8:24 a.m.

CVE-2024-32046 Detailed error discloses full file path with dev mode off

Published: 2024-04-26 08:24:50
CWE: CWE-200
Vendor: Mattermost
Source: github.com
Tags: cve-2024-32046, error, file path disclosure, mattermost, api requests, security vulnerability, server information

CVSS3: 4.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

AI Score: 6.5 (Confidence: Low)

EPSS: 0 (Percentile: 9.0%)

SSVC
Exploitation: none
Automatable: no
Technical Impact: partial

Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages from API error responses even when developer mode is off, which allows an authenticated attacker to obtain information about the server such as the full filesystem path where uploaded files are stored.
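As an added illustration (not Mattermost's own code and not taken from this advisory), the Go program below shows the pattern the description refers to: an API error type that carries an operator-level detailed error next to the user-facing message, a handler that serialises it unconditionally, and the hardened variant that clears the detail unless the developer-mode setting is on. The type, field and setting names (AppError, DetailedError, Config.EnableDeveloper), the storage directory, the error ID and the endpoint are all assumptions made for the example. leaksPath is a coarse check a tester could run over captured error bodies to spot the disclosure.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// AppError is an assumed shape for an API error body: a user-facing
// message plus a detailed error intended for operators only.
type AppError struct {
	ID            string `json:"id"`
	Message       string `json:"message"`
	DetailedError string `json:"detailed_error"`
	StatusCode    int    `json:"status_code"`
}

// Config carries the one setting the advisory hinges on: developer mode.
type Config struct {
	EnableDeveloper bool
}

// newFileStoreError builds the kind of error a failed upload produces.
// The storage directory and file name are constructed sample values.
func newFileStoreError(dataDir string) *AppError {
	return &AppError{
		ID:            "api.file.upload_file.storage.app_error",
		Message:       "Unable to upload file.",
		DetailedError: fmt.Sprintf("open %s/20240426/abc.png: permission denied", dataDir),
		StatusCode:    http.StatusInternalServerError,
	}
}

// writeError serialises an AppError as a JSON response.
func writeError(w http.ResponseWriter, e *AppError) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(e.StatusCode)
	_ = json.NewEncoder(w).Encode(e)
}

// vulnerableHandler ignores cfg and sends the detailed error to every client.
func vulnerableHandler(cfg Config) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		writeError(w, newFileStoreError("/opt/mattermost/data"))
	}
}

// sanitizeForClient returns a copy with the operator-only detail removed
// unless developer mode is enabled; the input is left untouched.
func sanitizeForClient(e *AppError, cfg Config) *AppError {
	out := *e
	if !cfg.EnableDeveloper {
		out.DetailedError = ""
	}
	return &out
}

// fixedHandler applies sanitizeForClient before writing the response.
func fixedHandler(cfg Config) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		writeError(w, sanitizeForClient(newFileStoreError("/opt/mattermost/data"), cfg))
	}
}

// responseBody drives a handler with a synthetic request and returns the
// body, so the two behaviours can be compared programmatically.
func responseBody(h http.HandlerFunc) string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/api/v4/files", nil))
	return rec.Body.String()
}

// absPath matches Unix and Windows absolute paths with at least two components.
var absPath = regexp.MustCompile(`(?:[A-Za-z]:\\|/)(?:[\w.-]+[\\/])+[\w.-]+`)

// leaksPath reports whether an error body exposes a filesystem path in its
// message or detail. URL-style paths also match, so hits still need review.
func leaksPath(body string) bool {
	var e AppError
	if err := json.Unmarshal([]byte(body), &e); err != nil {
		return false
	}
	return absPath.MatchString(e.Message) || absPath.MatchString(e.DetailedError)
}

func main() {
	off := Config{EnableDeveloper: false}
	fmt.Print("developer mode off, unpatched: ", responseBody(vulnerableHandler(off)))
	fmt.Print("developer mode off, patched:   ", responseBody(fixedHandler(off)))
}
```

The point of keeping the sanitisation in one function at the response boundary is that every handler inherits it; a fix applied per-handler is the kind that regresses when a new endpoint is added.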

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost",
    "versions": [
      {
        "status": "affected",
        "version": "9.6.x"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost",
    "versions": [
      {
        "status": "affected",
        "version": "9.5.x"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost",
    "versions": [
      {
        "status": "affected",
        "version": "9.4.x"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost",
    "versions": [
      {
        "status": "affected",
        "version": "8.1.x"
      }
    ],
    "defaultStatus": "unknown"
  }
]
