CVE-2024-42406

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-42406
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42406.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-42406
Aliases
Published
2024-09-26T08:15:05Z
Modified
2024-10-08T04:23:30.660804Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.

References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Type
GIT
Repo
https://github.com/mattermost/mattermost-server
Events

Affected versions

@mattermost/client@9.*

@mattermost/client@9.5.0
@mattermost/client@9.9.0

@mattermost/types@9.*

@mattermost/types@9.5.0
@mattermost/types@9.9.0

v9.*

v9.5.0
v9.5.0-rc3
v9.5.1
v9.5.1-rc1
v9.5.2
v9.5.3
v9.5.3-rc1
v9.5.3-rc2
v9.5.3-rc3
v9.5.4
v9.5.4-rc1
v9.5.4-rc2
v9.5.5
v9.5.5-rc1
v9.5.6
v9.5.6-rc1
v9.5.6-rc2
v9.5.7
v9.5.7-rc1
v9.5.7-rc2
v9.5.7-rc3
v9.5.8
v9.5.8-rc1
v9.5.8-rc2
v9.9.0
v9.9.0-rc4
v9.9.1
v9.9.1-rc1
v9.9.1-rc2
v9.9.1-rc3
v9.9.1-rc4
v9.9.2
v9.9.2-rc1
v9.9.2-rc2