GHSA-5fwx-p6xh-vjrh

Source

https://github.com/advisories/GHSA-5fwx-p6xh-vjrh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-5fwx-p6xh-vjrh/GHSA-5fwx-p6xh-vjrh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5fwx-p6xh-vjrh

Aliases

Related

Published

2025-02-24T09:35:48Z

Modified

2025-03-03T19:42:03.529497Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Mattermost allows reading arbitrary files related to importing boards

Details

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.

Database specific

{
    "nvd_published_at": "2025-02-24T08:15:10Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-24T18:28:16Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Go

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.0.0-20250122165010-4ed702ccff4e

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

9.11.0-rc1

Fixed

9.11.8

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

10.2.0-rc1

Fixed

10.2.3

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

10.3.0-rc1

Fixed

10.3.3

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

10.4.0-rc1

Fixed

10.4.2