GHSA-jwfv-5hwq-f97r

Source

https://github.com/advisories/GHSA-jwfv-5hwq-f97r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jwfv-5hwq-f97r/GHSA-jwfv-5hwq-f97r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jwfv-5hwq-f97r

Aliases

Published

2022-05-24T17:21:06Z

Modified

2025-12-09T17:42:26.234451Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Mattermost Server exposes team invite IDs through API endpoints

Details

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200"
    ],
    "nvd_published_at": "2020-06-19T19:15:00Z",
    "github_reviewed_at": "2025-12-03T19:31:49Z",
    "severity": "MODERATE"
}

References

Affected packages

Go

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.10.3

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

4.0.0

Fixed

4.0.4

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

4.0.5-rc1

Fixed

4.1.0