GHSA-vx97-8q8q-qgq5

Suggest an improvement
Source
https://github.com/advisories/GHSA-vx97-8q8q-qgq5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-vx97-8q8q-qgq5/GHSA-vx97-8q8q-qgq5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vx97-8q8q-qgq5
Aliases
Published
2024-04-26T09:30:34Z
Modified
2024-06-05T16:43:18.884911Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Mattermost's detailed error messages reveal the full file path
Details

Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored

Database specific
{
    "nvd_published_at": "2024-04-26T09:15:12Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-26T19:10:55Z"
}
References

Affected packages

Go / github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
View open source insights on deps.dev
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
8.1.0
Fixed
8.1.12

Database specific

{
    "last_known_affected_version_range": "<= 8.1.11"
}

Go / github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
View open source insights on deps.dev
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
9.5.0
Fixed
9.5.3

Database specific

{
    "last_known_affected_version_range": "<= 9.5.2"
}

Go / github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
View open source insights on deps.dev
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
9.6.0-rc1
Fixed
9.6.1

Database specific

{
    "last_known_affected_version_range": "<= 9.6.0"
}

Go / github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
View open source insights on deps.dev
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
9.4.0
Fixed
9.4.5

Database specific

{
    "last_known_affected_version_range": "<= 9.4.4"
}