GHSA-vx97-8q8q-qgq5

Source

https://github.com/advisories/GHSA-vx97-8q8q-qgq5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-vx97-8q8q-qgq5/GHSA-vx97-8q8q-qgq5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vx97-8q8q-qgq5

Aliases

CVE-2024-32046
GO-2024-2797

Published

2024-04-26T09:30:34Z

Modified

2024-06-05T16:43:18.884911Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Mattermost's detailed error messages reveal the full file path

Details

Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored

Database specific

{
    "nvd_published_at": "2024-04-26T09:15:12Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-26T19:10:55Z"
}

References

Affected packages

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

8.1.0

Fixed

8.1.12

Database specific

{
    "last_known_affected_version_range": "<= 8.1.11"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.5.0

Fixed

9.5.3

Database specific

{
    "last_known_affected_version_range": "<= 9.5.2"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.6.0-rc1

Fixed

9.6.1

Database specific

{
    "last_known_affected_version_range": "<= 9.6.0"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.4.0

Fixed

9.4.5

Database specific

{
    "last_known_affected_version_range": "<= 9.4.4"
}