VYPR
Moderate severity · NVD Advisory · Published Jun 19, 2020 · Updated Aug 4, 2024

CVE-2020-14457


Description

An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Mattermost Server before 5.20.0, the update_team WebSocket event incorrectly broadcasts team details to non-members, leaking sensitive information.

Vulnerability

Details

CVE-2020-14457 is an information disclosure vulnerability in Mattermost Server versions prior to 5.20.0. The root cause lies in how the update_team WebSocket event is broadcast: the server pushes the event to every connected session instead of scoping it to the members of the team concerned [1]. As a result, any authenticated user, including users who are not members of the team in question, receives that team's updated details (name, description and similar metadata) as soon as they change.

Exploitation

To exploit this vulnerability, an attacker only needs an authenticated account on the Mattermost instance. No special privileges or network position are required beyond a valid session with an open WebSocket connection, which a normal logged-in client already holds. The attacker sends nothing and simply listens: whenever someone updates a team (for example, renames it or changes its description), the server emits an update_team event to all connected clients, non-members included [3]. This makes the attack purely passive information gathering, which also means it leaves no request in the server's access logs beyond the ordinary WebSocket session.

Impact

The impact is the unintended disclosure of team details such as the team's display name, description, and possibly other configuration fields. The disclosure matters most for invite-only teams, whose existence and settings a non-member would not otherwise be able to see. While this does not directly lead to code execution or privilege escalation, it aids reconnaissance: an attacker can map the organisation's team structure and collect details that may be useful for social engineering or further attacks.

Mitigation

The vulnerability was addressed in Mattermost Server version 5.20.0. The fix, implemented in pull request #13848, restricts the update_team event broadcast to members of the affected team [3]. Administrators are strongly advised to upgrade to 5.20.0 or later. Mattermost's security update page provides guidance on staying current with patches [4].
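The three sections above (Details, Exploitation, Mitigation) describe one mechanism: a team-scoped event delivered without a membership check, and a fix that adds the check. The following Go program is an added example written for this page; it is not Mattermost's own code, and the type names (WebSocketEvent, Hub, Delivery), field names and the sample users are assumptions made for illustration. It models the pre-5.20.0 unscoped broadcast beside the team-scoped form, and includes the audit check a practitioner would want: given a record of what was actually delivered, list every recipient who received an update_team event for a team they do not belong to.

```go
package main

import (
	"fmt"
	"sort"
)

// WebSocketEvent is a hypothetical model of a team-scoped event.
// Field names are assumptions for this example, not Mattermost's types.
type WebSocketEvent struct {
	Event  string            // e.g. "update_team"
	TeamID string            // the team the event concerns
	Data   map[string]string // payload, e.g. the new display name
}

// Delivery records which user a copy of an event was pushed to.
type Delivery struct {
	UserID string
	Event  WebSocketEvent
}

// Hub holds the connected sessions (by user ID) and team membership.
type Hub struct {
	Connected []string            // user IDs with an open WebSocket
	Members   map[string][]string // teamID -> member user IDs
}

func (h *Hub) isMember(teamID, userID string) bool {
	for _, m := range h.Members[teamID] {
		if m == userID {
			return true
		}
	}
	return false
}

// BroadcastUnscoped models the behaviour the advisory describes for
// versions before 5.20.0: every connected session receives the event,
// whether or not the user belongs to ev.TeamID.
func (h *Hub) BroadcastUnscoped(ev WebSocketEvent) []Delivery {
	var out []Delivery
	for _, u := range h.Connected {
		out = append(out, Delivery{UserID: u, Event: ev})
	}
	return out
}

// BroadcastTeamScoped is the hardened form: the event is delivered only
// to connected sessions whose user is a member of ev.TeamID.
func (h *Hub) BroadcastTeamScoped(ev WebSocketEvent) []Delivery {
	var out []Delivery
	for _, u := range h.Connected {
		if h.isMember(ev.TeamID, u) {
			out = append(out, Delivery{UserID: u, Event: ev})
		}
	}
	return out
}

// LeakedRecipients is the audit check: from a record of deliveries, return
// the sorted user IDs that received a team-scoped event for a team they are
// not a member of. An empty result means nothing leaked.
func (h *Hub) LeakedRecipients(deliveries []Delivery) []string {
	seen := map[string]bool{}
	for _, d := range deliveries {
		if d.Event.TeamID != "" && !h.isMember(d.Event.TeamID, d.UserID) {
			seen[d.UserID] = true
		}
	}
	leaked := make([]string, 0, len(seen))
	for u := range seen {
		leaked = append(leaked, u)
	}
	sort.Strings(leaked)
	return leaked
}

// NewExampleHub builds constructed sample data: three connected users,
// of whom only alice and bob belong to the team "eng".
func NewExampleHub() *Hub {
	return &Hub{
		Connected: []string{"alice", "bob", "mallory"},
		Members:   map[string][]string{"eng": {"alice", "bob"}},
	}
}

func main() {
	h := NewExampleHub()
	ev := WebSocketEvent{Event: "update_team", TeamID: "eng",
		Data: map[string]string{"display_name": "Engineering (renamed)"}}

	fmt.Println("unscoped broadcast leaked to:", h.LeakedRecipients(h.BroadcastUnscoped(ev)))
	fmt.Println("team-scoped broadcast leaked to:", h.LeakedRecipients(h.BroadcastTeamScoped(ev)))
}
```

Running the program shows the unscoped broadcast leaking the event to mallory, who is connected but not an "eng" member, while the team-scoped broadcast leaks to nobody. The same LeakedRecipients check, fed with events captured from real client sessions and the server's actual membership table, is a simple way to confirm after an upgrade that team-scoped events no longer reach non-members.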

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/mattermost/mattermost-server/v5 (Go)
Affected versions: < 5.20.0
Patched versions: 5.20.0

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 5

News mentions: 0 (no linked articles in our index yet)