VYPR
Unrated severityNVD Advisory· Published Nov 9, 2024· Updated Nov 12, 2024

Unauthorized Access to view channels' details

CVE-2024-42000

Description

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels  which allows a User or System Manager, with "Read Groups" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to /api/v4/channels.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Mattermost/Mattermostllm-fuzzy2 versions
    >=9.5.0, <=9.5.9 || >=9.10.0, <=9.10.2 || >=9.11.0, <=9.11.1 || >=10.0.0, <=10.0.0+ 1 more
    • (no CPE)range: >=9.5.0, <=9.5.9 || >=9.10.0, <=9.10.2 || >=9.11.0, <=9.11.1 || >=10.0.0, <=10.0.0
    • (no CPE)range: 9.10.0
  • osv-coords
    Range: >= 9.5.0, < 9.5.10

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.