Unrated severityNVD Advisory· Published Nov 9, 2024· Updated Nov 12, 2024
Unauthorized Access to view channels' details
CVE-2024-42000
Description
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to /api/v4/channels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3>=9.5.0, <=9.5.9 || >=9.10.0, <=9.10.2 || >=9.11.0, <=9.11.1 || >=10.0.0, <=10.0.0+ 1 more
- (no CPE)range: >=9.5.0, <=9.5.9 || >=9.10.0, <=9.10.2 || >=9.11.0, <=9.11.1 || >=10.0.0, <=10.0.0
- (no CPE)range: 9.10.0
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.