Moderate severity · NVD Advisory · Published Apr 16, 2025 · Updated Apr 17, 2025
Unauthorized View Access to Archived Channel Member Info
CVE-2025-2564
Description
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.
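The flaw is an authorization check that never consults the archived-channel setting. The following Go example, added here and not taken from Mattermost's code base, shows the vulnerable shape of such a check beside a hardened one. The data model, the `AllowViewArchivedChannels` field name, the requirement that the caller be a channel member, and the sample channels and users are all assumptions constructed for the example; Mattermost's real configuration keys and permission code differ.

```go
package main

import (
	"errors"
	"fmt"
)

// Config stands in for the "Allow users to view/update archived channels"
// System Console setting. The field name is an assumption, not Mattermost's key.
type Config struct {
	AllowViewArchivedChannels bool
}

// Channel and Member are simplified models constructed for this example.
type Channel struct {
	ID       string
	DeleteAt int64 // non-zero means the channel has been archived
}

type Member struct {
	UserID   string
	Username string
}

// Store holds constructed in-memory sample data.
type Store struct {
	channels   map[string]Channel
	members    map[string][]Member
	membership map[string]map[string]bool // userID -> channelID -> is member
}

var (
	ErrNotFound  = errors.New("channel not found")
	ErrForbidden = errors.New("forbidden")
)

func (c Channel) IsArchived() bool { return c.DeleteAt != 0 }

// isMember is an assumed baseline rule: only channel members may list members.
func (s *Store) isMember(userID, channelID string) bool {
	return s.membership[userID][channelID]
}

// GetMembersVulnerable reproduces the failure mode in the advisory: membership
// is checked, but cfg is never consulted, so an archived channel's members are
// returned even when the setting is disabled.
func GetMembersVulnerable(s *Store, cfg Config, userID, channelID string) ([]Member, error) {
	ch, ok := s.channels[channelID]
	if !ok {
		return nil, ErrNotFound
	}
	if !s.isMember(userID, ch.ID) {
		return nil, ErrForbidden
	}
	return s.members[ch.ID], nil // cfg is ignored here
}

// GetMembersFixed keeps the same membership check and additionally refuses to
// expose members of an archived channel unless the setting allows it.
func GetMembersFixed(s *Store, cfg Config, userID, channelID string) ([]Member, error) {
	ch, ok := s.channels[channelID]
	if !ok {
		return nil, ErrNotFound
	}
	if !s.isMember(userID, ch.ID) {
		return nil, ErrForbidden
	}
	if ch.IsArchived() && !cfg.AllowViewArchivedChannels {
		return nil, ErrForbidden
	}
	return s.members[ch.ID], nil
}

// NewSampleStore builds constructed sample data: one active channel,
// one archived channel, and two users.
func NewSampleStore() *Store {
	return &Store{
		channels: map[string]Channel{
			"town-square": {ID: "town-square", DeleteAt: 0},
			"old-project": {ID: "old-project", DeleteAt: 1700000000000},
		},
		members: map[string][]Member{
			"town-square": {{UserID: "u1", Username: "alice"}},
			"old-project": {{UserID: "u1", Username: "alice"}, {UserID: "u2", Username: "bob"}},
		},
		membership: map[string]map[string]bool{
			"u1": {"town-square": true, "old-project": true},
			"u2": {"old-project": true},
		},
	}
}

func main() {
	s := NewSampleStore()
	off := Config{AllowViewArchivedChannels: false}
	v, err := GetMembersVulnerable(s, off, "u1", "old-project")
	fmt.Printf("vulnerable: %d members, err=%v\n", len(v), err)
	f, err := GetMembersFixed(s, off, "u1", "old-project")
	fmt.Printf("fixed:      %d members, err=%v\n", len(f), err)
}
```

The important property of the hardened version is that the setting is evaluated on the server for every member-listing path, not only in the client UI that hides archived channels; a client-side check alone leaves the API reachable to any authenticated caller.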
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.5.0, < 10.5.2 | 10.5.2 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.4.0, < 10.4.4 | 10.4.4 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 9.11.0, < 9.11.10 | 9.11.10 |
| github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20250314142426-c049748b8863 | 8.0.0-20250314142426-c049748b8863 |
Affected products
- Range: 10.5.0
References
- github.com/advisories/GHSA-mj2p-v2c2-vh4v (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-2564 (NVD advisory)
- mattermost.com/security-updates (vendor security updates page)