PT-2024-13521 · Mattermost · Mattermost

Vultza · Published 2024-01-02 · Updated 2024-06-28 · CVE-2023-47858

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Mattermost versions prior to 7.8.10
Mattermost versions prior to 8.1.1

Description
The issue arises from a failure to properly verify the permissions required to view archived public channels. As a result, a member of one team can obtain details about the archived public channels of another team via the "GET /api/v4/teams//channels/deleted" endpoint.

Recommendations
For versions prior to 7.8.10, update to version 7.8.10 or later. For versions prior to 8.1.1, update to version 8.1.1 or later. As a temporary workaround, consider restricting access to the "GET /api/v4/teams//channels/deleted" endpoint until a patch is available.
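As an added illustration of the flaw class described above, and not code from Mattermost or from this advisory, the following Go sketch models a team-scoped listing of archived channels over an in-memory store: the unchecked variant ignores the caller's team membership, the hardened variant denies the request unless the caller belongs to the team. All types, names and sample data are constructed for this example.

```go
package main

import "errors"

// Constructed in-memory model; not Mattermost's data model or API.
type Channel struct {
	ID, TeamID string
	Archived   bool
}

type Store struct {
	TeamMembers map[string]map[string]bool // teamID -> set of member userIDs
	Channels    []Channel
}

var ErrForbidden = errors.New("forbidden: caller is not a member of the team")

// DeletedChannelsUnchecked mirrors the flaw in the advisory: the caller's
// identity is ignored, so a member of one team can list another team's
// archived channels.
func (s *Store) DeletedChannelsUnchecked(_ string, teamID string) ([]string, error) {
	return s.archived(teamID), nil
}

// DeletedChannels is the hardened form: deny unless the caller belongs to the
// team whose archived channels are requested (indexing a nil map is safe).
func (s *Store) DeletedChannels(userID, teamID string) ([]string, error) {
	if !s.TeamMembers[teamID][userID] {
		return nil, ErrForbidden
	}
	return s.archived(teamID), nil
}

// archived returns the IDs of archived channels in one team, in store order.
func (s *Store) archived(teamID string) []string {
	var ids []string
	for _, c := range s.Channels {
		if c.TeamID == teamID && c.Archived {
			ids = append(ids, c.ID)
		}
	}
	return ids
}

// SampleStore returns constructed sample data: two teams, one archived channel each.
func SampleStore() *Store {
	return &Store{
		TeamMembers: map[string]map[string]bool{"team-a": {"alice": true}, "team-b": {"bob": true}},
		Channels: []Channel{
			{ID: "a-old", TeamID: "team-a", Archived: true},
			{ID: "a-live", TeamID: "team-a"},
			{ID: "b-old", TeamID: "team-b", Archived: true},
		},
	}
}
```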

Fix

Weakness Enumeration
Improper Access Control

Related Identifiers

BIT-MATTERMOST-2023-47858
CVE-2023-47858
GHSA-W88V-PJR8-CMV2
GO-2024-2450

Affected Products

Mattermost