PT-2024-2072 · Mattermost · Mattermost

Vultza · Published 2024-02-29 · Updated 2025-01-11 · CVE-2024-23493

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mattermost versions prior to v8.1.9

Description: The vulnerability is a missing authorization check in requests that fetch the AD/LDAP groups associated with a team. Because membership is not verified, a user can fetch details of the AD/LDAP groups of a team they are not a member of. A remote, authenticated attacker can exploit this to gain unauthorized access to user information. The vulnerable endpoint is related to the /plugins/playbooks/api/v0/telemetry/run/ component.

Recommendations: For Mattermost versions prior to v8.1.9, update to version v8.1.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable /plugins/playbooks/api/v0/telemetry/run/ endpoint until a patch is available. Avoid using this endpoint to fetch team-associated AD/LDAP groups until the issue is resolved.

Fix

Weakness Enumeration

Missing Authorization
Information Disclosure

Related Identifiers

BDU:2024-01966
BIT-MATTERMOST-2024-23493
CVE-2024-23493
GHSA-7V3V-984V-H74R
GO-2024-2590

Affected Products

Mattermost