PT-2024-24375 · Mattermost · Mattermost
Grzegorz Misiun
·
Published
2024-04-26
·
Updated
2024-06-05
·
CVE-2024-32046
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 8.1.x through 8.1.11
Mattermost versions 9.4.x through 9.4.4
Mattermost versions 9.5.x through 9.5.2
Mattermost versions 9.6.x through 9.6.0
Description
The issue allows an attacker to obtain information about the server, including the full path where files are stored, due to detailed error messages not being removed in API requests even when developer mode is off.
Recommendations
For versions 8.1.x through 8.1.11, update to a version later than 8.1.11 to resolve the issue.
For versions 9.4.x through 9.4.4, update to a version later than 9.4.4 to resolve the issue.
For versions 9.5.x through 9.5.2, update to a version later than 9.5.2 to resolve the issue.
For versions 9.6.x through 9.6.0, update to a version later than 9.6.0 to resolve the issue.
As a temporary workaround, consider restricting access to API endpoints that may reveal detailed error messages until a patch is available.
Fix
Generation of Error Message Containing Sensitive Information
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Mattermost