PT-2024-24990 · Mattermost · Mattermost
Juho Forsén
·
Published
2024-08-22
·
Updated
2024-08-30
·
CVE-2024-32939
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 9.8.x through 9.8.2
Mattermost versions 9.5.x through 9.5.7
Mattermost versions 9.9.x through 9.9.1
Mattermost versions 9.10.x through 9.10.0
Description
When shared channels are enabled, Mattermost fails to redact the original email addresses of remote users that are stored in user props. The addresses remain visible even when the local server is otherwise configured not to show email addresses, so the redaction applied to the top-level email field does not cover this second copy.
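The following Go example is added here to illustrate the class of defect the description refers to; it is not Mattermost's code and does not reproduce its user model or API. It assumes a hypothetical `User` record with a top-level `Email` field and a `Props` map, and a hypothetical prop key (`RemoteEmail`) under which a remote user's original address is kept. `sanitizeIncomplete` clears only the top-level field, so the copy in props survives serialization; `sanitizeComplete` clears both locations. `leaksEmail` is a simple check a defender can run over the serialized output to confirm that no copy of the address remains.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// User is a hypothetical, simplified user record constructed for this
// example. It is not Mattermost's model; it only mirrors the two places
// the advisory mentions: a top-level email and a props map.
type User struct {
	ID       string            `json:"id"`
	Username string            `json:"username"`
	Email    string            `json:"email"`
	RemoteID string            `json:"remote_id,omitempty"`
	Props    map[string]string `json:"props,omitempty"`
}

// propOriginalEmail is an assumed prop key holding a remote user's original
// address. The real key name, if any, is not stated on the page.
const propOriginalEmail = "RemoteEmail"

// copyProps returns a shallow copy so sanitizers never mutate the stored record.
func copyProps(p map[string]string) map[string]string {
	if p == nil {
		return nil
	}
	c := make(map[string]string, len(p))
	for k, v := range p {
		c[k] = v
	}
	return c
}

// sanitizeIncomplete shows the failure mode: when emails must be hidden it
// clears the top-level field but leaves the copy stored in props untouched.
func sanitizeIncomplete(u User, showEmail bool) User {
	out := u
	out.Props = copyProps(u.Props)
	if !showEmail {
		out.Email = ""
	}
	return out
}

// sanitizeComplete clears every location that can carry the address.
func sanitizeComplete(u User, showEmail bool) User {
	out := u
	out.Props = copyProps(u.Props)
	if !showEmail {
		out.Email = ""
		delete(out.Props, propOriginalEmail)
	}
	return out
}

// leaksEmail reports whether the serialized (API-facing) form of the user
// still contains the given address anywhere, not just in the email field.
func leaksEmail(u User, email string) bool {
	b, err := json.Marshal(u)
	if err != nil {
		return true // fail closed: treat an unserializable record as leaking
	}
	return strings.Contains(string(b), email)
}

func main() {
	// Constructed sample: a remote user whose address was copied into props.
	u := User{
		ID:       "u1",
		Username: "remote.alice",
		Email:    "alice@example.test",
		RemoteID: "remote-1",
		Props:    map[string]string{propOriginalEmail: "alice@example.test"},
	}
	fmt.Println("incomplete sanitizer leaks:", leaksEmail(sanitizeIncomplete(u, false), u.Email))
	fmt.Println("complete sanitizer leaks:  ", leaksEmail(sanitizeComplete(u, false), u.Email))
}
```

The useful habit here is the `leaksEmail` style of check: verify the serialized output rather than individual fields, because redaction bugs of this kind come from a second copy of the data living somewhere the field-level logic never looks.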
Recommendations
For Mattermost versions 9.8.x through 9.8.2, update to a version later than 9.8.2 to resolve the issue.
For Mattermost versions 9.5.x through 9.5.7, update to a version later than 9.5.7 to resolve the issue.
For Mattermost versions 9.9.x through 9.9.1, update to a version later than 9.9.1 to resolve the issue.
For Mattermost versions 9.10.x through 9.10.0, update to a version later than 9.10.0 to resolve the issue.
As a temporary workaround, consider disabling shared channels until a patch is available.
Fix
Cleartext Storage of Sensitive Information
Improper Access Control
Related Identifiers
Affected Products
Mattermost