CVE-2024-34029

Name of the Vulnerable Software and Affected Versions Mattermost versions 8.1.x through 8.1.12 Mattermost versions 9.5.x through 9.5.3 Mattermost versions 9.7.x through 9.7.1

Description The issue is related to a failure in performing proper authorization checks in the "/api/v4/groups//channels//link" endpoint. This allows a user to determine the members of an AD/LDAP group linked to a team by adding the group to a channel, even if the user has no access to the team.

Recommendations For versions 8.1.x through 8.1.12, update to a version that includes the fix for this issue. For versions 9.5.x through 9.5.3, update to a version that includes the fix for this issue. For versions 9.7.x through 9.7.1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the "/api/v4/groups//channels//link" endpoint until a patch is available.