PT-2024-29684 · Mattermost · Mattermost

Othman · Published 2024-11-09 · Updated 2024-11-15

CVE-2024-42000

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 9.5.x through 9.5.9
Mattermost versions 9.10.x through 9.10.2
Mattermost versions 9.11.x through 9.11.1
Mattermost versions 10.0.x through 10.0.0

Description

The issue allows a User Manager or System Manager who holds the "Read Groups" permission but has no access to channels to retrieve details about private channels they are not a member of by sending a request to "/api/v4/channels". The cause is a request authorization issue in the affected Mattermost versions: the group-level read permission is accepted where channel membership should be required.

Recommendations

For versions 9.5.x through 9.5.9, upgrade to a version higher than 9.5.9 to resolve the issue.
For versions 9.10.x through 9.10.2, upgrade to a version higher than 9.10.2 to resolve the issue.
For versions 9.11.x through 9.11.1, upgrade to a version higher than 9.11.1 to resolve the issue.
For versions 10.0.x through 10.0.0, upgrade to a version higher than 10.0.0 to resolve the issue.
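The authorization flaw described above, as an added illustration that is not Mattermost's code: a simplified Go model of the channel-listing decision, with the flawed rule (a group-level read permission stands in for channel membership) beside the rule the fix restores (private channels are visible only to their members). The types, the "read_groups" key and the sample channels are constructed for the example.

```go
package main

import "fmt"

// Channel is a simplified stand-in for a channel record (constructed, not Mattermost's type).
type Channel struct {
	ID      string
	Name    string
	Private bool
}

// Requester models the caller: coarse permissions plus the channel IDs it belongs to.
type Requester struct {
	Permissions map[string]bool // "read_groups" is a constructed key for the "Read Groups" permission
	MemberOf    map[string]bool // channel IDs the caller is a member of
}

// listChannelsVulnerable reproduces the flawed decision the advisory describes:
// a group-level read permission is accepted as a substitute for channel membership,
// so private channels the caller never joined are returned.
func listChannelsVulnerable(r Requester, all []Channel) []Channel {
	var out []Channel
	for _, c := range all {
		if !c.Private || r.MemberOf[c.ID] || r.Permissions["read_groups"] {
			out = append(out, c)
		}
	}
	return out
}

// listChannelsFixed applies the rule the fix restores: a private channel is visible
// only to its members; no other permission widens that set.
func listChannelsFixed(r Requester, all []Channel) []Channel {
	var out []Channel
	for _, c := range all {
		if !c.Private || r.MemberOf[c.ID] {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	// Constructed sample: one public and one private channel, caller is a non-member with "Read Groups".
	chans := []Channel{{ID: "c1", Name: "town-square", Private: false}, {ID: "c2", Name: "board-private", Private: true}}
	mgr := Requester{Permissions: map[string]bool{"read_groups": true}, MemberOf: map[string]bool{}}
	fmt.Println(len(listChannelsVulnerable(mgr, chans)), len(listChannelsFixed(mgr, chans))) // 2 1
}
```

Running the flawed and fixed variants over the same requester shows exactly which channels the fix stops exposing, which is the check to repeat against a patched server's own channel listing.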

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-MATTERMOST-2024-42000
CVE-2024-42000

Affected Products

Mattermost