PT-2024-35098

Author: Adrian · Published: 2024-11-09 · Updated: 2024-11-15

CVE-2024-52032

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.11.x through 9.11.2; Mattermost versions 10.0.x through 10.0.0.

Description: When Elasticsearch v8 is enabled, searching for channel names in the channel switcher allows an authenticated user to obtain the names of private channels they are not a member of. The cause is that the channel search does not properly query Elasticsearch, so results are not restricted to channels the user may see.

Recommendations: For versions 9.11.x through 9.11.2, update to a version later than 9.11.2 to resolve the issue. For versions 10.0.x through 10.0.0, update to a version later than 10.0.0 to resolve the issue. As a temporary workaround, consider disabling Elasticsearch v8 until a patch is available.
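The class of defect described above is a search query that matches on channel name without also constraining the result set to what the caller is permitted to see. The following is an added, simplified illustration of that pattern and its hardened form; it is not Mattermost's code, and the document shape (`id`, `name`, `type` with "O" for public and "P" for private), the sample index and the tiny in-memory matcher that stands in for Elasticsearch are all assumptions made for the example.

```python
"""Illustrative channel-name search scoped to the caller's membership.

Added example, not Mattermost's code. Assumed document shape:
{"id", "name", "type"} with type "O" (public) or "P" (private).
A small evaluator for the subset of the Elasticsearch query DSL used
here stands in for the real engine so the example runs offline.
"""

# Constructed sample index standing in for the channel index.
SAMPLE_INDEX = [
    {"id": "c1", "name": "town-square", "type": "O"},
    {"id": "c2", "name": "payroll-private", "type": "P"},
    {"id": "c3", "name": "payroll-public", "type": "O"},
    {"id": "c4", "name": "pay-review", "type": "P"},
]


def unscoped_query(term):
    """Weak form: matches on name only, so every private channel whose name
    matches the prefix is returned regardless of the caller's membership."""
    return {"query": {"bool": {"must": [{"prefix": {"name": term}}]}}}


def scoped_query(term, member_channel_ids):
    """Hardened form: the name match is combined with a filter that admits
    only public channels or channels whose id is in the caller's membership.
    The authorization constraint travels inside the query itself, so the
    engine never returns a document the caller may not see."""
    return {
        "query": {
            "bool": {
                "must": [{"prefix": {"name": term}}],
                "filter": [
                    {
                        "bool": {
                            "should": [
                                {"term": {"type": "O"}},
                                {"terms": {"id": sorted(member_channel_ids)}},
                            ],
                            "minimum_should_match": 1,
                        }
                    }
                ],
            }
        }
    }


def _matches(clause, doc):
    """Evaluate prefix/term/terms/bool clauses against one document.
    Hypothetical stand-in for Elasticsearch; not a full DSL implementation."""
    if "prefix" in clause:
        (field, value), = clause["prefix"].items()
        return doc[field].startswith(value)
    if "term" in clause:
        (field, value), = clause["term"].items()
        return doc[field] == value
    if "terms" in clause:
        (field, values), = clause["terms"].items()
        return doc[field] in values
    if "bool" in clause:
        b = clause["bool"]
        must_ok = all(_matches(c, doc) for c in b.get("must", []))
        filter_ok = all(_matches(c, doc) for c in b.get("filter", []))
        should_hits = sum(_matches(c, doc) for c in b.get("should", []))
        should_ok = should_hits >= b.get("minimum_should_match", 0)
        return must_ok and filter_ok and should_ok
    raise ValueError(f"unsupported clause: {clause}")


def run_search(query, index=SAMPLE_INDEX):
    """Return the names of documents in index that satisfy the query."""
    return [d["name"] for d in index if _matches(query["query"], d)]


if __name__ == "__main__":
    # Caller is a member of the private channel c4 only.
    members = {"c4"}
    print("unscoped:", run_search(unscoped_query("pay")))
    print("scoped:  ", run_search(scoped_query("pay", members)))
```

Running the block shows the difference directly: the unscoped query returns "payroll-private" to a caller who is not a member of it, while the scoped query returns only "payroll-public" and the caller's own "pay-review". The point for a reviewer is that membership filtering belongs in the query sent to the search backend, not as an afterthought on the client side.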

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers
BIT-MATTERMOST-2024-52032
CVE-2024-52032

Affected Products
Elasticsearch
Mattermost