CVE-2021-37864 (severity: Low)

CVE-2021-37864: Users can view the contents of an archived channel when access is explicitly denied by the system admin

Vendor Mattermost
Product Mattermost
Weakness CWE-284
Published January 18, 2022
Last update December 6, 2024

CVSS base score

2.6/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Mattermost 6.1 and earlier fails to sufficiently validate permissions when viewing archived channels. By calling the APIs directly, authenticated users can view the contents of archived channels even when system administrators have denied access to them.

Key dates

Disclosure timeline

January 18, 2022 CVE published
December 6, 2024 Record updated