CVE-2024-42000 LOW

CVE-2024-42000: Unauthorized Access to view channels' details

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published November 9, 2024
Last update November 12, 2024

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize requests to /api/v4/channels. A User Manager or System Manager who holds the "Read Groups" permission but has no channel access can retrieve details about private channels they are not a member of by sending a request to /api/v4/channels. The listing endpoint checks the caller's system-level permission but does not filter the result set by channel membership, so the private channel records are returned to a non-member.
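The following is an added example, not code from Mattermost or from this advisory. It gives two offline checks a practitioner would want after reading the description: whether a server version string falls inside one of the affected ranges listed above, and, given the JSON returned by GET /api/v4/channels together with the IDs of channels the caller is actually a member of, which private channels were returned that a non-member should not see. The channel records and membership set are constructed sample data; the field names "id", "name", "type" and the type codes "P" (private) and "O" (open) follow the Mattermost channel object, and the way the caller's memberships are obtained is left to the reader (one assumed option is GET /api/v4/users/{user_id}/channels with the same bearer token).

```python
"""
Added example (not Mattermost's own code): offline checks for CVE-2024-42000.

1. is_affected(): is a Mattermost server version inside one of the affected
   ranges listed in the advisory?
2. leaked_private_channels(): given the list returned by GET /api/v4/channels
   and the IDs of channels the calling user is actually a member of, return the
   private channels that a non-member should not have been shown.

SAMPLE_CHANNELS and SAMPLE_MEMBERSHIPS below are constructed for this example.
"""
from typing import Optional

# Affected ranges taken from the advisory: (major, minor) -> highest affected patch.
AFFECTED_MAX_PATCH = {
    (9, 5): 9,
    (9, 10): 2,
    (9, 11): 1,
    (10, 0): 0,
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a '-rc1' or '+build' suffix is ignored."""
    core = version.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Mattermost version string: {version!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if that release line
    is listed but the patch level is above the affected maximum, and None if
    the release line (e.g. 9.6.x) is not mentioned by the advisory at all, so
    nothing can be concluded from it."""
    major, minor, patch = parse_version(version)
    max_patch = AFFECTED_MAX_PATCH.get((major, minor))
    if max_patch is None:
        return None
    return patch <= max_patch


def leaked_private_channels(channels: list[dict], member_channel_ids: set[str]) -> list[dict]:
    """Private channels ("type": "P") present in a /api/v4/channels response
    that the caller is not a member of. For a caller that has only the
    "Read Groups" permission and no channel access, a patched server should
    leave this list empty."""
    return [
        ch for ch in channels
        if ch.get("type") == "P" and ch.get("id") not in member_channel_ids
    ]


# Constructed sample: what GET /api/v4/channels might return to a System Manager.
SAMPLE_CHANNELS = [
    {"id": "c1", "name": "town-square", "type": "O"},
    {"id": "c2", "name": "finance-private", "type": "P"},
    {"id": "c3", "name": "infra-private", "type": "P"},
]
# Constructed sample: the caller is a member of c1 and c3 only.
SAMPLE_MEMBERSHIPS = {"c1", "c3"}


if __name__ == "__main__":
    labels = {True: "affected", False: "fixed", None: "release line not listed in advisory"}
    for v in ("9.10.2", "9.10.3", "9.5.9", "10.0.1", "9.6.0"):
        print(v, labels[is_affected(v)])
    for ch in leaked_private_channels(SAMPLE_CHANNELS, SAMPLE_MEMBERSHIPS):
        print("private channel returned to a non-member:", ch["name"])
```

To run the second check against a real server, fetch /api/v4/channels with the bearer token of an account that holds only the "Read Groups" permission and no channel memberships, and pass the decoded JSON array as `channels`; with such an account every private channel in the response is unexpected, so an empty membership set is the right input. Any non-empty result on a version that is_affected() reports as fixed deserves a closer look at the account's actual role and permission set before concluding the server is unpatched.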

Key dates

02 Disclosure timeline

November 9, 2024 CVE published
November 12, 2024 Record updated