CVE-2024-1942
Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server
4.3
MEDIUM
CVSS 3.1
EPSS 0.23%
Description
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.
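The bug class the description names, reconstructed as an added example rather than taken from the Mattermost code base: a permalink-metadata builder that copies the referenced post's content into the embed without asking whether the viewer may read that channel, beside a form that sanitizes the metadata per viewer. All names (Post, Embed, Store, buildMetadata*), the permalink path shape `/<team>/pl/<postID>`, and the sample posts and memberships are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Post is a minimal stand-in for a chat post (assumed shape, not Mattermost's type).
type Post struct {
	ID        string
	ChannelID string
	Message   string
}

// Embed is the preview metadata attached to a post whose text contains a permalink.
type Embed struct {
	PostID  string
	Preview string // the referenced post's message
}

// Store holds constructed sample data: posts and channel memberships.
type Store struct {
	posts   map[string]Post
	members map[string]map[string]bool // channelID -> userID -> is member
}

// permalinkRE matches https://<host>/<team>/pl/<postID>; the path shape is an assumption.
var permalinkRE = regexp.MustCompile(`https?://[^/\s]+/[^/\s]+/pl/([A-Za-z0-9]+)`)

func (s *Store) isMember(userID, channelID string) bool {
	return s.members[channelID][userID]
}

// buildMetadataVulnerable resolves each permalink and copies the referenced
// post's content into the embed without checking whether the viewer may read
// that channel. This reconstructs the bug class in the description; it is not
// the real Mattermost code.
func (s *Store) buildMetadataVulnerable(viewerID, msg string) []Embed {
	var out []Embed
	for _, m := range permalinkRE.FindAllStringSubmatch(msg, -1) {
		if ref, ok := s.posts[m[1]]; ok {
			out = append(out, Embed{PostID: ref.ID, Preview: ref.Message})
		}
	}
	return out
}

// buildMetadataFixed does the same resolution but sanitizes the metadata:
// an embed is emitted only when the viewer is a member of the channel the
// referenced post lives in. Non-members get nothing, not even the post ID,
// so the metadata cannot serve as an existence oracle either.
func (s *Store) buildMetadataFixed(viewerID, msg string) []Embed {
	var out []Embed
	for _, m := range permalinkRE.FindAllStringSubmatch(msg, -1) {
		ref, ok := s.posts[m[1]]
		if !ok || !s.isMember(viewerID, ref.ChannelID) {
			continue
		}
		out = append(out, Embed{PostID: ref.ID, Preview: ref.Message})
	}
	return out
}

// sampleStore builds constructed data: a private channel mallory is not in,
// and a public channel both users are in.
func sampleStore() *Store {
	return &Store{
		posts: map[string]Post{
			"secret1": {ID: "secret1", ChannelID: "private-finance", Message: "Q3 numbers: revenue down 12%"},
			"pub1":    {ID: "pub1", ChannelID: "town-square", Message: "Welcome everyone"},
		},
		members: map[string]map[string]bool{
			"private-finance": {"alice": true},
			"town-square":     {"alice": true, "mallory": true},
		},
	}
}

func main() {
	s := sampleStore()
	msg := "See https://chat.example.com/team/pl/secret1 and https://chat.example.com/team/pl/pub1"
	fmt.Printf("vulnerable, viewer=mallory: %+v\n", s.buildMetadataVulnerable("mallory", msg))
	fmt.Printf("fixed,      viewer=mallory: %+v\n", s.buildMetadataFixed("mallory", msg))
	fmt.Printf("fixed,      viewer=alice:   %+v\n", s.buildMetadataFixed("alice", msg))
}
```

The check has to run against the identity of whoever is reading the post, each time the metadata is served: a post in a channel mallory can see may link to a post in one she cannot, so filtering once at creation time against the author's memberships is not enough.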
How to fix CVE-2024-1942
To remediate CVE-2024-1942, upgrade the affected package to a fixed version below.
- —upgrade to 8.1.9 or later
- —upgrade to 9.2.5+incompatible or later
- —no fix listed
- —no fix listed
- —upgrade to 9.3.1 or later
- —no fix listed
Is CVE-2024-1942 being exploited?
Low. EPSS is 0.23%, a low predicted probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a record of observed exploitation, so treat it as a prioritization signal rather than evidence that the bug has gone unexploited.
Affected packages (6)
- >= 8.1.0, < 8.1.9, >= 9.2.0, < 9.2.5 | >= 9.3.0, <= 9.3.0
- >= 9.2.0+incompatible, < 9.2.5+incompatible, >= 9.3.0+incompatible, < 9.3.1+incompatible
- from 0
- from 0
- >= 9.3.0, < 9.3.1
- from 0
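An affected-version check that encodes only the ranges and fixed versions printed in the fix and affected-packages sections above (8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 exactly), added here as an example and not part of the advisory or the Mattermost project. The Go-module `+incompatible` suffix and a leading `v` are accepted because that is how the second affected package lists its versions; function names are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type version struct{ major, minor, patch int }

// parseVersion accepts "9.2.4", "v9.2.4" and "9.2.4+incompatible"; anything
// after a '+' or '-' (build metadata, pre-release) is ignored for the comparison.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "+-"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("bad version %q: want major.minor.patch", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("bad version %q: %w", s, err)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// affectedRange is [lo, hi): lo inclusive, hi exclusive. hi is also the
// version the advisory says to upgrade to.
type affectedRange struct {
	lo, hi  version
	fixedIn string
}

// affectedRanges is transcribed from the advisory text above.
var affectedRanges = []affectedRange{
	{version{8, 1, 0}, version{8, 1, 9}, "8.1.9"},
	{version{9, 2, 0}, version{9, 2, 5}, "9.2.5"},
	{version{9, 3, 0}, version{9, 3, 1}, "9.3.1"}, // only 9.3.0 itself
}

// checkCVE20241942 reports whether the given server version is affected and,
// if so, the fixed version on the same branch.
func checkCVE20241942(s string) (affected bool, fixedIn string, err error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, "", err
	}
	for _, r := range affectedRanges {
		if !v.less(r.lo) && v.less(r.hi) {
			return true, r.fixedIn, nil
		}
	}
	return false, "", nil
}

func main() {
	for _, s := range []string{"8.1.8", "8.1.9", "v9.2.4+incompatible", "9.2.5", "9.3.0", "9.3.1"} {
		hit, fix, err := checkCVE20241942(s)
		fmt.Printf("%-22s affected=%-5v fix=%s err=%v\n", s, hit, fix, err)
	}
}
```

A version that is not on one of the three listed branches (for example 9.1.x) is reported as not affected only because this page lists no range for it; the advisory text, not this check, is the authority for such versions.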
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |