GoogleOSV:GHSA-VX97-8Q8Q-QGQ5Mattermost's detailed error messages reveal the full file path
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%
Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored
References
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/2a48b5b3428cae494452125401e4f72780543ac8
github.com/mattermost/mattermost/commit/93738756ff79777c6e340c8de63a7b4b0f881d27
github.com/mattermost/mattermost/commit/aa222c66b799c12e32eeb8eae6f555bf6140375b
github.com/mattermost/mattermost/commit/c84c25b20c8b8726a2f126ae9370a72498096172
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-32046
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%