CVE-2017-18912

EPSS 0.73%

Mattermost Server allows an attacker to specify a full pathname of a log file in github.com/mattermost/mattermost-server

Published: 5/24/2022Modified: 2/19/2026

Description

Mattermost Server allows an attacker to specify a full pathname of a log file in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.7.4-0.20170404171331-0b5c0794fdcb.

Affected packages (2)

Go/github.com/mattermost/mattermost-serverfrom 0, < 3.7.4-0.20170404171331-0b5c0794fdcb
Go/github.com/mattermost/mattermost-serverfrom 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

References (5)

ADVISORYhttps://github.com/advisories/GHSA-m2ch-x2q7-2284
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-18912
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://github.com/mattermost/mattermost/commit/0b5c0794fdcbb551c1233dcdfbdf5c7deb585fd6
WEBhttps://mattermost.com/security-updates