CVE-2024-23488

LOW3.1EPSS 0.20%

Mattermost fails to properly restrict the access of files attached to posts

發布日:2024/2/29修改日:2026/2/4

也稱為:GHSA-xgxj-j98c-59rvCGA-6vx5-5gq4-gxqwGO-2024-2595

描述

Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the “Allow users to view archived channels” option is disabled.

受影響套件(5)

Go/github.com/mattermost/mattermost-server>= 9.0.0+incompatible, < 9.4.2+incompatible
Go/github.com/mattermost/mattermost-server/v5from 0
Go/github.com/mattermost/mattermost-server/v6from 0
Go/github.com/mattermost/mattermost/server/v8>= 9.0.0, < 9.4.2
Go/github.com/mattermost/mattermost/server/v8from 0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	LOW3.1	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(4)

ADVISORYhttps://github.com/advisories/GHSA-xgxj-j98c-59rv
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-23488
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://mattermost.com/security-updates