2277327 – (CVE-2024-32046) CVE-2024-32046 mattermost: allows an attacker to get information about the server such as the full path were files are stored

Bug 2277327 (CVE-2024-32046) - CVE-2024-32046 mattermost: allows an attacker to get information about the server such as the full path were files are stored

Summary: CVE-2024-32046 mattermost: allows an attacker to get information about the se...

Keywords:
Status:	NEW
Alias:	CVE-2024-32046
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2277328 2277329
Blocks:	2277330
TreeView+	depends on / blocked

Reported:	2024-04-26 11:01 UTC by Rohit Keshri
Modified:	2024-04-26 13:30 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	---
Doc Text:	A flaw was found in Mattermost, where it fails to remove detailed error messages in API requests even if the developer mode is off. This flaw allows an attacker to obtain information about the server, such as the full path where files are stored.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Rohit Keshri 2024-04-26 11:01:31 UTC

Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored

https://mattermost.com/security-updates

Comment 1 Rohit Keshri 2024-04-26 11:03:41 UTC

Created purple-mattermost tracking bugs for this issue:

Affects: epel-all [bug 2277328]
Affects: fedora-all [bug 2277329]

Note You need to log in before you can comment on or make changes to this bug.