Bug 2277327 (CVE-2024-32046) - CVE-2024-32046 mattermost: allows an attacker to get information about the server such as the full path were files are stored
Summary: CVE-2024-32046 mattermost: allows an attacker to get information about the se...
Keywords:
Status: NEW
Alias: CVE-2024-32046
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2277328 2277329
Blocks: 2277330
TreeView+ depends on / blocked
 
Reported: 2024-04-26 11:01 UTC by Rohit Keshri
Modified: 2024-05-30 22:23 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Mattermost, where it fails to remove detailed error messages in API requests even if the developer mode is off. This flaw allows an attacker to obtain information about the server, such as the full path where files are stored.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Rohit Keshri 2024-04-26 11:01:31 UTC
Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored

https://mattermost.com/security-updates

Comment 1 Rohit Keshri 2024-04-26 11:03:41 UTC
Created purple-mattermost tracking bugs for this issue:

Affects: epel-all [bug 2277328]
Affects: fedora-all [bug 2277329]


Note You need to log in before you can comment on or make changes to this bug.