CVE-2024-32046 – github.com/mattermost/mattermost-server
Package
Manager: go
Name: github.com/mattermost/mattermost-server
Vulnerable Version: >=8.1.0 <8.1.12 || >=9.5.0 <9.5.3 || >=9.6.0-rc1 <9.6.1 || >=9.4.0 <9.4.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00097 pctl0.27749
Details
Mattermost's detailed error messages reveal the full file path. Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to strip detailed error messages from API responses even when developer mode is off, which allows an attacker to obtain information about the server, such as the full path where files are stored.
Metadata
Created: 2024-04-26T09:30:34Z
Modified: 2024-04-26T19:10:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-vx97-8q8q-qgq5/GHSA-vx97-8q8q-qgq5.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-vx97-8q8q-qgq5
Finding: F308
Auto approve: 1