CVE-2023-47858

Summary

Mattermost fails to properly verify the permissions needed for viewing archived public channels,  allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 9.2.2affected
MattermostMattermost0 <= 9.1.3affected
MattermostMattermost0 <= 9.0.4affected
MattermostMattermost0 <= 8.1.6affected
MattermostMattermost8.1.7unaffected
MattermostMattermost9.0.5unaffected
MattermostMattermost9.1.4unaffected
MattermostMattermost9.2.3unaffected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References