CVE-2024-23493

Summary

Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of. 

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 9.4.1affected
MattermostMattermost0 <= 9.3.0affected
MattermostMattermost0 <= 9.2.5affected
MattermostMattermost0 <= 8.1.8affected
MattermostMattermost9.5.0unaffected
MattermostMattermost9.4.2unaffected
MattermostMattermost9.3.1unaffected
MattermostMattermost9.2.5unaffected
MattermostMattermost8.1.9unaffected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References