CVE-2024-32046

Summary

Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.6.0affected
MattermostMattermost9.5.0 <= 9.5.2affected
MattermostMattermost9.4.0 <= 9.4.4affected
MattermostMattermost8.1.0 <= 8.1.11affected
MattermostMattermost9.7.0unaffected
MattermostMattermost9.6.1unaffected
MattermostMattermost9.5.3unaffected
MattermostMattermost9.4.5unaffected
MattermostMattermost8.1.12unaffected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References