{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-42406", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-09-23T07:55:36.322Z", "datePublished": "2024-09-26T08:04:22.939Z", "dateUpdated": "2024-09-26T13:11:34.682Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"status": "affected", "version": "9.11.0"}, {"lessThanOrEqual": "9.10.1", "status": "affected", "version": "9.10.0", "versionType": "semver"}, {"lessThanOrEqual": "9.9.2", "status": "affected", "version": "9.9.0", "versionType": "semver"}, {"lessThanOrEqual": "9.5.8", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"status": "unaffected", "version": "10.0.0"}, {"status": "unaffected", "version": "9.11.1"}, {"status": "unaffected", "version": "9.10.2"}, {"status": "unaffected", "version": "9.9.3"}, {"status": "unaffected", "version": "9.5.9"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Daniel Espino Garcia"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost versions 9.11.x &lt;= 9.11.0, 9.10.x &lt;= 9.10.1, 9.9.x &lt;= 9.9.2 and 9.5.x &lt;= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows&nbsp;an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.</p>"}], "value": "Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows\u00a0an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-09-26T08:04:22.939Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost to versions 10.0.0, 9.11.1, 9.10.2, 9.9.3, 9.5.9 or higher.</p>"}], "value": "Update Mattermost to versions 10.0.0, 9.11.1, 9.10.2, 9.9.3, 9.5.9 or higher."}], "source": {"advisory": "MMSA-2024-00351", "defect": ["https://mattermost.atlassian.net/browse/MM-58491"], "discovery": "INTERNAL"}, "title": "Unauthorized access on archived channels", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-26T13:11:20.126365Z", "id": "CVE-2024-42406", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T13:11:34.682Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-42406", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-26T13:11:20.126365Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T13:11:28.447Z"}}], "cna": {"title": "Unauthorized access on archived channels", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-58491"], "advisory": "MMSA-2024-00351", "discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Daniel Espino Garcia"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "9.11.0"}, {"status": "affected", "version": "9.10.0", "versionType": "semver", "lessThanOrEqual": "9.10.1"}, {"status": "affected", "version": "9.9.0", "versionType": "semver", "lessThanOrEqual": "9.9.2"}, {"status": "affected", "version": "9.5.0", "versionType": "semver", "lessThanOrEqual": "9.5.8"}, {"status": "unaffected", "version": "10.0.0"}, {"status": "unaffected", "version": "9.11.1"}, {"status": "unaffected", "version": "9.10.2"}, {"status": "unaffected", "version": "9.9.3"}, {"status": "unaffected", "version": "9.5.9"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 10.0.0, 9.11.1, 9.10.2, 9.9.3, 9.5.9 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost to versions 10.0.0, 9.11.1, 9.10.2, 9.9.3, 9.5.9 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows\u00a0an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost versions 9.11.x &lt;= 9.11.0, 9.10.x &lt;= 9.10.1, 9.9.x &lt;= 9.9.2 and 9.5.x &lt;= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows&nbsp;an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-09-26T08:04:22.939Z"}}}, "cveMetadata": {"cveId": "CVE-2024-42406", "state": "PUBLISHED", "dateUpdated": "2024-09-26T13:11:34.682Z", "dateReserved": "2024-09-23T07:55:36.322Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-09-26T08:04:22.939Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC97EDD1-AD9D-484B-99B0-D49541EFBA52", "versionEndExcluding": "9.5.9", "versionStartIncluding": "9.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "20276949-478F-4F2C-9D07-F9B3C04CADD9", "versionEndExcluding": "9.9.3", "versionStartIncluding": "9.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AE34CB3-C7F7-4AAD-888E-5057ACBE9BC4", "versionEndExcluding": "9.10.2", "versionStartIncluding": "9.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:-:*:*:*:*:*:*", "matchCriteriaId": "E7436086-F0AC-4AB8-B611-7B8E1AE2E4F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D5310C1D-DA5F-46B5-BA33-F7C3D6A63C2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "BCE22F86-00E2-42E0-8343-D3AD818AA943", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "641065E7-F36F-42F3-A098-B7131DB0D2F5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows\u00a0an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files."}, {"lang": "es", "value": "Las versiones 9.11.x &lt;= 9.11.0, 9.10.x &lt;= 9.10.1, 9.9.x &lt;= 9.9.2 y 9.5.x &lt;= 9.5.8 de Mattermost no autorizan correctamente las solicitudes cuando la visualizaci\u00f3n de canales archivados est\u00e1 deshabilitada, lo que permite a un atacante recuperar informaci\u00f3n de publicaciones y archivos sobre canales archivados. Algunos ejemplos son las publicaciones marcadas o no le\u00eddas, as\u00ed como los archivos."}], "id": "CVE-2024-42406", "lastModified": "2024-10-01T11:15:48.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2024-09-26T08:15:05.810", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}