ElasticSearch query vulnerability
CVE-2024-52032

4.3MEDIUM

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 9 November 2024

Summary

Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query ElasticSearch when searching for the channel name in channel switcher which allows an attacker to get private channels names of channels that they are not a member of, when Elasticsearch v8 was enabled.

Affected Version(s)

Mattermost 10.0.0

Mattermost 9.11.0 <= 9.11.2

Mattermost 10.1.0

References

https://mattermost.com/security-updates

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 9, 2024
Vulnerability Reserved
Nov 5, 2024

Credit

Adrian (thiefmaster)