CVE-2024-42000

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to /api/v4/channels.

Published: Nov 9, 2024
Updated: May 4, 2025
CVE: CVE-2024-42000
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
mattermost / mattermost_server	10.0.0	10.0.0.x
mattermost / mattermost_server	10.0.0-rc1	10.0.0-rc1.x
mattermost / mattermost_server	10.0.0-rc2	10.0.0-rc2.x
mattermost / mattermost_server	10.0.0-rc3	10.0.0-rc3.x
mattermost / mattermost_server	10.0.0-rc4	10.0.0-rc4.x
mattermost / mattermost_server	9.11.0	9.11.2
mattermost / mattermost_server	9.10.0	9.10.3
mattermost / mattermost_server	9.5.0	9.5.10

https://mattermost.com/security-updates

Vulnerability Database

289,697

CVE-2024-42000