CVE-2024-32939

Published: Aug 22, 2024Modified: Aug 23, 2024

3.7

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.2 / Impact: 1.4

Source: NVD

Description

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server."

Affected (4)

Products: Mattermost: Mattermost

Mattermost

1 product

Mattermost

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Mattermost Mattermost	From 9.10.0 to 9.10.1
Mattermost Mattermost	From 9.5.0 to 9.5.8
Mattermost Mattermost	From 9.8.0 to 9.8.3
Mattermost Mattermost	From 9.9.0 to 9.9.2

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-312

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References (1)

https://mattermost.com/security-updates

Source: responsibledisclosure@mattermost.com

Vendor Advisory

Timeline

No history available yet.