CVE-2024-23488

Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the “Allow users to view archived channels” option is disabled.

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://mattermost.com/security-updates	Vendor Advisory
https://mattermost.com/security-updates	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::

History

12 May 2025, 13:34

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mattermost:mattermost_server::::::::
First Time		Mattermost Mattermost mattermost Server
CWE		NVD-CWE-noinfo
References	~~() https://mattermost.com/security-updates -~~	() https://mattermost.com/security-updates - Vendor Advisory

21 Nov 2024, 08:57

Type	Values Removed	Values Added
References	~~() https://mattermost.com/security-updates -~~	() https://mattermost.com/security-updates -

29 Feb 2024, 13:49

Type	Values Removed	Values Added
Summary		(es) Mattermost no logra restringir adecuadamente el acceso a los archivos adjuntos a las publicaciones en un canal archivado, lo que hace que los miembros puedan acceder a los archivos de los canales archivados incluso si la opción "Permitir a los usuarios ver canales archivados" está deshabilitada.

29 Feb 2024, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-29 08:15

Updated : 2025-05-12 13:34

NVD link : CVE-2024-23488

Mitre link : CVE-2024-23488

CVE.ORG link : CVE-2024-23488

JSON object : View

Products Affected

mattermost

mattermost_server

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2024-23488", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-02-29T08:15:47.110", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["Vendor Advisory"], "source": "responsibledisclosure@mattermost.com"}, {"url": "https://mattermost.com/security-updates", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the \u201cAllow users to view archived channels\u201d option is disabled.\n\n"}, {"lang": "es", "value": "Mattermost no logra restringir adecuadamente el acceso a los archivos adjuntos a las publicaciones en un canal archivado, lo que hace que los miembros puedan acceder a los archivos de los canales archivados incluso si la opci\u00f3n \"Permitir a los usuarios ver canales archivados\" est\u00e1 deshabilitada."}], "lastModified": "2025-05-12T13:34:26.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EEF3AB70-F893-4C93-B1A6-C6B82F2C1816", "versionEndExcluding": "8.1.9"}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6319D6D5-E6CD-488D-991C-A3B43C2A7572", "versionEndExcluding": "9.4.2", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "responsibledisclosure@mattermost.com"}