CVE-2024-32046: Mattermost's detailed error messages reveal the full file path
Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored
References
- github.com/advisories/GHSA-vx97-8q8q-qgq5
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost/commit/2a48b5b3428cae494452125401e4f72780543ac8
- github.com/mattermost/mattermost/commit/93738756ff79777c6e340c8de63a7b4b0f881d27
- github.com/mattermost/mattermost/commit/aa222c66b799c12e32eeb8eae6f555bf6140375b
- github.com/mattermost/mattermost/commit/c84c25b20c8b8726a2f126ae9370a72498096172
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2024-32046
Detect and mitigate CVE-2024-32046 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →