CVE-2024-10241: Mattermost Server allows user to get private channel names

October 29, 2024

Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.

References

github.com/advisories/GHSA-6mvp-gh77-7vwh
github.com/mattermost/mattermost
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-10241

Detect and mitigate CVE-2024-10241 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →