CVE-2021-37864: Users can view the contents of an archived channel when access is explicitly denied by the system admin
First published: Tue Jan 18 2022(Updated: )
Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost Mattermost | <=6.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-37864?
CVE-2021-37864 is a vulnerability in Mattermost 6.1 and earlier versions that allows authenticated users to view contents of archived channels even when this is denied by system administrators.
How does CVE-2021-37864 impact Mattermost?
CVE-2021-37864 allows authenticated users to bypass permissions and view the contents of archived channels in Mattermost.
What is the severity of CVE-2021-37864?
CVE-2021-37864 has a severity score of 6.5, which is considered medium.
How can I fix CVE-2021-37864 in Mattermost?
To fix CVE-2021-37864, it is recommended to upgrade Mattermost to a version that is not affected by this vulnerability.
Where can I find more information about CVE-2021-37864?
More information about CVE-2021-37864 can be found at the following link: https://mattermost.com/security-updates/
- collector/nvd-index
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/title
- agent/severity
- agent/author
- agent/softwarecombine
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- agent/type
- vendor/mattermost
- canonical/mattermost mattermost
- version/mattermost mattermost/6.1