First published: Fri Aug 11 2023
Mattermost fails to delete the attachments when a message in a thread is deleted, allowing a simple user to still access and download the attachment of a deleted message.
Credit: responsibledisclosure@mattermost.com

Affected Software | Affected Version | How to fix |
---|---|---|
Mattermost Mattermost | >=7.8.0<7.8.8 | |
Mattermost Mattermost | >=7.9.0<7.9.6 | |
Mattermost Mattermost | >=7.10.0<7.10.4 | |
go/github.com/mattermost/mattermost-server/v6 | <=7.8.7 | 7.8.8 |
go/github.com/mattermost/mattermost-server/v6 | >=7.10.0<=7.10.3 | 7.10.4 |
go/github.com/mattermost/mattermost-server/v6 | >=7.9.0<=7.9.5 | 7.9.6 |

Update Mattermost Server to version 7.10.4, 7.9.6, 7.8.8 or higher.
CVE-2023-4105 is a vulnerability in Mattermost that allows a simple user to access and download attachments of deleted messages in a thread.
The severity of CVE-2023-4105 is medium with a CVSS score of 4.3.
CVE-2023-4105 allows a simple user to still access and download attachments of deleted messages in a thread.
Mattermost versions 7.8.7 through 7.8.8, 7.9.0 through 7.9.6, and 7.10.0 through 7.10.4 are affected by CVE-2023-4105.
To fix CVE-2023-4105, upgrade to Mattermost version 7.8.8, 7.9.6, or 7.10.4.