First published: Wed Dec 06 2023
Mattermost webapp fails to validate route parameters in /<TEAM_NAME>/channels/<CHANNEL_NAME>, allowing an attacker to perform a client-side path traversal.
Credit: responsibledisclosure@mattermost.com
Affected Software | Affected Version | How to fix
---|---|---
go/github.com/mattermost/mattermost/server | >=9.1.0, <9.1.2 | 9.1.2
go/github.com/mattermost/mattermost/server/v8 | >=9.0.0, <9.0.3 | 9.0.3
go/github.com/mattermost/mattermost/server/v8 | <8.1.5 | 8.1.5
go/github.com/mattermost/mattermost-server/v6 | <7.8.14 | 7.8.14
Mattermost Mattermost Server | <7.8.14 | 
Mattermost Mattermost Server | >=8.0.0, <8.1.5 | 
Mattermost Mattermost Server | >=9.0.0, <9.0.3 | 
Mattermost Mattermost Server | >=9.1.0, <9.1.2 | 
Update Mattermost Server to version 9.1.2, 9.0.3, 8.1.5 or 7.8.14 (or higher) for the release line in use.
The vulnerability ID is CVE-2023-6458.
The severity of CVE-2023-6458 is high, with a severity score of 7.1.
CVE-2023-6458 is a client-side path traversal vulnerability in the Mattermost webapp: because the route parameters in /<TEAM_NAME>/channels/<CHANNEL_NAME> are not validated, an attacker can perform a client-side path traversal.
The affected software is go/github.com/mattermost/mattermost/server versions >=9.1.0 and <9.1.2; go/github.com/mattermost/mattermost/server/v8 versions >=9.0.0 and <9.0.3, and versions below 8.1.5; and go/github.com/mattermost/mattermost-server/v6 versions below 7.8.14.
To fix CVE-2023-6458, update Mattermost Server to version 9.1.2, 9.0.3, 8.1.5 or 7.8.14, whichever corresponds to the affected release line.
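The root cause named above is missing validation of the two route parameters. As an added illustration (not Mattermost's own code), the block below shows the kind of allowlist check a webapp can apply to the team and channel segments before composing a client-side path, including percent-encoded and double-encoded traversal attempts; the slug rule (lowercase a-z, 0-9, '-', '_', 2 to 64 chars) and the placeholder origin are assumptions.

```javascript
// Added example, not Mattermost's code: allowlist validation for the two route
// parameters in /<TEAM_NAME>/channels/<CHANNEL_NAME> before they are used to build
// a client-side path, so a crafted link cannot steer the webapp to another route.
// Assumption: names are lowercase slugs of a-z, 0-9, '-' and '_', 2 to 64 chars.
const ROUTE_NAME_RE = /^[a-z0-9][a-z0-9_-]{1,63}$/;

// Repeatedly percent-decode so a double-encoded "%252e%252e" is seen as "..".
// Returns null on malformed escapes, which a valid name never contains.
function decodeFully(segment) {
  let cur = String(segment);
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (e) {
      return null;
    }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

function isValidRouteName(segment) {
  const decoded = decodeFully(segment);
  return decoded !== null && ROUTE_NAME_RE.test(decoded);
}

// Builds the channel path, or returns null so the caller can fall back to a
// safe default route instead of navigating with attacker-controlled segments.
function buildChannelPath(team, channel) {
  if (!isValidRouteName(team) || !isValidRouteName(channel)) return null;
  const path = `/${team}/channels/${channel}`;
  // Defence in depth: after URL normalisation the path must be unchanged, i.e.
  // it still has exactly the /<team>/channels/<channel> shape assembled above.
  // The origin is a placeholder; only the resolved pathname is inspected.
  const normalised = new URL(path, 'https://placeholder.invalid').pathname;
  return normalised === path ? path : null;
}
```

Apply the same check wherever a team or channel name is read from the URL (router params or window.location) rather than only at one call site, since every consumer that builds a path from those segments is otherwise a traversal sink.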