CVE-2024-1949: Infoleak
First published: Thu Feb 29 2024(Updated: )
A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.
Credit: responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/mattermost/mattermost/server/v8 | <8.1.9 | 8.1.9 |
| go/github.com/mattermost/mattermost/server/v8 | >=9.0.0<9.4.2 | 9.4.2 |
| Mattermost Mattermost Server | >=8.1.0<8.1.9 | |
| Mattermost Mattermost Server | >=9.4.0<9.4.2 | |
| >=8.1.0<8.1.9 | ||
| >=9.4.0<9.4.2 |
Remedy
Update Mattermost Server to versions 9.5 ( 2024), 9.4.2, 8.1.9 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/remedy
- agent/weakness
- agent/first-publish-date
- agent/type
- agent/description
- agent/severity
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3g35-v53r-gpxc
- alias/CVE-2024-1949
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- agent/trending
- agent/tags
- collector/github-advisory
- agent/source
- vendor/mattermost
- canonical/mattermost mattermost server
- version/mattermost mattermost server/8.1.0
- version/mattermost mattermost server/9.4.0
- package-manager/go