GHSA-wwhj-pw6h-f8hw
First published: Mon Apr 14 2025(Updated: )
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/mattermost/mattermost/server/v8 | <8.0.0-20250213231113-68c11e9ecb71 | 8.0.0-20250213231113-68c11e9ecb71 |
| go/github.com/mattermost/mattermost/server/v8 | >=9.11.0<9.11.10 | 9.11.10 |
| go/github.com/mattermost/mattermost/server/v8 | >=10.5.0<10.5.2 | 10.5.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of GHSA-wwhj-pw6h-f8hw?
GHSA-wwhj-pw6h-f8hw is classified as a high severity vulnerability due to the potential unauthorized access to deleted file metadata.
How do I fix GHSA-wwhj-pw6h-f8hw?
To fix GHSA-wwhj-pw6h-f8hw, upgrade to Mattermost version 10.5.2, 9.11.10, or any version from 8.0.0-20250213231113-68c11e9ecb71.
What versions are affected by GHSA-wwhj-pw6h-f8hw?
Mattermost versions 10.5.x up to 10.5.1 and 9.11.x up to 9.11.9 are affected by GHSA-wwhj-pw6h-f8hw.
What is the impact of GHSA-wwhj-pw6h-f8hw?
GHSA-wwhj-pw6h-f8hw allows attackers to retrieve metadata of deleted files by exploiting bookmark creation.
Is there a known workaround for GHSA-wwhj-pw6h-f8hw?
There are no known workarounds for GHSA-wwhj-pw6h-f8hw; upgrading to a secure version is the recommended action.
- agent/weakness
- agent/severity
- agent/source
- agent/softwarecombine
- agent/type
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-wwhj-pw6h-f8hw
- alias/CVE-2025-2424
- agent/software-canonical-lookup
- agent/tags
- agent/event
- package-manager/go