{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32046", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-04-10T09:53:47.691Z", "datePublished": "2024-04-26T08:24:50.696Z", "dateUpdated": "2024-08-02T02:06:42.822Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"status": "affected", "version": "9.6.0"}, {"lessThanOrEqual": "9.5.2", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"lessThanOrEqual": "9.4.4", "status": "affected", "version": "9.4.0", "versionType": "semver"}, {"lessThanOrEqual": "8.1.11", "status": "affected", "version": "8.1.0", "versionType": "semver"}, {"status": "unaffected", "version": "9.7.0"}, {"status": "unaffected", "version": "9.6.1"}, {"status": "unaffected", "version": "9.5.3"}, {"status": "unaffected", "version": "9.4.5"}, {"status": "unaffected", "version": "8.1.12"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Grzegorz Misiun from ING"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost versions 9.6.x &lt;= 9.6.0, 9.5.x &lt;= 9.5.2, 9.4.x &lt;= 9.4.4 and 8.1.x &lt;= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored</p>"}], "value": "Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-04-26T08:24:50.696Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.</p>"}], "value": "Update Mattermost to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.\n\n"}], "source": {"advisory": "MMSA-2024-00317", "defect": ["https://mattermost.atlassian.net/browse/MM-57069"], "discovery": "EXTERNAL"}, "title": "Detailed error discloses full file path with dev mode off", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32046", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-26T19:11:02.512965Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.6.x"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.5.x"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.4.x"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "8.1.x"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:50:31.884Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:06:42.822Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:06:42.822Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32046", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-26T19:11:02.512965Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.6.x"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.5.x"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.4.x"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "8.1.x"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-26T19:10:10.687Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Detailed error discloses full file path with dev mode off", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-57069"], "advisory": "MMSA-2024-00317", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Grzegorz Misiun from ING"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "9.6.0"}, {"status": "affected", "version": "9.5.0", "versionType": "semver", "lessThanOrEqual": "9.5.2"}, {"status": "affected", "version": "9.4.0", "versionType": "semver", "lessThanOrEqual": "9.4.4"}, {"status": "affected", "version": "8.1.0", "versionType": "semver", "lessThanOrEqual": "8.1.11"}, {"status": "unaffected", "version": "9.7.0"}, {"status": "unaffected", "version": "9.6.1"}, {"status": "unaffected", "version": "9.5.3"}, {"status": "unaffected", "version": "9.4.5"}, {"status": "unaffected", "version": "8.1.12"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost versions 9.6.x &lt;= 9.6.0, 9.5.x &lt;= 9.5.2, 9.4.x &lt;= 9.4.4 and 8.1.x &lt;= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-04-26T08:24:50.696Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32046", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:06:42.822Z", "dateReserved": "2024-04-10T09:53:47.691Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-04-26T08:24:50.696Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "78A6C1F3-95B8-4231-B5D8-C8BB65EA9BFB", "versionEndExcluding": "8.1.12", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AB75A52-8C4A-44EC-AC33-B97F122FC6CA", "versionEndExcluding": "9.4.5", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4846F2D-56D5-4D24-BF0D-2075072A6ADF", "versionEndExcluding": "9.5.3", "versionStartIncluding": "9.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4540F56-1DA0-407F-A909-335D8DF3193C", "versionEndExcluding": "9.6.1", "versionStartIncluding": "9.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored\n\n"}, {"lang": "es", "value": "Las versiones de Mattermost 9.6.x &lt;= 9.6.0, 9.5.x &lt;= 9.5.2, 9.4.x &lt;= 9.4.4 y 8.1.x &lt;= 8.1.11 no eliminan mensajes de error detallados en las solicitudes de API, incluso si el desarrollador El modo est\u00e1 desactivado, lo que permite a un atacante obtener informaci\u00f3n sobre el servidor, como la ruta completa donde se almacenan los archivos."}], "id": "CVE-2024-32046", "lastModified": "2025-05-12T13:39:45.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-26T09:15:12.157", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mattermost: allows an attacker to get information about the server such as the full path were files are stored", "id": "2277327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2277327"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-200", "details": ["Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored", "A flaw was found in Mattermost, where it fails to remove detailed error messages in API requests even if the developer mode is off. This flaw allows an attacker to obtain information about the server, such as the full path where files are stored."], "name": "CVE-2024-32046", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-docs-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-scanner-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-scanner-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2024-04-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-32046\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-32046\nhttps://mattermost.com/security-updates"], "threat_severity": "Low"}