Описание
Mattermost allows reading arbitrary files
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.
Пакеты
github.com/mattermost/mattermost/server/v8
< 8.0.0-20250122165010-4ed702ccff4e
8.0.0-20250122165010-4ed702ccff4e
github.com/mattermost/mattermost/server/v8
>= 9.11.0-rc1, < 9.11.8
9.11.8
github.com/mattermost/mattermost/server/v8
>= 10.2.0-rc1, < 10.2.3
10.2.3
github.com/mattermost/mattermost/server/v8
>= 10.3.0-rc1, < 10.3.3
10.3.3
github.com/mattermost/mattermost/server/v8
>= 10.4.0-rc1, < 10.4.2
10.4.2
Связанные уязвимости
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3 ...
Уязвимость приложения для обмена мгновенными сообщениями Mattermost, связанная с неверным ограничением имени пути к каталогу с ограниченным доступом, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации