Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.
Mattermost Server improperly validates input data during patch operations and board duplication in the Boards module. An attacker, being a logged-in user, can create a specially crafted block containing path traversal sequences (e.g., '../'), and then duplicate it. Due to insufficient path validation, the server reads the file indicated by the attacker from outside the allowed directory. This allows access to any files available to the server process.
An authenticated attacker can read arbitrary files on the server, including configuration files, private keys, credentials, or other sensitive resources accessible to the Mattermost Server process.
Mattermost Server should be updated to versions higher than 10.4.1, 10.3.2, 10.2.2 (10.x branch) and 9.11.7 (9.11.x branch). Detailed information about patches is available at: https://mattermost.com/security-updates
Mattermost Server in versions: 10.4.x <= 10.4.1, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 and 9.11.x <= 9.11.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMattermost Server
APPMattermost9.11.0 – 9.11.8 (bez)10.2.0 – 10.2.3 (bez)10.3.0 – 10.3.3 (bez)10.4.0 – 10.4.2 (bez)
Related vulnerabilities
Mattermost Server: przejęcie konta przez błędną walidację OAuth state token
Mattermost Server — przejęcie konta przez błąd weryfikacji tokenu OAuth (account takeover)
Mattermost Server: path traversal w ekstraktorze archiwów umożliwia RCE
Mattermost Server — path traversal przy imporcie tablic (Boards)
SQL Injection w Mattermost Server — podatność przy zmianie kolejności tablic