Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.
Mattermost Server incorrectly validates board blocks during the import process. An attacker can prepare a specially crafted import archive containing paths that reference locations outside the allowed directory (path traversal). After importing and then exporting such an archive in the Boards module, it is possible to read any file accessible to the server process on the host.
An attacker with regular user privileges can read any file on the server, including configuration files containing credentials, private keys, or other sensitive information, which may lead to further system compromise.
Mattermost Server should be updated to versions higher than 10.4.1, 10.3.2, 10.2.2, or 9.11.7 according to information published by the vendor at https://mattermost.com/security-updates
Mattermost Server in versions: 10.4.x <= 10.4.1, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2, 9.11.x <= 9.11.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMattermost Server
APPMattermost9.11.0 – 9.11.8 (bez)10.2.0 – 10.2.3 (bez)10.3.0 – 10.3.3 (bez)10.4.0 – 10.4.2 (bez)
Related vulnerabilities
Mattermost Server: przejęcie konta przez błędną walidację OAuth state token
Mattermost Server — przejęcie konta przez błąd weryfikacji tokenu OAuth (account takeover)
Mattermost Server: path traversal w ekstraktorze archiwów umożliwia RCE
SQL Injection w Mattermost Server — podatność przy zmianie kolejności tablic
Mattermost Server: path traversal przy duplikowaniu bloków w Boards