Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.
Mattermost Server does not sanitize file names when unpacking uploaded archives. An attacker with an account in the system can upload a specially crafted archive in which file names contain path traversal sequences (e.g., '../../'). During unpacking, the server saves files outside the intended target directory — in any location on the file system accessible to the server process. The vulnerability is active only when two configuration options are enabled simultaneously: FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true, which are active by default.
An authenticated attacker can overwrite or place arbitrary files on the server, which may lead to remote code execution (RCE) and thus complete takeover of the server instance, data disclosure, and violation of system integrity and availability.
Mattermost Server should be updated to versions higher than those indicated above (according to vendor references: https://mattermost.com/security-updates). As a temporary workaround, until a patch is applied, archive content extraction can be disabled by setting FileSettings.ExtractContent = false, which deactivates the vulnerable mechanism.
Mattermost Server in versions: 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 — with default configuration (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMattermost Server
APPMattermost10.8.09.11.0 – 9.11.16 (bez)10.5.0 – 10.5.6 (bez)10.6.0 – 10.6.6 (bez)10.7.0 – 10.7.3 (bez)
Related vulnerabilities
Mattermost Server — przejęcie konta przez błąd weryfikacji tokenu OAuth (account takeover)
Mattermost Server: przejęcie konta przez błędną walidację OAuth state token
SQL Injection w Mattermost Server — podatność przy zmianie kolejności tablic
Mattermost Server: path traversal przy duplikowaniu bloków w Boards
Mattermost Server — path traversal przy imporcie tablic (Boards)