Upstream information

CVE-2025-20051 at MITRE

Description

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having critical severity.

CVSS v3 Scores
  CNA (Mattermost) National Vulnerability Database
Base Score 9.9 6.5
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network Network
Attack Complexity Low Low
Privileges Required Low Low
User Interaction None None
Scope Changed Unchanged
Confidentiality Impact High High
Integrity Impact High None
Availability Impact High None
CVSSv3 Version 3.1 3.1
No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.5
  • update-alternatives >= 1.22.0-slfo.1.1_2.1
openSUSE Tumbleweed
  • govulncheck-vulndb >= 0.0.20250312T181707-1.1
Patchnames:
openSUSE-Tumbleweed-2025-14889


SUSE Timeline for this CVE

CVE page created: Mon Feb 24 10:00:53 2025
CVE page last modified: Sat Sep 6 12:40:00 2025