{"id":"GHSA-63cv-4pc2-4fcf","summary":"Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability","details":"Mattermost groups calls in the /metrics endpoint by id and reports that id in the response. Because this id is the channel ID, the public /metrics endpoint reveals channel IDs.\n\n","aliases":["BIT-mattermost-2023-6459","CVE-2023-6459"],"modified":"2026-02-04T02:42:34.661540Z","published":"2023-12-06T09:30:17Z","related":["CGA-rvwq-mq34-6ghh"],"database_specific":{"cwe_ids":["CWE-200"],"nvd_published_at":"2023-12-06T09:15:09Z","severity":"MODERATE","github_reviewed_at":"2023-12-08T21:57:14Z","github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6459"},{"type":"PACKAGE","url":"https://github.com/mattermost/mattermost"},{"type":"WEB","url":"https://mattermost.com/security-updates"}],"affected":[{"package":{"name":"github.com/mattermost/mattermost-server/v6","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-server/v6"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"7.8.14"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-63cv-4pc2-4fcf/GHSA-63cv-4pc2-4fcf.json"}},{"package":{"name":"github.com/mattermost/mattermost/server/v8","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"8.1.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-63cv-4pc2-4fcf/GHSA-63cv-4pc2-4fcf.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}