CVE-2025-0503 (GCVE-0-2025-0503)

Vulnerability from cvelistv5 – Published: 2025-02-14 17:52 – Updated: 2025-02-14 18:09
VLAI?
Title
Leaked User IDs and Metadata of Deleted DMs
Summary
Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.
Severity ?
3.1 (Low)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
Vendor Product Version
Mattermost Mattermost Affected: 9.11.0 , ≤ 9.11.6 (semver)
Unaffected: 10.4.0
Unaffected: 9.11.7
Create a notification for this product.
Credits
Devin Binnie
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0503",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-14T18:08:53.800772Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-14T18:09:02.166Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mattermost",
          "vendor": "Mattermost",
          "versions": [
            {
              "lessThanOrEqual": "9.11.6",
              "status": "affected",
              "version": "9.11.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "10.4.0"
            },
            {
              "status": "unaffected",
              "version": "9.11.7"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Devin Binnie"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMattermost versions 9.11.x \u0026lt;= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Mattermost versions 9.11.x \u003c= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-14T17:52:17.895Z",
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost"
      },
      "references": [
        {
          "url": "https://mattermost.com/security-updates"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate Mattermost to versions 10.4.0, 9.11.7 or higher.\u003c/p\u003e"
            }
          ],
          "value": "Update Mattermost to versions 10.4.0, 9.11.7 or higher."
        }
      ],
      "source": {
        "advisory": "MMSA-2024-00413",
        "defect": [
          "https://mattermost.atlassian.net/browse/MM-62201"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Leaked User IDs and Metadata of Deleted DMs",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "cveId": "CVE-2025-0503",
    "datePublished": "2025-02-14T17:52:17.895Z",
    "dateReserved": "2025-01-15T18:13:55.213Z",
    "dateUpdated": "2025-02-14T18:09:02.166Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-0503\",\"sourceIdentifier\":\"responsibledisclosure@mattermost.com\",\"published\":\"2025-02-14T18:15:23.870\",\"lastModified\":\"2025-09-29T18:11:58.467\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mattermost versions 9.11.x \u003c= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.\"},{\"lang\":\"es\",\"value\":\"Las versiones 9.11.x \u0026lt;= 9.11.6 de Mattermost no pueden filtrar los mensajes directos del endpoint de canales eliminados, lo que permite a un atacante inferir las identificaciones de usuario y otros metadatos de los mensajes directos eliminados si alguien hab\u00eda marcado manualmente los mensajes directos como eliminados en la base de datos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-754\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.11.0\",\"versionEndExcluding\":\"9.11.7\",\"matchCriteriaId\":\"DA9C4D79-7816-45EA-9F2D-B49965DED6B4\"}]}]}],\"references\":[{\"url\":\"https://mattermost.com/security-updates\",\"source\":\"responsibledisclosure@mattermost.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-0503\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-14T18:08:53.800772Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-14T18:08:57.286Z\"}}], \"cna\": {\"title\": \"Leaked User IDs and Metadata of Deleted DMs\", \"source\": {\"defect\": [\"https://mattermost.atlassian.net/browse/MM-62201\"], \"advisory\": \"MMSA-2024-00413\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Devin Binnie\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Mattermost\", \"product\": \"Mattermost\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.11.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.11.6\"}, {\"status\": \"unaffected\", \"version\": \"10.4.0\"}, {\"status\": \"unaffected\", \"version\": \"9.11.7\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update Mattermost to versions 10.4.0, 9.11.7 or higher.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUpdate Mattermost to versions 10.4.0, 9.11.7 or higher.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://mattermost.com/security-updates\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mattermost versions 9.11.x \u003c= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eMattermost versions 9.11.x \u0026lt;= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-754\", \"description\": \"CWE-754: Improper Check for Unusual or Exceptional Conditions\"}]}], \"providerMetadata\": {\"orgId\": \"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee\", \"shortName\": \"Mattermost\", \"dateUpdated\": \"2025-02-14T17:52:17.895Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-0503\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-14T18:09:02.166Z\", \"dateReserved\": \"2025-01-15T18:13:55.213Z\", \"assignerOrgId\": \"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee\", \"datePublished\": \"2025-02-14T17:52:17.895Z\", \"assignerShortName\": \"Mattermost\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.