CVE-2021-37864: 
Mattermost vulnerability analysis and mitigation

Mattermost version 6.1 and earlier contains a permission validation vulnerability identified as CVE-2021-37864. The vulnerability was disclosed on January 18, 2022, affecting the Mattermost platform's channel viewing functionality. The issue specifically relates to insufficient permission validation when accessing archived channels (NVD).

The vulnerability stems from improper access control (CWE-284) and incorrect authorization (CWE-863) mechanisms in the Mattermost platform. The issue received a CVSS v3.1 base score of 6.5 (MEDIUM) from NIST NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, while Mattermost, Inc. assessed it with a lower score of 2.6 (LOW) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows authenticated users to view contents of archived channels even when this access is explicitly denied by system administrators. This is achieved by directly accessing the APIs, bypassing the intended access controls (NVD).

Users should upgrade to a version newer than Mattermost 6.1 to address this vulnerability. The fix was made available through Mattermost's security updates (Vendor Advisory).