CVE-2023-47858: 
Chainguard vulnerability analysis and mitigation

Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams//channels/deleted endpoint. The vulnerability, identified as CVE-2023-47858, was discovered in December 2023 and affects multiple versions of Mattermost Server (NVD).

The vulnerability is classified as a medium severity issue with a CVSS v3.1 base score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). It is categorized as CWE-284 (Improper Access Control). The vulnerability affects Mattermost Server versions up to 8.1.7, 9.0.0 to 9.0.5, 9.1.0 to 9.1.4, and 9.2.0 to 9.2.3 (NVD).

The vulnerability allows unauthorized access to archived public channels across different teams, potentially exposing sensitive information. The impact is primarily limited to confidentiality breaches, with no direct effect on system integrity or availability (NVD).

The vulnerability has been patched in Mattermost Server versions 8.1.7, 9.0.5, 9.1.4, and 9.2.3. Users are advised to upgrade to these or later versions to mitigate the security risk (Mattermost Advisory).