CVE-2023-48732: 
Chainguard vulnerability analysis and mitigation

Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel. This vulnerability (CVE-2023-48732) was discovered and disclosed on January 2, 2024, affecting Mattermost Server versions up to (excluding) 8.1.7 (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 MEDIUM with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability is network accessible (AV:N), requires low attack complexity (AC:L), needs low privileges (PR:L), requires no user interaction (UI:N), has unchanged scope (S:U), with low confidentiality impact (C:L), and no impact on integrity (I:N) or availability (A:N) (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive information, specifically who was notified about a post, to all users in the channel regardless of their need to know this information. This represents a confidentiality breach in the system's notification mechanism (NVD).

Users should upgrade to Mattermost Server version 8.1.7 or later to address this vulnerability. This version contains the necessary fixes to properly scope WebSocket responses for user notifications (Vendor Advisory).