Exposure of ChannelIDs in Mattermost's /metrics Endpoint

Exposure of ChannelIDs in Mattermost's /metrics Endpoint

CVE-2023-6459 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.

Learn more about our Web Application Penetration Testing UK.