Lucene search

GitHub Advisory DatabaseGHSA-5263-PM2H-M7HW

HistoryAug 22, 2024 - 9:30 a.m.

Mattermost doesn't restrict which roles can promote a user as system admin

2024-08-2209:30:32

CWE-284

GitHub Advisory Database

github.com

mattermost

unauthorized promotion

system admin

software

security vulnerability

version 9.9.x

version 9.5.x

version 9.10.x

version 9.8.x

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the manage_system permission, effectively becoming a System Admin.

Affected configurations

Vulners

Node

mattermostmattermostRange9.8.0–9.8.3

mattermostmattermostRange9.10.0–9.10.1

mattermostmattermostRange9.5.0–9.5.8

mattermostmattermostRange9.9.0–9.9.2

VendorProductVersionCPE
mattermostmattermost*cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mattermost	mattermost	*	cpe:2.3:a:mattermost:mattermost::::::::

References

github.com/advisories/GHSA-5263-pm2h-m7hw

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-8071

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

Related for GHSA-5263-PM2H-M7HW