Lucene search

GitHub Advisory DatabaseGHSA-5FH7-7MW7-MMX5

HistoryApr 26, 2024 - 9:30 a.m.

Mattermost allows team admins to promote guests to team admins

2024-04-2609:30:35

CWE-284

GitHub Advisory Database

github.com

mattermost

role validation

vulnerability

versions 9.6.0

9.5.x

8.1.x

team admins

guests

http requests

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.

Affected configurations

Vulners

Node

github.com\/mattermost\/mattermostserverRange≤8.1.11

github.com\/mattermost\/mattermostserverRange≤9.5.2

CPENameOperatorVersion
github.com/mattermost/mattermost-serverle8.1.11
github.com/mattermost/mattermost-serverle9.5.2

CPE	Name	Operator	Version
	github.com/mattermost/mattermost-server	le	8.1.11
	github.com/mattermost/mattermost-server	le	9.5.2

References

github.com/advisories/GHSA-5fh7-7mw7-mmx5

github.com/mattermost/mattermost/commit/1e3497e0595bb4f9908c94dd9d4685d48556b7e8

github.com/mattermost/mattermost/commit/f0872dd4e4ba34f061aa6982a71c7c29532aac2e

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-4195

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for GHSA-5FH7-7MW7-MMX5