Lucene search

K
githubGitHub Advisory DatabaseGHSA-7V3V-984V-H74R
HistoryFeb 29, 2024 - 9:30 a.m.

Mattermost leaks details of AD/LDAP groups of a teams

2024-02-2909:30:34
CWE-200
GitHub Advisory Database
github.com
6
mattermost
authorization
vulnerability
ad
ldap
groups

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

0

Percentile

9.0%

Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of.

Affected configurations

Vulners
Node
mattermostmattermostRange<8.1.9
OR
mattermostmattermostRange9.2.09.2.5
OR
mattermostmattermostRange9.3.09.3.1
OR
mattermostmattermostRange9.4.09.4.2
VendorProductVersionCPE
mattermostmattermost*cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

0

Percentile

9.0%