GitHub Advisory Database: GHSA-PFW6-5RX3-XH3C
Feb 29, 2024 - 9:30 a.m.

Mattermost fails to check the "invite_guest" permission

2024-02-29 09:30:34
CWE-284
Source: GitHub Advisory Database (github.com)
Tags: mattermost, permission, vulnerability, invitation, guests

CVSS3: 4.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score: 6.8
Confidence: High
EPSS: 0
Percentile: 9.0%

Mattermost fails to check the “invite_guest” permission when inviting guests of other teams to a team. As a result, a member who has permission to add other members but not to add guests can still add a guest to a team, as long as the guest was already a guest in another team of the server.

Affected configurations

Vendor: mattermost, Product: mattermost, Range: < 8.1.9
OR
Vendor: mattermost, Product: mattermost, Range: 9.2.0 - 9.2.5
OR
Vendor: mattermost, Product: mattermost, Range: 9.3.0 - 9.3.1
OR
Vendor: mattermost, Product: mattermost, Range: 9.4.0 - 9.4.2

Vendor: mattermost
Product: mattermost
Version: *
CPE: cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
