Lucene search

GitHub Advisory DatabaseGHSA-VG67-CHM7-8M3J

HistoryAug 01, 2024 - 3:32 p.m.

Mattermost allows remote actor to create/update/delete posts in arbitrary channels

2024-08-0115:32:23

CWE-284

GitHub Advisory Database

github.com

mattermost

remote

actor

posts

channels

software

security

vulnerability

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

AI Score

Confidence

High

EPSS

0.001

Percentile

16.8%

JSON

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels

Affected configurations

Vulners

Node

mattermostmattermostMatch9.9.0

mattermostmattermostRange9.8.0–9.8.2

mattermostmattermostRange9.7.0–9.7.6

mattermostmattermostRange9.5.0–9.5.7

VendorProductVersionCPE
mattermostmattermost9.9.0cpe:2.3:a:mattermost:mattermost:9.9.0:*:*:*:*:*:*:*
mattermostmattermost*cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mattermost	mattermost	9.9.0	cpe:2.3:a:mattermost:mattermost:9.9.0:::::::*
mattermost	mattermost	*	cpe:2.3:a:mattermost:mattermost::::::::

References

github.com/advisories/GHSA-vg67-chm7-8m3j

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-41144

pkg.go.dev/vuln/GO-2024-3023

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

AI Score

Confidence

High

EPSS

0.001

Percentile

16.8%

JSON

Related for GHSA-VG67-CHM7-8M3J