4.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
7 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.1%
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams
endpointΒ allowingΒ a team admin to get the invite ID of their team, thus allowing them to invite users, even if the βAdd Membersβ permission was explicitly removed from team admins.
github.com/advisories/GHSA-w67v-ph4x-f48q
github.com/mattermost/mattermost/commit/0dc03fbc6e3c9afb14137e72ab3fa6f5a0125b9c
github.com/mattermost/mattermost/commit/5cce9fed7363386afebd81a58fb5fab7d2729c8f
github.com/mattermost/mattermost/commit/a5784f34ba6592c6454b8742f24af9d06279e347
github.com/mattermost/mattermost/commit/dd3fe2991a70a41790d6bef5d31afc5957525f3c
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-29221
4.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
7 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.1%