Lucene search

[email protected]NVD:CVE-2024-8071

HistoryAug 22, 2024 - 7:15 a.m.

CVE-2024-8071

2024-08-2207:15:04

CWE-284

[email protected]

web.nvd.nist.gov

mattermost

unauthorized access

role promotion

system admin

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

20.0%

JSON

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the manage_system permission, effectively becoming a System Admin.

Affected configurations

Nvd

Node

mattermostmattermostRange9.5.0–9.5.8

mattermostmattermostRange9.8.0–9.8.3

mattermostmattermostRange9.9.0–9.9.2

mattermostmattermostRange9.10.0–9.10.1

VendorProductVersionCPE
mattermostmattermost*cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mattermost	mattermost	*	cpe:2.3:a:mattermost:mattermost::::::::

References

mattermost.com/security-updates

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

20.0%

JSON

Related for NVD:CVE-2024-8071

osv3 github1 veracode1 cve1 vulnrichment1 cvelist1