Lucene search

GoogleOSV:GHSA-5263-PM2H-M7HW

HistoryAug 22, 2024 - 9:30 a.m.

Mattermost doesn't restrict which roles can promote a user as system admin

2024-08-2209:30:32

Google

osv.dev

mattermost

security vulnerability

user promotion

system admin

software

version 9.9.x

version 9.5.x

version 9.10.x

version 9.8.x

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

20.0%

JSON

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the manage_system permission, effectively becoming a System Admin.

References

github.com/mattermost/mattermost

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-8071

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

20.0%

JSON

Related for OSV:GHSA-5263-PM2H-M7HW