GoogleOSV:GHSA-W67V-PH4X-F48QMattermost Server Improper Access Control
4.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
6.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpointΒ allowingΒ a team admin to get the invite ID of their team, thus allowing them to invite users, even if the βAdd Membersβ permission was explicitly removed from team admins.
References
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/0dc03fbc6e3c9afb14137e72ab3fa6f5a0125b9c
github.com/mattermost/mattermost/commit/5cce9fed7363386afebd81a58fb5fab7d2729c8f
github.com/mattermost/mattermost/commit/a5784f34ba6592c6454b8742f24af9d06279e347
github.com/mattermost/mattermost/commit/dd3fe2991a70a41790d6bef5d31afc5957525f3c
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-29221
Related
4.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
6.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%