CVSS3 base score: 6.5 (Medium)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS score: 0.0004 (Low)
EPSS percentile: 13.9%
github.com/mattermost/mattermost-server is vulnerable to Missing Authorization. The server does not verify whether the requester is a system admin before accepting install requests for Apps, so a regular authenticated user can send malicious install requests to the Apps through the /install API endpoint.
github.com/advisories/GHSA-8jf2-78m7-7f8v
github.com/mattermost/mattermost/commit/764be50e128c9befee60f5a74ce1f86d7435d6c2
github.com/mattermost/mattermost/commit/99c2af632fe7c36c1273cabd25c21c3ceb7d21d4
github.com/mattermost/mattermost/commit/eb0bfd6f6d712fae76be4aad1a09b13f1deba231
mattermost.com/security-updates/