Lucene search

Veracode Vulnerability DatabaseVERACODE:48413

HistoryAug 08, 2024 - 5:39 a.m.

Improper Access Control

2024-08-0805:39:04

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

improper access control

shared channels

attacker

local admin

mattermost server

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

20.1%

JSON

github.com/mattermost/mattermost-server is vulnerable to Improper Access Control. The vulnerability is due to the failure to disallow unsolicited invites when shared channels are enabled, This allowing an attacker to send an invite with the ID of an existing local channel, causing that local channel to become shared without the consent of the local admin.

References

github.com/advisories/GHSA-q22q-2rrf-m27p

mattermost.com/security-updates

mattermost.com/security-updates/

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

20.1%

JSON

Related for VERACODE:48413