Lucene search

MattermostVULNRICHMENT:CVE-2024-5272

HistoryMay 26, 2024 - 1:29 p.m.

CVE-2024-5272 Run Details leak to guest via webhook event "custom_playbooks_playbook_run_updated"

2024-05-2613:29:57

CWE-284

Mattermost

github.com

mattermost versions

restrict audience

webhook event

guest access

playbook run

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

9.0%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the “custom_playbooks_playbook_run_updated” webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked by finished.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost",
    "versions": [
      {
        "status": "affected",
        "version": "9.5.0",
        "versionType": "custom",
        "lessThanOrEqual": "9.5.3"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost",
    "versions": [
      {
        "status": "affected",
        "version": "9.6.0",
        "versionType": "custom",
        "lessThanOrEqual": "9.6.1"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost",
    "versions": [
      {
        "status": "affected",
        "version": "8.1.0",
        "versionType": "custom",
        "lessThanOrEqual": "8.1.12"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost",
    "versions": [
      {
        "status": "unaffected",
        "version": "9.7.0"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost",
    "versions": [
      {
        "status": "unaffected",
        "version": "9.5.4"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost",
    "versions": [
      {
        "status": "unaffected",
        "version": "9.6.2"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost",
    "versions": [
      {
        "status": "unaffected",
        "version": "8.1.13"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

mattermost.com/security-updates

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

9.0%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-5272