CVE-2024-1888Improper Access Control in Mattermost Mattermost-server

CWE-284Improper Access Control5 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 70.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedFeb 29
Latest updateJun 28

Description

Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was already a guest in another team of the server

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDmattermost/mattermost_server9.2.09.2.5+3
Gogithub.com/mattermost_mattermost-server9.2.0+incompatible9.2.5+incompatible+2
CVEListV5mattermost/mattermost9.4.1+3

🔴Vulnerability Details

4
OSV
Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server2024-06-28
CVEList
Existing server guests invited to the team by members without "invite_guest" permission2024-02-29
GHSA
Mattermost fails to check the "invite_guest" permission2024-02-29
OSV
Mattermost fails to check the "invite_guest" permission2024-02-29
CVE-2024-1888 — Improper Access Control | cvebase