CVE-2024-2447 — Improper Access Control in Mattermost Mattermost-server

CWE-284 — Improper Access Control CWE-346 — Origin Validation Error6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 65.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedApr 5

Latest updateJun 5

Description

Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDmattermost/mattermost_server8.1.0 — 8.1.11+3

▶Gogithub.com/mattermost_mattermost-server9.3.0+incompatible — 9.3.3+incompatible+2

▶Gogithub.com/mattermost_mattermost_server_v88.1.0 — 8.1.11+3

▶CVEListV5mattermost/mattermost9.5.0 — 9.5.1+3

🔴Vulnerability Details

OSV

Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server↗2024-06-05

▶

GHSA

Mattermost fails to authenticate the source of certain types of post actions↗2024-04-05

▶

CVEList

CVE-2024-2447: Mattermost versions 8↗2024-04-05

▶

OSV

Mattermost fails to authenticate the source of certain types of post actions↗2024-04-05

▶