CVE-2024-2450 — Improper Authentication in Server

CWE-287 — Improper Authentication CWE-306 — Missing Authentication for Critical Function3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 57.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Server Mattermost

Timeline

PublishedMar 15

Description

Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDmattermost/mattermost_server8.1.0 — 8.1.10+4

▶CVEListV5mattermost/mattermost9.4.0 — 9.4.2+4

🔴Vulnerability Details

GHSA

GHSA-33qh-fj99-2gvg: Mattermost versions 8↗2024-03-15

▶

CVEList

CVE-2024-2450: Mattermost versions 8↗2024-03-15

▶