CVE-2024-29221 — Improper Access Control in Mattermost Mattermost-server

CWE-284 — Improper Access Control5 documents4 sources

Severity

3.8LOWNVD

CNA4.7

EPSS

0.1%

top 80.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedApr 5

Latest updateJun 5

Description

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:NExploitability: 1.2 | Impact: 2.5

Affected Packages4 packages

▶NVDmattermost/mattermost_server8.1.0 — 8.1.11+3

▶Gogithub.com/mattermost_mattermost-server9.3.0+incompatible — 9.3.3+incompatible+2

▶Gogithub.com/mattermost_mattermost_server_v88.1.0 — 8.1.11+3

▶CVEListV5mattermost/mattermost9.5.0 — 9.5.1+3

🔴Vulnerability Details

OSV

Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server↗2024-06-05

▶

GHSA

Mattermost Server Improper Access Control↗2024-04-05

▶

OSV

Mattermost Server Improper Access Control↗2024-04-05

▶

CVEList

Invite ID available to team admins even without the "Add Members" permission↗2024-04-05

▶