CVE-2024-32045 — Improper Access Control in Server

CWE-284 — Improper Access Control CWE-639 — Authorization Bypass Through User-Controlled Key2 documents2 sources

Severity

5.9MEDIUMNVD

EPSS

0.3%

top 49.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Server Mattermost

Timeline

PublishedMay 26

Description

Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were not members of.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:NExploitability: 1.6 | Impact: 4.2

Affected Packages2 packages

▶NVDmattermost/mattermost_server8.1.0 — 8.1.13+2

▶CVEListV5mattermost/mattermost9.5.0 — 9.5.3+2

🔴Vulnerability Details

CVEList

Playbook run link to private channel grants channel access↗2024-05-26

▶