CVE-2024-4195 — Improper Access Control in Mattermost Mattermost-server

CWE-284 — Improper Access Control6 documents5 sources

Severity

2.7LOWNVD

EPSS

0.1%

top 65.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Mattermost Server Mattermost

Timeline

PublishedApr 26

Latest updateJun 5

Description

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages3 packages

▶NVDmattermost/mattermost_server8.1.0 — 8.1.12+1

▶Gogithub.com/mattermost_mattermost-server9.5.0 — 9.5.3+3

▶CVEListV5mattermost/mattermost9.5.0 — 9.5.2+2

🔴Vulnerability Details

OSV

Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server↗2024-06-05

▶

OSV

Mattermost allows team admins to promote guests to team admins↗2024-04-26

▶

GHSA

Mattermost allows team admins to promote guests to team admins↗2024-04-26

▶

CVEList

CVE-2024-4195: Mattermost versions 9↗2024-04-26

▶

📋Vendor Advisories

Red Hat

mattermost: fail to fully validate role changes leading to promote guests to team admins↗2024-04-26

▶