CVE-2024-8071Improper Access Control in Mattermost Mattermost-server

CWE-284Improper Access Control5 documents4 sources
Severity
7.2HIGHNVD
CNA4.7
EPSS
0.1%
top 68.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost
Timeline
PublishedAug 22
Latest updateAug 30

Description

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission, effectively becoming a System Admin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

NVDmattermost/mattermost9.5.09.5.8+3
Gogithub.com/mattermost_mattermost-server9.5.0+incompatible9.5.8+incompatible+3
CVEListV5mattermost/mattermost9.9.09.9.1+3

🔴Vulnerability Details

4
OSV
Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server2024-08-30
OSV
Mattermost doesn't restrict which roles can promote a user as system admin2024-08-22
GHSA
Mattermost doesn't restrict which roles can promote a user as system admin2024-08-22
CVEList
System Role with edit access to permissions can elevate themselves to system admin2024-08-22
CVE-2024-8071 — Improper Access Control | cvebase