cbcvebase.
CVE-2024-8071
published 2024-08-22

CVE-2024-8071: Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which…

PriorityP341high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EPSS
0.34%
26.3th percentile
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission, effectively becoming a System Admin.

Affected

16 ranges
VendorProductVersion rangeFixed in
github.commattermost_mattermost-server>= 9.10.0+incompatible < 9.10.1+incompatible9.10.1+incompatible
github.commattermost_mattermost-server>= 9.5.0+incompatible < 9.5.8+incompatible9.5.8+incompatible
github.commattermost_mattermost-server>= 9.8.0+incompatible < 9.8.3+incompatible9.8.3+incompatible
github.commattermost_mattermost-server>= 9.9.0+incompatible < 9.9.2+incompatible9.9.2+incompatible
github.commattermost_mattermost_server_v8>= 9.10.0 < 9.10.19.10.1
github.commattermost_mattermost_server_v8>= 9.5.0 < 9.5.89.5.8
github.commattermost_mattermost_server_v8>= 9.8.0 < 9.8.39.8.3
github.commattermost_mattermost_server_v8>= 9.9.0 < 9.9.29.9.2
mattermostmattermost
mattermostmattermost>= 9.10.0 < 9.10.19.10.1
mattermostmattermost>= 9.5.0 < 9.5.89.5.8
mattermostmattermost9.5.0 – 9.5.7
mattermostmattermost>= 9.8.0 < 9.8.39.8.3
mattermostmattermost9.8.0 – 9.8.2
mattermostmattermost>= 9.9.0 < 9.9.29.9.2
mattermostmattermost9.9.0 – 9.9.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.