CVE-2024-8071

Published: Aug 22, 2024Modified: Aug 23, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission, effectively becoming a System Admin.

Affected (4)

Products: Mattermost: Mattermost

Mattermost

1 product

Mattermost

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Mattermost Mattermost	From 9.10.0 to 9.10.1
Mattermost Mattermost	From 9.5.0 to 9.5.8
Mattermost Mattermost	From 9.8.0 to 9.8.3
Mattermost Mattermost	From 9.9.0 to 9.9.2

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (1)

https://mattermost.com/security-updates

Source: responsibledisclosure@mattermost.com

Vendor Advisory

Timeline

No history available yet.