PT-2024-22815 · Mattermost · Mattermost

Juho Nurminen · Published 2024-05-26 · Updated 2024-06-14 · CVE-2024-29215

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 8.1.x through 8.1.12
Mattermost versions 9.5.x through 9.5.3
Mattermost versions 9.6.x through 9.6.1
Mattermost versions 9.7.x through 9.7.1

Description

The issue is a failure to enforce proper access control, which allows a user to run a slash command in a channel they are not a member of. A user can achieve this by linking a playbook run to that channel and running the slash command as a playbook task command.
Recommendations

For versions 8.1.x through 8.1.12, consider restricting access to the playbook run feature to prevent exploitation.
For versions 9.5.x through 9.5.3, restrict access to the slash command feature in channels where the user is not a member.
For versions 9.6.x through 9.6.1, avoid using the playbook task command to run slash commands in channels where the user is not a member.
For versions 9.7.x through 9.7.1, consider disabling the linking of playbook runs to channels where the user is not a member as a temporary workaround.
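As an added example, and not code from the advisory or from Mattermost, the following Go model shows the access-control decision the description refers to: the unchecked path executes a task command in whatever channel the playbook run has been linked to, while the corrected path first requires the acting user to be a member of that channel. The types and functions (Server, PlaybookRun, RunTaskCommand, IsChannelMember) are hypothetical and simplified.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified model of the objects involved; the type and function
// names are illustrative and not Mattermost's own.
type PlaybookRun struct {
	ID        string
	ChannelID string // channel the run has been linked to by its owner
}

type Server struct {
	Members  map[string][]string // channelID -> member userIDs
	executed []string            // audit trail: "user@channel:command"
}

var ErrNotChannelMember = errors.New("user is not a member of the target channel")

func (s *Server) IsChannelMember(userID, channelID string) bool {
	for _, u := range s.Members[channelID] {
		if u == userID {
			return true
		}
	}
	return false
}

// RunTaskCommandUnchecked models the flaw: the slash command runs in the run's
// linked channel solely because the user is allowed to act on the run.
func (s *Server) RunTaskCommandUnchecked(userID string, run PlaybookRun, cmd string) error {
	s.executed = append(s.executed, userID+"@"+run.ChannelID+":"+cmd)
	return nil
}

// RunTaskCommand adds the missing check: authorisation is decided against the
// target channel's membership, not against the user's rights on the run.
func (s *Server) RunTaskCommand(userID string, run PlaybookRun, cmd string) error {
	if !s.IsChannelMember(userID, run.ChannelID) {
		return fmt.Errorf("run %s in channel %s: %w", run.ID, run.ChannelID, ErrNotChannelMember)
	}
	return s.RunTaskCommandUnchecked(userID, run, cmd)
}

// Executed returns the commands that actually ran, for auditing and tests.
func (s *Server) Executed() []string { return s.executed }
```

The same membership check belongs on every path that can execute a command on a channel's behalf, including ones reached indirectly through a linked object such as a playbook run.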

Fix

Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2024-29215

Affected Products

Mattermost