PT-2024-22819 · Mattermost · Mattermost Server
Omar Ahmed
·
Published
2024-04-05
·
Updated
2024-12-16
·
CVE-2024-29221
CVSS v4.0
5.1
Medium
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Mattermost Server versions 8.1.x through 8.1.10
Mattermost Server versions 9.3.x through 9.3.2
Mattermost Server versions 9.4.x through 9.4.3
Mattermost Server versions 9.5.x through 9.5.1
Description
The issue is related to improper access control in the Mattermost Server, specifically in the "/api/v4/users/me/teams" endpoint, allowing a team admin to get the invite ID of their team and invite users even if the "Add Members" permission was explicitly removed from team admins.
Recommendations
For Mattermost Server versions 8.1.x through 8.1.10, update to version 8.1.11 or later.
For Mattermost Server versions 9.3.x through 9.3.2, update to version 9.3.3 or later.
For Mattermost Server versions 9.4.x through 9.4.3, update to version 9.4.4 or later.
For Mattermost Server versions 9.5.x through 9.5.1, update to version 9.5.2 or later.
Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mattermost Server