PT-2024-29675 · Mattermost · Mattermost

Juho Nurminen · Published 2024-04-26 · Updated 2024-06-05 · CVE-2024-4198

CVSS v3.1: 2.7 (Low)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 8.1.x through 8.1.11
Mattermost versions 9.5.x through 9.5.2
Mattermost version 9.6.0

Description

The issue arises from the failure to fully validate role changes, allowing an attacker authenticated as a team admin to demote users to guest via crafted HTTP requests.

Recommendations

For Mattermost versions 8.1.x through 8.1.11, update to version 8.1.12 or later.
For Mattermost versions 9.5.x through 9.5.2, update to version 9.5.3 or later.
For Mattermost version 9.6.0, consider disabling role change functionality until a patch is available.
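The description above boils down to a missing server-side check: the endpoint confirmed that the caller was an admin but did not check whether that particular admin role may assign the requested role. The following Go snippet is an added illustration of that pattern and is not Mattermost's code; the role names, the User type and the functions validateRoleChangeWeak, ValidateRoleChange and ApplyRoleChange are all hypothetical. It places the incomplete check beside a hardened one that uses an explicit allowlist of which actor role may assign (or remove) which target role, which generalizes beyond the guest case in the advisory.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical role names; they only illustrate the pattern and are not Mattermost's.
type Role string

const (
	RoleGuest       Role = "guest"
	RoleMember      Role = "member"
	RoleTeamAdmin   Role = "team_admin"
	RoleSystemAdmin Role = "system_admin"
)

// User is a constructed minimal record: identity plus a single role.
type User struct {
	ID   string
	Role Role
}

var (
	ErrForbidden   = errors.New("role change not permitted for this actor")
	ErrUnknownRole = errors.New("unknown role")
)

// assignable maps each actor role to the roles it may assign to, or remove from, another user.
// A team admin manages team membership only; guest status is a server-level property, so only
// the system admin may set or clear it. Roles absent from the map may assign nothing.
var assignable = map[Role]map[Role]bool{
	RoleSystemAdmin: {RoleGuest: true, RoleMember: true, RoleTeamAdmin: true, RoleSystemAdmin: true},
	RoleTeamAdmin:   {RoleMember: true, RoleTeamAdmin: true},
}

func knownRole(r Role) bool {
	switch r {
	case RoleGuest, RoleMember, RoleTeamAdmin, RoleSystemAdmin:
		return true
	}
	return false
}

// validateRoleChangeWeak shows the incomplete check: it confirms the actor holds an admin role
// but never asks whether that role may grant the requested one, so a team admin can set "guest".
func validateRoleChangeWeak(actor User, newRole Role) error {
	if actor.Role != RoleTeamAdmin && actor.Role != RoleSystemAdmin {
		return ErrForbidden
	}
	if !knownRole(newRole) {
		return ErrUnknownRole
	}
	return nil
}

// ValidateRoleChange is the hardened check: the requested role must be known, the actor must be
// allowed to assign that role, and the actor must also be allowed to touch the target's current
// role (so a team admin cannot demote a system admin either).
func ValidateRoleChange(actor, target User, newRole Role) error {
	if !knownRole(newRole) {
		return ErrUnknownRole
	}
	perms := assignable[actor.Role] // nil map for roles that may assign nothing; lookups yield false
	if !perms[newRole] || !perms[target.Role] {
		return ErrForbidden
	}
	return nil
}

// ApplyRoleChange runs the hardened check and returns the updated target on success.
func ApplyRoleChange(actor, target User, newRole Role) (User, error) {
	if err := ValidateRoleChange(actor, target, newRole); err != nil {
		return target, err
	}
	target.Role = newRole
	return target, nil
}

func main() {
	teamAdmin := User{ID: "u1", Role: RoleTeamAdmin} // constructed sample actor
	member := User{ID: "u2", Role: RoleMember}       // constructed sample target
	fmt.Println("weak check:", validateRoleChangeWeak(teamAdmin, RoleGuest)) // nil: the demotion slips through
	_, err := ApplyRoleChange(teamAdmin, member, RoleGuest)
	fmt.Println("hardened check:", err) // forbidden
}
```

The allowlist is deliberately keyed on the actor's role rather than on a boolean "is admin" flag, because that is exactly the distinction the weak check collapses; auditing an endpoint of this kind means reading the table of permitted transitions, not the presence of an admin gate.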

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2024-4198
GHSA-5QX9-9FFJ-5R8F
GO-2024-2794

Affected Products

Mattermost