PT-2024-38785 · Mattermost · Mattermost

Bharat

·

Published

2024-08-22

·

Updated

2024-08-30

·

CVE-2024-8071

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Mattermost
- 9.5.x through 9.5.7
- 9.8.x through 9.8.2
- 9.9.x through 9.9.1
- 9.10.x through 9.10.0
Description: The issue arises from a failure to restrict which roles may promote a user to System Admin. A user holding a system role with edit access to the permissions section of the System Console can patch that role to add the manage system permission, and with it acquires every right of a System Admin. The vector's PR:H reflects that the attacker must already hold a privileged administrative role; the flaw is that a delegated sub-admin role is not prevented from granting itself the one permission that should be reserved for System Admins.
Recommendations: For every affected branch (9.5.x through 9.5.7, 9.8.x through 9.8.2, 9.9.x through 9.9.1, 9.10.x through 9.10.0), update to a release that includes the restriction on role promotion; consult the vendor's security updates for the exact fixed build of your branch. As a temporary workaround, remove edit access to the System Console's permissions section from every role other than System Admin (or limit such roles to fully trusted users), and audit existing roles for any non-admin role that already holds the manage system permission, since that is the end state this issue produces.
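The audit and workaround described above, as an added example that is not part of the advisory or of Mattermost's own code. It takes the JSON an administrator would obtain from GET /api/v4/roles (a constructed sample is embedded so it runs offline), flags non-admin roles that can edit the permissions section (the precondition) and non-admin roles that already hold manage_system (the escalated state), and computes the reduced permission list to apply as the workaround. The permission IDs `manage_system` and `sysconsole_write_user_management_permissions` and the role-patch endpoint are assumed from Mattermost's role model and API and should be checked against your server version.

```python
"""Audit Mattermost role definitions for the CVE-2024-8071 precondition and outcome.

Added example, not the advisory's or Mattermost's code. Input is the JSON body an
administrator gets from GET /api/v4/roles; a constructed sample is embedded so
the script runs offline.
"""
import json

# Mattermost permission IDs (assumed; verify against your server's role export).
MANAGE_SYSTEM = "manage_system"
EDIT_PERMISSIONS = "sysconsole_write_user_management_permissions"

# Constructed sample shaped like GET /api/v4/roles output; not real server data.
SAMPLE_ROLES_JSON = json.dumps([
    {"name": "system_admin",
     "permissions": [MANAGE_SYSTEM, EDIT_PERMISSIONS]},
    # A sub-admin role that can edit permissions and has already added manage_system.
    {"name": "system_manager",
     "permissions": [EDIT_PERMISSIONS, "sysconsole_read_user_management_users", MANAGE_SYSTEM]},
    # A sub-admin role with only the precondition (can edit permissions).
    {"name": "system_user_manager",
     "permissions": [EDIT_PERMISSIONS, "sysconsole_write_user_management_users"]},
    {"name": "system_read_only_admin",
     "permissions": ["sysconsole_read_user_management_users"]},
])


def audit_roles(roles_json: str) -> dict:
    """Return role names grouped by finding, preserving input order.

    can_edit_permissions: non-system_admin roles with edit access to the
        permissions section of the System Console. On unpatched versions a user
        holding such a role can grant the role manage_system.
    escalated: non-system_admin roles that already hold manage_system, i.e. the
        end state the advisory describes (or a pre-existing misconfiguration).
    """
    findings = {"can_edit_permissions": [], "escalated": []}
    for role in json.loads(roles_json):
        if role["name"] == "system_admin":
            continue
        perms = set(role.get("permissions", []))
        if EDIT_PERMISSIONS in perms:
            findings["can_edit_permissions"].append(role["name"])
        if MANAGE_SYSTEM in perms:
            findings["escalated"].append(role["name"])
    return findings


def hardened_permissions(role: dict) -> list:
    """Workaround permission list for one role.

    Strips permissions-section write access (and any manage_system) from every
    role except system_admin. Apply the result, as a System Admin, with
    PUT /api/v4/roles/{role_id}/patch (endpoint assumed from the Mattermost API).
    """
    if role["name"] == "system_admin":
        return list(role["permissions"])
    return [p for p in role["permissions"] if p not in (EDIT_PERMISSIONS, MANAGE_SYSTEM)]


if __name__ == "__main__":
    print(json.dumps(audit_roles(SAMPLE_ROLES_JSON), indent=2))
    for role in json.loads(SAMPLE_ROLES_JSON):
        print(role["name"], "->", hardened_permissions(role))
```

Run it against a real export by replacing SAMPLE_ROLES_JSON with the response body; any name under "escalated" deserves an incident review, since nothing legitimate in the affected versions should have put manage_system on a non-admin role.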

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2024-8071
GHSA-5263-pm2h-m7hw
GO-2024-3094

Affected Products

Mattermost