CVE-2024-4195 – github.com/mattermost/mattermost-server
Package
Manager: go
Name: github.com/mattermost/mattermost-server
Vulnerable Version: >=9.5.0 <9.5.3 || >=8.1.0 <8.1.12
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00139 pctl0.34577
Details
Mattermost allows team admins to promote guests to team admins.
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.
Metadata
Created: 2024-04-26T09:30:35Z
Modified: 2024-04-26T19:06:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5fh7-7mw7-mmx5/GHSA-5fh7-7mw7-mmx5.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-5fh7-7mw7-mmx5
Finding: F039
Auto approve: 1