CVE-2024-4198 – github.com/mattermost/mattermost-server
Package
Manager: go
Name: github.com/mattermost/mattermost-server
Vulnerable Version: >=9.6.0-rc1 <9.6.1 || >=9.5.0 <9.5.3 || >=8.1.0 <8.1.12
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00138 pctl0.34472
Details
Mattermost fails to fully validate role changes
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to demote users to guest via crafted HTTP requests.
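The advisory describes an authorization check that confirms the caller is an admin but not that every role in the request is one that caller may assign (CWE-284). The Go program below is an added illustration of that pattern and its fix; it is not Mattermost's code, and the `Actor` type, the `roles` JSON field, the role names used in the sample bodies, and the endpoint behaviour are assumptions made for the example. The real request that triggered the flaw is not given in the advisory.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Actor is the authenticated caller. Illustrative model, not Mattermost's types.
type Actor struct {
	UserID      string
	SystemAdmin bool
	TeamAdmin   bool
}

// roleUpdateRequest is an assumed shape for a "set this member's roles" body.
// Roles are modelled as a space-separated string of role names.
type roleUpdateRequest struct {
	Roles string `json:"roles"`
}

// Roles a team admin may hand out. Guest and system-level roles are
// deliberately absent: assigning them is reserved for system admins.
var teamAdminAssignable = map[string]bool{
	"team_user":  true,
	"team_admin": true,
}

var ErrForbidden = errors.New("forbidden role change")

// parseRequest decodes the body and splits the role string into names.
func parseRequest(body []byte) ([]string, error) {
	var req roleUpdateRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	roles := strings.Fields(req.Roles)
	if len(roles) == 0 {
		return nil, errors.New("no roles supplied")
	}
	return roles, nil
}

// vulnerableUpdateRoles only asks "is the caller some kind of admin?" and then
// stores whatever role names arrived. A team admin who sends
// {"roles":"team_guest"} therefore demotes the target to guest.
func vulnerableUpdateRoles(actor Actor, body []byte) (string, error) {
	if !actor.SystemAdmin && !actor.TeamAdmin {
		return "", ErrForbidden
	}
	roles, err := parseRequest(body)
	if err != nil {
		return "", err
	}
	return strings.Join(roles, " "), nil
}

// hardenedUpdateRoles validates each requested role against what the caller's
// privilege level may assign, not merely that the caller is an admin.
func hardenedUpdateRoles(actor Actor, body []byte) (string, error) {
	if !actor.SystemAdmin && !actor.TeamAdmin {
		return "", ErrForbidden
	}
	roles, err := parseRequest(body)
	if err != nil {
		return "", err
	}
	if !actor.SystemAdmin {
		for _, r := range roles {
			if !teamAdminAssignable[r] {
				return "", fmt.Errorf("%w: team admin may not assign %q", ErrForbidden, r)
			}
		}
	}
	return strings.Join(roles, " "), nil
}

func main() {
	teamAdmin := Actor{UserID: "u1", TeamAdmin: true}
	crafted := []byte(`{"roles":"team_guest"}`)          // constructed sample body
	legit := []byte(`{"roles":"team_user team_admin"}`) // constructed sample body

	got, err := vulnerableUpdateRoles(teamAdmin, crafted)
	fmt.Println("vulnerable:", got, err) // guest role is stored
	got, err = hardenedUpdateRoles(teamAdmin, crafted)
	fmt.Println("hardened:", got, err) // rejected with ErrForbidden
	got, err = hardenedUpdateRoles(teamAdmin, legit)
	fmt.Println("hardened (legit):", got, err) // allowed
}
```

The point of the hardened variant is that the allow-list is keyed on the caller's privilege level, so a team admin cannot reach a role outside team scope no matter how the body is shaped; a system admin still passes, which matches the advisory's framing of the flaw as a team-admin escalation.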
Metadata
Created: 2024-04-26T09:30:34Z
Modified: 2024-04-26T19:09:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5qx9-9ffj-5r8f/GHSA-5qx9-9ffj-5r8f.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-5qx9-9ffj-5r8f
Finding: F039
Auto approve: 1