CVE-2024-29221

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-29221

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29221.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-29221

Aliases

Published

2024-04-05T09:15:09Z

Modified

2025-01-15T05:14:04.660668Z

Severity

3.8 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type: GIT
Repo: https://github.com/mattermost/mattermost
Events: Introduced

7bf5dcb8fb7f05db9a7a6a9be608ac0fe1405351

Fixed

51fdf7ee51c379a80fe852f24f69e463386581d3

Type: GIT
Repo: https://github.com/mattermost/mattermost-server
Events: Introduced

baa88a2450d49dfea42990861283b5ed9d469edf

Fixed

e5c9444615dc54f49c7c716dce2bbaf81d8cb188

Affected versions

@mattermost/client@9.*

@mattermost/client@9.3.0

@mattermost/client@9.4.0

@mattermost/types@9.*

@mattermost/types@9.3.0

@mattermost/types@9.4.0

v9.*

v9.3.0

v9.3.0-rc2

v9.3.1

v9.3.1-rc1

v9.3.1-rc2

v9.3.2

v9.3.2-rc1

v9.4.0

v9.4.0-rc4

v9.4.1

v9.4.2

v9.4.2-rc1

v9.4.2-rc2

v9.4.3

v9.4.3-rc1