CVE-2024-4198

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-4198
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4198.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-4198
Aliases
Published
2024-04-26T09:15:13.097Z
Modified
2026-04-10T05:15:58.448446Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.

References

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost-server
Events
Introduced
096c9ea12a2144f832e330e9a0f4d3862ca20b9f
Fixed
c91d188755c63cc41237105b5f871a341e5faafd
Introduced
99d819d25d0b16b3faed901b1fe5c41de7655e9c
Fixed
baf02ba4e27d641a53785ab0c6bc9a9870b237a6
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9fc0f464a376499ca5859944483f09a32370a85a
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
d80b9a3f7666acaa3e2c17d9cc2a39d92b2f77f3
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
a914a4f25c46193cfa3f3e02eee8f532d9b58f7d
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9fc0f464a376499ca5859944483f09a32370a85a
Database specific 
{
    "versions": [
        {
            "introduced": "8.1.0"
        },
        {
            "fixed": "8.1.12"
        },
        {
            "introduced": "9.5.0"
        },
        {
            "fixed": "9.5.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.6.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.6.0-rc1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.6.0-rc2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.6.0-rc3"
        }
    ]
}

Affected versions

@mattermost/client@8.*
@mattermost/client@8.1.1
@mattermost/client@9.*
@mattermost/client@9.5.0
@mattermost/client@9.6.0
@mattermost/types@8.*
@mattermost/types@8.1.1
@mattermost/types@9.*
@mattermost/types@9.5.0
@mattermost/types@9.6.0
Other
cloud-2022-07-20-1
cloud-2022-08-10-1
cloud-2022-09-08-1
cloud-2022-10-06-1
cloud-2022-11-11-1
cloud-2022-11-24-1
server/public/v0.*
server/public/v0.0.10
server/public/v0.0.11
server/public/v0.0.12
server/public/v0.0.13
server/public/v0.0.5
server/public/v0.0.6
server/public/v0.0.7
server/public/v0.0.8
server/public/v0.0.9
v0.*
v0.5.0
v4.*
v4.10.0-rc1
v4.2.0-rc1
v4.3.0-rc1
v4.4.0-rc1
v4.5.0-rc1
v4.6.0-rc1
v4.6.0-rc2
v4.7.0-rc1
v4.8.0-rc1
v4.9.0-rc1
v5.*
v5.0.0-rc1
v5.1.0-rc1
v5.2.0-rc1
v5.2.0-rc2
v8.*
v8.1.0
v8.1.0-rc2
v8.1.1
v8.1.1-rc1
v8.1.1-rc2
v8.1.10
v8.1.10-rc1
v8.1.11
v8.1.11-rc1
v8.1.12-rc1
v8.1.12-rc2
v8.1.12-rc3
v8.1.2
v8.1.2-rc1
v8.1.2-rc2
v8.1.3
v8.1.3-rc1
v8.1.3-rc2
v8.1.4
v8.1.4-rc1
v8.1.4-rc2
v8.1.5
v8.1.5-rc1
v8.1.5-rc2
v8.1.6
v8.1.6-rc1
v8.1.7
v8.1.7-rc1
v8.1.7-rc2
v8.1.7-rc3
v8.1.8
v8.1.8-rc1
v8.1.8-rc2
v8.1.9
v8.1.9-rc1
v8.1.9-rc2
v9.*
v9.5.0
v9.5.0-rc3
v9.5.1
v9.5.1-rc1
v9.5.2
v9.5.3-rc1
v9.5.3-rc2
v9.5.3-rc3
v9.6.0
v9.6.0-rc1
v9.6.0-rc2
v9.6.0-rc3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4198.json"