CVE-2024-50052

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type

GIT

Repo

https://github.com/mattermost/mattermost-server

Events

Introduced

99d819d25d0b16b3faed901b1fe5c41de7655e9c

Fixed

4fdd366df05a110b843b3419002458bc3e5f135e

Introduced

60c5bb46dfa8192efa5a13c746423f0e7696b8bc

Fixed

49df0979aa1393fb3bb598dabf9c4bcc89f65244

Introduced

0bc2ddd42375a75ab14e63f038165150d4f07659

Fixed

cc5085e380c524570cce4dbad1795e4a1773fdf7

Database specific

{
    "versions": [
        {
            "introduced": "9.5.0"
        },
        {
            "fixed": "9.5.10"
        },
        {
            "introduced": "9.10.0"
        },
        {
            "fixed": "9.10.3"
        },
        {
            "introduced": "9.11.0"
        },
        {
            "fixed": "9.11.2"
        }
    ]
}

Affected versions

@mattermost/client@9.*

@mattermost/client@9.10.0

@mattermost/client@9.11.0

@mattermost/client@9.5.0

@mattermost/types@9.*

@mattermost/types@9.10.0

@mattermost/types@9.11.0

@mattermost/types@9.5.0

v9.*

v9.10.0

v9.10.0-rc3

v9.10.1

v9.10.1-rc1

v9.10.1-rc2

v9.10.1-rc3

v9.10.2

v9.10.2-rc1

v9.10.3-rc1

v9.10.3-rc2

v9.11.0

v9.11.0-rc3

v9.11.1

v9.11.1-rc1

v9.11.2-rc1

v9.11.2-rc2

v9.5.0

v9.5.0-rc3

v9.5.1

v9.5.1-rc1

v9.5.10-rc1

v9.5.10-rc2

v9.5.2

v9.5.3

v9.5.3-rc1

v9.5.3-rc2

v9.5.3-rc3

v9.5.4

v9.5.4-rc1

v9.5.4-rc2

v9.5.5

v9.5.5-rc1

v9.5.6

v9.5.6-rc1

v9.5.6-rc2

v9.5.7

v9.5.7-rc1

v9.5.7-rc2

v9.5.7-rc3

v9.5.8

v9.5.8-rc1

v9.5.8-rc2

v9.5.9

v9.5.9-rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50052.json"