GHSA-5fh7-7mw7-mmx5

Source

https://github.com/advisories/GHSA-5fh7-7mw7-mmx5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5fh7-7mw7-mmx5/GHSA-5fh7-7mw7-mmx5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5fh7-7mw7-mmx5

Aliases

CVE-2024-4195
GO-2024-2793

Published

2024-04-26T09:30:35Z

Modified

2024-06-05T16:43:09.434336Z

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Mattermost allows team admins to promote guests to team admins

Details

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.

Database specific

{
    "nvd_published_at": "2024-04-26T09:15:12Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-26T19:06:43Z"
}

References

Affected packages

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.5.0

Fixed

9.5.3

Database specific

{
    "last_known_affected_version_range": "<= 9.5.2"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

8.1.0

Fixed

8.1.12

Database specific

{
    "last_known_affected_version_range": "<= 8.1.11"
}