GHSA-5qx9-9ffj-5r8f

Suggest an improvement
Source
https://github.com/advisories/GHSA-5qx9-9ffj-5r8f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5qx9-9ffj-5r8f/GHSA-5qx9-9ffj-5r8f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5qx9-9ffj-5r8f
Aliases
Published
2024-04-26T09:30:34Z
Modified
2024-06-05T16:43:09.574277Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Mattermost fails to fully validate role changes
Details

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.

Database specific 
{
    "nvd_published_at": "2024-04-26T09:15:13Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-26T19:09:03Z"
}
References

Affected packages

Go / github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
View open source insights on deps.dev
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
9.6.0-rc1
Fixed
9.6.1

Database specific 

{
    "last_known_affected_version_range": "<= 9.6.0"
}

Go / github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
View open source insights on deps.dev
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
9.5.0
Fixed
9.5.3

Database specific 

{
    "last_known_affected_version_range": "<= 9.5.2"
}

Go / github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
View open source insights on deps.dev
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
8.1.0
Fixed
8.1.12

Database specific 

{
    "last_known_affected_version_range": "<= 8.1.11"
}