GHSA-w67v-ph4x-f48q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w67v-ph4x-f48q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-w67v-ph4x-f48q/GHSA-w67v-ph4x-f48q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w67v-ph4x-f48q
- Aliases
- Published
- 2024-04-05T09:30:39Z
- Modified
- 2024-12-16T13:41:52.517664Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Mattermost Server Improper Access Control
- Details
-
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the
/api/v4/users/me/teamsendpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins. - Database specific
{ "nvd_published_at": "2024-04-05T09:15:09Z", "github_reviewed_at": "2024-04-05T17:04:41Z", "cwe_ids": [ "CWE-284" ], "severity": "MODERATE", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-29221
- https://github.com/mattermost/mattermost/commit/0dc03fbc6e3c9afb14137e72ab3fa6f5a0125b9c
- https://github.com/mattermost/mattermost/commit/5cce9fed7363386afebd81a58fb5fab7d2729c8f
- https://github.com/mattermost/mattermost/commit/a5784f34ba6592c6454b8742f24af9d06279e347
- https://github.com/mattermost/mattermost/commit/dd3fe2991a70a41790d6bef5d31afc5957525f3c
- https://github.com/mattermost/mattermost
- https://mattermost.com/security-updates
- https://pkg.go.dev/vuln/GO-2024-2706
Affected packages
Go
github.com/mattermost/mattermost/server/v8
Package
- Name
- github.com/mattermost/mattermost/server/v8
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/mattermost/mattermost/server/v8
github.com/mattermost/mattermost/server/v8
Package
- Name
- github.com/mattermost/mattermost/server/v8
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/mattermost/mattermost/server/v8
github.com/mattermost/mattermost/server/v8
Package
- Name
- github.com/mattermost/mattermost/server/v8
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/mattermost/mattermost/server/v8
github.com/mattermost/mattermost/server/v8
Package
- Name
- github.com/mattermost/mattermost/server/v8
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/mattermost/mattermost/server/v8