Mattermost Server Improper Access Control

GHSA-w67v-ph4x-f48q · BIT-mattermost-2024-29221 · CVE-2024-29221 · GO-2024-2706

Published Apr 5, 2024 · Modified Dec 16, 2024

Description

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-29221
WEB https://github.com/mattermost/mattermost/commit/0dc03fbc6e3c9afb14137e72ab3fa6f5a0125b9c
WEB https://github.com/mattermost/mattermost/commit/5cce9fed7363386afebd81a58fb5fab7d2729c8f
WEB https://github.com/mattermost/mattermost/commit/a5784f34ba6592c6454b8742f24af9d06279e347
WEB https://github.com/mattermost/mattermost/commit/dd3fe2991a70a41790d6bef5d31afc5957525f3c
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates
WEB https://pkg.go.dev/vuln/GO-2024-2706

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes