CVE-2024-8071

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission, effectively becoming a System Admin.
References
Link Resource
https://mattermost.com/security-updates Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

History

23 Aug 2024, 15:34

Type Values Removed Values Added
CPE cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 4.7
v2 : unknown
v3 : 7.2
First Time Mattermost mattermost
Mattermost
CWE NVD-CWE-Other
References () https://mattermost.com/security-updates - () https://mattermost.com/security-updates - Vendor Advisory

22 Aug 2024, 12:48

Type Values Removed Values Added
Summary
  • (es) Las versiones de Mattermost 9.9.x &lt;= 9.9.1, 9.5.x &lt;= 9.5.7, 9.10.x &lt;= 9.10.0 y 9.8.x &lt;= 9.8.2 no restringen qué roles pueden promover a un usuario como administrador del sistema y cuáles permite que una función del sistema con acceso de edición a la sección de permisos de la consola del sistema actualice su función (por ejemplo, miembro) para incluir el permiso `manage_system`, convirtiéndose efectivamente en un administrador del sistema.

22 Aug 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-22 07:15

Updated : 2024-08-23 15:34


NVD link : CVE-2024-8071

Mitre link : CVE-2024-8071

CVE.ORG link : CVE-2024-8071


JSON object : View

Products Affected

mattermost

  • mattermost
CWE
NVD-CWE-Other CWE-284

Improper Access Control