GHSA-5fh7-7mw7-mmx5

Source

https://github.com/advisories/GHSA-5fh7-7mw7-mmx5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5fh7-7mw7-mmx5/GHSA-5fh7-7mw7-mmx5.json

Aliases

CVE-2024-4195

Published

2024-04-26T09:30:35Z

Modified

2024-04-26T19:26:47.224823Z

Summary

Mattermost allows team admins to promote guests to team admins

Details

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.

References

Affected packages

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.5.0

Fixed

9.5.3

Database specific

{
    "last_known_affected_version_range": "<= 9.5.2"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

8.1.0

Fixed

8.1.12

Database specific

{
    "last_known_affected_version_range": "<= 8.1.11"
}