GHSA-5qx9-9ffj-5r8f

Source
https://github.com/advisories/GHSA-5qx9-9ffj-5r8f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5qx9-9ffj-5r8f/GHSA-5qx9-9ffj-5r8f.json
Aliases
  • CVE-2024-4198
Published
2024-04-26T09:30:34Z
Modified
2024-04-26T19:26:47.292715Z
Summary
Mattermost fails to fully validate role changes
Details

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to demote users to guest via crafted HTTP requests. The missing check is server-side: the team-admin authorization is applied to the request as a whole, but the submitted role set is not restricted to roles that a team admin is permitted to assign, so a system-level role (guest) can be set through a team-scoped change.
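The general pattern behind this advisory is a role-change endpoint that authorizes the caller but not the roles they submit. The following added example (not Mattermost's code and not its actual fix) contrasts the two checks in Go. The role identifiers are Mattermost's built-in role names; the rule that a team admin may only assign team-scoped roles, the `Caller` and `RoleChangeRequest` types and the function names are this example's own assumptions, chosen to illustrate the check a practitioner would expect.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Built-in Mattermost role identifiers. Everything else in this file is an
// assumption made for illustration, not Mattermost's own implementation.
const (
	RoleSystemAdmin = "system_admin"
	RoleSystemUser  = "system_user"
	RoleSystemGuest = "system_guest"
	RoleTeamAdmin   = "team_admin"
	RoleTeamUser    = "team_user"
)

// Assumed scoping rule: a team admin may only grant or revoke team-scoped roles.
var teamAssignableRoles = map[string]bool{
	RoleTeamAdmin: true,
	RoleTeamUser:  true,
}

var (
	ErrNotTeamAdmin  = errors.New("caller is not an admin of this team")
	ErrForbiddenRole = errors.New("caller is not permitted to assign this role")
	ErrNoRoles       = errors.New("request must carry at least one role")
)

// Caller models the authenticated requester (hypothetical type).
type Caller struct {
	UserID      string
	SystemAdmin bool
	TeamAdminOf map[string]bool // team IDs the caller administers
}

// RoleChangeRequest is a simplified stand-in for a role-update request body.
// Roles are a space-separated string, matching how Mattermost stores them.
type RoleChangeRequest struct {
	TeamID   string
	TargetID string
	NewRoles string
}

// validateRoleChangeWeak shows the flawed pattern: it checks who the caller
// is, then accepts whatever role string was submitted. A team admin can
// therefore submit "system_guest" and demote the target to guest.
func validateRoleChangeWeak(c Caller, r RoleChangeRequest) error {
	if c.SystemAdmin || c.TeamAdminOf[r.TeamID] {
		return nil
	}
	return ErrNotTeamAdmin
}

// validateRoleChangeStrict checks the caller AND every role in the request:
// a team admin may only touch roles in teamAssignableRoles, so a system-level
// role such as system_guest is rejected before any change is applied.
func validateRoleChangeStrict(c Caller, r RoleChangeRequest) error {
	if c.SystemAdmin {
		return nil // system admins may assign any role
	}
	if !c.TeamAdminOf[r.TeamID] {
		return ErrNotTeamAdmin
	}
	roles := strings.Fields(r.NewRoles)
	if len(roles) == 0 {
		return ErrNoRoles // an empty set would silently strip all roles
	}
	for _, role := range roles {
		if !teamAssignableRoles[role] {
			return fmt.Errorf("%w: %q", ErrForbiddenRole, role)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a team admin of team "t1" tries to demote user "u2".
	admin := Caller{UserID: "u1", TeamAdminOf: map[string]bool{"t1": true}}
	demote := RoleChangeRequest{TeamID: "t1", TargetID: "u2", NewRoles: "system_guest team_user"}
	fmt.Println("weak  :", validateRoleChangeWeak(admin, demote))
	fmt.Println("strict:", validateRoleChangeStrict(admin, demote))
}
```

The strict variant applies the check to each role in the request rather than to the request as a whole, which is the property the advisory describes as missing. When auditing a similar endpoint, confirm that the allowlist is enforced server-side for every role in the submitted set, not only for the role the UI exposes.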

References

Affected packages

Go / github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
9.6.0-rc1
Fixed
9.6.1

Database specific

{
    "last_known_affected_version_range": "<= 9.6.0"
}

Go / github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
9.5.0
Fixed
9.5.3

Database specific

{
    "last_known_affected_version_range": "<= 9.5.2"
}

Go / github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
8.1.0
Fixed
8.1.12

Database specific

{
    "last_known_affected_version_range": "<= 8.1.11"
}