CVE-2024-2447: Mattermost fails to authenticate the source of certain types of post actions

April 5, 2024 (updated November 18, 2024)

Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.

References

github.com/advisories/GHSA-wp43-vprh-c3w5
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-2447

Code Behaviors & Features

Detect and mitigate CVE-2024-2447 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →