CVE-2024-29221: Mattermost Server Improper Access Control
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams
endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the “Add Members” permission was explicitly removed from team admins.
References
- github.com/advisories/GHSA-w67v-ph4x-f48q
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost/commit/0dc03fbc6e3c9afb14137e72ab3fa6f5a0125b9c
- github.com/mattermost/mattermost/commit/5cce9fed7363386afebd81a58fb5fab7d2729c8f
- github.com/mattermost/mattermost/commit/a5784f34ba6592c6454b8742f24af9d06279e347
- github.com/mattermost/mattermost/commit/dd3fe2991a70a41790d6bef5d31afc5957525f3c
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2024-29221
Detect and mitigate CVE-2024-29221 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →