CVE-2024-50052: Mattermost server allows authenticated user to delete arbitrary post

October 29, 2024 (updated November 4, 2024)

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.

References

github.com/advisories/GHSA-g376-m3h3-mj4r
github.com/mattermost/mattermost
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-50052

Code Behaviors & Features

Detect and mitigate CVE-2024-50052 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →