Bug 2277334 (CVE-2024-4198) - CVE-2024-4198 mattermost: fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest
Summary: CVE-2024-4198 mattermost: fail to fully validate role changes which allows an...
Keywords:
Status: NEW
Alias: CVE-2024-4198
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2277335 2277336
Blocks: 2277330
Reported: 2024-04-26 11:24 UTC by Rohit Keshri
Modified: 2024-04-26 13:36 UTC (History)

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Mattermost, where it failed to fully validate role changes. This flaw allows an attacker authenticated as team admin to demote users to guests via crafted HTTP requests.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Rohit Keshri 2024-04-26 11:24:38 UTC
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.

https://mattermost.com/security-updates

Comment 1 Rohit Keshri 2024-04-26 11:27:04 UTC
Created purple-mattermost tracking bugs for this issue:

Affects: epel-all [bug 2277335]
Affects: fedora-all [bug 2277336]
