2307318 – (CVE-2024-43780) CVE-2024-43780 mattermost: permission enforcing failure allows a guest user with read access to upload files to a channel

Bug 2307318 (CVE-2024-43780) - CVE-2024-43780 mattermost: permission enforcing failure allows a guest user with read access to upload files to a channel

Summary: CVE-2024-43780 mattermost: permission enforcing failure allows a guest user w...

Keywords:
Status:	NEW
Alias:	CVE-2024-43780
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2307354 2307355 2307356 2307357 2311655 2350675
Blocks:
TreeView+	depends on / blocked

Reported:	2024-08-22 16:20 UTC by OSIDB Bzimport
Modified:	2025-04-18 08:27 UTC (History)
CC List:	21 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-08-22 16:20:47 UTC

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.

Comment 1 Jonathan Wright 2024-12-15 10:01:01 UTC

mattermost is not a fedora/rhel package.  Why does this bz exist?

Note You need to log in before you can comment on or make changes to this bug.

amctagga
anjoseph
aoconnor
bniver
caswilli
flucifre
gmeno
gparvin
jonathan
jprabhak
kaycoth
lbainbri
mbenjamin
mhackett
njean
owatkins
pahickey
rhaigner
sostapov
vereddy
wtam