CVE-2024-29221

Summary

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.5.0 <= 9.5.1affected
MattermostMattermost9.4.0 <= 9.4.3affected
MattermostMattermost9.3.0 <= 9.3.2affected
MattermostMattermost8.1.0 <= 8.1.10affected
MattermostMattermost9.6.0unaffected
MattermostMattermost9.5.2unaffected
MattermostMattermost9.4.4unaffected
MattermostMattermost9.3.3unaffected
MattermostMattermost8.1.11unaffected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References