CVE-2024-43813 - Vulnerability Details - OpenCVE

Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mattermost	Mattermost

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost::::::::
	cpe:2.3:a:mattermost:mattermost::::::::

No data.

References

Link	Providers
https://mattermost.com/security-updates

History

Fri, 23 Aug 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:mattermost:mattermost::::::::
Vendors & Products		Mattermost Mattermost mattermost

Thu, 22 Aug 2024 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 22 Aug 2024 06:45:00 +0000

Type	Values Removed	Values Added
Description		Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user.
Title		IDOR when marking read a user's channel
Weaknesses		CWE-284
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-08-22T06:30:58.923Z

Updated: 2024-08-22T19:53:37.226Z

Reserved: 2024-08-20T16:09:35.890Z

Link: CVE-2024-43813

Vulnrichment

Updated: 2024-08-22T19:53:33.945Z

NVD

Status : Analyzed

Published: 2024-08-22T07:15:04.620

Modified: 2024-08-23T15:35:12.617

Link: CVE-2024-43813

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43813", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-08-20T16:09:35.890Z", "datePublished": "2024-08-22T06:30:58.923Z", "dateUpdated": "2024-08-22T19:53:37.226Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"status": "affected", "version": "9.10.0"}, {"status": "unaffected", "version": "9.11.0"}, {"status": "unaffected", "version": "9.5.8"}, {"status": "unaffected", "version": "9.10.1"}]}], "credits": [{"lang": "en", "type": "finder", "value": "DoyenSec"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user.</p>"}], "value": "Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows\u00a0any authenticated user, including guests, to mark any channel inside any team as read for any user."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-08-22T06:30:58.923Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher.</p>"}], "value": "Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher."}], "source": {"advisory": "MMSA-2024-00364", "defect": ["https://mattermost.atlassian.net/browse/MM-58836"], "discovery": "EXTERNAL"}, "title": "IDOR when marking read a user's channel", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-22T19:53:22.385207Z", "id": "CVE-2024-43813", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T19:53:37.226Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43813", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-22T19:53:22.385207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T19:53:33.945Z"}}], "cna": {"title": "IDOR when marking read a user's channel", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-58836"], "advisory": "MMSA-2024-00364", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "DoyenSec"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "9.5.0", "versionType": "semver", "lessThanOrEqual": "9.5.7"}, {"status": "affected", "version": "9.10.0"}, {"status": "unaffected", "version": "9.11.0"}, {"status": "unaffected", "version": "9.5.8"}, {"status": "unaffected", "version": "9.10.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows\u00a0any authenticated user, including guests, to mark any channel inside any team as read for any user.", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-08-22T06:30:58.923Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43813", "state": "PUBLISHED", "dateUpdated": "2024-08-22T19:53:37.226Z", "dateReserved": "2024-08-20T16:09:35.890Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-08-22T06:30:58.923Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FEEA8D7-745A-49FF-8B01-CA0D1D820D48", "versionEndExcluding": "9.5.8", "versionStartIncluding": "9.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CA40F21-914D-4891-A578-02E6F35FE249", "versionEndExcluding": "9.10.1", "versionStartIncluding": "9.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows\u00a0any authenticated user, including guests, to mark any channel inside any team as read for any user."}, {"lang": "es", "value": "Las versiones 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 de Mattermost no aplican controles de acceso adecuados que permiten a cualquier usuario autenticado, incluidos los invitados, marcar cualquier canal dentro de cualquier equipo como le\u00eddo para cualquier usuario."}], "id": "CVE-2024-43813", "lastModified": "2024-08-23T15:35:12.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2024-08-22T07:15:04.620", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}