CVE-2024-40884 - OpenCVE

Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://mattermost.com/security-updates
https://nvd.nist.gov/vuln/detail/CVE-2024-40884
https://www.cve.org/CVERecord?id=CVE-2024-40884

History

Fri, 23 Aug 2024 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 22 Aug 2024 23:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-40884 https://www.cve.org/CVERecord?id=CVE-2024-40884
Metrics	threat_severity `None`	threat_severity `Low`

Thu, 22 Aug 2024 15:30:00 +0000

Type	Values Removed	Values Added
Description		Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.
Title		Unauthorized disabling of invite URL
Weaknesses		CWE-284
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-08-22T15:17:10.938Z

Updated: 2024-08-22T18:08:37.730Z

Reserved: 2024-08-16T17:27:00.338Z

Link: CVE-2024-40884

Vulnrichment

Updated: 2024-08-22T18:08:33.413Z

NVD

Status : Awaiting Analysis

Published: 2024-08-22T16:15:08.797

Modified: 2024-08-23T16:18:28.547

Link: CVE-2024-40884

Redhat

Severity : Low

Publid Date: 2024-08-22T16:15:08Z

Links: CVE-2024-40884 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40884", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-08-16T17:27:00.338Z", "datePublished": "2024-08-22T15:17:10.938Z", "dateUpdated": "2024-08-22T18:08:37.730Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"status": "affected", "version": "9.10.0"}, {"status": "unaffected", "version": "9.11.0"}, {"status": "unaffected", "version": "9.5.8"}, {"status": "unaffected", "version": "9.10.1"}]}], "credits": [{"lang": "en", "type": "finder", "value": "omar ahmed (omar-ahmed)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without \"Add Team Members\" permission to disable the invite URL.</p>"}], "value": "Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without \"Add Team Members\" permission to disable the invite URL."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-08-22T15:17:10.938Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher.</p>"}], "value": "Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher."}], "source": {"advisory": "MMSA-2024-00352", "defect": ["https://mattermost.atlassian.net/browse/MM-58556"], "discovery": "EXTERNAL"}, "title": "Unauthorized disabling of invite URL", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-22T18:06:51.539483Z", "id": "CVE-2024-40884", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T18:08:37.730Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40884", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-22T18:06:51.539483Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T18:08:33.413Z"}}], "cna": {"title": "Unauthorized disabling of invite URL", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-58556"], "advisory": "MMSA-2024-00352", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "omar ahmed (omar-ahmed)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "9.5.0", "versionType": "semver", "lessThanOrEqual": "9.5.7"}, {"status": "affected", "version": "9.10.0"}, {"status": "unaffected", "version": "9.11.0"}, {"status": "unaffected", "version": "9.5.8"}, {"status": "unaffected", "version": "9.10.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without \"Add Team Members\" permission to disable the invite URL.", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without \"Add Team Members\" permission to disable the invite URL.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-08-22T15:17:10.938Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40884", "state": "PUBLISHED", "dateUpdated": "2024-08-22T18:08:37.730Z", "dateReserved": "2024-08-16T17:27:00.338Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-08-22T15:17:10.938Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"bugzilla": {"description": "mattermost: permission enforcing failure allows a team admin user without \"Add Team Members\" permission to disable the invite URL", "id": "2307315", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2307315"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-284", "details": ["Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without \"Add Team Members\" permission to disable the invite URL."], "name": "CVE-2024-40884", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-central-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Fix deferred", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Fix deferred", "package_name": "rhceph/rhceph-6-dashboard-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Fix deferred", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/dex-rhel8", "product_name": "Red Hat OpenShift GitOps"}], "public_date": "2024-08-22T16:15:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-40884\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40884\nhttps://mattermost.com/security-updates"], "threat_severity": "Low"}