{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22449", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2025-01-08T11:07:12.574Z", "datePublished": "2025-01-09T06:54:53.029Z", "dateUpdated": "2025-01-09T15:29:20.571Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "9.11.5", "status": "affected", "version": "9.11.0", "versionType": "semver"}, {"status": "unaffected", "version": "10.3.0"}, {"status": "unaffected", "version": "9.11.6"}]}], "credits": [{"lang": "en", "type": "finder", "value": "omar ahmed (omar-ahmed)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Mattermost versions 9.11.x &lt;= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the \"allow_open_invite\" field via making their team public.</span><br>"}], "value": "Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the \"allow_open_invite\" field via making their team public."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-01-09T06:54:53.029Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost to versions 10.3.0, 9.11.6 or higher.</p>"}], "value": "Update Mattermost to versions 10.3.0, 9.11.6 or higher."}], "source": {"advisory": "MMSA-2024-00378", "defect": ["https://mattermost.atlassian.net/browse/MM-59539"], "discovery": "EXTERNAL"}, "title": "Access control flaw for team admins allows unauthorized team additions", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-09T15:29:05.476785Z", "id": "CVE-2025-22449", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T15:29:20.571Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-22449", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-09T15:29:05.476785Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T15:29:11.020Z"}}], "cna": {"title": "Access control flaw for team admins allows unauthorized team additions", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-59539"], "advisory": "MMSA-2024-00378", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "omar ahmed (omar-ahmed)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "9.11.0", "versionType": "semver", "lessThanOrEqual": "9.11.5"}, {"status": "unaffected", "version": "10.3.0"}, {"status": "unaffected", "version": "9.11.6"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 10.3.0, 9.11.6 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost to versions 10.3.0, 9.11.6 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the \"allow_open_invite\" field via making their team public.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Mattermost versions 9.11.x &lt;= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the \"allow_open_invite\" field via making their team public.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-01-09T06:54:53.029Z"}}}, "cveMetadata": {"cveId": "CVE-2025-22449", "state": "PUBLISHED", "dateUpdated": "2025-01-09T15:29:20.571Z", "dateReserved": "2025-01-08T11:07:12.574Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2025-01-09T06:54:53.029Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "61B308B7-C55B-4250-BAA0-BF949DF9EA63", "versionEndExcluding": "9.11.6", "versionStartIncluding": "9.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the \"allow_open_invite\" field via making their team public."}, {"lang": "es", "value": "Las versiones 9.11.x &lt;= 9.11.5 de Mattermost no aplican los permisos de invitaci\u00f3n, lo que permite a los administradores de equipo, sin permiso para invitar usuarios a su equipo, invitar a los usuarios actualizando el campo \"allow_open_invite\" haciendo p\u00fablico su equipo."}], "id": "CVE-2025-22449", "lastModified": "2025-09-29T17:44:58.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2025-01-09T07:15:28.777", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{"bugzilla": {"description": "mattermost: Access control flaw for team admins allows unauthorized team additions", "id": "2336638", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2336638"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-863", "details": ["Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the \"allow_open_invite\" field via making their team public.", "A flaw was found in Mattermost. In certain versions, Mattermost fails to enforce invite permissions, which allows team admins with no permissions to invite users to their team by updating the \"allow_open_invite\" field via making their team public."], "name": "CVE-2025-22449", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-central-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Not affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Not affected", "package_name": "rhceph/rhceph-6-dashboard-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Not affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/dex-rhel8", "product_name": "Red Hat OpenShift GitOps"}], "public_date": "2025-01-09T06:54:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22449\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22449\nhttps://mattermost.com/security-updates"], "threat_severity": "Low"}

{"created": "2025-07-12T15:26:19.944399+00:00", "updated": "2025-07-12T15:26:19.944449+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost"]}