Authorization Bypass Through User-Controlled Key

CVE-2024-32045

Medium

5.9/10

Summary

Mattermost versions 8.1.x prior to 8.1.13-rc1, 9.5.x prior to 9.5.4-rc1, and 9.6.x prior to 9.6.2-rc1, fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were not members of. This issue affects github.com/mattermost/mattermost-plugin-playbook versions prior to v1.36.1--pre-release, 1.36.1 through 1.39.1.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-639 - Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

MMSA-2023-00294
Pull request

Advisory Timeline

Published May 26, 2024

Authorization Bypass Through User-Controlled Key

CVE-2024-32045

Summary

CWE-639 - Authorization Bypass Through User-Controlled Key

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS