CVE-2024-32045 MEDIUM

CVE-2024-32045: Playbook run link to private channel grants channel access

Vendor Mattermost
Product Mattermost
Weakness CWE-284
Published May 26, 2024
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were not members of.

Key dates

02Disclosure timeline

May 26, 2024 CVE published
August 2, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-35213 Orion User setting Improper Access Control Privilege Escalation Vulnerability CVE-2019-1890 Cisco Nexus 9000 Series Fabric Switches ACI Mode Fabric Infrastructure VLAN Unauthorized Access Vulnerability CVE-2024-42406 Unauthorized access on archived channels CVE-2026-5124 osrg GoBGP BGP Header bgp.go BGPHeader.DecodeFromBytes access control CVE-2026-34444 Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr