CVE-2024-12247 (GCVE-0-2024-12247)
Vulnerability from cvelistv5
Published
2024-12-05 15:20
Modified
2024-12-05 16:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.7.0 ≤ 9.7.5 Version: 9.8.0 ≤ 9.8.2 Version: 9.9.0 ≤ 9.9.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12247",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T16:58:43.853029Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T16:58:59.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.7.5",
"status": "affected",
"version": "9.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.8.2",
"status": "affected",
"version": "9.8.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.9.2",
"status": "affected",
"version": "9.9.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.0.0"
},
{
"status": "unaffected",
"version": "9.7.6"
},
{
"status": "unaffected",
"version": "9.8.3"
},
{
"status": "unaffected",
"version": "9.9.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Leandro Chaves (brdoors3)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.2 and 9.9.x \u0026lt;= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.2 and 9.9.x \u003c= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T15:20:49.383Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.7.6, 9.8.3, 9.9.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.0.0, 9.7.6, 9.8.3, 9.9.3 or higher."
}
],
"source": {
"advisory": "MMSA-2023-00259",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54740"
],
"discovery": "EXTERNAL"
},
"title": "Improper propagation of permission scheme updates across cluster nodes",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-12247",
"datePublished": "2024-12-05T15:20:49.383Z",
"dateReserved": "2024-12-05T15:06:26.110Z",
"dateUpdated": "2024-12-05T16:58:59.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-12247\",\"sourceIdentifier\":\"responsibledisclosure@mattermost.com\",\"published\":\"2024-12-05T16:15:25.243\",\"lastModified\":\"2024-12-05T16:15:25.243\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mattermost versions 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.2 and 9.9.x \u003c= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.\"},{\"lang\":\"es\",\"value\":\"Las versiones 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.2 y 9.9.x \u0026lt;= 9.9.2 de Mattermost no logran propagar correctamente las actualizaciones del esquema de permisos entre los nodos del cl\u00faster, lo que permite que un usuario conserve los permisos antiguos, incluso si se ha actualizado el esquema de permisos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"references\":[{\"url\":\"https://mattermost.com/security-updates\",\"source\":\"responsibledisclosure@mattermost.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-12247\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-05T16:58:43.853029Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-05T16:58:49.999Z\"}}], \"cna\": {\"title\": \"Improper propagation of permission scheme updates across cluster nodes\", \"source\": {\"defect\": [\"https://mattermost.atlassian.net/browse/MM-54740\"], \"advisory\": \"MMSA-2023-00259\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Leandro Chaves (brdoors3)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Mattermost\", \"product\": \"Mattermost\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.7.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.7.5\"}, {\"status\": \"affected\", \"version\": \"9.8.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.8.2\"}, {\"status\": \"affected\", \"version\": \"9.9.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.9.2\"}, {\"status\": \"unaffected\", \"version\": \"10.0.0\"}, {\"status\": \"unaffected\", \"version\": \"9.7.6\"}, {\"status\": \"unaffected\", \"version\": \"9.8.3\"}, {\"status\": \"unaffected\", \"version\": \"9.9.3\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update Mattermost to versions 10.0.0, 9.7.6, 9.8.3, 9.9.3 or higher.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.7.6, 9.8.3, 9.9.3 or higher.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://mattermost.com/security-updates\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mattermost versions 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.2 and 9.9.x \u003c= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eMattermost versions 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.2 and 9.9.x \u0026lt;= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee\", \"shortName\": \"Mattermost\", \"dateUpdated\": \"2024-12-05T15:20:49.383Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-12247\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-05T16:58:59.768Z\", \"dateReserved\": \"2024-12-05T15:06:26.110Z\", \"assignerOrgId\": \"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee\", \"datePublished\": \"2024-12-05T15:20:49.383Z\", \"assignerShortName\": \"Mattermost\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…