CVE-2025-3611 (GCVE-0-2025-3611)
Vulnerability from cvelistv5
Published
2025-05-30 14:22
Modified
2025-05-30 14:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.
References
| ► | URL | Tags | |
|---|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 10.7.0 ≤ Version: 10.5.0 ≤ 10.5.3 Version: 9.11.0 ≤ 9.11.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3611",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T14:37:28.621750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:37:42.109Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "10.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.5.3",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.11.12",
"status": "affected",
"version": "9.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.8.0"
},
{
"status": "unaffected",
"version": "10.7.1"
},
{
"status": "unaffected",
"version": "10.5.4"
},
{
"status": "unaffected",
"version": "9.11.13"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "hackit_bharat"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 10.7.x \u0026lt;= 10.7.0, 10.5.x \u0026lt;= 10.5.3, 9.11.x \u0026lt;= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with \u0027No access\u0027 to Teams in the System Console.\u003c/p\u003e"
}
],
"value": "Mattermost versions 10.7.x \u003c= 10.7.0, 10.5.x \u003c= 10.5.3, 9.11.x \u003c= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with \u0027No access\u0027 to Teams in the System Console."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:22:09.854Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.8.0, 10.7.1, 10.5.4, 9.11.13 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.8.0, 10.7.1, 10.5.4, 9.11.13 or higher."
}
],
"source": {
"advisory": "MMSA-2025-00462",
"defect": [
"https://mattermost.atlassian.net/browse/MM-63377"
],
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-3611",
"datePublished": "2025-05-30T14:22:09.854Z",
"dateReserved": "2025-04-14T20:40:50.972Z",
"dateUpdated": "2025-05-30T14:37:42.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-3611\",\"sourceIdentifier\":\"responsibledisclosure@mattermost.com\",\"published\":\"2025-05-30T15:15:41.197\",\"lastModified\":\"2025-07-08T17:11:34.797\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mattermost versions 10.7.x \u003c= 10.7.0, 10.5.x \u003c= 10.5.3, 9.11.x \u003c= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with \u0027No access\u0027 to Teams in the System Console.\"},{\"lang\":\"es\",\"value\":\"Las versiones de Mattermost 10.7.x \u0026lt;= 10.7.0, 10.5.x \u0026lt;= 10.5.3, 9.11.x \u0026lt;= 9.11.12 no aplican correctamente las restricciones de control de acceso para los roles de administrador del sistema, lo que permite que los usuarios autenticados con privilegios de administrador del sistema vean detalles del equipo a los que no deber\u00edan tener acceso a trav\u00e9s de solicitudes de API directas a los endpoints del equipo, incluso cuando est\u00e1n configurados expl\u00edcitamente con \\\"Sin acceso\\\" a los equipos en la Consola del sistema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.11.0\",\"versionEndExcluding\":\"9.11.13\",\"matchCriteriaId\":\"BC431F02-E096-4994-9CB3-AC2DB1C7FAB5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.5.0\",\"versionEndExcluding\":\"10.5.4\",\"matchCriteriaId\":\"6EB2F235-4072-4E5E-914C-07829E12A481\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:10.7.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"555B766B-E5A3-4369-A2A7-4C77F246AFB0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:10.7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E70B3C8-33ED-4C9D-BDE0-0CCADB68207B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:10.7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7D2A4C91-AE3A-462B-A162-1C82B717D504\"}]}]}],\"references\":[{\"url\":\"https://mattermost.com/security-updates\",\"source\":\"responsibledisclosure@mattermost.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-3611\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-30T14:37:28.621750Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-30T14:37:32.312Z\"}}], \"cna\": {\"title\": \"Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions\", \"source\": {\"defect\": [\"https://mattermost.atlassian.net/browse/MM-63377\"], \"advisory\": \"MMSA-2025-00462\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"hackit_bharat\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Mattermost\", \"product\": \"Mattermost\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.7.0\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"10.5.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.5.3\"}, {\"status\": \"affected\", \"version\": \"9.11.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.11.12\"}, {\"status\": \"unaffected\", \"version\": \"10.8.0\"}, {\"status\": \"unaffected\", \"version\": \"10.7.1\"}, {\"status\": \"unaffected\", \"version\": \"10.5.4\"}, {\"status\": \"unaffected\", \"version\": \"9.11.13\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update Mattermost to versions 10.8.0, 10.7.1, 10.5.4, 9.11.13 or higher.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUpdate Mattermost to versions 10.8.0, 10.7.1, 10.5.4, 9.11.13 or higher.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://mattermost.com/security-updates\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mattermost versions 10.7.x \u003c= 10.7.0, 10.5.x \u003c= 10.5.3, 9.11.x \u003c= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with \u0027No access\u0027 to Teams in the System Console.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eMattermost versions 10.7.x \u0026lt;= 10.7.0, 10.5.x \u0026lt;= 10.5.3, 9.11.x \u0026lt;= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with \u0027No access\u0027 to Teams in the System Console.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee\", \"shortName\": \"Mattermost\", \"dateUpdated\": \"2025-05-30T14:22:09.854Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-3611\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-30T14:37:42.109Z\", \"dateReserved\": \"2025-04-14T20:40:50.972Z\", \"assignerOrgId\": \"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee\", \"datePublished\": \"2025-05-30T14:22:09.854Z\", \"assignerShortName\": \"Mattermost\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…