csaf_opensuse - opensuse-su-2025:14644-1

opensuse-su-2025:14644-1

Vulnerability from csaf_opensuse

Published

2025-01-14 00:00

Modified

2025-01-14 00:00

Summary

govulncheck-vulndb-0.0.20250109T194159-1.1 on GA media

Notes

Title of the patch

govulncheck-vulndb-0.0.20250109T194159-1.1 on GA media

Description of the patch

These are all security issues fixed in the govulncheck-vulndb-0.0.20250109T194159-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-14644

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "govulncheck-vulndb-0.0.20250109T194159-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20250109T194159-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-14644",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14644-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:14644-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L4N4W6VRBQ6LXRMKE4XQATP6QUUXHQOR/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:14644-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L4N4W6VRBQ6LXRMKE4XQATP6QUUXHQOR/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-20033 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-20033/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22149 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22149/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22445 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22445/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22449 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22449/"
      }
    ],
    "title": "govulncheck-vulndb-0.0.20250109T194159-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-01-14T00:00:00Z",
      "generator": {
        "date": "2025-01-14T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:14644-1",
      "initial_release_date": "2025-01-14T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-01-14T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64",
                  "product_id": "govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le",
                  "product_id": "govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.s390x",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.s390x",
                  "product_id": "govulncheck-vulndb-0.0.20250109T194159-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64",
                  "product_id": "govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.s390x"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250109T194159-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-20033",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-20033"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mattermost versions 10.2.0, 9.11.x \u003c= 9.11.5, 10.0.x \u003c= 10.0.3, 10.1.x \u003c= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-20033",
          "url": "https://www.suse.com/security/cve/CVE-2025-20033"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-14T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-20033"
    },
    {
      "cve": "CVE-2025-22149",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22149"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project\u0027s provided HTTP client\u0027s local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22149",
          "url": "https://www.suse.com/security/cve/CVE-2025-22149"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-14T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-22149"
    },
    {
      "cve": "CVE-2025-22445",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22445"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mattermost versions 10.x \u003c= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22445",
          "url": "https://www.suse.com/security/cve/CVE-2025-22445"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-14T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-22445"
    },
    {
      "cve": "CVE-2025-22449",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22449"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mattermost versions 9.11.x \u003c= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the \"allow_open_invite\" field via making their team public.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22449",
          "url": "https://www.suse.com/security/cve/CVE-2025-22449"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-14T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-22449"
    }
  ]
}

CVE-2025-22149 (GCVE-0-2025-22149)

Vulnerability from cvelistv5

Published

2025-01-09 17:22

Modified

2025-05-23 19:56

Severity ?

2.1 (Low) - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-672 - Operation on a Resource after Expiration or Release

Summary

JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).

References

►

URL

Tags

	https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82	x_refsource_CONFIRM
	https://github.com/MicahParks/jwkset/issues/40	x_refsource_MISC
	https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	MicahParks	jwkset	Version: >= 0.5.0, < 0.6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22149",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T18:08:52.573069Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T18:09:01.964Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-23T19:56:35.937Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-22149-detect-jwkset-vulnerability-in-go-projects-1"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-22149-mitigate-jwkset-vulnerability-in-go-projects"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jwkset",
          "vendor": "MicahParks",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.5.0, \u003c 0.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project\u0027s provided HTTP client\u0027s local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value)."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-672",
              "description": "CWE-672: Operation on a Resource after Expiration or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T17:22:59.757Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82"
        },
        {
          "name": "https://github.com/MicahParks/jwkset/issues/40",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MicahParks/jwkset/issues/40"
        },
        {
          "name": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3"
        }
      ],
      "source": {
        "advisory": "GHSA-675f-rq2r-jw82",
        "discovery": "UNKNOWN"
      },
      "title": "JWK Set\u0027s HTTP client only overwrites and appends JWK to local cache during refresh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-22149",
    "datePublished": "2025-01-09T17:22:59.757Z",
    "dateReserved": "2024-12-30T03:00:33.654Z",
    "dateUpdated": "2025-05-23T19:56:35.937Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22449 (GCVE-0-2025-22449)

Vulnerability from cvelistv5

Published

2025-01-09 06:54

Modified

2025-01-09 15:29

Severity ?

3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-863 - Incorrect Authorization

Summary

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.

References

►

URL

Tags

https://mattermost.com/security-updates

Impacted products

	Vendor	Product	Version
	Mattermost	Mattermost	Version: 9.11.0 ≤ 9.11.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22449",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T15:29:05.476785Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T15:29:20.571Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mattermost",
          "vendor": "Mattermost",
          "versions": [
            {
              "lessThanOrEqual": "9.11.5",
              "status": "affected",
              "version": "9.11.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "10.3.0"
            },
            {
              "status": "unaffected",
              "version": "9.11.6"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "omar ahmed (omar-ahmed)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMattermost versions 9.11.x \u0026lt;= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the \"allow_open_invite\" field via making their team public.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Mattermost versions 9.11.x \u003c= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the \"allow_open_invite\" field via making their team public."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T06:54:53.029Z",
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost"
      },
      "references": [
        {
          "url": "https://mattermost.com/security-updates"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate Mattermost to versions 10.3.0, 9.11.6 or higher.\u003c/p\u003e"
            }
          ],
          "value": "Update Mattermost to versions 10.3.0, 9.11.6 or higher."
        }
      ],
      "source": {
        "advisory": "MMSA-2024-00378",
        "defect": [
          "https://mattermost.atlassian.net/browse/MM-59539"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Access control flaw for team admins allows unauthorized team additions",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "cveId": "CVE-2025-22449",
    "datePublished": "2025-01-09T06:54:53.029Z",
    "dateReserved": "2025-01-08T11:07:12.574Z",
    "dateUpdated": "2025-01-09T15:29:20.571Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22445 (GCVE-0-2025-22445)

Vulnerability from cvelistv5

Published

2025-01-09 06:55

Modified

2025-01-09 15:46

Severity ?

3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Summary

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

References

►

URL

Tags

https://mattermost.com/security-updates

Impacted products

	Vendor	Product	Version
	Mattermost	Mattermost	Version: 10.0.* ≤ 10.2.*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22445",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T15:46:31.155550Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T15:46:51.120Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mattermost",
          "vendor": "Mattermost",
          "versions": [
            {
              "lessThanOrEqual": "10.2.*",
              "status": "affected",
              "version": "10.0.*",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "10.3.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Leandro Chaves (brdoors3)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMattermost versions 10.x \u0026lt;= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.\u003c/p\u003e"
            }
          ],
          "value": "Mattermost versions 10.x \u003c= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T06:55:13.389Z",
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost"
      },
      "references": [
        {
          "url": "https://mattermost.com/security-updates"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate Mattermost to versions 10.3.0 or higher.\u003c/p\u003e"
            }
          ],
          "value": "Update Mattermost to versions 10.3.0 or higher."
        }
      ],
      "source": {
        "advisory": "MMSA-2024-00400",
        "defect": [
          "https://mattermost.atlassian.net/browse/MM-61469"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Misleading UI for undefined admin console settings in Calls causes security confusion",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "cveId": "CVE-2025-22445",
    "datePublished": "2025-01-09T06:55:13.389Z",
    "dateReserved": "2025-01-08T11:07:12.595Z",
    "dateUpdated": "2025-01-09T15:46:51.120Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20033 (GCVE-0-2025-20033)

Vulnerability from cvelistv5

Published

2025-01-09 06:55

Modified

2025-01-09 15:05

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-1287 - Improper Validation of Specified Type of Input

Summary

Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.

References

►

URL

Tags

https://mattermost.com/security-updates

Impacted products

	Vendor	Product	Version
	Mattermost	Mattermost	Version: 10.2.0 Version: 9.11.0 ≤ 9.11.5 Version: 10.0.0 ≤ 10.0.3 Version: 10.1.0 ≤ 10.1.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20033",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T15:05:02.977878Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T15:05:20.599Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mattermost",
          "vendor": "Mattermost",
          "versions": [
            {
              "status": "affected",
              "version": "10.2.0"
            },
            {
              "lessThanOrEqual": "9.11.5",
              "status": "affected",
              "version": "9.11.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.0.3",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.3",
              "status": "affected",
              "version": "10.1.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "10.3.0"
            },
            {
              "status": "unaffected",
              "version": "10.2.1"
            },
            {
              "status": "unaffected",
              "version": "9.11.6"
            },
            {
              "status": "unaffected",
              "version": "10.0.4"
            },
            {
              "status": "unaffected",
              "version": "10.1.4"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "c0rydoras (c0rydoras)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMattermost versions 10.2.0, 9.11.x \u0026lt;= 9.11.5, 10.0.x \u0026lt;= 10.0.3, 10.1.x \u0026lt;= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.\u003c/p\u003e"
            }
          ],
          "value": "Mattermost versions 10.2.0, 9.11.x \u003c= 9.11.5, 10.0.x \u003c= 10.0.3, 10.1.x \u003c= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1287",
              "description": "CWE-1287: Improper Validation of Specified Type of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T06:55:02.063Z",
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost"
      },
      "references": [
        {
          "url": "https://mattermost.com/security-updates"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate Mattermost to versions 10.3.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher.\u003c/p\u003e"
            }
          ],
          "value": "Update Mattermost to versions 10.3.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher."
        }
      ],
      "source": {
        "advisory": "MMSA-2024-00396",
        "defect": [
          "https://mattermost.atlassian.net/browse/MM-61296"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "DoS via custom post type for sysconsole plugin readers",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "cveId": "CVE-2025-20033",
    "datePublished": "2025-01-09T06:55:02.063Z",
    "dateReserved": "2025-01-08T11:07:12.589Z",
    "dateUpdated": "2025-01-09T15:05:20.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2025:14644-1

Vulnerability from csaf_opensuse

CVE-2025-22149 (GCVE-0-2025-22149)

Vulnerability from cvelistv5

CVE-2025-22449 (GCVE-0-2025-22449)

Vulnerability from cvelistv5

CVE-2025-22445 (GCVE-0-2025-22445)

Vulnerability from cvelistv5

CVE-2025-20033 (GCVE-0-2025-20033)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature