CVE-2024-2447
Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
CVSS 3.1 base score: 6.5 (MEDIUM)
EPSS: 0.14%
Description
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action. Post actions are the interactive buttons and select menus that integrations attach to messages. Because the affected versions do not verify who originated certain action requests, a crafted action can produce a post attributed to another user; the attacker needs only an ordinary authenticated account.
How to fix CVE-2024-2447
To remediate CVE-2024-2447, upgrade the affected package to a fixed version. The six entries below correspond, in order, to the six affected packages listed in the next section:
- upgrade to 8.1.11 or later
- upgrade to 9.3.3+incompatible or later
- no fix listed
- no fix listed
- upgrade to 8.1.11 or later
- no fix listed
An entry with no fix listed is a package path for which every version is recorded as affected and no patched version is published on that path; the remedy there is to move to a release line that has a fix (8.1.11, 9.3.3, 9.4.4 or 9.5.2 and later, per the description above) rather than to wait for a patch on the old path.
Is CVE-2024-2447 being exploited?
Low. EPSS is 0.14%, the model's estimated probability of exploitation in the wild within the next 30 days; it is a prediction, not a measurement that exploitation has or has not been observed. Bear in mind that the CVSS vector requires only a low-privileged authenticated account (PR:L) and no user interaction, so any user who can sign in to an unpatched server can attempt the attack.
Affected packages (6)
- >= 8.1.0, < 8.1.11; >= 9.3.0, < 9.3.3; >= 9.4.0, < 9.4.4; >= 9.5.0, < 9.5.2
- >= 9.3.0+incompatible, < 9.3.3+incompatible; >= 9.4.0+incompatible, < 9.4.4+incompatible; >= 9.5.0+incompatible, < 9.5.2+incompatible
- from 0 (every version)
- from 0 (every version)
- >= 8.1.0, < 8.1.11
- from 0 (every version)
Ranges are half-open: the lower bound is affected, the upper bound is the first fixed version. The +incompatible suffix is Go module build metadata, recorded when a module at major version 2 or higher has no /vN path suffix; build metadata does not affect version precedence, so 9.3.3+incompatible is the same release as 9.3.3 and a version comparison must ignore the suffix.
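As an added example (not code from Mattermost or from this advisory's source), the following Go program checks a deployed server version against the four version ranges given in the description and in the package list above. It handles the leading `v`, the `+incompatible` build-metadata tag and pre-release suffixes, so that `9.5.2+incompatible` is recognised as fixed and `9.5.2-rc1` as still inside the affected range. The sample versions in `main` are constructed; `ParseVersion`, `Compare`, `Affected` and `CVE20242447` are names chosen here, not Mattermost APIs. Packages recorded "from 0" with no fix are not modelled, because every version of those paths is affected.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed semantic version. Pre marks a pre-release such as
// "-rc1", which sorts below the corresponding release under SemVer 2.0.0.
type Version struct {
	Major, Minor, Patch int
	Pre                 bool
}

// ParseVersion accepts "9.5.1", "v9.5.1", "9.5.1+incompatible" or "9.5.2-rc1".
// Build metadata after '+' is dropped: Go's "+incompatible" tag only records
// that the module has no /vN path suffix and does not change precedence.
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	var v Version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.Pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("want major.minor.patch, got %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		nums[i] = n
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

// Compare returns -1, 0 or 1 as a is below, equal to or above b. Pre-releases
// of the same numeric version are not ordered among themselves; that is
// enough for checking against range boundaries that are release versions.
func Compare(a, b Version) int {
	for _, d := range [3]int{a.Major - b.Major, a.Minor - b.Minor, a.Patch - b.Patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	switch {
	case a.Pre && !b.Pre:
		return -1
	case !a.Pre && b.Pre:
		return 1
	}
	return 0
}

// vulnRange is a half-open range [Introduced, Fixed), as OSV records it.
type vulnRange struct{ Introduced, Fixed string }

// CVE20242447 holds the four ranges this advisory gives for the 8.1 and 9.x lines.
var CVE20242447 = []vulnRange{
	{"8.1.0", "8.1.11"},
	{"9.3.0", "9.3.3"},
	{"9.4.0", "9.4.4"},
	{"9.5.0", "9.5.2"},
}

// Affected reports whether s lies in one of the ranges and, if so, the version
// that closes that range. A version outside every listed range (for example a
// 9.2.x build) returns false: this advisory says nothing about it either way.
func Affected(s string, ranges []vulnRange) (fixed string, affected bool, err error) {
	v, err := ParseVersion(s)
	if err != nil {
		return "", false, err
	}
	for _, r := range ranges {
		lo, _ := ParseVersion(r.Introduced)
		hi, _ := ParseVersion(r.Fixed)
		if Compare(v, lo) >= 0 && Compare(v, hi) < 0 {
			return r.Fixed, true, nil
		}
	}
	return "", false, nil
}

func main() {
	// Constructed sample inventory, not real hosts.
	for _, s := range []string{"9.5.1", "v9.5.2+incompatible", "8.1.11", "9.4.3", "9.5.2-rc1", "9.2.0"} {
		fixed, bad, err := Affected(s, CVE20242447)
		switch {
		case err != nil:
			fmt.Printf("%-22s parse error: %v\n", s, err)
		case bad:
			fmt.Printf("%-22s AFFECTED, upgrade to %s\n", s, fixed)
		default:
			fmt.Printf("%-22s not in a listed range\n", s)
		}
	}
}
```

The `+incompatible` handling matters in practice: a scanner that compares the raw string `9.3.3+incompatible` lexically against `9.3.3` will either miss fixed installs or flag them, so strip build metadata before comparing, as the Go toolchain itself does.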
CVSS scores
| Source | Version | Severity (score) | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | not scored by source | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Both vectors say the same thing: reachable over the network (AV:N) with low attack complexity (AC:L) by a low-privileged authenticated user (PR:L) and no user interaction (UI:N), with high impact on integrity (I:H / VI:H) and none on confidentiality or availability, which matches the ability to create posts attributed to other users.