CVE-2024-29221
Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server
Severity: 4.7 MEDIUM (CVSS 3.1); EPSS 0.06%
Description
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11 lack proper access control on the `/api/v4/users/me/teams` endpoint. The response exposes the invite ID of a team admin's team, which lets that admin invite users even when the "Add Members" permission has been explicitly removed from team admins.
How to fix CVE-2024-29221
To remediate CVE-2024-29221, upgrade the affected package to a fixed version below.
- —upgrade to 8.1.11 or later
- —upgrade to 9.3.3+incompatible or later
- —no fix listed
- —no fix listed
- —upgrade to 8.1.11 or later
- —no fix listed
Is CVE-2024-29221 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- >= 8.1.0, < 8.1.11, >= 9.3.0, < 9.3.3, >= 9.4.0, < 9.4.4, >= 9.5.0, < 9.5.2
- >= 9.3.0+incompatible, < 9.3.3+incompatible, >= 9.4.0+incompatible, < 9.4.4+incompatible, >= 9.5.0+incompatible, < 9.5.2+incompatible
- from 0
- from 0
- >= 8.1.0, < 8.1.11
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM (4.7) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |