Multiple vulnerabilities in Mattermost, Mattermost Server
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2019-20881 CVE-2019-20882 CVE-2019-20883 CVE-2019-20884 CVE-2019-20885 CVE-2019-20886 |
| CWE-ID | CWE-522 CWE-276 CWE-732 CWE-200 CWE-269 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Mattermost Server Client/Desktop applications / Messaging software |
| Vendor | Mattermost, Inc. |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Insufficiently protected credentials
EUVDB-ID: #VU34222
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-20881
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA.
MitigationInstall update from vendor's website.
Vulnerable software versionsMattermost Server:
CPE2.3 External linkshttps://mattermost.com/security-updates/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Incorrect default permissions
EUVDB-ID: #VU34223
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-20882
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team.
MitigationInstall update from vendor's website.
Vulnerable software versionsMattermost Server:
CPE2.3 External linkshttps://mattermost.com/security-updates/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Incorrect permission assignment for critical resource
EUVDB-ID: #VU34224
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-20883
CWE-ID:
CWE-732 - Incorrect Permission Assignment for Critical Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate data.
An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post.
MitigationInstall update from vendor's website.
Vulnerable software versionsMattermost Server:
CPE2.3 External linkshttps://mattermost.com/security-updates/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Incorrect permission assignment for critical resource
EUVDB-ID: #VU34225
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-20884
CWE-ID:
CWE-732 - Incorrect Permission Assignment for Critical Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post.
MitigationInstall update from vendor's website.
Vulnerable software versionsMattermost Server:
CPE2.3 External linkshttps://mattermost.com/security-updates/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Information disclosure
EUVDB-ID: #VU34226
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-20885
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.
MitigationInstall update from vendor's website.
Vulnerable software versionsMattermost Server:
CPE2.3 External linkshttps://mattermost.com/security-updates/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper Privilege Management
EUVDB-ID: #VU34227
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-20886
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin.
MitigationInstall update from vendor's website.
Vulnerable software versionsMattermost Server:
CPE2.3 External linkshttps://mattermost.com/security-updates/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
