SB2020061955 - Multiple vulnerabilities in Mattermost, Mattermost Server

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Insufficiently protected credentials (CVE-ID: CVE-2019-20881)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA.

2) Incorrect default permissions (CVE-ID: CVE-2019-20882)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team.

3) Incorrect permission assignment for critical resource (CVE-ID: CVE-2019-20883)

The vulnerability allows a remote authenticated user to manipulate data.

An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post.

4) Incorrect permission assignment for critical resource (CVE-ID: CVE-2019-20884)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post.

5) Information disclosure (CVE-ID: CVE-2019-20885)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.

6) Improper Privilege Management (CVE-ID: CVE-2019-20886)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin.

Remediation

Install update from vendor's website.

References

• https://mattermost.com/security-updates/