Incorrect permission assignment for critical resource in Mattermost Server - CVE-2017-18872

 

Incorrect permission assignment for critical resource in Mattermost Server - CVE-2017-18872

Published: June 19, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30219
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-18872
CWE-ID: CWE-732
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mattermost, Inc.
Affected software:
Mattermost Server

Detailed vulnerability description

The vulnerability allows a remote authenticated user to manipulate data.

An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.


How to mitigate CVE-2017-18872

Install update from vendor's website.

Sources