Main Vulnerability Database Vulnerabilities #VU30238

Incorrect permission assignment for critical resource in Mattermost Server - CVE-2019-20887

Published: June 19, 2020 / Updated: July 17, 2020

Vulnerability identifier: #VU30238

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-20887

CWE-ID: CWE-732

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Mattermost Server

Software vendor:
Mattermost, Inc.

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts.

Remediation

Install update from vendor's website.

External links

https://mattermost.com/security-updates/

Incorrect permission assignment for critical resource in Mattermost Server - CVE-2019-20887

Description

Remediation

External links

Please verify you're human