Incorrect permission assignment for critical resource in Mattermost Server - CVE-2019-20887

 

Incorrect permission assignment for critical resource in Mattermost Server - CVE-2019-20887

Published: June 19, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30238
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-20887
CWE-ID: CWE-732
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mattermost, Inc.
Affected software:
Mattermost Server

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts.


How to mitigate CVE-2019-20887

Install update from vendor's website.

Sources