Incorrect permission assignment for critical resource in Mattermost Server

#VU30205 Incorrect permission assignment for critical resource in Mattermost Server

Published: 2020-06-19 | Updated: 2020-07-17

Vulnerability identifier: #VU30205

Vulnerability risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18894

CWE-ID: CWE-732

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mattermost Server
Client/Desktop applications / Messaging software

Vendor: Mattermost, Inc.

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Mattermost Server: 4.1.0

External links
http://mattermost.com/security-updates/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Mattermost, Mattermost Server