CVE-2024-12247 (GCVE-0-2024-12247)
Vulnerability from cvelistv5 – Published: 2024-12-05 15:20 – Updated: 2024-12-05 16:58
Title
Improper propagation of permission scheme updates across cluster nodes
Summary
Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes, which allows a user to keep their old permissions even after the permission scheme has been updated.
Severity ?
CVSS 3.1 base score 4.6 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Mattermost | Mattermost | Affected: 9.7.0 , ≤ 9.7.5 (semver); Affected: 9.8.0 , ≤ 9.8.2 (semver); Affected: 9.9.0 , ≤ 9.9.2 (semver); Unaffected: 10.0.0; Unaffected: 9.7.6; Unaffected: 9.8.3; Unaffected: 9.9.3 |
Credits
Leandro Chaves (brdoors3)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12247",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T16:58:43.853029Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T16:58:59.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.7.5",
"status": "affected",
"version": "9.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.8.2",
"status": "affected",
"version": "9.8.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.9.2",
"status": "affected",
"version": "9.9.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.0.0"
},
{
"status": "unaffected",
"version": "9.7.6"
},
{
"status": "unaffected",
"version": "9.8.3"
},
{
"status": "unaffected",
"version": "9.9.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Leandro Chaves (brdoors3)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.2 and 9.9.x \u0026lt;= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.2 and 9.9.x \u003c= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T15:20:49.383Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.7.6, 9.8.3, 9.9.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.0.0, 9.7.6, 9.8.3, 9.9.3 or higher."
}
],
"source": {
"advisory": "MMSA-2023-00259",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54740"
],
"discovery": "EXTERNAL"
},
"title": "Improper propagation of permission scheme updates across cluster nodes",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-12247",
"datePublished": "2024-12-05T15:20:49.383Z",
"dateReserved": "2024-12-05T15:06:26.110Z",
"dateUpdated": "2024-12-05T16:58:59.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Mattermost versions 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.2 and 9.9.x \u003c= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.\"}, {\"lang\": \"es\", \"value\": \"Las versiones 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.2 y 9.9.x \u0026lt;= 9.9.2 de Mattermost no logran propagar correctamente las actualizaciones del esquema de permisos entre los nodos del cl\\u00faster, lo que permite que un usuario conserve los permisos antiguos, incluso si se ha actualizado el esquema de permisos.\"}]",
"id": "CVE-2024-12247",
"lastModified": "2024-12-05T16:15:25.243",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"responsibledisclosure@mattermost.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L\", \"baseScore\": 4.6, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 3.4}]}",
"published": "2024-12-05T16:15:25.243",
"references": "[{\"url\": \"https://mattermost.com/security-updates\", \"source\": \"responsibledisclosure@mattermost.com\"}]",
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"responsibledisclosure@mattermost.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-12247\",\"sourceIdentifier\":\"responsibledisclosure@mattermost.com\",\"published\":\"2024-12-05T16:15:25.243\",\"lastModified\":\"2025-10-01T18:21:08.697\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mattermost versions 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.2 and 9.9.x \u003c= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.\"},{\"lang\":\"es\",\"value\":\"Las versiones 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.2 y 9.9.x \u0026lt;= 9.9.2 de Mattermost no logran propagar correctamente las actualizaciones del esquema de permisos entre los nodos del cl\u00faster, lo que permite que un usuario conserve los permisos antiguos, incluso si se ha actualizado el esquema de permisos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"typ
e\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.7.0\",\"versionEndExcluding\":\"9.7.6\",\"matchCriteriaId\":\"B5C9F963-57DF-41E2-AA46-242317D93786\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.8.0\",\"versionEndExcluding\":\"9.8.3\",\"matchCriteriaId\":\"A37536AB-52C7-4670-AA72-86CD7819CD22\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.9.0\",\"versionEndExcluding\":\"9.9.3\",\"matchCriteriaId\":\"20276949-478F-4F2C-9D07-F9B3C04CADD9\"}]}]}],\"references\":[{\"url\":\"https://mattermost.com/security-updates\",\"source\":\"responsibledisclosure@mattermost.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-12247\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-05T16:58:43.853029Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-05T16:58:49.999Z\"}}], \"cna\": {\"title\": \"Improper propagation of permission scheme updates across cluster nodes\", \"source\": {\"defect\": [\"https://mattermost.atlassian.net/browse/MM-54740\"], \"advisory\": \"MMSA-2023-00259\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Leandro Chaves (brdoors3)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Mattermost\", \"product\": \"Mattermost\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.7.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.7.5\"}, {\"status\": \"affected\", \"version\": \"9.8.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.8.2\"}, {\"status\": \"affected\", \"version\": \"9.9.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.9.2\"}, {\"status\": \"unaffected\", \"version\": \"10.0.0\"}, {\"status\": \"unaffected\", \"version\": \"9.7.6\"}, {\"status\": \"unaffected\", \"version\": \"9.8.3\"}, {\"status\": \"unaffected\", 
\"version\": \"9.9.3\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update Mattermost to versions 10.0.0, 9.7.6, 9.8.3, 9.9.3 or higher.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.7.6, 9.8.3, 9.9.3 or higher.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://mattermost.com/security-updates\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mattermost versions 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.2 and 9.9.x \u003c= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eMattermost versions 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.2 and 9.9.x \u0026lt;= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee\", \"shortName\": \"Mattermost\", \"dateUpdated\": \"2024-12-05T15:20:49.383Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-12247\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-05T16:58:59.768Z\", \"dateReserved\": \"2024-12-05T15:06:26.110Z\", \"assignerOrgId\": \"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee\", \"datePublished\": \"2024-12-05T15:20:49.383Z\", \"assignerShortName\": \"Mattermost\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.