CVE-2024-1949

LOW2.6EPSS 0.27%

Mattermost race condition

Published: 2/29/2024Modified: 2/4/2026

Also known as:GHSA-3g35-v53r-gpxcBIT-mattermost-2024-1949CGA-mq3m-fc55-gc7gGO-2024-2588

Description

A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.

Affected packages (6)

Bitnami/mattermost>= 8.1.0, < 8.1.9, >= 9.4.0, < 9.4.2
Go/github.com/mattermost/mattermost-server>= 9.0.0+incompatible, < 9.4.2+incompatible
Go/github.com/mattermost/mattermost-server/v5from 0
Go/github.com/mattermost/mattermost-server/v6from 0
Go/github.com/mattermost/mattermost/server/v8>= 9.0.0, < 9.4.2
Go/github.com/mattermost/mattermost/server/v8from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	LOW2.6	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

References (5)

ADVISORYhttps://github.com/advisories/GHSA-3g35-v53r-gpxc
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-1949
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://mattermost.com/security-updates
WEBhttps://pkg.go.dev/vuln/GO-2024-2588