CVE-2025-13324
MEDIUM4.3EPSS 0.03%Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation
發布日:2025/12/17修改日:2025/12/30
描述
Mattermost versions 10.11.x < 10.11.5, 11.0.x < 11.0.4, 10.12.x < 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.
受影響套件(8)
- Go/github.com/mattermost/mattermost>= 10.11.0-rc1+incompatible, < 10.11.5+incompatible, >= 10.12.0+incompatible, < 10.12.2+incompatible, >= 11.0.0-alpha.1+incompatible, < 11.0.4+incompatible
- Go/github.com/mattermost/mattermost>= 10.12.0, < 10.12.2
- Go/github.com/mattermost/mattermost-serverfrom 0, < 11.0.4
- Go/github.com/mattermost/mattermost-serverfrom 0, < 11.0.4+incompatible
- Go/github.com/mattermost/mattermost-server/v5from 0
- Go/github.com/mattermost/mattermost-server/v6from 0
- Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20251031095924-e7e23b94e006
- Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20251031095924-e7e23b94e006
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
參考連結(7)
- ADVISORYhttps://github.com/advisories/GHSA-x3r8-2hmh-89f5
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-13324
- PATCHhttps://github.com/mattermost/mattermost
- WEBhttps://github.com/mattermost/mattermost/commit/364c2203de00fe0d8424b6b46d6f0eeb02a2539a
- WEBhttps://github.com/mattermost/mattermost/commit/7ccb62db7958abd6a4b21a06c5a4f5367a8f8b1f
- WEBhttps://github.com/mattermost/mattermost/commit/9f54e5cdc3aef412945ff0e6a58338f7b549bdda
- WEBhttps://mattermost.com/security-updates