CVE-2025-1472

MEDIUM4.3EPSS 0.24%

Mattermost Fails to Properly Perform Viewer Role Authorization

發布日:2025/3/19修改日:2025/3/25

也稱為:GHSA-fqrq-xmxj-v47xGO-2025-3534

描述

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

受影響套件(6)

Go/github.com/mattermost/mattermost-server>= 9.11.0, < 9.11.9
Go/github.com/mattermost/mattermost-server>= 9.11.0+incompatible, < 9.11.9+incompatible
Go/github.com/mattermost/mattermost-server/v5from 0
Go/github.com/mattermost/mattermost-server/v6from 0
Go/github.com/mattermost/mattermost/server/v8>= 9.11.0, < 9.11.9
Go/github.com/mattermost/mattermost/server/v8from 0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(4)

ADVISORYhttps://github.com/advisories/GHSA-fqrq-xmxj-v47x
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-1472
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://mattermost.com/security-updates