How the mentioned CVE works
This vulnerability resides in the Slack import functionality of the Mattermost collaboration platform. The process designed for migrating workspaces from Slack into Mattermost incorrectly handles the verification state of user email addresses. During a standard account creation, Mattermost would typically send a verification email to confirm the user owns the provided address. However, the Slack import process accepts and trusts the email address data embedded within the imported archive file without performing this crucial ownership check. An attacker can exploit this by crafting a malicious Slack import file that contains user entries with arbitrary, unverified email addresses from domains otherwise restricted by the team’s configuration. When this malicious file is imported, Mattermost creates these user accounts and incorrectly marks their email addresses as “verified.” This allows the attacker to create an account with a verified email from a domain that would normally be blocked, thereby bypassing the team’s email-based access control rules and gaining unauthorized entry.
Platform: Mattermost
Version: 10.5.x <=10.5.10
Vulnerability: Access Control Bypass
Severity: Critical
Date: 2024
Prediction: Patch released
What Undercode Say:
Analytics

```shell
# Check the installed Mattermost version
grep -i version /opt/mattermost/config/config.json

# Search the server log for recent import activity
grep -i "import" /opt/mattermost/logs/mattermost.log

# List accounts whose email is marked verified but belongs to a domain you did not expect
# (replace target-domain.com with the domain under review)
psql -d mattermost -c "SELECT Username, Email FROM Users WHERE Email LIKE '%@target-domain.com' AND EmailVerified = true;"
```
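To make the flaw described above concrete, and to generalise the audit query from the Analytics section, here is a small Go model of an import path written for this page (it is not Mattermost's code; the `SlackUser` layout, the `ImportedAccount` record, the constructed `users.json` sample and the domain list are all assumptions). It places the vulnerable importer, which copies the address out of the archive and marks it verified without consulting the team's domain policy, beside a hardened one that enforces the policy and leaves the address unverified, and it includes a defender-side audit that flags verified accounts outside the allowed domains.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SlackUser holds the subset of a Slack export's users.json needed here.
// The layout is an assumption for this example, not Mattermost's import types.
type SlackUser struct {
	ID      string `json:"id"`
	Name    string `json:"name"`
	Profile struct {
		Email string `json:"email"`
	} `json:"profile"`
}

// ImportedAccount is the account record an importer would persist.
type ImportedAccount struct {
	Username      string
	Email         string
	EmailVerified bool
}

// sampleUsersJSON is a constructed export: one address on the team's domain and
// one on an outside domain that the team's restriction should reject.
const sampleUsersJSON = `[
  {"id":"U001","name":"alice","profile":{"email":"alice@example.org"}},
  {"id":"U002","name":"mallory","profile":{"email":"mallory@outside.test"}}
]`

func parseSlackUsers(data []byte) ([]SlackUser, error) {
	var users []SlackUser
	if err := json.Unmarshal(data, &users); err != nil {
		return nil, fmt.Errorf("users.json: %w", err)
	}
	return users, nil
}

// emailDomain returns the lower-cased part after the last '@', or "" if malformed.
func emailDomain(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 || at == len(addr)-1 {
		return ""
	}
	return strings.ToLower(addr[at+1:])
}

// domainAllowed applies a team allowed-domain list; an empty list means no restriction.
func domainAllowed(addr string, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	d := emailDomain(addr)
	for _, a := range allowed {
		if d != "" && d == strings.ToLower(a) {
			return true
		}
	}
	return false
}

// importUsersVulnerable models the flaw: the address is trusted as-is, marked
// verified, and the team's domain policy is never consulted.
func importUsersVulnerable(users []SlackUser) []ImportedAccount {
	out := make([]ImportedAccount, 0, len(users))
	for _, u := range users {
		out = append(out, ImportedAccount{Username: u.Name, Email: u.Profile.Email, EmailVerified: true})
	}
	return out
}

// importUsersHardened enforces the domain list at import time and leaves every
// imported address unverified, so ownership is still proven by the normal mail loop.
func importUsersHardened(users []SlackUser, allowed []string) ([]ImportedAccount, []error) {
	var out []ImportedAccount
	var rejected []error
	for _, u := range users {
		if emailDomain(u.Profile.Email) == "" || !domainAllowed(u.Profile.Email, allowed) {
			rejected = append(rejected, fmt.Errorf("user %s: email %q not permitted", u.ID, u.Profile.Email))
			continue
		}
		out = append(out, ImportedAccount{Username: u.Name, Email: u.Profile.Email, EmailVerified: false})
	}
	return out, rejected
}

// auditVerifiedOffDomain is the defender's check: accounts marked verified whose
// domain is not on the allowed list, i.e. the residue a bad import would leave behind.
func auditVerifiedOffDomain(accounts []ImportedAccount, allowed []string) []ImportedAccount {
	var flagged []ImportedAccount
	for _, a := range accounts {
		if a.EmailVerified && !domainAllowed(a.Email, allowed) {
			flagged = append(flagged, a)
		}
	}
	return flagged
}

func main() {
	users, err := parseSlackUsers([]byte(sampleUsersJSON))
	if err != nil {
		panic(err)
	}
	allowed := []string{"example.org"}
	vuln := importUsersVulnerable(users)
	for _, a := range auditVerifiedOffDomain(vuln, allowed) {
		fmt.Printf("audit flag: %s <%s> verified but off-domain\n", a.Username, a.Email)
	}
	hard, rejected := importUsersHardened(users, allowed)
	fmt.Println("hardened importer kept:", len(hard), "rejected:", rejected)
}
```

The audit function is the in-code counterpart of the `psql` query above: run against a dump of the `Users` table it lists every account that claims a verified address outside the team's domain policy, which is exactly the state a malicious import would produce.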
How the Exploit Works:
1. Attacker obtains a valid Slack export template.
2. Modifies the `users.json` file, inserting user entries with arbitrary email addresses (e.g., [email protected]).
3. Packages the modified data into a new Slack import ZIP archive.
4. Imports the malicious archive into a target Mattermost instance.
5. Mattermost creates the user accounts, marking the arbitrary emails as verified.
6. Attacker uses the account to bypass domain restrictions.
Protection from this CVE
Apply vendor patches.
Disable Slack imports.
Review user accounts.
Use network isolation.
Impact:
Unauthorized team access.
Privilege escalation.
Data confidentiality breach.
Policy bypass.
Sources:
Reported By: github.com