CVE-2024-50052

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-50052
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50052.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50052
Aliases
Downstream
Related
Published
2024-10-29T08:10:17.129Z
Modified
2026-05-18T05:59:01.422428693Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Arbitrary post deletion via Playbooks /ignore-thread endpoint
Details

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.

Database specific 
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "9.10.0"
                },
                {
                    "last_affected": "9.10.2"
                },
                {
                    "introduced": "9.11.0"
                },
                {
                    "last_affected": "9.11.1"
                },
                {
                    "introduced": "9.5.0"
                },
                {
                    "last_affected": "9.5.9"
                }
            ]
        }
    ],
    "cna_assigner": "Mattermost",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50052.json"
}
References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Introduced
99d819d25d0b16b3faed901b1fe5c41de7655e9c
Fixed
4fdd366df05a110b843b3419002458bc3e5f135e
Introduced
60c5bb46dfa8192efa5a13c746423f0e7696b8bc
Fixed
49df0979aa1393fb3bb598dabf9c4bcc89f65244
Introduced
0bc2ddd42375a75ab14e63f038165150d4f07659
Fixed
cc5085e380c524570cce4dbad1795e4a1773fdf7
Database specific 
{
    "cpe": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "9.5.0"
        },
        {
            "fixed": "9.5.10"
        },
        {
            "introduced": "9.10.0"
        },
        {
            "fixed": "9.10.3"
        },
        {
            "introduced": "9.11.0"
        },
        {
            "fixed": "9.11.2"
        }
    ]
}

Affected versions

@mattermost/client@9.*
@mattermost/client@9.10.0
@mattermost/client@9.11.0
@mattermost/client@9.5.0
@mattermost/types@9.*
@mattermost/types@9.10.0
@mattermost/types@9.11.0
@mattermost/types@9.5.0
v9.*
v9.10.0
v9.10.0-rc3
v9.10.1
v9.10.1-rc1
v9.10.1-rc2
v9.10.1-rc3
v9.10.2
v9.10.2-rc1
v9.10.3-rc1
v9.10.3-rc2
v9.11.0
v9.11.0-rc3
v9.11.1
v9.11.1-rc1
v9.11.2-rc1
v9.11.2-rc2
v9.5.0
v9.5.0-rc3
v9.5.1
v9.5.1-rc1
v9.5.10-rc1
v9.5.10-rc2
v9.5.2
v9.5.3
v9.5.3-rc1
v9.5.3-rc2
v9.5.3-rc3
v9.5.4
v9.5.4-rc1
v9.5.4-rc2
v9.5.5
v9.5.5-rc1
v9.5.6
v9.5.6-rc1
v9.5.6-rc2
v9.5.7
v9.5.7-rc1
v9.5.7-rc2
v9.5.7-rc3
v9.5.8
v9.5.8-rc1
v9.5.8-rc2
v9.5.9
v9.5.9-rc1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50052.json"