GHSA-322v-vh2g-qvpv

Source
https://github.com/advisories/GHSA-322v-vh2g-qvpv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-322v-vh2g-qvpv/GHSA-322v-vh2g-qvpv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-322v-vh2g-qvpv
Aliases
Related
Published
2025-04-14T09:30:24Z
Modified
2026-01-30T01:58:15.930299Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Summary
Mattermost Fails to Restrict Certain Operations on System Admins
Details

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation.
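The authorization flaw described above, as an added illustration that is not Mattermost's own code: a hypothetical user model with a "check only the actor's permission" decision next to the corrected decision that also inspects the target, so that a delegated administrator holding "Edit Other Users" can no longer modify a system admin. The User type, permission name and UpdateUserRoles handler are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model for the example; not Mattermost's data model.
type User struct {
	ID            string
	IsSystemAdmin bool
	Permissions   map[string]bool // granular permissions of a delegated admin
}

// Assumed permission name for the "Edit Other Users" grant.
const PermEditOtherUsers = "edit_other_users"

var ErrForbidden = errors.New("forbidden: actor may not modify target user")

// canEditVulnerable shows the CWE-863 pattern: only the actor's grant is
// checked and the target is never examined, so a delegated admin passes
// even when the target is a system admin.
func canEditVulnerable(actor, target *User) bool {
	return actor.IsSystemAdmin || actor.Permissions[PermEditOtherUsers]
}

// canEditFixed adds the missing target check: an operation on a system
// admin is permitted only when the actor is a system admin too.
func canEditFixed(actor, target *User) bool {
	if target.IsSystemAdmin && !actor.IsSystemAdmin {
		return false
	}
	return actor.IsSystemAdmin || actor.Permissions[PermEditOtherUsers]
}

// UpdateUserRoles is a hypothetical handler that enforces the fixed check
// before touching the target account.
func UpdateUserRoles(actor, target *User, roles string) error {
	if !canEditFixed(actor, target) {
		return ErrForbidden
	}
	// ... apply roles to target here ...
	return nil
}

func main() {
	sysadmin := &User{ID: "sysadmin", IsSystemAdmin: true}
	delegated := &User{ID: "delegated", Permissions: map[string]bool{PermEditOtherUsers: true}}
	fmt.Println("vulnerable check allows:", canEditVulnerable(delegated, sysadmin)) // true
	fmt.Println("fixed check allows:     ", canEditFixed(delegated, sysadmin))      // false
}
```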

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-863"
    ],
    "github_reviewed_at": "2025-04-14T19:07:43Z",
    "severity": "MODERATE",
    "nvd_published_at": "2025-04-14T07:15:14Z"
}
References

Affected packages

Go
github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
View open source insights on deps.dev
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
10.5.0
Fixed
10.5.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-322v-vh2g-qvpv/GHSA-322v-vh2g-qvpv.json"
github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
10.4.0
Fixed
10.4.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-322v-vh2g-qvpv/GHSA-322v-vh2g-qvpv.json"
github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
9.11.0
Fixed
9.11.10

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-322v-vh2g-qvpv/GHSA-322v-vh2g-qvpv.json"
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
10.5.0
Fixed
10.5.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-322v-vh2g-qvpv/GHSA-322v-vh2g-qvpv.json"
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
10.4.0
Fixed
10.4.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-322v-vh2g-qvpv/GHSA-322v-vh2g-qvpv.json"
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
9.11.0
Fixed
9.11.10

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-322v-vh2g-qvpv/GHSA-322v-vh2g-qvpv.json"
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
8.0.0-20250227102013-aa4623a93199

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-322v-vh2g-qvpv/GHSA-322v-vh2g-qvpv.json"