Homepage
About Snyk

Improper Access Control Affecting github.com/mattermost/mattermost-plugin-playbooks/server/app package, versions <1.36.1--pre-release >=1.37.0 <1.39.2

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMMATTERMOSTMATTERMOSTPLUGINPLAYBOOKSSERVERAPP-7116811
  • published 27 May 2024
  • disclosed 26 May 2024
  • credit BhaRat
Report a new vulnerability Found a mistake?

Introduced: 26 May 2024

CVE-2024-5272 Open this link in a new tab
CWE-284 Open this link in a new tab

How to fix?

Upgrade github.com/mattermost/mattermost-plugin-playbooks/server/app to version 1.36.1--pre-release, 1.39.2 or higher.

Overview

github.com/mattermost/mattermost-plugin-playbooks/server/app is a package for reliable and repeatable processes using checklists, automation, and retrospectives

Affected versions of this package are vulnerable to Improper Access Control due to improper restrictions on the visibility of webhook events. An attacker with guest access can view sensitive details of playbook runs by subscribing to the custom_playbooks_playbook_run_updated event.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
4.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None