CVE-2025-3228
BaseFortify
Publication date: 2025-06-20
Last updated on: 2025-07-08
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 9.11.0 (inc) to 9.11.16 (exc) |
| mattermost | mattermost_server | From 10.5.0 (inc) to 10.5.6 (exc) |
| mattermost | mattermost_server | From 10.6.0 (inc) to 10.6.6 (exc) |
| mattermost | mattermost_server | From 10.7.0 (inc) to 10.7.3 (exc) |
| mattermost | mattermost_server | 10.8.0 |
| mattermost | mattermost_server | 10.8.0 |
| mattermost | mattermost_server | 10.8.0 |
| mattermost | mattermost_server | 10.8.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, and 10.6.x <= 10.6.5 occurs because the software fails to properly retrieve requestorInfo from the playbooks handler for guest users. This flaw allows an attacker to gain access to the playbook run, which they should not normally have permission to access.
How can this vulnerability impact me? :
The vulnerability can allow an attacker, particularly a guest user, to access playbook runs that they are not authorized to view. This unauthorized access could lead to exposure of sensitive operational procedures or information contained within the playbooks, potentially compromising confidentiality.