CVE-2023-50333: 
Chainguard vulnerability analysis and mitigation

CVE-2023-50333 is a security vulnerability discovered in Mattermost that affects session permission management. The vulnerability was disclosed on January 2, 2024, and impacts Mattermost server versions up to (excluding) 8.1.7. The issue occurs when a user is demoted to guest status, where the system fails to properly update the permissions of their current session (NVD).

The vulnerability stems from a failure in the session permission update mechanism when a user is demoted to guest status. It has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. Mattermost's own assessment rated it slightly lower at 3.7 (LOW) with a vector string of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L. The vulnerability is classified under CWE-284 (Improper Access Control) (NVD).

When exploited, this vulnerability allows freshly demoted guests to retain elevated permissions, specifically the ability to change group names, which should not be available to guest users. This represents a privilege escalation issue that could affect system security and access control integrity (NVD).

The vulnerability has been fixed in Mattermost server version 8.1.7. Organizations running affected versions should upgrade to version 8.1.7 or later to mitigate this security issue (Vendor Advisory).