CVE-2024-36492
Published 2024-08-01
Priority: P4 | 32 | medium | 6.4 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
EPSS: 0.30% (percentile 21.3)
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels, which allows a malicious remote (a peer Mattermost server connected through shared channels) to overwrite an existing local user. Fixed in 9.9.1, 9.5.7, 9.7.6 and 9.8.2 (CWE-284, Improper Access Control).
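The missing control is an ownership check on the user-sync path: an incoming record from a remote is matched against the local users table and written in place without confirming that the remote created the row it matched. The Go model below is added here for illustration and is not Mattermost's code; it contrasts an upsert that overwrites whatever it matches with one that refuses to touch any user the syncing remote did not create. The types (RemoteCluster, User, UserStore), the in-memory store, the function names and the sample accounts are all constructed for this example and do not reproduce Mattermost's data model or its actual fix.

```go
package main

import (
	"errors"
	"fmt"
)

// RemoteCluster identifies a peer server connected through shared channels.
type RemoteCluster struct{ ID, Name string }

// User is a reduced stand-in for Mattermost's model.User (an assumption made for
// this example): a locally managed account has an empty RemoteID, an account
// created by a sync from a remote carries that remote's cluster ID.
type User struct{ ID, Username, Email, RemoteID string }

var (
	ErrLocalUser   = errors.New("shared channel sync: refusing to modify a local user")
	ErrWrongRemote = errors.New("shared channel sync: user is owned by a different remote")
)

// UserStore is a constructed in-memory users table keyed by username.
type UserStore struct{ byUsername map[string]*User }

func NewUserStore(seed ...User) *UserStore {
	s := &UserStore{byUsername: map[string]*User{}}
	for _, u := range seed {
		u := u
		s.byUsername[u.Username] = &u
	}
	return s
}

// Email reports the address currently stored for username ("" if absent).
func (s *UserStore) Email(username string) string {
	if u, ok := s.byUsername[username]; ok {
		return u.Email
	}
	return ""
}

func (s *UserStore) insert(rc *RemoteCluster, in User) *User {
	in.ID, in.RemoteID = rc.ID+":"+in.Username, rc.ID
	s.byUsername[in.Username] = &in
	return &in
}

// UpsertSyncUserVulnerable models the pre-fix behaviour: the incoming record is
// matched on username and, if a row exists, overwritten in place with no check of
// who owns that row, so a remote can name any local account and replace it.
func (s *UserStore) UpsertSyncUserVulnerable(rc *RemoteCluster, in User) (*User, error) {
	if existing, ok := s.byUsername[in.Username]; ok {
		existing.Email = in.Email
		existing.RemoteID = rc.ID // the local account now appears to belong to the remote
		return existing, nil
	}
	return s.insert(rc, in), nil
}

// UpsertSyncUserFixed adds the ownership check the advisory says was missing:
// a sync from remote rc may only create users, or update users that rc created.
func (s *UserStore) UpsertSyncUserFixed(rc *RemoteCluster, in User) (*User, error) {
	if existing, ok := s.byUsername[in.Username]; ok {
		switch {
		case existing.RemoteID == "":
			return nil, ErrLocalUser
		case existing.RemoteID != rc.ID:
			return nil, ErrWrongRemote
		}
		existing.Email = in.Email
		return existing, nil
	}
	return s.insert(rc, in), nil
}

// Scenario replays one hostile sync record against both implementations and
// reports the email the local "alice" account ends up with under each.
func Scenario() (vulnerableEmail, fixedEmail string, fixedErr error) {
	local := User{ID: "u-local-1", Username: "alice", Email: "alice@corp.example"}
	evil := &RemoteCluster{ID: "rc-evil", Name: "partner"}
	hostile := User{Username: "alice", Email: "attacker@evil.example"} // constructed payload

	v := NewUserStore(local)
	_, _ = v.UpsertSyncUserVulnerable(evil, hostile)

	f := NewUserStore(local)
	_, fixedErr = f.UpsertSyncUserFixed(evil, hostile)
	return v.Email("alice"), f.Email("alice"), fixedErr
}

func main() {
	vulnerable, fixed, err := Scenario()
	fmt.Printf("vulnerable sync: alice -> %s\n", vulnerable)
	fmt.Printf("fixed sync:      alice -> %s (%v)\n", fixed, err)
}
```

The same ownership rule has to gate every field the sync path can write (username, authentication data, roles), not only the email shown here, and it also stops one remote from taking over a user that a different remote created. Treat a remote as an untrusted principal: it may assert facts about the users it owns, never about yours.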
Affected
| Source | Package | Version range | Fixed in |
|---|---|---|---|
| Go module | github.com/mattermost/mattermost-server | >= 9.5.0+incompatible < 9.5.7+incompatible | 9.5.7+incompatible |
| Go module | github.com/mattermost/mattermost-server | >= 9.7.0+incompatible < 9.7.6+incompatible | 9.7.6+incompatible |
| Go module | github.com/mattermost/mattermost-server | >= 9.8.0+incompatible < 9.8.2+incompatible | 9.8.2+incompatible |
| Go module | github.com/mattermost/mattermost-server | >= 9.9.0+incompatible < 9.9.1+incompatible | 9.9.1+incompatible |
| Go module | github.com/mattermost/mattermost/server/v8 | >= 9.5.0 < 9.5.7 | 9.5.7 |
| Go module | github.com/mattermost/mattermost/server/v8 | >= 9.7.0 < 9.7.6 | 9.7.6 |
| Go module | github.com/mattermost/mattermost/server/v8 | >= 9.8.0 < 9.8.2 | 9.8.2 |
| Go module | github.com/mattermost/mattermost/server/v8 | >= 9.9.0 < 9.9.1 | 9.9.1 |
| Vendor: mattermost | mattermost | >= 9.5.0 < 9.5.7 | 9.5.7 |
| Vendor: mattermost | mattermost | >= 9.7.0 < 9.7.6 | 9.7.6 |
| Vendor: mattermost | mattermost | >= 9.8.0 < 9.8.2 | 9.8.2 |
| Vendor: mattermost | mattermost | >= 9.9.0 < 9.9.1 | 9.9.1 |
The +incompatible suffix is Go's marker for a module tagged at major version 2 or higher without a /vN element in its path; it applies to the older standalone mattermost-server module path, while the server/v8 path is the monorepo module. Both resolve to the same fixed releases.
OSV · 2024-08-06
Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server
OSV · 2024-08-01 · MEDIUM
Mattermost failed to disallow the modification of local users when syncing users in shared channels
GHSA · 2024-08-01 · MEDIUM · CWE-284 (Improper Access Control)
Mattermost failed to disallow the modification of local users when syncing users in shared channels
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.