CVE-2024-39836: Protection Mechanism Failure in Mattermost Mattermost-server

Severity
NVD: 6.5 MEDIUM
CNA: 4.8
EPSS
0.5%
top 33.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 22
Latest update: Aug 30

Description

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (4 packages)

NVD | mattermost/mattermost | 9.5.0 | 9.5.8 | +3 more
Go | github.com/mattermost_mattermost-server | 9.5.0+incompatible | 9.5.8+incompatible | +3 more
CVEListV5 | mattermost/mattermost | 9.9.0 | 9.9.1 | +3 more

Vulnerability Details (4)
OSV: Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server (2024-08-30)
OSV: Mattermost allows remote/synthetic users to create sessions, reset passwords (2024-08-22)
GHSA: Mattermost allows remote/synthetic users to create sessions, reset passwords (2024-08-22)
CVEList: Munged email address used for password resets and notifications (2024-08-22)
CVE-2024-39836 — Protection Mechanism Failure | cvebase