CVE-2024-39836
Published 2024-08-22
Priority: P3 (34)
CVSS 3.1: 6.5 medium (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS: 0.26% (17.4th percentile)
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords. As a result, the munged email addresses created by shared channels, when they are valid, functional addresses, can be used to receive email notifications and to reset passwords.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 9.10.0+incompatible < 9.10.1+incompatible | 9.10.1+incompatible |
| github.com | mattermost_mattermost-server | >= 9.5.0+incompatible < 9.5.8+incompatible | 9.5.8+incompatible |
| github.com | mattermost_mattermost-server | >= 9.8.0+incompatible < 9.8.3+incompatible | 9.8.3+incompatible |
| github.com | mattermost_mattermost-server | >= 9.9.0+incompatible < 9.9.2+incompatible | 9.9.2+incompatible |
| github.com | mattermost_mattermost_server_v8 | >= 9.10.0 < 9.10.1 | 9.10.1 |
| github.com | mattermost_mattermost_server_v8 | >= 9.5.0 < 9.5.8 | 9.5.8 |
| github.com | mattermost_mattermost_server_v8 | >= 9.8.0 < 9.8.3 | 9.8.3 |
| github.com | mattermost_mattermost_server_v8 | >= 9.9.0 < 9.9.2 | 9.9.2 |
| mattermost | mattermost | — | — |
| mattermost | mattermost | >= 9.10.0 < 9.10.1 | 9.10.1 |
| mattermost | mattermost | >= 9.5.0 < 9.5.8 | 9.5.8 |
| mattermost | mattermost | 9.5.0 – 9.5.7 | — |
| mattermost | mattermost | >= 9.8.0 < 9.8.3 | 9.8.3 |
| mattermost | mattermost | 9.8.0 – 9.8.2 | — |
| mattermost | mattermost | >= 9.9.0 < 9.9.2 | 9.9.2 |
| mattermost | mattermost | 9.9.0 – 9.9.1 | — |
OSV (osv · 2024-08-30)
CVE-2024-39836: Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server
OSV (osv · 2024-08-22)
CVE-2024-39836 [MEDIUM]: Mattermost allows remote/synthetic users to create sessions, reset passwords
Description: identical to the CVE description above.
GHSA (ghsa · 2024-08-22)
CVE-2024-39836 [MEDIUM] CWE-693: Mattermost allows remote/synthetic users to create sessions, reset passwords
Description: identical to the CVE description above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.