CVE-2024-39839 — Improper Access Control in Mattermost Mattermost-server

CWE-284 — Improper Access Control5 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 55.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedAug 1

Latest updateAug 6

Description

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.5.0 — 9.5.7+3

▶Gogithub.com/mattermost_mattermost-server9.5.0+incompatible — 9.5.7+incompatible+3

▶Gogithub.com/mattermost_mattermost_server_v89.5.0 — 9.5.7+3

▶CVEListV5mattermost/mattermost9.5.0 — 9.5.6+3

🔴Vulnerability Details

OSV

Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server↗2024-08-06

▶

CVEList

Remote username set to an arbitrary string by remote user↗2024-08-01

▶

OSV

Mattermost allows a user on a remote to set their remote username prop to an arbitrary string↗2024-08-01

▶

GHSA

Mattermost allows a user on a remote to set their remote username prop to an arbitrary string↗2024-08-01

▶