CVE-2024-36492

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-36492
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user.

6.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References
Link Resource
https://mattermost.com/security-updates Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:9.9.0:*:*:*:*:*:*:*
History

23 Aug 2024, 14:51

Type Values Removed Values Added
First Time Mattermost mattermost
Mattermost
Summary
  • (es) Las versiones de Mattermost 9.9.x &lt;= 9.9.0, 9.5.x &lt;= 9.5.6, 9.7.x &lt;= 9.7.5, 9.8.x &lt;= 9.8.1 no permiten la modificación de usuarios locales al sincronizar usuarios en canales compartidos lo que permite que un control remoto malicioso sobrescriba a un usuario local existente.
CWE NVD-CWE-noinfo
CVSS v2 : unknown
v3 : 7.4 		v2 : unknown
v3 : 6.4
References () https://mattermost.com/security-updates - () https://mattermost.com/security-updates - Vendor Advisory
CPE cpe:2.3:a:mattermost:mattermost:9.9.0:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

01 Aug 2024, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-08-01 15:15

Updated : 2024-08-23 14:51

NVD link : CVE-2024-36492

Mitre link : CVE-2024-36492

CVE.ORG link : CVE-2024-36492

JSON object : View

Products Affected

mattermost

  • mattermost
CWE
NVD-CWE-noinfo CWE-284

Improper Access Control