CVE-2024-39274

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel referenced in a sync message is a shared channel when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels.
References

Link                                     | Resource
https://mattermost.com/security-updates  | Vendor Advisory
Configurations

Configuration 1

OR cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:9.9.0:*:*:*:*:*:*:*

History

23 Aug 2024, 14:39

Type       | Values Removed                              | Values Added
CWE        |                                             | NVD-CWE-noinfo
CVSS       | v2 : unknown, v3 : 8.7                      | v2 : unknown, v3 : 6.5
CPE        |                                             | cpe:2.3:a:mattermost:mattermost:9.9.0:*:*:*:*:*:*:*
           |                                             | cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
References | https://mattermost.com/security-updates     | https://mattermost.com/security-updates - Vendor Advisory
Summary    |                                             | (es) Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 do not properly validate that the channel coming from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels
First Time |                                             | Mattermost mattermost
           |                                             | Mattermost

01 Aug 2024, 15:15

Type       | Values Removed                              | Values Added
New CVE    |                                             |

Information

Published : 2024-08-01 15:15

Updated : 2024-08-23 14:39


NVD link : CVE-2024-39274

Mitre link : CVE-2024-39274

CVE.ORG link : CVE-2024-39274



Products Affected

mattermost

  • mattermost
CWE
NVD-CWE-noinfo
CWE-284 Improper Access Control