CVE-2024-39777

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.
References
Link Resource
https://mattermost.com/security-updates Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:9.9.0:*:*:*:*:*:*:*

History

23 Aug 2024, 14:36

Type Values Removed Values Added
CPE cpe:2.3:a:mattermost:mattermost:9.9.0:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
First Time Mattermost mattermost
Mattermost
CWE NVD-CWE-noinfo
References () https://mattermost.com/security-updates - () https://mattermost.com/security-updates - Vendor Advisory
Summary
  • (es) Las versiones de Mattermost 9.9.x &lt;= 9.9.0, 9.5.x &lt;= 9.5.6, 9.7.x &lt;= 9.7.5 y 9.8.x &lt;= 9.8.1 no permiten invitaciones no solicitadas para exponer el acceso a canales locales, cuando los canales compartidos están habilitados, lo que permite que un control remoto malicioso envíe una invitación con el ID de un canal local existente, y ese canal local se compartirá sin el consentimiento del administrador local.
CVSS v2 : unknown
v3 : 8.7
v2 : unknown
v3 : 9.6

01 Aug 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-01 15:15

Updated : 2024-08-23 14:36


NVD link : CVE-2024-39777

Mitre link : CVE-2024-39777

CVE.ORG link : CVE-2024-39777


JSON object : View

Products Affected

mattermost

  • mattermost
CWE
NVD-CWE-noinfo CWE-284

Improper Access Control