CVE-2024-39839

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.
References
Link Resource
https://mattermost.com/security-updates Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:*

History

04 Sep 2024, 17:34

Type Values Removed Values Added
Summary
  • (es) Las versiones de Mattermost 9.9.x &lt;= 9.9.0, 9.5.x &lt;= 9.5.6, 9.7.x &lt;= 9.7.5, 9.8.x &lt;= 9.8.1 no permiten que los usuarios establezcan su propio nombre de usuario remoto cuando se comparte. Se habilitaron canales, lo que permite a un usuario en un control remoto configurar su nombre de usuario remoto en una cadena arbitraria, que luego se sincronizaría con el servidor local siempre que el usuario no se hubiera sincronizado antes.
References () https://mattermost.com/security-updates - () https://mattermost.com/security-updates - Vendor Advisory
CPE cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
First Time Mattermost
Mattermost mattermost Server

01 Aug 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-01 15:15

Updated : 2024-09-04 17:34


NVD link : CVE-2024-39839

Mitre link : CVE-2024-39839

CVE.ORG link : CVE-2024-39839


JSON object : View

Products Affected

mattermost

  • mattermost_server
CWE
NVD-CWE-noinfo CWE-284

Improper Access Control