CVE-2024-41926

Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and to allow only the correct remote IDs, which lets a malicious remote set arbitrary RemoteId values for synced users and therefore claim that a user was synced from a different remote.
References

Link                                       Resource
https://mattermost.com/security-updates    Vendor Advisory
Configurations

Configuration 1

OR cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:*

History

04 Sep 2024, 16:55

Type         Values Removed                                   Values Added
First Time                                                    Mattermost
                                                              Mattermost mattermost Server
CVSS         v2 : unknown                                     v2 : unknown
             v3 : 2.7                                         v3 : 4.3
References   () https://mattermost.com/security-updates -     () https://mattermost.com/security-updates - Vendor Advisory
CWE                                                           CWE-346
CPE                                                           cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:*
                                                              cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Summary
  • (es) Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 do not validate the origin of synchronization messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synchronized users and therefore claim that a user was synchronized from another remote.

01 Aug 2024, 15:15

Type         Values Removed                                   Values Added
New CVE

Information

Published : 2024-08-01 15:15

Updated : 2024-09-04 16:55
NVD link : CVE-2024-41926

Mitre link : CVE-2024-41926

CVE.ORG link : CVE-2024-41926
Products Affected

mattermost

  • mattermost_server
CWE
CWE-346

Origin Validation Error

CWE-284

Improper Access Control