Lucene search

MattermostCVE-2024-39613

HistorySep 16, 2024 - 7:15 a.m.

CVE-2024-39613

2024-09-1607:15:02

CWE-427

Mattermost

web.nvd.nist.gov

mattermost

desktop app

vulnerability

local attacker

remote code execution

CVSS3

5.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

5.9

Confidence

High

EPSS

Percentile

9.6%

JSON

Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of a user’s machine to cause remote code execution on that machine.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows"
    ],
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "5.8.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "5.9.0"
      }
    ]
  }
]

References

mattermost.com/security-updates