Lucene search

GitHub Advisory DatabaseGHSA-CMC8-222C-VQP9

HistoryAug 01, 2024 - 3:32 p.m.

Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel

2024-08-0115:32:21

CWE-284

GitHub Advisory Database

github.com

mattermost

validation

shared channel

security

software

remote

teams

channels

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

16.8%

JSON

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels

Affected configurations

Vulners

Node

mattermostmattermostMatch9.9.0

mattermostmattermostRange9.8.0–9.8.2

mattermostmattermostRange9.7.0–9.7.6

mattermostmattermostRange9.5.0–9.5.7

VendorProductVersionCPE
mattermostmattermost9.9.0cpe:2.3:a:mattermost:mattermost:9.9.0:*:*:*:*:*:*:*
mattermostmattermost*cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mattermost	mattermost	9.9.0	cpe:2.3:a:mattermost:mattermost:9.9.0:::::::*
mattermost	mattermost	*	cpe:2.3:a:mattermost:mattermost::::::::

References

github.com/advisories/GHSA-cmc8-222c-vqp9

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-39274

pkg.go.dev/vuln/GO-2024-3028

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

16.8%

JSON

Related for GHSA-CMC8-222C-VQP9