Lucene search

GitHub Advisory DatabaseGHSA-Q22Q-2RRF-M27P

HistoryAug 01, 2024 - 3:32 p.m.

Mattermost allows unsolicited invites to expose access to local channels

2024-08-0115:32:23

CWE-284

GitHub Advisory Database

github.com

mattermost

unsolicited invites

local channels

security vulnerability

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

20.1%

JSON

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.

Affected configurations

Vulners

Node

mattermostmattermostRange9.8.0–9.8.1

mattermostmattermostRange9.7.0–9.7.6

mattermostmattermostRange9.5.0–9.5.7

mattermostmattermostRange9.9.0–9.9.1

VendorProductVersionCPE
mattermostmattermost*cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mattermost	mattermost	*	cpe:2.3:a:mattermost:mattermost::::::::

References

github.com/advisories/GHSA-q22q-2rrf-m27p

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-39777

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

20.1%

JSON

Related for GHSA-Q22Q-2RRF-M27P