Lucene search

GitHub Advisory DatabaseGHSA-WJ4J-QC2M-FGH7

HistorySep 16, 2024 - 2:37 p.m.

Mattermost Desktop App Uncontrolled Search Path Vulnerability

2024-09-1614:37:28

CWE-427

GitHub Advisory Database

github.com

mattermost

desktop app

uncontrolled

search path

vulnerability

software

remote code execution

local attacker

absolute path.

CVSS3

5.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

7.6

Confidence

High

EPSS

Percentile

9.6%

JSON

Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of a user’s machine to cause remote code execution on that machine.

Affected configurations

Vulners

Node

mattermostmattermost_desktopRange<5.9.0

VendorProductVersionCPE
mattermostmattermost_desktop*cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mattermost	mattermost_desktop	*	cpe:2.3:a:mattermost:mattermost_desktop::::::::

References

docs.mattermost.com/about/desktop-app-changelog.html

github.com/advisories/GHSA-wj4j-qc2m-fgh7

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-39613