Lucene search

MattermostVULNRICHMENT:CVE-2024-39836

HistoryAug 22, 2024 - 6:27 a.m.

CVE-2024-39836 Munged email address used for password resets and notifications

2024-08-2206:27:09

CWE-693

Mattermost

github.com

cve-2024-39836

munged email address

password resets

notifications

mattermost versions

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

17.7%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

References

mattermost.com/security-updates

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

17.7%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-39836