BIT-mattermost-2024-39839

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/mattermost/BIT-mattermost-2024-39839.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-mattermost-2024-39839

Aliases

Published

2024-09-05T19:14:36.339Z

Modified

2024-09-05T20:11:49.600165Z

Summary

[none]

Details

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.

Database specific

{
    "cpes": [
        "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

https://mattermost.com/security-updates

Affected packages

Bitnami / mattermost

Package

Name: mattermost
Purl: pkg:bitnami/mattermost

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

9.5.0

Fixed

9.5.7

Introduced

9.7.0

Fixed

9.7.6

Introduced

9.8.0

Fixed

9.8.2

Type: SEMVER
Events: Introduced

9.9.0

Last affected

9.9.0