CVE-2024-39777

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-39777

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39777.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-39777

Aliases

Published

2024-08-01T15:15:12.370Z

Modified

2026-04-10T05:14:37.865731Z

Severity

9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type

GIT

Repo

https://github.com/mattermost/mattermost-server

Events

Introduced

99d819d25d0b16b3faed901b1fe5c41de7655e9c

Fixed

55b24d27c857936c742992b6e3ca94bb2c5c3dac

Introduced

7a9257d35b66fc46a7ac682dc6b720857c630ee9

Fixed

d45148a45866f35884cf8c2bb1c2feab9c61c2df

Introduced

015002180e109f0384c511a01dede846c549ce35

Fixed

33db68643e85d71af769f4bb1c788a085a92ed8c

Introduced

Last affected

4179e17b491ec5292ca6e157d7b216b464bce397

Database specific

{
    "versions": [
        {
            "introduced": "9.5.0"
        },
        {
            "fixed": "9.5.7"
        },
        {
            "introduced": "9.7.0"
        },
        {
            "fixed": "9.7.6"
        },
        {
            "introduced": "9.8.0"
        },
        {
            "fixed": "9.8.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.9.0"
        }
    ]
}

Affected versions

@mattermost/client@9.*

@mattermost/client@9.5.0

@mattermost/client@9.7.0

@mattermost/client@9.8.0

@mattermost/client@9.9.0

@mattermost/types@9.*

@mattermost/types@9.5.0

@mattermost/types@9.7.0

@mattermost/types@9.8.0

@mattermost/types@9.9.0

Other

cloud-2022-07-20-1

cloud-2022-08-10-1

cloud-2022-09-08-1

cloud-2022-10-06-1

cloud-2022-11-11-1

cloud-2022-11-24-1

server/public/v0.*

server/public/v0.0.10

server/public/v0.0.11

server/public/v0.0.12

server/public/v0.0.13

server/public/v0.0.14

server/public/v0.0.15

server/public/v0.0.16

server/public/v0.0.17

server/public/v0.0.18

server/public/v0.0.5

server/public/v0.0.6

server/public/v0.0.7

server/public/v0.0.8

server/public/v0.0.9

server/public/v0.1.0

server/public/v0.1.1

v0.*

v0.5.0

v4.*

v4.10.0-rc1

v4.2.0-rc1

v4.3.0-rc1

v4.4.0-rc1

v4.5.0-rc1

v4.6.0-rc1

v4.6.0-rc2

v4.7.0-rc1

v4.8.0-rc1

v4.9.0-rc1

v5.*

v5.0.0-rc1

v5.1.0-rc1

v5.2.0-rc1

v5.2.0-rc2

v9.*

v9.5.0

v9.5.0-rc3

v9.5.1

v9.5.1-rc1

v9.5.2

v9.5.3

v9.5.3-rc1

v9.5.3-rc2

v9.5.3-rc3

v9.5.4

v9.5.4-rc1

v9.5.4-rc2

v9.5.5

v9.5.5-rc1

v9.5.6

v9.5.6-rc1

v9.5.6-rc2

v9.5.7-rc1

v9.5.7-rc2

v9.7.0

v9.7.0-rc3

v9.7.1

v9.7.2

v9.7.2-rc1

v9.7.3

v9.7.4

v9.7.4-rc1

v9.7.5

v9.7.5-rc1

v9.7.5-rc2

v9.7.6-rc1

v9.7.6-rc2

v9.7.6-rc3

v9.8.0

v9.8.0-rc4

v9.8.1

v9.8.1-rc1

v9.8.1-rc2

v9.8.2-rc1

v9.8.2-rc2

v9.8.2-rc3

v9.9.0

v9.9.0-rc1

v9.9.0-rc2

v9.9.0-rc3

v9.9.0-rc4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39777.json"