CVE-2024-39777

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-39777

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39777.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-39777

Aliases

Published

2024-08-01T15:15:12.370Z

Modified

2026-03-12T06:13:36.922951Z

Severity

9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type

GIT

Repo

https://github.com/mattermost/mattermost-server

Events

Introduced

99d819d25d0b16b3faed901b1fe5c41de7655e9c

Fixed

55b24d27c857936c742992b6e3ca94bb2c5c3dac

Introduced

7a9257d35b66fc46a7ac682dc6b720857c630ee9

Fixed

d45148a45866f35884cf8c2bb1c2feab9c61c2df

Introduced

015002180e109f0384c511a01dede846c549ce35

Fixed

33db68643e85d71af769f4bb1c788a085a92ed8c

Introduced

Last affected

4179e17b491ec5292ca6e157d7b216b464bce397

Database specific

{
    "versions": [
        {
            "introduced": "9.5.0"
        },
        {
            "fixed": "9.5.7"
        },
        {
            "introduced": "9.7.0"
        },
        {
            "fixed": "9.7.6"
        },
        {
            "introduced": "9.8.0"
        },
        {
            "fixed": "9.8.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.9.0"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39777.json"