CVE-2024-39839

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-39839

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39839.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-39839

Aliases

Published

2024-08-01T15:15:12.993Z

Modified

2026-04-10T05:14:39.675893Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type

GIT

Repo

https://github.com/mattermost/mattermost-server

Events

Introduced

99d819d25d0b16b3faed901b1fe5c41de7655e9c

Fixed

55b24d27c857936c742992b6e3ca94bb2c5c3dac

Introduced

7a9257d35b66fc46a7ac682dc6b720857c630ee9

Fixed

d45148a45866f35884cf8c2bb1c2feab9c61c2df

Introduced

015002180e109f0384c511a01dede846c549ce35

Fixed

33db68643e85d71af769f4bb1c788a085a92ed8c

Introduced

Last affected

4179e17b491ec5292ca6e157d7b216b464bce397

Database specific

{
    "versions": [
        {
            "introduced": "9.5.0"
        },
        {
            "fixed": "9.5.7"
        },
        {
            "introduced": "9.7.0"
        },
        {
            "fixed": "9.7.6"
        },
        {
            "introduced": "9.8.0"
        },
        {
            "fixed": "9.8.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.9.0"
        }
    ]
}

Affected versions

@mattermost/client@9.*

@mattermost/client@9.5.0

@mattermost/client@9.7.0

@mattermost/client@9.8.0

@mattermost/client@9.9.0

@mattermost/types@9.*

@mattermost/types@9.5.0

@mattermost/types@9.7.0

@mattermost/types@9.8.0

@mattermost/types@9.9.0

Other

cloud-2022-07-20-1

cloud-2022-08-10-1

cloud-2022-09-08-1

cloud-2022-10-06-1

cloud-2022-11-11-1

cloud-2022-11-24-1

server/public/v0.*

server/public/v0.0.10

server/public/v0.0.11

server/public/v0.0.12

server/public/v0.0.13

server/public/v0.0.14

server/public/v0.0.15

server/public/v0.0.16

server/public/v0.0.17

server/public/v0.0.18

server/public/v0.0.5

server/public/v0.0.6

server/public/v0.0.7

server/public/v0.0.8

server/public/v0.0.9

server/public/v0.1.0

server/public/v0.1.1

v0.*

v0.5.0

v4.*

v4.10.0-rc1

v4.2.0-rc1

v4.3.0-rc1

v4.4.0-rc1

v4.5.0-rc1

v4.6.0-rc1

v4.6.0-rc2

v4.7.0-rc1

v4.8.0-rc1

v4.9.0-rc1

v5.*

v5.0.0-rc1

v5.1.0-rc1

v5.2.0-rc1

v5.2.0-rc2

v9.*

v9.5.0

v9.5.0-rc3

v9.5.1

v9.5.1-rc1

v9.5.2

v9.5.3

v9.5.3-rc1

v9.5.3-rc2

v9.5.3-rc3

v9.5.4

v9.5.4-rc1

v9.5.4-rc2

v9.5.5

v9.5.5-rc1

v9.5.6

v9.5.6-rc1

v9.5.6-rc2

v9.5.7-rc1

v9.5.7-rc2

v9.7.0

v9.7.0-rc3

v9.7.1

v9.7.2

v9.7.2-rc1

v9.7.3

v9.7.4

v9.7.4-rc1

v9.7.5

v9.7.5-rc1

v9.7.5-rc2

v9.7.6-rc1

v9.7.6-rc2

v9.7.6-rc3

v9.8.0

v9.8.0-rc4

v9.8.1

v9.8.1-rc1

v9.8.1-rc2

v9.8.2-rc1

v9.8.2-rc2

v9.8.2-rc3

v9.9.0

v9.9.0-rc1

v9.9.0-rc2

v9.9.0-rc3

v9.9.0-rc4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39839.json"