GHSA-q22q-2rrf-m27p

Source

https://github.com/advisories/GHSA-q22q-2rrf-m27p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-q22q-2rrf-m27p/GHSA-q22q-2rrf-m27p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q22q-2rrf-m27p

Aliases

Published

2024-08-01T15:32:23Z

Modified

2024-11-18T16:26:58Z

Severity

8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N CVSS Calculator

Summary

Mattermost allows unsolicited invites to expose access to local channels

Details

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.

Database specific

{
    "nvd_published_at": "2024-08-01T15:15:12Z",
    "severity": "CRITICAL",
    "github_reviewed_at": "2024-08-23T18:51:05Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-284"
    ]
}

References

Affected packages

Go

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

9.9.0

Fixed

9.9.1

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

9.5.0

Fixed

9.5.7

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

9.7.0

Fixed

9.7.6

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

9.8.0

Fixed

9.8.1