CVE-2024-39777

Summary

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.9.0affected
MattermostMattermost9.5.0 <= 9.5.6affected
MattermostMattermost9.7.0 <= 9.7.5affected
MattermostMattermost9.8.0 <= 9.8.1affected
MattermostMattermost9.10.0unaffected
MattermostMattermost9.9.1unaffected
MattermostMattermost9.5.7unaffected
MattermostMattermost9.7.6unaffected
MattermostMattermost9.8.2unaffected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References