CVE-2024-39839

Summary

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.9.0affected
MattermostMattermost9.5.0 <= 9.5.6affected
MattermostMattermost9.7.0 <= 9.7.5affected
MattermostMattermost9.8.0 <= 9.8.1affected
MattermostMattermost9.10.0unaffected
MattermostMattermost9.9.1unaffected
MattermostMattermost9.5.7unaffected
MattermostMattermost9.7.6unaffected
MattermostMattermost9.8.2unaffected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References