CVE-2024-39777

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallowunsolicited invites to expose access to local channels, when shared channels are enabled,which allows a maliciousremote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.7 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
MattermostCNA
8.7 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
VendorProductVersion
mattermostmattermost
9.5.6 ≤
𝑥
≤ 9.5.6
mattermostmattermost
9.7.5 ≤
𝑥
≤ 9.7.5
mattermostmattermost
9.8.1 ≤
𝑥
≤ 9.8.1
mattermostmattermost
9.5.0 ≤
𝑥
< 9.5.7
mattermostmattermost
9.7.0 ≤
𝑥
< 9.7.6
mattermostmattermost
9.8.0 ≤
𝑥
< 9.8.2
mattermostmattermost
9.9.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates