CVE-2024-39777

EUVD-2024-2628
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.7 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
MattermostCNA
8.7 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
Affected Products (NVD)
VendorProductVersion
mattermostmattermost
9.5.6 ≤
𝑥
≤ 9.5.6
mattermostmattermost
9.7.5 ≤
𝑥
≤ 9.7.5
mattermostmattermost
9.8.1 ≤
𝑥
≤ 9.8.1
mattermostmattermost
9.5.0 ≤
𝑥
< 9.5.7
mattermostmattermost
9.7.0 ≤
𝑥
< 9.7.6
mattermostmattermost
9.8.0 ≤
𝑥
< 9.8.2
mattermostmattermost
9.9.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates