CVE-2024-6428

Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such administrative actions against the user not working.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MattermostCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
VendorProductVersion
mattermostmattermost
9.5.0 ≤
𝑥
< 9.5.6
mattermostmattermost
9.6.0 ≤
𝑥
< 9.6.3
mattermostmattermost
9.7.0 ≤
𝑥
< 9.7.5
mattermostmattermost
9.8.0 ≤
𝑥
< 9.8.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates
https://mattermost.com/security-updates