Headline
GHSA-vg6q-84p8-qvqh: Mattermost allows a user on a remote to set their remote username prop to an arbitrary string
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn’t been synced before.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-39839
Mattermost allows a user on a remote to set their remote username prop to an arbitrary string
Moderate severity GitHub Reviewed Published Aug 1, 2024 to the GitHub Advisory Database • Updated Aug 2, 2024
Package
gomod github.com/mattermost/mattermost/server/v8 (Go)
Affected versions
>= 9.5.0, < 9.5.7
>= 9.7.0, < 9.7.6
>= 9.8.0, < 9.8.2
= 9.9.0
Patched versions
9.5.7
9.7.6
9.8.2
9.9.1
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn’t been synced before.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-39839
- https://mattermost.com/security-updates
Published to the GitHub Advisory Database
Aug 1, 2024