Mattermost allows a user on a remote to set their remote username prop to an arbitrary string

GHSA-vg6q-84p8-qvqh · BIT-mattermost-2024-39839 · CVE-2024-39839 · GO-2024-3024

Published Aug 1, 2024 · Modified Sep 5, 2024

Description

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-39839
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates
WEB https://pkg.go.dev/vuln/GO-2024-3024

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes