cve-2024-39836
Vulnerability from cvelistv5
Published
2024-08-22 06:27
Modified
2024-08-22 16:39
Severity ?
EPSS score ?
Summary
Munged email address used for password resets and notifications
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Mattermost | Mattermost |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39836",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T16:39:11.770507Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T16:39:21.881Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.9.1",
"status": "affected",
"version": "9.9.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.5.7",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "9.10.0"
},
{
"lessThanOrEqual": "9.8.2",
"status": "affected",
"version": "9.8.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.11.0"
},
{
"status": "unaffected",
"version": "9.9.2"
},
{
"status": "unaffected",
"version": "9.5.8"
},
{
"status": "unaffected",
"version": "9.10.1"
},
{
"status": "unaffected",
"version": "9.8.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0 and 9.8.x \u0026lt;= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003ethe munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;they are valid, functional emails.\u003c/span\u003e\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0 and 9.8.x \u003c= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows\u00a0the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when\u00a0they are valid, functional emails."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T06:27:09.829Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00339",
"defect": [
"https://mattermost.atlassian.net/browse/MM-58244"
],
"discovery": "INTERNAL"
},
"title": "Munged email address used for password resets and notifications",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-39836",
"datePublished": "2024-08-22T06:27:09.829Z",
"dateReserved": "2024-08-20T16:09:35.902Z",
"dateUpdated": "2024-08-22T16:39:21.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-39836\",\"sourceIdentifier\":\"responsibledisclosure@mattermost.com\",\"published\":\"2024-08-22T07:15:03.960\",\"lastModified\":\"2024-08-23T16:16:18.757\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0 and 9.8.x \u003c= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows\u00a0the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when\u00a0they are valid, functional emails.\"},{\"lang\":\"es\",\"value\":\"Las versiones de Mattermost 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0 y 9.8.x \u0026lt;= 9.8.2 no garantizan que los usuarios remotos/sint\u00e9ticos no puedan crear sesiones ni restablecer contrase\u00f1as, que permite que las direcciones de correo electr\u00f3nico eliminadas, creadas por canales compartidos, se utilicen para recibir notificaciones por correo electr\u00f3nico y restablecer contrase\u00f1as, cuando sean correos electr\u00f3nicos v\u00e1lidos y funcionales.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5},{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.2,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]},{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-693\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.5.0\",\"versionEndExcluding\":\"9.5.8\",\"matchCriteriaId\":\"7FEEA8D7-745A-49FF-8B01-CA0D1D820D48\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.8.0\",\"versionEndExcluding\":\"9.8.3\",\"matchCriteriaId\":\"9B9B4EAB-A618-4823-BECD-0BFD3D76A9D2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.9.0\",\"versionEndExcluding\":\"9.9.2\",\"matchCriteriaId\":\"A445A478-E185-49DF-8CDC-F42BBF8577D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.10.0\",\"versionEndExcluding\":\"9.10.1\",\"matchCriteriaId\":\"0CA40F21-914D-4891-A578-02E6F35FE249\"}]}]}],\"references\":[{\"url\":\"https://mattermost.com/security-updates\",\"source\":\"responsibledisclosure@mattermost.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.