VYPR
Critical severityNVD Advisory· Published Aug 1, 2024· Updated Aug 1, 2024

Malicious remote can invite itself to an arbitrary local channel

CVE-2024-39777

Description

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/mattermost/mattermost/server/v8Go
>= 9.9.0, < 9.9.19.9.1
github.com/mattermost/mattermost/server/v8Go
>= 9.5.0, < 9.5.79.5.7
github.com/mattermost/mattermost/server/v8Go
>= 9.7.0, < 9.7.69.7.6
github.com/mattermost/mattermost/server/v8Go
>= 9.8.0, < 9.8.19.8.1

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.