Bitnami package
mattermost
pkg:bitnami/mattermost
Vulnerabilities (104)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-41162 | — | >= 9.5.0, < 9.5.7 | 9.5.7 | Aug 1, 2024 | Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only. | ||
| CVE-2024-41144 | — | >= 9.5.0, < 9.5.7 | 9.5.7 | Aug 1, 2024 | Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels | ||
| CVE-2024-39839 | — | >= 9.5.0, < 9.5.7 | 9.5.7 | Aug 1, 2024 | Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be | ||
| CVE-2024-39837 | — | >= 9.5.0, < 9.5.7 | 9.5.7 | Aug 1, 2024 | Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled. | ||
| CVE-2024-2447 | — | >= 8.1.0, < 8.1.11 | 8.1.11 | Apr 5, 2024 | Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action. | ||
| CVE-2024-29221 | — | >= 8.1.0, < 8.1.11 | 8.1.11 | Apr 5, 2024 | Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them | ||
| CVE-2024-28949 | — | >= 8.1.0, < 8.1.11 | 8.1.11 | Apr 5, 2024 | Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service. | ||
| CVE-2024-21848 | — | >= 8.1.0, < 8.1.11 | 8.1.11 | Apr 5, 2024 | Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel | ||
| CVE-2024-2445 | — | >= 8.1.0, < 8.1.10 | 8.1.10 | Mar 15, 2024 | Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripti | ||
| CVE-2024-2450 | — | >= 8.1.0, < 8.1.10 | 8.1.10 | Mar 15, 2024 | Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted s | ||
| CVE-2024-2446 | — | >= 8.1.0, < 8.1.10 | 8.1.10 | Mar 15, 2024 | Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages. | ||
| CVE-2024-28053 | — | >= 8.1.0, < 8.1.10 | 8.1.10 | Mar 15, 2024 | Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server. | ||
| CVE-2024-1953 | — | >= 8.1.0, < 8.1.9 | 8.1.9 | Feb 29, 2024 | Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP reques | ||
| CVE-2024-1952 | — | >= 8.1.0, < 8.1.9 | 8.1.9 | Feb 29, 2024 | Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of. | ||
| CVE-2024-1949 | — | >= 8.1.0, < 8.1.9 | 8.1.9 | Feb 29, 2024 | A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts. | ||
| CVE-2024-1942 | — | >= 8.1.0, < 8.1.9 | 8.1.9 | Feb 29, 2024 | Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of. | ||
| CVE-2024-24988 | — | < 8.1.8 | 8.1.8 | Feb 29, 2024 | Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server. | ||
| CVE-2024-23493 | — | < 8.1.9 | 8.1.9 | Feb 29, 2024 | Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of. | ||
| CVE-2024-1402 | — | < 9.6.1 | 9.6.1 | Feb 9, 2024 | Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seein | ||
| CVE-2024-24776 | — | < 9.6.1 | 9.6.1 | Feb 9, 2024 | Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions. |
- CVE-2024-41162Aug 1, 2024affected >= 9.5.0, < 9.5.7fixed 9.5.7
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only.
- CVE-2024-41144Aug 1, 2024affected >= 9.5.0, < 9.5.7fixed 9.5.7
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels
- CVE-2024-39839Aug 1, 2024affected >= 9.5.0, < 9.5.7fixed 9.5.7
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be
- CVE-2024-39837Aug 1, 2024affected >= 9.5.0, < 9.5.7fixed 9.5.7
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.
- CVE-2024-2447Apr 5, 2024affected >= 8.1.0, < 8.1.11fixed 8.1.11
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.
- CVE-2024-29221Apr 5, 2024affected >= 8.1.0, < 8.1.11fixed 8.1.11
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them
- CVE-2024-28949Apr 5, 2024affected >= 8.1.0, < 8.1.11fixed 8.1.11
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.
- CVE-2024-21848Apr 5, 2024affected >= 8.1.0, < 8.1.11fixed 8.1.11
Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel
- CVE-2024-2445Mar 15, 2024affected >= 8.1.0, < 8.1.10fixed 8.1.10
Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripti
- CVE-2024-2450Mar 15, 2024affected >= 8.1.0, < 8.1.10fixed 8.1.10
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted s
- CVE-2024-2446Mar 15, 2024affected >= 8.1.0, < 8.1.10fixed 8.1.10
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.
- CVE-2024-28053Mar 15, 2024affected >= 8.1.0, < 8.1.10fixed 8.1.10
Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.
- CVE-2024-1953Feb 29, 2024affected >= 8.1.0, < 8.1.9fixed 8.1.9
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP reques
- CVE-2024-1952Feb 29, 2024affected >= 8.1.0, < 8.1.9fixed 8.1.9
Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of.
- CVE-2024-1949Feb 29, 2024affected >= 8.1.0, < 8.1.9fixed 8.1.9
A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.
- CVE-2024-1942Feb 29, 2024affected >= 8.1.0, < 8.1.9fixed 8.1.9
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.
- CVE-2024-24988Feb 29, 2024affected < 8.1.8fixed 8.1.8
Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.
- CVE-2024-23493Feb 29, 2024affected < 8.1.9fixed 8.1.9
Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of.
- CVE-2024-1402Feb 9, 2024affected < 9.6.1fixed 9.6.1
Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seein
- CVE-2024-24776Feb 9, 2024affected < 9.6.1fixed 9.6.1
Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions.
Page 2 of 6