4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39839

GHSA ID

GHSA-vg6q-84p8-qvqh

EPSS Score

0.29967%

CWE

CWE-284

Published

8/1/2024

Updated

8/7/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39839

CVE-2024-39839: Mattermost allows a user on a remote to set their remote username prop to an arbitrary string

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39839

GHSA ID

GHSA-vg6q-84p8-qvqh

EPSS Score

0.29967%

CWE

CWE-284

Published

8/1/2024

Updated

8/7/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost/server/v8	go	>= 9.5.0, < 9.5.7	9.5.7
github.com/mattermost/mattermost/server/v8	go	>= 9.7.0, < 9.7.6	9.7.6
github.com/mattermost/mattermost/server/v8	go	>= 9.8.0, < 9.8.2	9.8.2
github.com/mattermost/mattermost/server/v8	go	= 9.9.0	9.9.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper access control during user synchronization in shared channels. Key functions would be those handling: 1) User data synchronization between clusters, and 2) Processing of remote user updates. The first vulnerable function likely fails to enforce username modification permissions during sync operations, while the second may accept unvalidated remote user properties. These functions would exist in user management and shared channel service components, consistent with Mattermost's architecture. Confidence is medium due to lack of direct code access, but aligns with CWE-284 and described attack patterns in distributed systems.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M*tt*rmost v*rsions *.*.x <= *.*.*, *.*.x <= *.*.*, *.*.x <= *.*.*, *.*.x <= *.*.* **il to *is*llow us*rs to s*t t**ir own r*mot* us*rn*m*, w**n s**r** ***nn*ls w*r* *n**l**, w*i** *llows * us*r on * r*mot* to s*t t**ir r*mot* us*rn*m* prop to *n *r*

Reasoning

T** vuln*r**ility st*ms *rom improp*r ****ss *ontrol *urin* us*r syn**roniz*tion in s**r** ***nn*ls. K*y *un*tions woul* ** t*os* **n*lin*: *) Us*r **t* syn**roniz*tion **tw**n *lust*rs, *n* *) Pro**ssin* o* r*mot* us*r up**t*s. T** *irst vuln*r**l*

4.3

Basic Information

Concerned about an active attack path?

CVE-2024-39839: Mattermost allows a user on a remote to set their remote username prop to an arbitrary string

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI