Описание
Mattermost allows remote actor to set arbitrary RemoteId values for synced users
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.
Пакеты
github.com/mattermost/mattermost/server/v8
>= 9.5.0, < 9.5.7
9.5.7
github.com/mattermost/mattermost/server/v8
= 9.9.0
9.9.1
github.com/mattermost/mattermost/server/v8
< 8.0.0-20240604093018-5114c3b7cdb8
8.0.0-20240604093018-5114c3b7cdb8
github.com/mattermost/mattermost
< 5.3.2-0.20240604093018-5114c3b7cdb8
5.3.2-0.20240604093018-5114c3b7cdb8
EPSS
5.1 Medium
CVSS4
2.7 Low
CVSS3
CVE ID
Дефекты
Связанные уязвимости
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate ...
EPSS
5.1 Medium
CVSS4
2.7 Low
CVSS3