Mattermost — безопасная платформа для совместной работы, позволяющая объединить ваши команды, инструменты и процессы для ускорения критически важной работы.

Релизный цикл, информация об уязвимостях

Продукт: Mattermost

Вендор: Mattermost

График релизов

Недавние уязвимости Mattermost

Количество 239

CVE-2024-39777

около 1 года назад

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and ...

CVSS3: 8.7

EPSS: Низкий

CVE-2024-39274

около 1 года назад

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels

CVSS3: 8.7

EPSS: Низкий

CVE-2024-39274

около 1 года назад

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and ...

CVSS3: 8.7

EPSS: Низкий

CVE-2024-36492

около 1 года назад

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user.

CVSS3: 7.4

EPSS: Низкий

CVE-2024-36492

около 1 года назад

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9. ...

CVSS3: 7.4

EPSS: Низкий

CVE-2024-29977

около 1 года назад

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts

CVSS3: 2.7

EPSS: Низкий

CVE-2024-29977

около 1 года назад

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly va ...

CVSS3: 2.7

EPSS: Низкий

GHSA-rvp5-8mrw-f62x

около 1 года назад

Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such administrative actions against the user not working.

CVSS3: 5.3

EPSS: Низкий

GHSA-vmvm-jjvw-qwpw

около 1 года назад

Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison.

CVSS3: 8.1

EPSS: Низкий

GHSA-fc2h-j9fj-rh35

около 1 года назад

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels.

CVSS3: 3.1

EPSS: Низкий

Уязвимостей на страницу

Уязвимость	CVSS	EPSS	Опубликовано 1
CVE-2024-39777 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and ...	CVSS3: 8.7	0% Низкий	около 1 года назад
CVE-2024-39274 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels	CVSS3: 8.7	0% Низкий	около 1 года назад
CVE-2024-39274 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and ...	CVSS3: 8.7	0% Низкий	около 1 года назад
CVE-2024-36492 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user.	CVSS3: 7.4	0% Низкий	около 1 года назад
CVE-2024-36492 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9. ...	CVSS3: 7.4	0% Низкий	около 1 года назад
CVE-2024-29977 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts	CVSS3: 2.7	0% Низкий	около 1 года назад
CVE-2024-29977 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly va ...	CVSS3: 2.7	0% Низкий	около 1 года назад
GHSA-rvp5-8mrw-f62x Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such administrative actions against the user not working.	CVSS3: 5.3	0% Низкий	около 1 года назад
GHSA-vmvm-jjvw-qwpw Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison.	CVSS3: 8.1	0% Низкий	около 1 года назад
GHSA-fc2h-j9fj-rh35 Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels.	CVSS3: 3.1	0% Низкий	около 1 года назад

Уязвимостей на страницу