What is the severity of CVE-2024-39836?

CVE-2024-39836 is considered a high-severity vulnerability due to the potential exploitation involving unauthorized session creation and password resets.

How do I fix CVE-2024-39836?

To fix CVE-2024-39836, update your Mattermost installation to version 9.5.8, 9.8.3, 9.9.2, or 9.10.1 or later.

Which versions of Mattermost are affected by CVE-2024-39836?

Mattermost versions 9.9.x up to 9.9.1, 9.5.x up to 9.5.7, 9.10.x up to 9.10.0, and 9.8.x up to 9.8.2 are affected by CVE-2024-39836.

What type of vulnerability is CVE-2024-39836?

CVE-2024-39836 is classified as an access control vulnerability that allows unauthorized users to potentially create sessions and reset passwords.

How can I check if my Mattermost version is affected by CVE-2024-39836?

You can check if your Mattermost version is affected by comparing your current version against the listed vulnerable versions in CVE-2024-39836.

Vulnerability/
CVE-2024-39836

medium

6.5

CWE

693

22/8/2024

23/8/2024

CVE-2024-39836: Munged email address used for password resets and notifications

First published: Thu Aug 22 2024(Updated: )

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

Credit: responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com

Affected Software	Affected Version	How to fix
go/github.com/mattermost/mattermost/server/v8	>=9.8.0<9.8.3	9.8.3
go/github.com/mattermost/mattermost/server/v8	>=9.10.0<9.10.1	9.10.1
go/github.com/mattermost/mattermost/server/v8	>=9.5.0<9.5.8	9.5.8
go/github.com/mattermost/mattermost/server/v8	>=9.9.0<9.9.2	9.9.2
Mattermost	>=9.5.0<9.5.8
Mattermost	>=9.8.0<9.8.3
Mattermost	>=9.9.0<9.9.2
Mattermost	>=9.10.0<9.10.1

Remedy

Update Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher.

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-39836?
CVE-2024-39836 is considered a high-severity vulnerability due to the potential exploitation involving unauthorized session creation and password resets.
How do I fix CVE-2024-39836?
To fix CVE-2024-39836, update your Mattermost installation to version 9.5.8, 9.8.3, 9.9.2, or 9.10.1 or later.
Which versions of Mattermost are affected by CVE-2024-39836?
Mattermost versions 9.9.x up to 9.9.1, 9.5.x up to 9.5.7, 9.10.x up to 9.10.0, and 9.8.x up to 9.8.2 are affected by CVE-2024-39836.
What type of vulnerability is CVE-2024-39836?
CVE-2024-39836 is classified as an access control vulnerability that allows unauthorized users to potentially create sessions and reset passwords.
How can I check if my Mattermost version is affected by CVE-2024-39836?
You can check if your Mattermost version is affected by comparing your current version against the listed vulnerable versions in CVE-2024-39836.

agent/title
agent/weakness
agent/remedy
agent/type
agent/description
agent/first-publish-date
agent/severity
collector/github-advisory-latest
source/GitHub
alias/GHSA-c6vp-jjgv-38wj
alias/CVE-2024-39836
agent/software-canonical-lookup
agent/last-modified-date
agent/references
agent/softwarecombine
agent/event
agent/author
collector/mitre-cve
source/MITRE
collector/github-advisory
agent/trending
agent/source
agent/tags
collector/nvd-cve
source/NVD
agent/software-canonical-lookup-request
collector/nvd-api
package-manager/go
vendor/mattermost
canonical/mattermost
version/mattermost/9.5.0
version/mattermost/9.8.0
version/mattermost/9.9.0
version/mattermost/9.10.0