CVE-2024-36257 - Vulnerability Details - OpenCVE

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mattermost	Mattermost

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost::::::::
	cpe:2.3:a:mattermost:mattermost:9.8.0:::::::*

No data.

References

Link	Providers
https://mattermost.com/security-updates

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-07-03T08:29:10.457Z

Updated: 2024-08-02T03:37:03.658Z

Reserved: 2024-07-01T10:22:11.588Z

Link: CVE-2024-36257

Vulnrichment

Updated: 2024-08-02T03:37:03.658Z

NVD

Status : Modified

Published: 2024-07-03T09:15:06.247

Modified: 2024-11-21T09:21:56.843

Link: CVE-2024-36257

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36257", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-07-01T10:22:11.588Z", "datePublished": "2024-07-03T08:29:10.457Z", "dateUpdated": "2024-08-02T03:37:03.658Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"status": "affected", "version": "9.8.0"}, {"lessThanOrEqual": "9.5.5", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"status": "unaffected", "version": "9.9.0"}, {"status": "unaffected", "version": "9.8.1"}, {"status": "unaffected", "version": "9.5.6"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Juho Fors\u00e9n"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, <span style=\"background-color: rgb(255, 255, 255);\">when using shared channels with multiple remote servers connected,</span> fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one <span style=\"background-color: rgb(255, 255, 255);\">.</span> This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. </p>"}], "value": "Mattermost versions 9.5.x <= 9.5.5 and 9.8.0,\u00a0when using shared channels with multiple remote servers connected,\u00a0fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one .\u00a0This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-07-03T08:29:10.457Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost to versions 9.9.0, 9.8.1, 9.5.6 or higher.</p>"}], "value": "Update Mattermost to versions 9.9.0, 9.8.1, 9.5.6 or higher."}], "source": {"advisory": "MMSA-2024-00327", "defect": ["https://mattermost.atlassian.net/browse/MM-57859"], "discovery": "EXTERNAL"}, "title": "Lack of permission check when updating the profile picture of a remote user (shared channels enabled)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "mattermost", "product": "mattermost", "cpes": ["cpe:2.3:a:mattermost:mattermost:9.5.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "9.5.0", "status": "affected", "lessThanOrEqual": "9.5.5", "versionType": "custom"}]}, {"vendor": "mattermost", "product": "mattermost", "cpes": ["cpe:2.3:a:mattermost:mattermost:9.8.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "9.8.0", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T13:14:03.579159Z", "id": "CVE-2024-36257", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T13:37:07.512Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:37:03.658Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:37:03.658Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36257", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T13:14:03.579159Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mattermost:mattermost:9.5.0:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.5.0", "versionType": "custom", "lessThanOrEqual": "9.5.5"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:9.8.0:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.8.0"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T13:31:19.914Z"}}], "cna": {"title": "Lack of permission check when updating the profile picture of a remote user (shared channels enabled)", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-57859"], "advisory": "MMSA-2024-00327", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Juho Fors\u00e9n"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "9.8.0"}, {"status": "affected", "version": "9.5.0", "versionType": "semver", "lessThanOrEqual": "9.5.5"}, {"status": "unaffected", "version": "9.9.0"}, {"status": "unaffected", "version": "9.8.1"}, {"status": "unaffected", "version": "9.5.6"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 9.9.0, 9.8.1, 9.5.6 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost to versions 9.9.0, 9.8.1, 9.5.6 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 9.5.x <= 9.5.5 and 9.8.0,\u00a0when using shared channels with multiple remote servers connected,\u00a0fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one .\u00a0This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A.", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, <span style=\"background-color: rgb(255, 255, 255);\">when using shared channels with multiple remote servers connected,</span> fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one <span style=\"background-color: rgb(255, 255, 255);\">.</span> This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. </p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-07-03T08:29:10.457Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36257", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:37:03.658Z", "dateReserved": "2024-07-01T10:22:11.588Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-07-03T08:29:10.457Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*", "matchCriteriaId": "D07BE1B5-9663-4112-9F58-A4BAD0BEC92F", "versionEndExcluding": "9.5.6", "versionStartIncluding": "9.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:9.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "5A6B8170-2CB1-4691-B1DD-BCD0F46A0A44", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mattermost versions 9.5.x <= 9.5.5 and 9.8.0,\u00a0when using shared channels with multiple remote servers connected,\u00a0fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one .\u00a0This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A."}, {"lang": "es", "value": "Las versiones 9.5.x <= 9.5.5 y 9.8.0 de Mattermost, cuando se utilizan canales compartidos con varios servidores remotos conectados, no verifican que el servidor remoto A que solicita al servidor B que actualice la imagen de perfil de un usuario sea el remoto que realmente tiene el usuario como local. Esto permite que un control remoto malicioso A cambie las im\u00e1genes de perfil de los usuarios que pertenecen a otro servidor remoto C que est\u00e1 conectado al servidor A."}], "id": "CVE-2024-36257", "lastModified": "2024-11-21T09:21:56.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-03T09:15:06.247", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}