CVE-2024-10214 - OpenCVE

Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mattermost	Mattermost

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost::::::::
	cpe:2.3:a:mattermost:mattermost::::::::

No data.

References

Link	Providers
https://mattermost.com/security-updates

History

Tue, 05 Nov 2024 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:mattermost:mattermost::::::::
Vendors & Products		Mattermost Mattermost mattermost

Mon, 28 Oct 2024 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 28 Oct 2024 14:30:00 +0000

Type	Values Removed	Values Added
Description		Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.
Title		Incorrect Session Creation with Desktop SSO
Weaknesses		CWE-303
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-10-28T14:12:37.346Z

Updated: 2024-10-28T14:55:50.766Z

Reserved: 2024-10-21T15:43:29.795Z

Link: CVE-2024-10214

Vulnrichment

Updated: 2024-10-28T14:55:46.429Z

NVD

Status : Analyzed

Published: 2024-10-28T15:15:04.020

Modified: 2024-11-05T17:03:22.953

Link: CVE-2024-10214

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-10214", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-10-21T15:43:29.795Z", "datePublished": "2024-10-28T14:12:37.346Z", "dateUpdated": "2024-10-28T14:55:50.766Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "9.11.1", "status": "affected", "version": "9.11.0", "versionType": "semver"}, {"lessThanOrEqual": "9.5.9", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"status": "unaffected", "version": "10.0.0"}, {"status": "unaffected", "version": "9.11.2"}, {"status": "unaffected", "version": "9.5.10"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ben Cooke"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.<br></p>"}], "value": "Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-10-28T14:12:37.346Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost to versions 10.0.0, 9.11.2, 9.5.10 or higher.</p>"}], "value": "Update Mattermost to versions 10.0.0, 9.11.2, 9.5.10 or higher."}], "source": {"advisory": "MMSA-2024-00363", "defect": ["https://mattermost.atlassian.net/browse/MM-59034"], "discovery": "INTERNAL"}, "title": "Incorrect Session Creation with Desktop SSO", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-28T14:55:40.968981Z", "id": "CVE-2024-10214", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T14:55:50.766Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-10214", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-28T14:55:40.968981Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T14:55:46.429Z"}}], "cna": {"title": "Incorrect Session Creation with Desktop SSO", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-59034"], "advisory": "MMSA-2024-00363", "discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Ben Cooke"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "9.11.0", "versionType": "semver", "lessThanOrEqual": "9.11.1"}, {"status": "affected", "version": "9.5.0", "versionType": "semver", "lessThanOrEqual": "9.5.9"}, {"status": "unaffected", "version": "10.0.0"}, {"status": "unaffected", "version": "9.11.2"}, {"status": "unaffected", "version": "9.5.10"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 10.0.0, 9.11.2, 9.5.10 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost to versions 10.0.0, 9.11.2, 9.5.10 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.<br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-10-28T14:12:37.346Z"}}}, "cveMetadata": {"cveId": "CVE-2024-10214", "state": "PUBLISHED", "dateUpdated": "2024-10-28T14:55:50.766Z", "dateReserved": "2024-10-21T15:43:29.795Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-10-28T14:12:37.346Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B0C83F1-3F21-4A08-805F-2C4A0C569458", "versionEndIncluding": "9.5.9", "versionStartIncluding": "9.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1B4A955-529F-4481-AC3E-60229831C868", "versionEndIncluding": "9.11.1", "versionStartIncluding": "9.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings."}, {"lang": "es", "value": "Las versiones 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 de Mattermost emiten incorrectamente dos sesiones al usar SSO de escritorio: una en el navegador y otra en el escritorio con configuraciones incorrectas."}], "id": "CVE-2024-10214", "lastModified": "2024-11-05T17:03:22.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2024-10-28T15:15:04.020", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-303"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}