CVE-2024-37182 - OpenCVE

Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mattermost	Mattermost Desktop

Configuration 1 [-]

cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://mattermost.com/security-updates

History

Wed, 07 Aug 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost Desktop
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:mattermost:mattermost_desktop::::::::
Vendors & Products		Mattermost Mattermost mattermost Desktop

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-06-14T08:39:19.578Z

Updated: 2024-08-02T03:50:55.403Z

Reserved: 2024-06-14T08:22:33.365Z

Link: CVE-2024-37182

Vulnrichment

Updated: 2024-08-02T03:50:55.403Z

NVD

Status : Analyzed

Published: 2024-06-14T09:15:10.013

Modified: 2024-08-07T16:08:10.810

Link: CVE-2024-37182

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37182", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-06-14T08:22:33.365Z", "datePublished": "2024-06-14T08:39:19.578Z", "dateUpdated": "2024-08-02T03:50:55.403Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "5.7.0", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "5.8.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "gee-netics (gee-netics)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes.</p>"}], "value": "Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows\u00a0a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system\u00a0via custom URI schemes."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-06-14T08:39:19.578Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Desktop App to versions 5.8.0 or higher.</p>"}], "value": "Update Mattermost Desktop App to versions 5.8.0 or higher."}], "source": {"advisory": "MMSA-2024-00335", "defect": ["https://mattermost.atlassian.net/browse/MM-58088"], "discovery": "EXTERNAL"}, "title": "Lack of permissions prompting when opening external URLs", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-15T20:34:10.739280Z", "id": "CVE-2024-37182", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-15T20:34:22.877Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:55.403Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:55.403Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37182", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-15T20:34:10.739280Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-15T20:34:18.884Z"}}], "cna": {"title": "Lack of permissions prompting when opening external URLs", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-58088"], "advisory": "MMSA-2024-00335", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "gee-netics (gee-netics)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.7.0"}, {"status": "unaffected", "version": "5.8.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Desktop App to versions 5.8.0 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost Desktop App to versions 5.8.0 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows\u00a0a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system\u00a0via custom URI schemes.", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-06-14T08:39:19.578Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37182", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:50:55.403Z", "dateReserved": "2024-06-14T08:22:33.365Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-06-14T08:39:19.578Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD0EF005-DAA6-4271-800A-EDBF6768D148", "versionEndIncluding": "5.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows\u00a0a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system\u00a0via custom URI schemes."}, {"lang": "es", "value": "Las versiones de la aplicaci\u00f3n de escritorio Mattermost <= 5.7.0 no solicitan permiso correctamente al abrir URL externas, lo que permite a un atacante remoto obligar a una v\u00edctima a trav\u00e9s de Internet a ejecutar programas arbitrarios en el sistema de la v\u00edctima mediante esquemas de URI personalizados."}], "id": "CVE-2024-37182", "lastModified": "2024-08-07T16:08:10.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2024-06-14T09:15:10.013", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-693"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}