Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching for the cmd.exe file, which allows a local attacker who is able to put a cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine.
Fixes

Solution

Update Mattermost Desktop App to version 5.9.0 or higher.


Workaround

No workaround given by the vendor.

History

Sun, 13 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00076}
Values Added: epss {'score': 0.00081}


Fri, 20 Sep 2024 14:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mattermost; Mattermost mattermost Desktop

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Mattermost; Mattermost mattermost Desktop

Mon, 16 Sep 2024 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Sep 2024 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching for the cmd.exe file, which allows a local attacker who is able to put a cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine.

Type: Title
Values Removed: (none)
Values Added: RCE in desktop app in Windows by local attacker

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-427

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2024-09-16T13:05:12.477Z

Reserved: 2024-09-10T08:20:38.471Z

Link: CVE-2024-39613

Vulnrichment

Updated: 2024-09-16T13:05:07.850Z

NVD

Status: Analyzed

Published: 2024-09-16T07:15:02.373

Modified: 2024-09-20T13:59:01.117

Link: CVE-2024-39613

Redhat

No data.

OpenCVE Enrichment

No data.