CVE-2024-45833 - OpenCVE

Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mattermost	Mattermost Mobile

Configuration 1 [-]

cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://mattermost.com/security-updates

History

Mon, 23 Sep 2024 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost Mobile
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:mattermost:mattermost_mobile::::::::
Vendors & Products		Mattermost Mattermost mattermost Mobile

Mon, 16 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Sep 2024 07:00:00 +0000

Type	Values Removed	Values Added
Description		Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..
Title		Mobile password gets saved in dictionary under conditions
Weaknesses		CWE-693
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-09-16T06:41:47.347Z

Updated: 2024-09-16T13:04:55.732Z

Reserved: 2024-09-10T08:20:38.452Z

Link: CVE-2024-45833

Vulnrichment

Updated: 2024-09-16T13:04:50.005Z

NVD

Status : Analyzed

Published: 2024-09-16T07:15:03.663

Modified: 2024-09-23T13:43:42.073

Link: CVE-2024-45833

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45833", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-09-10T08:20:38.452Z", "datePublished": "2024-09-16T06:41:47.347Z", "dateUpdated": "2024-09-16T13:04:55.732Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "2.18.0", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "2.19.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "@lolcabanon"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..</p>"}], "value": "Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u00a0password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character.."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-09-16T06:41:47.347Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Mobile Apps to versions 2.19.0 or higher.</p>"}], "value": "Update Mattermost Mobile Apps to versions 2.19.0 or higher."}], "source": {"advisory": "MMSA-2024-00314", "defect": ["https://mattermost.atlassian.net/browse/MM-56932"], "discovery": "EXTERNAL"}, "title": "Mobile password gets saved in dictionary under conditions", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-16T13:04:05.356788Z", "id": "CVE-2024-45833", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T13:04:55.732Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45833", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-16T13:04:05.356788Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T13:04:50.005Z"}}], "cna": {"title": "Mobile password gets saved in dictionary under conditions", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-56932"], "advisory": "MMSA-2024-00314", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "@lolcabanon"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.18.0"}, {"status": "unaffected", "version": "2.19.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Mobile Apps to versions 2.19.0 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost Mobile Apps to versions 2.19.0 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u00a0password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-09-16T06:41:47.347Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45833", "state": "PUBLISHED", "dateUpdated": "2024-09-16T13:04:55.732Z", "dateReserved": "2024-09-10T08:20:38.452Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-09-16T06:41:47.347Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6284015-4B02-4ACD-A910-C8B6FAFE540E", "versionEndExcluding": "2.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u00a0password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character.."}, {"lang": "es", "value": "Las versiones <=2.18.0 de Mattermost Mobile Apps no pueden deshabilitar el autocompletado durante el inicio de sesi\u00f3n al escribir la contrase\u00f1a y se selecciona la contrase\u00f1a visible, lo que permite que la contrase\u00f1a se guarde en el diccionario cuando el usuario tiene Swiftkey como teclado predeterminado, el enmascaramiento est\u00e1 desactivado y la contrase\u00f1a contiene un car\u00e1cter especial."}], "id": "CVE-2024-45833", "lastModified": "2024-09-23T13:43:42.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2024-09-16T07:15:03.663", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-693"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}