In Harbor versions prior to 2.9.5 and 2.10.3 a medium severity vulnerability CVE-2024-22278 was detected. This vulnerability allows authenticated users to modify configurations. To fix this problem, users should upgrade to versions 2.9.5, 2.10.3 or 2.11.0. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-22278.
In Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 a medium severity vulnerability CVE-2024-39839 was detected. This vulnerability allows a remote user to set their username to anything they want, which can then be synced to the local server if they haven’t been synced before. To fix this problem, users should upgrade Mattermost to versions 9.9.1, 9.5.7, 9.7.6, and 9.8.2 and later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-39839.
In Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 a low severity vulnerability CVE-2024-29977 was detected. This vulnerability allows attackers to create arbitrary reactions on any posts in shared channels due to improper validation of synced reactions. To fix this problem, users should upgrade Mattermost to versions 9.9.1 and 9.5.7 and later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-29977.
In OpenShift versions that use github.com/containers/image library a high severity vulnerability CVE-2024-3727 was detected. This vulnerability allows attackers to perform unintended actions on behalf of the victim user, such as accessing resources, exhausting system resources, or traversing local file paths. To address this issue users should upgrade to versions 5.30.1 or 5.29.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-3727.
In Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, and 9.8.x <= 9.8.1 a high severity vulnerability CVE-2024-36492 was detected. This vulnerability allows a malicious remote attacker to overwrite an existing local user by exploiting the system’s failure to disallow the modification of local users when syncing users in shared channels. To fix this problem, users should upgrade Mattermost to versions 9.9.1, 9.5.7, 9.7.6, and 9.8.2 and later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36492.
In Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, and 9.8.x <= 9.8.1 a high severity vulnerability CVE-2024-39777 was detected. This vulnerability allows attackers to share local channels without admin consent by sending unsolicited invites with the ID of an existing local channel. To fix this problem, users should upgrade Mattermost to versions 9.9.1, 9.5.7, 9.7.6, and 9.8.2 and later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-39777.
In Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 a medium severity vulnerability CVE-2024-41144 was detected. The application doesn’t validate synced posts correctly when shared channels are enabled, letting a malicious user create, update, or delete posts in any channel. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-41144.
In Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, and 9.8.x <= 9.8.1 a medium severity vulnerability CVE-2024-41162 was detected. This product doesn’t prevent remote modification of local channels when shared channels are enabled, allowing a malicious user to make any local channel read-only. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-41162.
In Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, and 9.8.x <= 9.8.1 a high severity vulnerability CVE-2024-39274 was detected. This vulnerability allows remote attackers to add users to arbitrary teams and channels. To fix this problem, users should upgrade Mattermost to versions 9.9.1, 9.5.7, 9.7.6, and 9.8.2 and later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-39274.