CVE-2024-39830

MEDIUM Year: 2024
CVSS v3 Score
5.9
Medium
Weakness Type
CWE-287
View all →

Vulnerability Description

Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison.

Related Vulnerabilities

CVE-2013-3096

MEDIUM
CVSS:5.9(Medium)

D-Link DIR865L v1.03 suffers from an "Unauthenticated Hardware Linking" vulnerability.

CWE-2872013

CVE-2013-5123

MEDIUM
CVSS:5.9(Medium)

The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.

CWE-2872013

CVE-2014-10067

MEDIUM
CVSS:5.9(Medium)

paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacke...

CWE-2872014

CVE-2016-2124

MEDIUM
CVSS:5.9(Medium)

A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.

CWE-2872016

CVE-2017-12196

MEDIUM
CVSS:5.9(Medium)

undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header match...

CWE-2872017

CVE-2017-14117

MEDIUM
CVSS:5.9(Medium)

The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG599 devices, when IP Passthrough mode is not used, configures an unauthenticated proxy service on WAN TCP port 49152, which allows remo...

CWE-2872017