CVE-2024-1402: Uncontrolled Resource Consumption in Mattermost Mattermost-server

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.4% (top 39.68%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 9; Latest update Jun 28

Description

Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrieve the aforementioned post.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Exploitability: 2.8 | Impact: 1.4

Affected Packages (4 packages)

Source | Package | Introduced | Fixed | More
Go | github.com/mattermost_mattermost-server | 9.1.0+incompatible | 9.1.5+incompatible | +1
NVD | mattermost/mattermost_server | 9.0.0 | 9.1.4 | +2
CVEListV5 | mattermost/mattermost | 8.1.7 | | +2

Vulnerability Details (4)

OSV: Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server (2024-06-28)
GHSA: Mattermost vulnerable to denial of service via large number of emoji reactions (2024-02-09)
CVEList: Denial of service in mattermost mobile apps and server via emoji reactions (2024-02-09)
OSV: Mattermost vulnerable to denial of service via large number of emoji reactions (2024-02-09)

Vendor Advisories (1)

Red Hat: kernel: blk-iocost: do not WARN if iocg was already offlined (2024-05-30)
CVE-2024-1402 — Uncontrolled Resource Consumption | cvebase