CVE-2024-1953 — Uncontrolled Resource Consumption in Mattermost Mattermost-server

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling5 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 67.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedFeb 29

Latest updateJun 28

Description

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server8.1.0 — 8.1.9+3

▶Gogithub.com/mattermost_mattermost-server9.2.0+incompatible — 9.2.5+incompatible+2

▶Gogithub.com/mattermost_mattermost_server_v89.4.0 — 9.4.2+3

▶CVEListV5mattermost/mattermost9.4.0 — 9.4.1+3

🔴Vulnerability Details

OSV

Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server↗2024-06-28

▶

OSV

Mattermost fails to limit the number of role names↗2024-02-29

▶

CVEList

CVE-2024-1953: Mattermost versions 8↗2024-02-29

▶

GHSA

Mattermost fails to limit the number of role names↗2024-02-29

▶