CVE-2024-24988 — Uncontrolled Resource Consumption in Mattermost Mattermost-server

CWE-400 — Uncontrolled Resource Consumption5 documents4 sources

Severity

6.5MEDIUMNVD

CNA4.3

EPSS

0.4%

top 39.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedFeb 29

Latest updateJun 28

Description

Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.0.0 — 9.1.5+2

▶Gogithub.com/mattermost_mattermost-server9.2.0+incompatible — 9.2.5+incompatible+1

▶Gogithub.com/mattermost_mattermost_server_v89.3.0 — 9.3.1+1

▶CVEListV5mattermost/mattermost9.2.4+2

🔴Vulnerability Details

OSV

Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server↗2024-06-28

▶

CVEList

Excessive resource consumption when sending long emoji names in user custom status↗2024-02-29

▶

GHSA

Mattermost denial of service through long emoji value↗2024-02-29

▶

OSV

Mattermost denial of service through long emoji value↗2024-02-29

▶