CVE-2024-36250Incorrect Implementation of Authentication Algorithm in Server

CWE-303Incorrect Implementation of Authentication AlgorithmCWE-294Authentication Bypass by Capture-replay3 documents3 sources
Severity
4.8MEDIUMNVD
CNA3.1
EPSS
0.3%
top 47.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mattermost ServerMattermost
Timeline
PublishedNov 9

Description

Mattermost versions 9.11.x <= 9.11.2, and 9.5.x <= 9.5.10 fail to protect the mfa code against replay attacks, which allows an attacker to reuse the MFA code within ~30 seconds

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 2.2 | Impact: 2.5

Affected Packages2 packages

NVDmattermost/mattermost_server9.5.09.5.11+1
CVEListV5mattermost/mattermost9.11.09.11.2+1

🔴Vulnerability Details

2
CVEList
MFA Code Replay2024-11-09
GHSA
GHSA-8ww9-xwc2-p9cc: Mattermost versions 92024-11-09
CVE-2024-36250 — Mattermost Server vulnerability | cvebase