CVE-2024-4183 — Uncontrolled Resource Consumption in Mattermost Mattermost-server

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling6 documents5 sources

Severity

6.5MEDIUMNVD

CNA4.3

EPSS

0.2%

top 61.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Mattermost Server Mattermost

Timeline

PublishedApr 26

Latest updateJun 5

Description

Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDmattermost/mattermost_server8.1.0 — 8.1.12+3

▶Gogithub.com/mattermost_mattermost-server9.6.0-rc1 — 9.6.1+7

▶CVEListV5mattermost/mattermost9.6.0 — 8.1.10+3

🔴Vulnerability Details

OSV

Mattermost fails to limit the number of active sessions in github.com/mattermost/mattermost-server↗2024-06-05

▶

OSV

Mattermost fails to limit the number of active sessions↗2024-04-26

▶

GHSA

Mattermost fails to limit the number of active sessions↗2024-04-26

▶

CVEList

CVE-2024-4183: Mattermost versions 8↗2024-04-26

▶

📋Vendor Advisories

Red Hat

mattermost: fail to limit the number of active sessions↗2024-04-26

▶