CVE-2024-45843 — Server-Side Request Forgery in Server
Severity
5.4MEDIUMNVD
CNA3.1
EPSS
0.3%
top 48.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedSep 26
Description
Mattermost versions 9.5.x <= 9.5.8 fail to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, which allows an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5