CVE-2022-1337

Summary

The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost6.4 < 6.4.2affected
MattermostMattermost6.3 < 6.3.5affected
MattermostMattermost6.2 < 6.2.5affected
MattermostMattermost5.37 < 5.37.9affected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption

Workarounds

Disable the image proxy or use an external proxy.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References