CVE-2022-2406

Summary

The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermostunspecified <= 6.3.8affected
MattermostMattermost6.4.xaffected
MattermostMattermost6.7.x 6.7.0affected
MattermostMattermost6.5.x <= 6.5.1affected
MattermostMattermost6.6.x <= 6.6.1affected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References