CVE-2024-1953

Summary

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.4.0 <= 9.4.1affected
MattermostMattermost9.3.0affected
MattermostMattermost9.2.0 <= 9.2.4affected
MattermostMattermost8.1.0 <= 8.1.8affected
MattermostMattermost9.5unaffected
MattermostMattermost9.4.2unaffected
MattermostMattermost9.3.1unaffected
MattermostMattermost9.2.5unaffected
MattermostMattermost8.1.9unaffected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References