CVE-2024-1953
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mattermost | Mattermost | 9.4.0 <= 9.4.1 | affected |
| Mattermost | Mattermost | 9.3.0 | affected |
| Mattermost | Mattermost | 9.2.0 <= 9.2.4 | affected |
| Mattermost | Mattermost | 8.1.0 <= 8.1.8 | affected |
| Mattermost | Mattermost | 9.5 | unaffected |
| Mattermost | Mattermost | 9.4.2 | unaffected |
| Mattermost | Mattermost | 9.3.1 | unaffected |
| Mattermost | Mattermost | 9.2.5 | unaffected |
| Mattermost | Mattermost | 8.1.9 | unaffected |
Weaknesses
- CWE-400: CWE-400: Uncontrolled Resource Consumption
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.