CVE-2024-2446

Summary

Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.4.0 <= 9.4.2affected
MattermostMattermost9.3.0 <= 9.3.1affected
MattermostMattermost9.2.0 <= 9.2.5affected
MattermostMattermost8.1.0 <= 8.1.9affected
MattermostMattermost9.5.0unaffected
MattermostMattermost9.4.3unaffected
MattermostMattermost9.3.2unaffected
MattermostMattermost9.2.6unaffected
MattermostMattermost8.1.10unaffected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References