CVE-2024-28949

Summary

Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.5.0 <= 9.5.1affected
MattermostMattermost9.4.0 <= 9.4.3affected
MattermostMattermost9.3.0 <= 9.3.2affected
MattermostMattermost8.1.0 <= 8.1.10affected
MattermostMattermost9.6.0unaffected
MattermostMattermost9.5.2unaffected
MattermostMattermost9.4.4unaffected
MattermostMattermost9.3.3unaffected
MattermostMattermost8.1.11unaffected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References