CVE-2024-4183

Summary

Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.6.0 <= 8.1.10affected
MattermostMattermost9.5.0 <= 9.5.2affected
MattermostMattermost9.4.0 <= 9.4.4affected
MattermostMattermost8.1.0 <= 8.1.11affected
MattermostMattermost9.7.0 <= 8.1.11unaffected
MattermostMattermost9.6.1unaffected
MattermostMattermost9.5.3unaffected
MattermostMattermost9.4.5unaffected
MattermostMattermost8.1.12unaffected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References