CVE-2017-18888

Aliases:GHSA-v2vm-hq26-5jv6GO-2025-4203
Advisory lineage Upstream: 0 Downstream: 1
Modified
Published: 19 Jun 2020, 18:10
Last modified:05 Aug 2024, 21:37

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
0.28% LOW
0% probability -0.14%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

19 Jun 2020, 18:10
Published
Vulnerability first disclosed
05 Aug 2024, 21:37
Last Modified
Vulnerability information updated

Description

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts.

CVSS Metrics

  • v3.1CRITICALScore: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • v2.0HIGHScore: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.28% Percentile: 51%

Techniques & Countermeasures

  • CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

    The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Affected Systems

  • github.com/mattermostmattermost-server

    < 4.1.2 | ≥ 4.2.0-rc1, < 4.2.1 | ≥ 4.3.0-rc1, < 4.3.0 | ≥ 4.3.0-rc1+incompatible, < 4.3.0+incompatible

  • mattermostmattermost_server

    < 4.1.2 | ≥ 4.2.0, < 4.2.1 | 4.3.0:rc1 | 4.3.0:rc2 | 4.3.0:rc3 | 4.3.0:rc4

References (5)