CVE-2024-48872

Aliases:GHSA-826h-p4c3-477pGO-2024-3338
Advisory lineage Upstream: 0 Downstream: 1
Analyzed
Published: 16 Dec 2024, 08:01
Last modified:16 Dec 2024, 16:04

Vulnerability Summary

Overall Risk (default)
low
19/100
CVSS Score
4.8 MEDIUM
v3.1 (cve.org)
EPSS Score
0.08% LOW
0% probability +0.04%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

16 Dec 2024, 08:01
Published
Vulnerability first disclosed
16 Dec 2024, 16:04
Last Modified
Vulnerability information updated

Description

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests

CVSS Metrics

  • v3.1MEDIUMScore: 4.8CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 0.08% Percentile: 25%

Techniques & Countermeasures

  • CWE-362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

    The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Affected Systems

  • github.com/mattermostmattermost-server

    ≥ 10.1.0+incompatible, < 10.1.3+incompatible

  • github.com/mattermost/mattermost-serverv5

    all

  • github.com/mattermost/mattermost-serverv6

    all

  • github.com/mattermost/mattermost/serverv8

    ≥ 10.1.0, < 10.1.3 | ≥ 10.0.0, < 10.0.3 | ≥ 9.11.0, < 9.11.5 | ≥ 9.5.0, < 9.5.13 | all

  • mattermostmattermost

    ≥ 10.1.0, ≤ 10.1.2 | ≥ 10.0.0, ≤ 10.0.2 | ≥ 9.11.0, ≤ 9.11.4 | ≥ 9.5.0, ≤ 9.5.12

  • mattermostmattermost_server

    ≥ 9.5.0, < 9.5.13 | ≥ 9.11.0, < 9.11.5 | ≥ 10.0.0, < 10.0.3 | ≥ 10.1.0, < 10.1.3

References (4)