CVE-2024-54083

Aliases:GHSA-69pr-78gv-7c6hGO-2024-3337
Advisory lineage Upstream: 0 Downstream: 1
Analyzed
Published: 16 Dec 2024, 08:02
Last modified:16 Dec 2024, 16:04

Vulnerability Summary

Overall Risk (default)
medium
26/100
CVSS Score
6.5 MEDIUM
v3.1 (cve.org)
EPSS Score
0.52% LOW
1% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

16 Dec 2024, 08:02
Published
Vulnerability first disclosed
16 Dec 2024, 16:04
Last Modified
Vulnerability information updated

Description

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.

CVSS Metrics

  • v3.1MEDIUMScore: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.52% Percentile: 67%

Techniques & Countermeasures

  • CWE-1287Improper Validation of Specified Type of Input

    The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

Affected Systems

  • github.com/mattermostmattermost-server

    ≥ 10.1.0+incompatible, < 10.1.3+incompatible

  • github.com/mattermost/mattermost-serverv5

    all

  • github.com/mattermost/mattermost-serverv6

    all

  • github.com/mattermost/mattermost/serverv8

    ≥ 10.1.0, < 10.1.3 | ≥ 10.0.0, < 10.0.3 | ≥ 9.11.0, < 9.11.5 | ≥ 9.5.0, < 9.5.13 | all

  • mattermostmattermost

    ≥ 10.1.0, ≤ 10.1.2 | ≥ 10.0.0, ≤ 10.0.2 | ≥ 9.11.0, ≤ 9.11.4 | ≥ 9.5.0, ≤ 9.5.12

  • mattermostmattermost_server

    ≥ 9.5.0, < 9.5.13 | ≥ 9.11.0, < 9.11.5 | ≥ 10.0.0, < 10.0.3 | ≥ 10.1.0, < 10.1.3

References (4)