CVE-2024-54682

Aliases:GHSA-v647-h8jj-fw5rGO-2024-3340
Advisory lineage Upstream: 0 Downstream: 1
Analyzed
Published: 16 Dec 2024, 08:03
Last modified:16 Dec 2024, 16:03

Vulnerability Summary

Overall Risk (default)
medium
26/100
CVSS Score
6.5 MEDIUM
v3.1 (cve.org)
EPSS Score
0.2% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

16 Dec 2024, 08:03
Published
Vulnerability first disclosed
16 Dec 2024, 16:03
Last Modified
Vulnerability information updated

Description

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.

CVSS Metrics

  • v3.1MEDIUMScore: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • v3.1MEDIUMScore: 4.9CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.20% Percentile: 42%

Techniques & Countermeasures

  • CWE-409Improper Handling of Highly Compressed Data (Data Amplification)

    The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Affected Systems

  • github.com/mattermostmattermost-server

    ≥ 10.1.0+incompatible, < 10.1.3+incompatible

  • github.com/mattermost/mattermost-serverv5

    all

  • github.com/mattermost/mattermost-serverv6

    all

  • github.com/mattermost/mattermost/serverv8

    ≥ 10.1.0, < 10.1.3 | ≥ 10.0.0, < 10.0.3 | ≥ 9.11.0, < 9.11.5 | ≥ 9.5.0, < 9.5.13 | all

  • mattermostmattermost

    ≥ 10.1.0, ≤ 10.1.2 | ≥ 10.0.0, ≤ 10.0.2 | ≥ 9.11.0, ≤ 9.11.4 | ≥ 9.5.0, ≤ 9.5.12

  • mattermostmattermost_server

    ≥ 9.5.0, < 9.5.13 | ≥ 9.11.0, < 9.11.5 | ≥ 10.0.0, < 10.0.3 | ≥ 10.1.0, < 10.1.3

References (4)