Lucene search

MattermostCVELIST:CVE-2024-3872

HistoryApr 16, 2024 - 9:05 a.m.

CVE-2024-3872

2024-04-1609:05:04

CWE-400

Mattermost

www.cve.org

mattermost

mobile app

vulnerability

deeplink

parsing

crash

freeze

remote attacker

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

AI Score

4.5

Confidence

High

EPSS

Percentile

9.0%

JSON

Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "2.13.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "2.14.0"
      }
    ]
  }
]

References

mattermost.com/security-updates

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

AI Score

4.5

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2024-3872