GitHub Advisory DatabaseGHSA-32H7-7J94-8FC2Mattermost vulnerable to denial of service via large number of emoji reactions
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.3 Medium
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.0%
Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post.Β Fetching posts with huge amounts of reactions results in Uncontrolled Resource Consumption.
Affected configurations
References
github.com/advisories/GHSA-32h7-7j94-8fc2
github.com/mattermost/mattermost/commit/64cb0ca8af2dbda1afcddd1604460591a4799b81
github.com/mattermost/mattermost/commit/6d2440de9fd774b67e65e3aac4ab8b6ef9aba2d8
github.com/mattermost/mattermost/commit/81190e2da128a6985914ea7023a69ac400513fc4
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-1402
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.3 Medium
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.0%