Lucene search

K

GoogleOSV:GHSA-8F99-G2PJ-X8W3

HistoryApr 26, 2024 - 9:30 a.m.

Mattermost crashes web clients via a malformed custom status

2024-04-2609:30:34

Google

osv.dev

12

mattermost

custom status

vulnerability

json parsing

web clients

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

AI Score

4.5

Confidence

High

EPSS

0

Percentile

9.0%

Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users’ web clients via a malformed custom status.

References

github.com/mattermost/mattermost

github.com/mattermost/mattermost/commit/41333a0babf565453d89287549bec1e546e75ce7

github.com/mattermost/mattermost/commit/6cbab0f7ece104681f73dd12c75d9f22d567125e

github.com/mattermost/mattermost/commit/a99dadd80c57d376185ca06f8f70919a6f135bc6

github.com/mattermost/mattermost/commit/f84f8ed65f6a5faba974426424b684635455a527

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-4182

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

AI Score

4.5

Confidence

High

EPSS

0

Percentile

9.0%

Related for OSV:GHSA-8F99-G2PJ-X8W3

redhatcve1 cvelist1 vulnrichment1 github1 nvd1 osv1 cve1 veracode1