Lucene search

MattermostVULNRICHMENT:CVE-2024-3872

HistoryApr 16, 2024 - 9:05 a.m.

CVE-2024-3872

2024-04-1609:05:04

CWE-400

Mattermost

github.com

cve-2024-3872

mattermost

mobile app

regular expression

polynomial complexity

deeplinks

unauthenticated

remote attacker

freeze

crash

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

AI Score

7.1

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*"
    ],
    "vendor": "mattermost",
    "product": "mattermost_mobile",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "semver",
        "lessThanOrEqual": "2.13.0"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

mattermost.com/security-updates

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

AI Score

7.1

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-3872