CVE-2024-4182
MEDIUM4.3EPSS 0.19%Mattermost crashes web clients via a malformed custom status
Published: 4/26/2024Modified: 6/5/2024
Description
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.
Affected packages (2)
- Go/github.com/mattermost/mattermost-server>= 8.1.0, < 8.1.12
- Go/github.com/mattermost/mattermost-server>= 8.1.0+incompatible, < 8.1.12+incompatible, >= 9.4.0+incompatible, < 9.4.5+incompatible, >= 9.5.0+incompatible, < 9.5.3+incompatible, >= 9.6.0-rc1+incompatible, < 9.6.1+incompatible
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
References (8)
- ADVISORYhttps://github.com/advisories/GHSA-8f99-g2pj-x8w3
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-4182
- PATCHhttps://github.com/mattermost/mattermost
- WEBhttps://github.com/mattermost/mattermost/commit/41333a0babf565453d89287549bec1e546e75ce7
- WEBhttps://github.com/mattermost/mattermost/commit/6cbab0f7ece104681f73dd12c75d9f22d567125e
- WEBhttps://github.com/mattermost/mattermost/commit/a99dadd80c57d376185ca06f8f70919a6f135bc6
- WEBhttps://github.com/mattermost/mattermost/commit/f84f8ed65f6a5faba974426424b684635455a527
- WEBhttps://mattermost.com/security-updates