Lucene search

MattermostCVELIST:CVE-2022-2406

HistoryJul 14, 2022 - 5:23 p.m.

CVE-2022-2406 Malicious imports can lead to Denial of Service

2022-07-1417:23:55

CWE-400

Mattermost

www.cve.org

cve-2022-2406

mattermost

slack import

denial of service

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.2%

JSON

The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API.

CNA Affected

[
  {
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "6.3.8",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6.4.x"
      },
      {
        "status": "affected",
        "version": "6.7.x 6.7.0"
      },
      {
        "lessThanOrEqual": "6.5.1",
        "status": "affected",
        "version": "6.5.x",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "6.6.1",
        "status": "affected",
        "version": "6.6.x",
        "versionType": "custom"
      }
    ]
  }
]

References

mattermost.com/security-updates/

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.2%

JSON

Related for CVELIST:CVE-2022-2406