Lucene search

MattermostCVELIST:CVE-2024-45843

HistorySep 26, 2024 - 8:03 a.m.

CVE-2024-45843 Weak SSRF Filtering

2024-09-2608:03:41

CWE-918

Mattermost

www.cve.org

cve-2024-45843

weak ssrf filtering

mattermost

oracle cloud

alibaba

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

Percentile

14.7%

JSON

Mattermost versions 9.5.x <= 9.5.8 fail to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, which allows an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "9.5.8",
        "status": "affected",
        "version": "9.5.0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "9.11.0"
      },
      {
        "status": "unaffected",
        "version": "9.5.9"
      }
    ]
  }
]

References

mattermost.com/security-updates

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

Percentile

14.7%

JSON

Related for CVELIST:CVE-2024-45843