Lucene search

GitHub Advisory DatabaseGHSA-59HF-MPF8-PQJH

HistorySep 26, 2024 - 9:31 a.m.

Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events

2024-09-2609:31:42

CWE-400

GitHub Advisory Database

github.com

mattermost

embeds

metadata

websockets

permalinks

dos

pseudo version

pkg.go.dev

software

exploited

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.9

Confidence

High

JSON

Mattermost does not strip embeds from metadata when broadcasting posted events.

This allows users to include arbitrary embeds in posts, which are then broadcasted via websockets. This can be exploited in many ways, for example to create permalinks with fully customizable content or to trigger a client Side Denial of Service (DoS) by sending a permalink with a non-string message.

The advisory metadata references the appropriate go pseudo version available from pkg.go.dev

Affected configurations

Vulners

Node

mattermostmattermostRange<8.0.0-20240806094731-69a8b3df0f9f

VendorProductVersionCPE
mattermostmattermost*cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mattermost	mattermost	*	cpe:2.3:a:mattermost:mattermost::::::::

References

github.com/advisories/GHSA-59hf-mpf8-pqjh

github.com/c0rydoras/cves/tree/main/CVE-2024-47003

github.com/mattermost/mattermost/commit/69a8b3df0f9fd3a7a5b792ec678b6191618d039b

github.com/mattermost/mattermost/pull/27763

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-47003

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.9

Confidence

High

JSON

Related for GHSA-59HF-MPF8-PQJH