Lucene search

[email protected]NVD:CVE-2024-39810

HistoryAug 22, 2024 - 7:15 a.m.

CVE-2024-39810

2024-08-2207:15:03

CWE-400

[email protected]

web.nvd.nist.gov

mattermost

elasticsearch

ca path

unauthorized access

application crashes

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

14.1%

JSON

Mattermost versions 9.5.x <= 9.5.7 and 9.10.x <= 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch configuration which allows a System Role with access to the Elasticsearch system console to add any file as a CA path field, such as /dev/zero and, after testing the connection, cause the application to crash.

Affected configurations

Nvd

Node

mattermostmattermostRange9.5.0–9.5.8

mattermostmattermostRange9.10.0–9.10.1

VendorProductVersionCPE
mattermostmattermost*cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mattermost	mattermost	*	cpe:2.3:a:mattermost:mattermost::::::::

References

mattermost.com/security-updates

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

14.1%

JSON

Related for NVD:CVE-2024-39810

vulnrichment1 osv1 cve1 veracode1 cvelist1