Lucene search

GoogleOSV:GHSA-59HF-MPF8-PQJH

HistorySep 26, 2024 - 9:31 a.m.

Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events

2024-09-2609:31:42

Google

osv.dev

mattermost

broadcast

embeds

metadata

websocket

exploit

permalinks

denial of service

advisory

version

software

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

JSON

Mattermost does not strip embeds from metadata when broadcasting posted events.

This allows users to include arbitrary embeds in posts, which are then broadcasted via websockets. This can be exploited in many ways, for example to create permalinks with fully customizable content or to trigger a client Side Denial of Service (DoS) by sending a permalink with a non-string message.

The advisory metadata references the appropriate go pseudo version available from pkg.go.dev

References

github.com/c0rydoras/cves/tree/main/CVE-2024-47003

github.com/mattermost/mattermost

github.com/mattermost/mattermost/commit/69a8b3df0f9fd3a7a5b792ec678b6191618d039b

github.com/mattermost/mattermost/pull/27763

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-47003

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

JSON

Related for OSV:GHSA-59HF-MPF8-PQJH