GoogleOSV:GHSA-WJ37-MPQ9-XRCMMattermost fails to limit the number of active sessions
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.
References
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/86920d641760552c5aafa5e1d14c93bd30039bc4
github.com/mattermost/mattermost/commit/9d81eee979aee93374bff8ba6714d805e12ffb03
github.com/mattermost/mattermost/commit/b45c3dac4c160992a1ce757ade968e8f5ec506c1
github.com/mattermost/mattermost/commit/bc699e6789cf3ba1544235087897699aaa639e7d
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-4183
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%