CVE-2024-1402 Denial of service in mattermost mobile apps and server via emoji reactions

2024-02-0915:09:18

CWE-400

Mattermost

github.com

denial of service

mattermost

mobile apps

server

emoji reactions

custom emojis

attack

overloading

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

6.6 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.1%

JSON

Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrive the aforementioned post.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "8.1.7",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.1.4",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.2.3",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "9.3.0"
      },
      {
        "status": "unaffected",
        "version": "9.2.4"
      },
      {
        "status": "unaffected",
        "version": "9.1.5"
      },
      {
        "status": "unaffected",
        "version": "8.1.8"
      }
    ]
  }
]