CVE-2024-4182 – github.com/mattermost/mattermost-server
Package
Manager: go
Name: github.com/mattermost/mattermost-server
Vulnerable Version: >=8.1.0 <8.1.12 || >=9.4.0 <9.4.5 || >=9.5.0 <9.5.3 || >=9.6.0-rc1 <9.6.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
EPSS: 0.00193 (percentile 0.41491)
Details
Mattermost crashes web clients via a malformed custom status.
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.
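Added example, not Mattermost's own code: the CWE-754 pattern behind this advisory, an unguarded JSON.parse of a user-controlled custom status next to a hardened parser that treats malformed or ill-typed input as "no status" instead of letting the exception reach the rendering path. The field names (emoji, text, expires_at) are assumed for illustration.

```javascript
// Added example (not Mattermost's code). Vulnerable pattern: JSON.parse on a
// user-supplied custom status with no error handling, so one malformed value
// throws inside the client's render path. Field names are assumptions.

// Unguarded parse: a malformed value throws and, if uncaught, takes down the
// rendering code that called it.
function parseCustomStatusUnsafe(raw) {
  return JSON.parse(raw);
}

// Hardened parse: never throws; returns null for anything that is not a
// well-formed status object, so the UI simply renders "no custom status".
function parseCustomStatusSafe(raw) {
  if (typeof raw !== 'string' || raw.length === 0) {
    return null;
  }
  let obj;
  try {
    obj = JSON.parse(raw);
  } catch (err) {
    // CWE-754: the unusual condition (invalid JSON) is handled, not propagated.
    return null;
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return null;
  }
  const {emoji, text, expires_at: expiresAt} = obj;
  if (typeof emoji !== 'string' || typeof text !== 'string') {
    return null;
  }
  // expires_at is optional; when present it must be a parseable date string.
  if (expiresAt !== undefined &&
      (typeof expiresAt !== 'string' || Number.isNaN(Date.parse(expiresAt)))) {
    return null;
  }
  return {emoji, text, expiresAt: expiresAt ?? null};
}

// Regression check: does a raw value crash the unguarded parser?
function unsafeParserThrows(raw) {
  try {
    parseCustomStatusUnsafe(raw);
    return false;
  } catch (err) {
    return true;
  }
}
```

The same shape check belongs on the server side before the value is stored, so a bad status is rejected at write time rather than handled by every client that reads it.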
Metadata
Created: 2024-04-26T09:30:34Z
Modified: 2024-04-26T19:11:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-8f99-g2pj-x8w3/GHSA-8f99-g2pj-x8w3.json
CWE IDs: ["CWE-754"]
Alternative ID: GHSA-8f99-g2pj-x8w3
Finding: F002
Auto approve: 1