CVE-2024-4183 – github.com/mattermost/mattermost-server
Package
Manager: go
Name: github.com/mattermost/mattermost-server
Vulnerable Version: >=9.6.0-rc1 <9.6.1 || >=9.5.0 <9.5.3 || >=9.4.0 <9.4.5 || >=8.1.0 <8.1.12
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00174 pctl0.39193
Details
Mattermost fails to limit the number of active sessions

Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.
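The two controls the advisory's CWE mapping points at (CWE-770, missing limit on session allocation; CWE-400, unbounded resource use when the sessions are listed) can be illustrated with a small in-memory session store. The block below is an added example written for this page, not Mattermost's code or its fix; the types, the per-user cap, the eviction policy and the page size are all hypothetical choices, and the flood loop in `main` is a constructed stand-in for the repeated login and getSessions requests the advisory describes.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Session is a minimal stand-in for a server session record (hypothetical
// type for this example, not Mattermost's own).
type Session struct {
	ID        string
	UserID    string
	CreatedAt time.Time
}

// ErrTooManySessions is returned when a user is at the cap and the store is
// configured to reject new logins instead of evicting old sessions.
var ErrTooManySessions = errors.New("session limit reached for user")

// SessionStore enforces a per-user cap on live sessions (the CWE-770 control)
// and bounds what a single listing call can return (the CWE-400 control).
type SessionStore struct {
	mu          sync.Mutex
	maxPerUser  int
	maxPageSize int
	evictOldest bool
	byUser      map[string][]*Session // kept in creation order, oldest first
	nextID      int
}

// NewSessionStore builds a store; maxPerUser and maxPageSize are assumed
// deployment settings, not values taken from the advisory.
func NewSessionStore(maxPerUser, maxPageSize int, evictOldest bool) *SessionStore {
	return &SessionStore{
		maxPerUser:  maxPerUser,
		maxPageSize: maxPageSize,
		evictOldest: evictOldest,
		byUser:      make(map[string][]*Session),
	}
}

// Create adds a session for userID. At the cap it either evicts the oldest
// session(s), so a login flood cannot grow the table without bound, or
// refuses the new session outright.
func (s *SessionStore) Create(userID string) (*Session, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sessions := s.byUser[userID]
	if len(sessions) >= s.maxPerUser {
		if !s.evictOldest {
			return nil, ErrTooManySessions
		}
		drop := len(sessions) - s.maxPerUser + 1 // make room for exactly one
		sessions = sessions[drop:]
	}
	s.nextID++
	sess := &Session{ID: fmt.Sprintf("s%d", s.nextID), UserID: userID, CreatedAt: time.Now()}
	s.byUser[userID] = append(sessions, sess)
	return sess, nil
}

// Count reports the number of live sessions held by a user.
func (s *SessionStore) Count(userID string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.byUser[userID])
}

// GetSessions is the bounded listing: the caller's limit is clamped to
// maxPageSize and a negative offset is ignored, so the response size is
// controlled by the server, never by the requester. Results are newest first.
func (s *SessionStore) GetSessions(userID string, offset, limit int) []Session {
	s.mu.Lock()
	defer s.mu.Unlock()
	if limit <= 0 || limit > s.maxPageSize {
		limit = s.maxPageSize
	}
	if offset < 0 {
		offset = 0
	}
	all := s.byUser[userID]
	out := make([]Session, 0, limit)
	for i := len(all) - 1 - offset; i >= 0 && len(out) < limit; i-- {
		out = append(out, *all[i])
	}
	return out
}

func main() {
	// Constructed flood: one authenticated user logs in 1000 times, then
	// repeatedly lists sessions with an oversized page request.
	st := NewSessionStore(5, 3, true)
	for i := 0; i < 1000; i++ {
		if _, err := st.Create("attacker"); err != nil {
			panic(err)
		}
	}
	fmt.Println("live sessions after flood:", st.Count("attacker"))
	fmt.Println("rows returned for limit=100000:", len(st.GetSessions("attacker", 0, 100000)))
}
```

With `evictOldest` set, the cap is transparent to a legitimate user who simply loses their stalest session; with it unset, the store refuses the login and the rejection is the signal to alert on. Either way the table size per user, and therefore the cost of a getSessions call, is fixed by configuration rather than by how many requests the attacker sends.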
Metadata
Created: 2024-04-26T09:30:34Z
Modified: 2025-05-12T21:48:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-wj37-mpq9-xrcm/GHSA-wj37-mpq9-xrcm.json
CWE IDs: ["CWE-400", "CWE-770"]
Alternative ID: GHSA-wj37-mpq9-xrcm
Finding: F002
Auto approve: 1