CVE-2023-5522 - OpenCVE

Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Mattermost	Mattermost

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost::::::android::*
	cpe:2.3:a:mattermost:mattermost::::::iphone_os::*

References

Link	Resource
https://mattermost.com/security-updates	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Mattermost

Published: 2023-10-17T09:41:14.833Z

Updated: 2023-10-17T09:41:14.833Z

Reserved: 2023-10-11T12:14:11.518Z

Link: CVE-2023-5522

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-17T10:15:10.427

Modified: 2023-10-24T18:56:18.113

Link: CVE-2023-5522

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-5522", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2023-10-11T12:14:11.518Z", "datePublished": "2023-10-17T09:41:14.833Z", "dateUpdated": "2023-10-17T09:41:14.833Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThan": "2.8.0", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "2.8.0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "\u0160imon \u010cech\u00e1\u010dek"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to s<span style=\"background-color: rgb(255, 255, 255);\">end a post with </span><span style=\"background-color: rgb(255, 255, 255);\">hundreds of emojis to a channel and</span> freeze the mobile app of users when viewing that particular channel. </p>"}], "value": "Mattermost Mobile fails to limit\u00a0the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and\u00a0freeze the mobile app of users when viewing that particular channel.\u00a0\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2023-10-17T09:41:14.833Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Mobile to versions 2.8.0 or higher.</p>"}], "value": "Update Mattermost Mobile to versions 2.8.0 or higher.\n\n"}], "source": {"advisory": "MMSA-2023-00226", "defect": ["https://mattermost.atlassian.net/browse/MM-53106"], "discovery": "EXTERNAL"}, "title": "Mobile app freezes when receiving a post with hundreds of emojis", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:android:*:*", "matchCriteriaId": "5CDF40BF-82EB-4109-A6A8-BE16F18604DB", "versionEndExcluding": "2.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "98266404-FB76-4221-8E3B-AC6C018F3CD8", "versionEndExcluding": "2.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mattermost Mobile fails to limit\u00a0the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and\u00a0freeze the mobile app of users when viewing that particular channel.\u00a0\n\n"}, {"lang": "es", "value": "Mattermost Mobile no limita la cantidad m\u00e1xima de elementos Markdown en una publicaci\u00f3n, lo que permite a un atacante enviar una publicaci\u00f3n con cientos de emojis a un canal y congelar la aplicaci\u00f3n m\u00f3vil de los usuarios cuando ven ese canal en particular."}], "id": "CVE-2023-5522", "lastModified": "2023-10-24T18:56:18.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2023-10-17T10:15:10.427", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}