CVE-2024-28949 - OpenCVE

Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://mattermost.com/security-updates

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-04-05T08:14:09.878Z

Updated: 2024-04-05T08:14:09.878Z

Reserved: 2024-04-03T10:03:48.285Z

Link: CVE-2024-28949

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-04-05T09:15:09.497

Modified: 2024-04-05T12:40:52.763

Link: CVE-2024-28949

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-28949", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-04-03T10:03:48.285Z", "datePublished": "2024-04-05T08:14:09.878Z", "dateUpdated": "2024-04-05T08:14:09.878Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "9.5.1", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"lessThanOrEqual": "9.4.3", "status": "affected", "version": "9.4.0", "versionType": "semver"}, {"lessThanOrEqual": "9.3.2", "status": "affected", "version": "9.3.0", "versionType": "semver"}, {"lessThanOrEqual": "8.1.10", "status": "affected", "version": "8.1.0", "versionType": "semver"}, {"status": "unaffected", "version": "9.6.0"}, {"status": "unaffected", "version": "9.5.2"}, {"status": "unaffected", "version": "9.4.4"}, {"status": "unaffected", "version": "9.3.3"}, {"status": "unaffected", "version": "8.1.11"}]}], "credits": [{"lang": "en", "type": "finder", "value": "vultza (vultza)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.</p>"}], "value": "Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-04-05T08:14:09.878Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.</p>"}], "value": "Update Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\n\n"}], "source": {"advisory": "MMSA-2023-00274", "defect": ["https://mattermost.atlassian.net/browse/MM-55198"], "discovery": "EXTERNAL"}, "title": "DoS via a large number of User Preferences", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}