PT-2024-28680 · Unknown · Mattermost+1
Doyensec · Published 2024-08-22 · Updated 2024-08-23 · CVE-2024-39810
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Mattermost versions 9.5.x through 9.5.7
Mattermost versions 9.10.x through 9.10.0
Description
The issue arises from the failure to apply a time limit and a size limit when reading the CA path file in the ElasticSearch configuration. This allows a System Role with access to the Elasticsearch system console to set any file as the CA path field. For example, setting the CA path to /dev/zero and then testing the connection can cause the application to crash.
Recommendations
For Mattermost versions 9.5.x through 9.5.7, restrict access to the Elasticsearch system console to prevent exploitation. For Mattermost versions 9.10.x through 9.10.0, limit the size of the CA path file and the time spent reading it in the ElasticSearch configuration to prevent abuse. As a temporary workaround, consider disabling access to the ElasticSearch configuration until a patch is available.
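One way to apply the size and time limits the recommendation calls for, shown as an added example rather than Mattermost's own fix: the loader below refuses any path that is not a regular file (which is what rejects /dev/zero), caps the bytes read, and stops waiting after a timeout. The function name, the error values and the goroutine-based read are assumptions of this example.

```go
package main

import (
	"errors"
	"io"
	"os"
	"time"
)

var ErrNotRegular = errors.New("ca path is not a regular file")
var ErrTooLarge = errors.New("ca file exceeds size limit")
var ErrTimeout = errors.New("ca file read timed out")

// LoadCAFile is a constructed, bounded CA-path loader, not Mattermost's code. It
// refuses non-regular files (so /dev/zero, FIFOs and sockets are never opened),
// caps the read at maxBytes, and stops waiting once timeout elapses.
func LoadCAFile(path string, maxBytes int64, timeout time.Duration) ([]byte, error) {
	fi, err := os.Stat(path) // follows symlinks, so a link to /dev/zero is caught too
	if err != nil {
		return nil, err
	}
	if !fi.Mode().IsRegular() { // /dev/zero is a character device, not a file
		return nil, ErrNotRegular
	}
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	var data []byte
	done := make(chan error, 1)
	go func() { // read one byte past the cap so an oversized file is detected
		defer f.Close() // owned by the goroutine, so a timed-out caller is not held up
		var e error
		data, e = io.ReadAll(io.LimitReader(f, maxBytes+1))
		done <- e
	}()
	select {
	case err = <-done:
	case <-time.After(timeout):
		return nil, ErrTimeout
	}
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrTooLarge
	}
	return data, nil // safe to hand to x509.CertPool.AppendCertsFromPEM
}
```

A 1 MiB cap and a timeout of a few seconds are generous for any real CA bundle; the regular-file check is what matters most, since a device or FIFO can never be fully read regardless of the byte cap.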

Fix

Weakness Enumeration: Resource Exhaustion

Related Identifiers: CVE-2024-39810

Affected Products: Elasticsearch, Mattermost