PT-2024-29588 · Mattermost · Mattermost
Vultza
·
Published
2024-04-26
·
Updated
2024-06-05
·
CVE-2024-4183
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 8.1.x before 8.1.12
Mattermost versions 9.4.x before 9.4.5
Mattermost versions 9.5.x before 9.5.3
Mattermost versions 9.6.x before 9.6.1
Description
The issue is related to the failure to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the "getSessions API" after flooding the sessions table.
Recommendations
For versions 8.1.x before 8.1.12, update to version 8.1.12 or later.
For versions 9.4.x before 9.4.5, update to version 9.4.5 or later.
For versions 9.5.x before 9.5.3, update to version 9.5.3 or later.
For versions 9.6.x before 9.6.1, update to version 9.6.1 or later.
As a temporary workaround, consider restricting access to the "getSessions API" to minimize the risk of exploitation.
Fix
DoS
Resource Exhaustion
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Mattermost