CVE-2024-1953
Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server
4.3
MEDIUM
CVSS 3.1
EPSS 0.13%
Description
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.
How to fix CVE-2024-1953
To remediate CVE-2024-1953, upgrade the affected package to one of the fixed versions listed below.
- —upgrade to 8.1.9 or later
- —upgrade to 9.2.5+incompatible or later
- —no fix listed
- —no fix listed
- —upgrade to 9.4.2 or later
- —no fix listed
Is CVE-2024-1953 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- >= 8.1.0, < 8.1.9, >= 9.2.0, < 9.2.5, >= 9.4.0, < 9.4.2 | >= 9.3.0, <= 9.3.0
- >= 9.2.0+incompatible, < 9.2.5+incompatible, >= 9.3.0+incompatible, < 9.3.1+incompatible, >= 9.4.0+incompatible, < 9.4.2+incompatible
- from 0
- from 0
- >= 9.4.0, < 9.4.2
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |