CVE-2024-2446

Description

Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.

How to fix CVE-2024-2446

To remediate CVE-2024-2446, upgrade the affected package to a fixed version below.

Bitnami/mattermost—upgrade to 8.1.10 or later

Is CVE-2024-2446 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 8.1.0, < 8.1.10, >= 9.2.0, < 9.2.6, >= 9.3.0, < 9.3.2, >= 9.4.0, < 9.4.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

References (2)

WEBmattermost.com/security-updates
WEBnvd.nist.gov/vuln/detail/CVE-2024-2446