CGA-r5x3-gwqr-87xj

Published 4 months ago

Last updated 4 months ago

Package

mattermost-10.0

Latest Update
Not affected

Severity

4.3

Medium

CVSS V3

Summary

Mattermost fails to limit the number of role names

Description

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.

Updates

Status: Not affected
Fixed version: —
Impact: This vulnerability relates to v8.1.x of mattermost, which is several releases old. The componentVersion is also being flagged incorrectly here by some scanners. A bug has been filed upstream against Syft, and the maintainers have confirmed it's a scanner issue. See: https://github.com/anchore/syft/issues/2980.
Updated: Sep 25, 2024

Status: Under investigation
Fixed version: —
Impact: —
Updated: Sep 24, 2024

2 updates