CVE-2024-54083 - Vulnerability Details - OpenCVE

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://mattermost.com/security-updates

History

Mon, 16 Dec 2024 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Dec 2024 08:15:00 +0000

Type	Values Removed	Values Added
Description		Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.
Title		DoS via lack of type validation in Calls
Weaknesses		CWE-1287
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-12-16T08:02:19.214Z

Updated: 2024-12-16T16:04:03.406Z

Reserved: 2024-12-11T10:11:03.771Z

Link: CVE-2024-54083

Vulnrichment

Updated: 2024-12-16T16:03:59.750Z

NVD

Status : Received

Published: 2024-12-16T08:15:05.317

Modified: 2024-12-16T08:15:05.317

Link: CVE-2024-54083

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-54083", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-12-11T10:11:03.771Z", "datePublished": "2024-12-16T08:02:19.214Z", "dateUpdated": "2024-12-16T16:04:03.406Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "10.1.2", "status": "affected", "version": "10.1.0", "versionType": "semver"}, {"lessThanOrEqual": "10.0.2", "status": "affected", "version": "10.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.11.4", "status": "affected", "version": "9.11.0", "versionType": "semver"}, {"lessThanOrEqual": "9.5.12", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"status": "unaffected", "version": "10.2.0"}, {"status": "unaffected", "version": "2.22.0"}, {"status": "unaffected", "version": "10.1.3"}, {"status": "unaffected", "version": "10.0.3"}, {"status": "unaffected", "version": "9.11.5"}, {"status": "unaffected", "version": "9.5.13"}]}], "credits": [{"lang": "en", "type": "finder", "value": "c0rydoras (c0rydoras)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of <span style=\"background-color: rgb(255, 255, 255);\">callProps</span> which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.</p>"}], "value": "Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of\u00a0callProps\u00a0which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-12-16T08:02:19.214Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost to versions 10.2.0, 2.22.0, 10.1.3, 10.0.3, 9.11.5, 9.5.13 or higher.</p>"}], "value": "Update Mattermost to versions 10.2.0, 2.22.0, 10.1.3, 10.0.3, 9.11.5, 9.5.13 or higher."}], "source": {"advisory": "MMSA-2024-00388", "defect": ["https://mattermost.atlassian.net/browse/MM-61165"], "discovery": "EXTERNAL"}, "title": "DoS via lack of type validation in Calls", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-16T16:03:33.303704Z", "id": "CVE-2024-54083", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-16T16:04:03.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-54083", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-16T16:03:33.303704Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-16T16:03:59.750Z"}}], "cna": {"title": "DoS via lack of type validation in Calls", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-61165"], "advisory": "MMSA-2024-00388", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "c0rydoras (c0rydoras)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "10.1.0", "versionType": "semver", "lessThanOrEqual": "10.1.2"}, {"status": "affected", "version": "10.0.0", "versionType": "semver", "lessThanOrEqual": "10.0.2"}, {"status": "affected", "version": "9.11.0", "versionType": "semver", "lessThanOrEqual": "9.11.4"}, {"status": "affected", "version": "9.5.0", "versionType": "semver", "lessThanOrEqual": "9.5.12"}, {"status": "unaffected", "version": "10.2.0"}, {"status": "unaffected", "version": "2.22.0"}, {"status": "unaffected", "version": "10.1.3"}, {"status": "unaffected", "version": "10.0.3"}, {"status": "unaffected", "version": "9.11.5"}, {"status": "unaffected", "version": "9.5.13"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 10.2.0, 2.22.0, 10.1.3, 10.0.3, 9.11.5, 9.5.13 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost to versions 10.2.0, 2.22.0, 10.1.3, 10.0.3, 9.11.5, 9.5.13 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of\u00a0callProps\u00a0which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of <span style=\"background-color: rgb(255, 255, 255);\">callProps</span> which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-12-16T08:02:19.214Z"}}}, "cveMetadata": {"cveId": "CVE-2024-54083", "state": "PUBLISHED", "dateUpdated": "2024-12-16T16:04:03.406Z", "dateReserved": "2024-12-11T10:11:03.771Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-12-16T08:02:19.214Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}