CVE-2022-2406

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-2406
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2406.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-2406
Published
2022-07-14T18:15:08.367Z
Modified
2026-04-10T04:45:14.082089Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API.

References

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
a030ae538b9cd373b4e0aa808fc426b82ed24937
Introduced
86a797bc64e7448dbfaa670ed6b8fd7b437e97c3
Last affected
c4ab2024ae2ceb9d122484d23eab926289d553c6
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
e05e0f9379e1324618601e3ba6111d78710e6319
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
3161c1a186595cc371830c4e651002377d4e77cc
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
714d065986fa9f6163b417d9760bf707cc237c71
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.3.8"
        },
        {
            "introduced": "6.4.0"
        },
        {
            "last_affected": "6.5.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.6.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.6.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.7.0"
        }
    ]
}

Affected versions

Other
cloud-2020-11-24
cloud-2020-12-08
cloud-2020-12-18
cloud-2021-01-12
cloud-2021-01-26
cloud-2021-02-10
cloud-2021-02-24
cloud-2021-02-25-1
cloud-2021-03-12-1
cloud-2021-03-23-1
cloud-2021-04-22-1
cloud-2021-05-05-1
cloud-2021-05-21-1
cloud-2021-06-02-1
cloud-2021-06-16-1
cloud-2021-07-01-1
cloud-2021-07-15-1
cloud-2021-07-29-1
cloud-2021-08-12-1
cloud-2021-09-29-1
cloud-2021-10-12-1
cloud-2021-10-27-1
cloud-2021-11-09-1
cloud-2021-11-11-1
cloud-2021-11-23-1
cloud-2021-11-25-1
cloud-2021-11-30-1
cloud-2021-12-08-1
cloud-2022-03-02-1
cloud-2022-03-31-1
cloud-2022-04-28-1
v0.*
v0.5.0
v4.*
v4.10.0-rc1
v4.2.0-rc1
v4.3.0-rc1
v4.4.0-rc1
v4.5.0-rc1
v4.6.0-rc1
v4.6.0-rc2
v4.7.0-rc1
v4.8.0-rc1
v4.9.0-rc1
v5.*
v5.0.0-rc1
v5.1.0-rc1
v5.2.0-rc1
v5.2.0-rc2
v6.*
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.5.0
v6.5.1
v6.6.0
v6.6.1
v6.7.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2406.json"