GHSA-59hf-mpf8-pqjh

Source
https://github.com/advisories/GHSA-59hf-mpf8-pqjh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-59hf-mpf8-pqjh/GHSA-59hf-mpf8-pqjh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-59hf-mpf8-pqjh
Aliases
Published
2024-09-26T09:31:42Z
Modified
2024-10-10T15:57:39.409487Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events
Details

Mattermost does not strip embeds from metadata when broadcasting posted events.

This allows users to include arbitrary embeds in posts, which are then broadcast via websockets. This can be exploited in many ways, for example to create permalinks with fully customizable content or to trigger a client-side Denial of Service (DoS) by sending a permalink with a non-string message.

The advisory metadata references the appropriate Go pseudo-version available from pkg.go.dev.

Database specific
{
    "nvd_published_at": "2024-09-26T08:15:06Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-27T22:01:15Z"
}
References

Affected packages

Go / github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
8.0.0-20240806094731-69a8b3df0f9f