GHSA-wj37-mpq9-xrcm

Source

https://github.com/advisories/GHSA-wj37-mpq9-xrcm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-wj37-mpq9-xrcm/GHSA-wj37-mpq9-xrcm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wj37-mpq9-xrcm

Aliases

CVE-2024-4183
GO-2024-2798

Published

2024-04-26T09:30:34Z

Modified

2024-06-05T16:43:15.711523Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Mattermost fails to limit the number of active sessions

Details

Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.

Database specific

{
    "nvd_published_at": "2024-04-26T09:15:12Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-26T19:10:41Z"
}

References

Affected packages

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.6.0-rc1

Fixed

9.6.1

Database specific

{
    "last_known_affected_version_range": "<= 9.6.0"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.5.0

Fixed

9.5.3

Database specific

{
    "last_known_affected_version_range": "<= 9.5.2"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.4.0

Fixed

9.4.5

Database specific

{
    "last_known_affected_version_range": "<= 9.4.4"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

8.1.0

Fixed

8.1.12

Database specific

{
    "last_known_affected_version_range": "<= 8.1.11"
}