CVE-2024-54682

Dec. 16, 2024, 8:15 a.m.

6.5
Medium

Description

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.

Product(s) Impacted

Product Versions
Mattermost
  • ['10.1.x <= 10.1.2', '10.0.x <= 10.0.2', '9.11.x <= 9.11.4', '9.5.x <= 9.5.12']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

References

https://mattermost.com/security-updates

Tags

responsibledisclosure@mattermost.com
CWE-409
2024-12-16
CVE-2024-54682

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Dec. 16, 2024, 8:15 a.m.
Last Modified: Dec. 16, 2024, 8:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

responsibledisclosure@mattermost.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.