CVE-2024-4183: Mattermost fails to limit the number of active sessions
Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.
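As an added example (not code from the advisory or from the Mattermost project), the following Python encodes the affected ranges stated above so a deployed version string can be checked against them, and adds a simple per-user session count over a constructed session listing, which is the kind of check an operator would run to see whether the sessions table has been flooded as the advisory describes. The sample session records and the `limit` threshold are assumptions for illustration; the version ranges come from the advisory text.

```python
import re
from collections import Counter

# Affected branches from the advisory, mapped to the first fixed patch level:
# 8.1.x < 8.1.12, 9.4.x < 9.4.5, 9.5.x < 9.5.3, 9.6.x < 9.6.1.
FIXED_PATCH = {
    (8, 1): 12,
    (9, 4): 5,
    (9, 5): 3,
    (9, 6): 1,
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) from strings such as '9.5.2' or 'v9.6.0-rc1'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version lies in one of the ranges listed for CVE-2024-4183.

    Caveat: branches the advisory does not name (e.g. 9.7.x, or older
    unsupported branches such as 9.3.x) are simply not flagged here; this
    check only encodes what the advisory states.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False
    return patch < fixed


# Constructed sample: the shape assumed is a list of session records each
# carrying a 'user_id', which is what a session listing would return.
SAMPLE_SESSIONS = [{"id": f"s{i}", "user_id": "alice"} for i in range(5)] + [
    {"id": "s9", "user_id": "bob"},
]


def users_over_session_limit(sessions, limit):
    """Map user_id -> active session count for users exceeding `limit`.

    `limit` is an operator-chosen threshold (assumption), not a value from
    the advisory; a user far above the norm is the signal to look for.
    """
    counts = Counter(s["user_id"] for s in sessions)
    return {uid: n for uid, n in counts.items() if n > limit}


if __name__ == "__main__":
    for v in ("9.5.2", "9.5.3", "8.1.11", "v9.6.0-rc1", "9.7.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(users_over_session_limit(SAMPLE_SESSIONS, limit=3))
```

The version check is deliberately strict about branch boundaries: a version on an unlisted branch returns "not affected" only in the sense that the advisory does not name it, so it should not be read as a clean bill of health for end-of-life releases.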
References
- github.com/advisories/GHSA-wj37-mpq9-xrcm
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost/commit/86920d641760552c5aafa5e1d14c93bd30039bc4
- github.com/mattermost/mattermost/commit/9d81eee979aee93374bff8ba6714d805e12ffb03
- github.com/mattermost/mattermost/commit/b45c3dac4c160992a1ce757ade968e8f5ec506c1
- github.com/mattermost/mattermost/commit/bc699e6789cf3ba1544235087897699aaa639e7d
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2024-4183