CVE-2024-1953: Mattermost fails to limit the number of role names

February 29, 2024 (updated December 13, 2024)

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.

References

github.com/advisories/GHSA-vm9m-57jr-4pxh
github.com/mattermost/mattermost
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-1953
pkg.go.dev/vuln/GO-2024-2594

Code Behaviors & Features

Detect and mitigate CVE-2024-1953 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →