File Size Limitations in Mattermost Lead to Potential Denial of Service Vulnerability
CVE-2024-54682

6.5 MEDIUM

Key Information:

Vendor
Mattermost
CVE Published:
16 December 2024

Summary

CVE-2024-54682 identifies a medium-severity (CVSS 6.5) vulnerability in specific versions of the Mattermost collaboration platform. The issue arises from the absence of an enforced file size limit when Slack export files are imported. A zip bomb is a deliberately small archive that inflates to a very large amount of data when decompressed; because the import path does not bound how much it will inflate, a user who already holds team administrator privileges can upload such an archive and exhaust the server's disk, memory or CPU, resulting in a Denial of Service that degrades or disables the service for all users. The attack requires no user interaction beyond the administrator's own upload and is reachable over the network, which is reflected in the CVSS vector below. Organizations running affected versions should prioritize updating to a release in which the import enforces a size limit.
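The following Go program is an added example, not Mattermost's code or its fix, showing the kind of import-side check whose absence this advisory describes. It bounds the declared size and compression ratio of each entry in an uploaded archive, bounds the bytes actually inflated with a LimitReader so that an attacker-controlled header cannot bypass the cap, and bounds the aggregate across all entries. The limit values, file names and the three sample archives are constructed for the example and are not taken from the advisory.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Limits an importer should enforce. The values are assumptions chosen for
// this example, not Mattermost's configuration.
const (
	MaxEntryBytes int64  = 8 << 20  // 8 MiB inflated per entry
	MaxTotalBytes int64  = 32 << 20 // 32 MiB inflated across the whole archive
	MaxRatio      uint64 = 100      // declared uncompressed:compressed ratio
)

var ErrZipBomb = errors.New("import rejected: archive exceeds size or ratio limits")

// CheckImportArchive walks an in-memory zip and returns ErrZipBomb if any
// entry, or the archive as a whole, would inflate beyond the limits. The
// declared sizes are attacker-controlled, so they serve only as a cheap
// pre-filter; the enforceable control is the LimitReader, which stops
// inflating an entry as soon as it crosses MaxEntryBytes. The first return
// value is the number of bytes actually inflated before the decision.
func CheckImportArchive(data []byte) (int64, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return 0, err
	}
	var total int64
	for _, f := range zr.File {
		// Pre-filter on the central directory: reject obviously oversized or
		// implausibly compressible entries without inflating a single byte.
		if f.UncompressedSize64 > uint64(MaxEntryBytes) {
			return total, ErrZipBomb
		}
		if f.CompressedSize64 > 0 && f.UncompressedSize64/f.CompressedSize64 > MaxRatio {
			return total, ErrZipBomb
		}
		rc, err := f.Open()
		if err != nil {
			return total, err
		}
		// Inflate at most one byte past the cap so "at the cap" and "over the
		// cap" are distinguishable; io.Discard stands in for the real consumer.
		// Any reader error (corrupt or inconsistent stream) is also a rejection.
		n, err := io.Copy(io.Discard, io.LimitReader(rc, MaxEntryBytes+1))
		rc.Close()
		if err != nil {
			return total, err
		}
		if n > MaxEntryBytes {
			return total, ErrZipBomb
		}
		// Per-entry caps alone are not enough: many small entries add up.
		total += n
		if total > MaxTotalBytes {
			return total, ErrZipBomb
		}
	}
	return total, nil
}

// buildZip writes constructed sample files into an in-memory zip. With
// stored=true the entries are not compressed, which keeps the ratio at 1:1.
func buildZip(files map[string][]byte, stored bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, content := range files {
		method := zip.Deflate
		if stored {
			method = zip.Store
		}
		w, err := zw.CreateHeader(&zip.FileHeader{Name: name, Method: method})
		if err != nil {
			panic(err)
		}
		if _, err := w.Write(content); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// Constructed samples: a plausible small export, a classic single-entry bomb,
// and a multi-entry archive that passes every per-entry check but still
// inflates past the aggregate cap.
func sampleBenign() []byte {
	return buildZip(map[string][]byte{"channels.json": []byte(`[{"name":"general"}]`)}, false)
}

func sampleZeroBomb() []byte {
	// 32 MiB of zeros deflates to roughly 32 KiB, a ratio near 1000:1.
	return buildZip(map[string][]byte{"users.json": make([]byte, 32<<20)}, false)
}

func sampleManyEntries() []byte {
	files := map[string][]byte{}
	for i := 0; i < 5; i++ {
		files[fmt.Sprintf("channel-%d.json", i)] = make([]byte, 7<<20) // 5 x 7 MiB = 35 MiB
	}
	return buildZip(files, true)
}

func main() {
	samples := map[string][]byte{"benign": sampleBenign(), "zero-bomb": sampleZeroBomb(), "many-entries": sampleManyEntries()}
	for name, archive := range samples {
		n, err := CheckImportArchive(archive)
		fmt.Printf("%-12s compressed=%d inflated=%d err=%v\n", name, len(archive), n, err)
	}
}
```

The declared-size pre-filter is cheap but trusts headers the uploader wrote; the LimitReader is what bounds the work even when those headers lie. A production importer would additionally cap the number of entries and the nesting depth, since an archive that contains further archives is the other classic bomb shape, and would apply the same limits to the HTTP upload itself before the file ever reaches the zip reader.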

Affected Version(s)

Mattermost 10.1.0 through 10.1.2

Mattermost 10.0.0 through 10.0.2

Mattermost 9.11.0 through 9.11.4

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

vultza (vultza)