Vulnerability-Lookup

CNVD-2024-26109

Vulnerability from cnvd - Published: 2024-06-07

Title

Mattermost Mobile不受控制的资源消耗漏洞

Description

Mattermost Mobile是一款团队协作和通讯工具，支持跨平台使用。 Mattermost Mobile存在不受控制的资源消耗漏洞，攻击者可利用该漏洞通过发送非常大的代码块并使移动应用程序崩溃。

Severity

中

Patch Name

Mattermost Mobile不受控制的资源消耗漏洞的补丁

Patch Description

Mattermost Mobile是一款团队协作和通讯工具，支持跨平台使用。 Mattermost Mobile存在不受控制的资源消耗漏洞，攻击者可利用该漏洞通过发送非常大的代码块并使移动应用程序崩溃。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://mattermost.com/security-updates/

Reference

https://cxsecurity.com/cveshow/CVE-2024-24975/

Impacted products

Name
Mattermost Mattermost Mobile <=2.12.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-24975"
    }
  },
  "description": "Mattermost Mobile\u662f\u4e00\u6b3e\u56e2\u961f\u534f\u4f5c\u548c\u901a\u8baf\u5de5\u5177\uff0c\u652f\u6301\u8de8\u5e73\u53f0\u4f7f\u7528\u3002\n\nMattermost Mobile\u5b58\u5728\u4e0d\u53d7\u63a7\u5236\u7684\u8d44\u6e90\u6d88\u8017\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u975e\u5e38\u5927\u7684\u4ee3\u7801\u5757\u5e76\u4f7f\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u5d29\u6e83\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://mattermost.com/security-updates/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-26109",
  "openTime": "2024-06-07",
  "patchDescription": "Mattermost Mobile\u662f\u4e00\u6b3e\u56e2\u961f\u534f\u4f5c\u548c\u901a\u8baf\u5de5\u5177\uff0c\u652f\u6301\u8de8\u5e73\u53f0\u4f7f\u7528\u3002\r\n\r\nMattermost Mobile\u5b58\u5728\u4e0d\u53d7\u63a7\u5236\u7684\u8d44\u6e90\u6d88\u8017\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u975e\u5e38\u5927\u7684\u4ee3\u7801\u5757\u5e76\u4f7f\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u5d29\u6e83\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mattermost Mobile\u4e0d\u53d7\u63a7\u5236\u7684\u8d44\u6e90\u6d88\u8017\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Mattermost Mattermost Mobile \u003c=2.12.0"
  },
  "referenceLink": "https://cxsecurity.com/cveshow/CVE-2024-24975/",
  "serverity": "\u4e2d",
  "submitTime": "2024-03-15",
  "title": "Mattermost Mobile\u4e0d\u53d7\u63a7\u5236\u7684\u8d44\u6e90\u6d88\u8017\u6f0f\u6d1e"
}

CVE-2024-24975 (GCVE-0-2024-24975)

Vulnerability from cvelistv5 – Published: 2024-03-15 09:07 – Updated: 2024-08-01 23:36

Title

Denial of Service for mobile app users due to automatic code highlighting

Summary

Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a very large code block and crash the mobile app.

Severity ?

3.5 (Low)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

Mattermost

References

URL

Tags

https://mattermost.com/security-updates

Impacted products

	Vendor	Product	Version
	Mattermost	Mattermost Mobile	Unaffected: 2.13.0 Affected: 0 , ≤ 2.12.0 (semver)

Credits

Gian Klug (coderion)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mattermost_mobile",
            "vendor": "mattermost",
            "versions": [
              {
                "lessThanOrEqual": "2.12.0",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-24975",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-22T14:23:59.354672Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:43:22.998Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:36:21.260Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://mattermost.com/security-updates"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mattermost Mobile",
          "vendor": "Mattermost",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.13.0"
            },
            {
              "lessThanOrEqual": "2.12.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gian Klug (coderion)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003elimit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a\u0026nbsp;\u003c/span\u003every large code block and crash the mobile app.\u003cbr\u003e"
            }
          ],
          "value": "Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to\u00a0limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a\u00a0very large code block and crash the mobile app.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-15T09:07:13.379Z",
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost"
      },
      "references": [
        {
          "url": "https://mattermost.com/security-updates"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.13.0 or higher.\u003c/p\u003e"
            }
          ],
          "value": "Update Mattermost Mobile Apps to versions 2.13.0 or higher.\n\n"
        }
      ],
      "source": {
        "advisory": "MMSA-2023-00277",
        "defect": [
          "https://mattermost.atlassian.net/browse/MM-55257"
        ],
        "discovery": "EXTERNAL"
      },
      "title": " Denial of Service for mobile app users due to automatic code highlighting",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "cveId": "CVE-2024-24975",
    "datePublished": "2024-03-15T09:07:13.379Z",
    "dateReserved": "2024-03-14T09:38:07.486Z",
    "dateUpdated": "2024-08-01T23:36:21.260Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-26109

CVE-2024-24975 (GCVE-0-2024-24975)

Tags

Sightings

Nomenclature