GHSA-8f99-g2pj-x8w3

Source

https://github.com/advisories/GHSA-8f99-g2pj-x8w3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-8f99-g2pj-x8w3/GHSA-8f99-g2pj-x8w3.json

Aliases

CVE-2024-4182

Published

2024-04-26T09:30:34Z

Modified

2024-04-26T19:26:47.065768Z

Summary

Mattermost crashes web clients via a malformed custom status

Details

Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.

References

Affected packages

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

8.1.0

Fixed

8.1.12

Database specific

{
    "last_known_affected_version_range": "<= 8.1.11"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.4.0

Fixed

9.4.5

Database specific

{
    "last_known_affected_version_range": "<= 9.4.4"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.5.0

Fixed

9.5.3

Database specific

{
    "last_known_affected_version_range": "<= 9.5.2"
}

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

9.6.0-rc1

Fixed

9.6.1

Database specific

{
    "last_known_affected_version_range": "<= 9.6.0"
}