CVE-2024-4182: Mattermost crashes web clients via a malformed custom status
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users’ web clients via a malformed custom status.
References
- github.com/advisories/GHSA-8f99-g2pj-x8w3
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost/commit/41333a0babf565453d89287549bec1e546e75ce7
- github.com/mattermost/mattermost/commit/6cbab0f7ece104681f73dd12c75d9f22d567125e
- github.com/mattermost/mattermost/commit/a99dadd80c57d376185ca06f8f70919a6f135bc6
- github.com/mattermost/mattermost/commit/f84f8ed65f6a5faba974426424b684635455a527
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2024-4182
Code Behaviors & Features
Detect and mitigate CVE-2024-4182 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →