CVE-2023-48268: Denial of Service via Board Import Zip Bomb
First published: Mon Nov 27 2023(Updated: )
Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb).
Credit: responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/mattermost/mattermost-server/v6 | <7.8.13 | 7.8.13 |
| go/github.com/mattermost/mattermost/server/v8 | <8.1.4 | 8.1.4 |
| go/github.com/mattermost/mattermost/server/v8 | >=9.0.0<9.0.2 | 9.0.2 |
| go/github.com/mattermost/mattermost/server/v8 | >=9.1.0<9.1.1 | 9.1.1 |
| Mattermost Mattermost | <=7.8.12 | |
| Mattermost Mattermost | >=8.0.0<=8.1.3 | |
| Mattermost Mattermost | >=9.0.0<=9.0.1 | |
| Mattermost Mattermost | =9.1.0 |
Remedy
Update Mattermost Server to versions 9.1.1, 9.0.2, 7.8.13, 8.1.4 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-48268?
CVE-2023-48268 is a vulnerability in Mattermost that allows an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a specially crafted zip bomb during board import in Mattermost Boards.
How does the Denial of Service via Board Import Zip Bomb vulnerability work?
The vulnerability occurs because Mattermost fails to limit the amount of data extracted from compressed archives during board import, allowing an attacker to consume excessive resources by importing a specially crafted zip bomb.
What is the severity of CVE-2023-48268?
CVE-2023-48268 has a severity level of medium with a CVSS score of 4.3.
Which versions of Mattermost are affected by CVE-2023-48268?
Mattermost versions 7.8.13, 8.1.4, 9.0.0 to 9.0.2, and 9.1.0 to 9.1.1 are affected by CVE-2023-48268.
How can I fix CVE-2023-48268?
To fix CVE-2023-48268, update your Mattermost installation to version 7.8.13, 8.1.4, 9.0.2, or 9.1.1.
- collector/github-advisory-latest
- alias/GHSA-j4c3-3h73-74m9
- alias/CVE-2023-48268
- collector/nvd-api
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/remedy
- agent/severity
- agent/title
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- package-manager/go
- vendor/mattermost
- canonical/mattermost mattermost
- version/mattermost mattermost/7.8.12
- version/mattermost mattermost/8.0.0
- version/mattermost mattermost/8.1.3
- version/mattermost mattermost/9.0.0
- version/mattermost mattermost/9.0.1
- version/mattermost mattermost/9.1.0