CVE-2023-49809: Todo plugin gets crashed and disabled by member
First published: Tue Dec 12 2023(Updated: )
Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost | <=8.1.5 | |
| Mattermost | >=9.0.0<=9.1.0 |
Remedy
Update Mattermost Server to versions 8.1.6, 9.2.0 or higher
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-49809?
CVE-2023-49809 is classified as a denial-of-service vulnerability affecting Mattermost.
How do I fix CVE-2023-49809?
To mitigate CVE-2023-49809, users should upgrade to Mattermost Server version 9.1.0 or later.
What specific issue does CVE-2023-49809 cause?
CVE-2023-49809 allows a simple member to crash the Mattermost server by sending a request with a null request body to the /add endpoint.
Who is affected by CVE-2023-49809?
CVE-2023-49809 affects Mattermost Server versions up to 8.1.5 and between 9.0.0 and 9.1.0.
What happens when CVE-2023-49809 is exploited?
Exploiting CVE-2023-49809 can disable the plugin after repeated crashes caused by null requests.
- agent/type
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/references
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/title
- agent/description
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- vendor/mattermost
- canonical/mattermost
- version/mattermost/8.1.5
- version/mattermost/9.0.0
- version/mattermost/9.1.0