First published: Mon Nov 06 2023(Updated: )
Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items.
Credit: responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com
Affected Software | Affected Version | How to fix |
---|---|---|
Mattermost Mattermost | <=7.8.11 | |
Mattermost Mattermost | >=8.0.0<=8.0.3 | |
Mattermost Mattermost | >=8.1.0<=8.1.2 | |
Mattermost Mattermost | =9.0.0 | |
go/github.com/mattermost/mattermost/server/v8 | =9.0.0 | 9.0.1 |
go/github.com/mattermost/mattermost/server/v8 | >=8.1.0<8.1.3 | 8.1.3 |
go/github.com/mattermost/mattermost/server/v8 | >=8.0.0<8.0.4 | 8.0.4 |
go/github.com/mattermost/mattermost-server/v6 | <7.8.12 | 7.8.12 |
<=7.8.11 | ||
>=8.0.0<=8.0.3 | ||
>=8.1.0<=8.1.2 | ||
=9.0.0 |
Update Mattermost Server to versions 7.8.12, 8.0.4, 8.1.3, 9.0.1 or higher.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2023-5969.
The title of the vulnerability is 'Denial of Service via Link Preview in /api/v4/redirect_location'.
The vulnerability occurs when Mattermost fails to properly sanitize the request to /api/v4/redirect_location, allowing an attacker to fill up the memory due to caching large items.
The severity of CVE-2023-5969 is medium with a CVSS score of 5.3.
To fix CVE-2023-5969, update Mattermost to version 9.0.1, 8.1.3, 8.0.4, or 7.8.12 depending on the affected version.