CVE-2024-45843: Weak SSRF Filtering
First published: Thu Sep 26 2024(Updated: )
Mattermost versions 9.5.x <= 9.5.8 fail to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, which allows an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost | >=9.5.0<9.5.9 |
Remedy
Update Mattermost to versions 9.11.0, 9.5.9 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-45843?
CVE-2024-45843 is classified as a medium severity vulnerability due to its potential for SSRF attacks.
How do I fix CVE-2024-45843?
To fix CVE-2024-45843, upgrade Mattermost to version 9.5.9 or later which addresses the SSRF issue.
Which versions of Mattermost are affected by CVE-2024-45843?
CVE-2024-45843 affects Mattermost versions 9.5.0 to 9.5.8 inclusive.
What type of vulnerability is CVE-2024-45843?
CVE-2024-45843 is a Server-Side Request Forgery (SSRF) vulnerability.
Can CVE-2024-45843 be exploited in public cloud environments?
Yes, CVE-2024-45843 can be exploited if Mattermost is deployed in Oracle Cloud or Alibaba without the proper denylist in place.
- agent/remedy
- agent/title
- agent/weakness
- agent/references
- agent/description
- agent/type
- agent/first-publish-date
- agent/author
- agent/event
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/mattermost
- canonical/mattermost
- version/mattermost/9.5.0