CVE-2024-47003: DoS via non-string message using permalink embed
First published: Thu Sep 26 2024(Updated: )
Mattermost does not strip `embeds` from `metadata` when broadcasting `posted` events. This allows users to include arbitrary embeds in posts, which are then broadcasted via websockets. This can be exploited in many ways, for example to create permalinks with fully customizable content or to trigger a client Side Denial of Service (DoS) by sending a permalink with a non-string message. The advisory metadata references the appropriate go pseudo version available from pkg.go.dev
Credit: responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost Mattermost Server | >=9.5.0<9.5.9 | |
| Mattermost Mattermost Server | =9.11.0 | |
| Mattermost Mattermost Server | =9.11.0-rc1 | |
| Mattermost Mattermost Server | =9.11.0-rc2 | |
| Mattermost Mattermost Server | =9.11.0-rc3 | |
| go/github.com/mattermost/mattermost/server/v8 | <8.0.0-20240806094731-69a8b3df0f9f | 8.0.0-20240806094731-69a8b3df0f9f |
Remedy
Update Mattermost to versions 10.0.0, 9.11.1, 9.5.9 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://mattermost.com/security-updates
- https://nvd.nist.gov/vuln/detail/CVE-2024-47003
- https://github.com/mattermost/mattermost/pull/27763
- https://github.com/mattermost/mattermost/commit/69a8b3df0f9fd3a7a5b792ec678b6191618d039b
- https://github.com/c0rydoras/cves/tree/main/CVE-2024-47003
- https://github.com/advisories/GHSA-59hf-mpf8-pqjh (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-47003?
CVE-2024-47003 has a moderate severity rating due to the potential for arbitrary content embedding in posts.
How do I fix CVE-2024-47003?
To fix CVE-2024-47003, upgrade to Mattermost Server version 8.0.0-20240806094731-69a8b3df0f9f or later.
Which versions of Mattermost are affected by CVE-2024-47003?
CVE-2024-47003 affects Mattermost Server versions 9.5.0 to 9.5.9 and version 9.11.0.
What type of attack can CVE-2024-47003 enable?
CVE-2024-47003 can enable users to create permalinks with customizable content through arbitrary embeds in posts.
Can CVE-2024-47003 be exploited through websockets?
Yes, CVE-2024-47003 can be exploited via websockets, allowing the broadcast of malicious embeds.
- agent/remedy
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-59hf-mpf8-pqjh
- alias/CVE-2024-47003
- agent/last-modified-date
- agent/severity
- agent/author
- agent/references
- agent/description
- collector/nvd-cve
- agent/softwarecombine
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/github-advisory
- agent/trending
- agent/tags
- agent/source
- vendor/mattermost
- canonical/mattermost mattermost server
- version/mattermost mattermost server/9.5.0
- version/mattermost mattermost server/9.11.0
- version/mattermost mattermost server/9.11.0-rc1
- version/mattermost mattermost server/9.11.0-rc2
- version/mattermost mattermost server/9.11.0-rc3
- package-manager/go