Miggo Logo
Miggo Vulnerability Database
CVE-2024-1949

CVE-2024-1949:
Mattermost race condition

2.6

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-1949
GHSA ID
GHSA-3g35-v53r-gpxc
EPSS Score
0.36424%
CWE
CWE-200
Published
2/29/2024
Updated
12/13/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/mattermost/mattermost/server/v8go>= 9.0.0, < 9.4.29.4.2
github.com/mattermost/mattermost/server/v8go< 8.1.98.1.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description and associated CWEs indicate a race condition between post creation and deletion operations. However, without access to the specific code changes in the patched versions (8.1.9 and 9.4.2) or commit diffs, it's impossible to definitively identify the exact vulnerable functions. The vulnerability likely involves interaction between post creation and deletion logic, potentially in functions handling post persistence or permission checks, but insufficient information exists to pinpoint specific functions/paths with high confidence. The lack of GitHub patch/commit information significantly limits the ability to correlate the described race condition with concrete code implementations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* r*** *on*ition in M*tt*rmost v*rsions *.*.x ***or* *.*.*, *n* *.*.x ***or* *.*.* *llows *n *ut**nti**t** *tt**k*r to **in un*ut*oriz** ****ss to in*ivi*u*l posts' *ont*nts vi* **r**ully tim** post *r**tion w*il* *not**r us*r **l*t*s posts.

Reasoning

T** vuln*r**ility **s*ription *n* *sso*i*t** *W*s in*i**t* * r*** *on*ition **tw**n post *r**tion *n* **l*tion op*r*tions. *ow*v*r, wit*out ****ss to t** sp**i*i* *o** ***n**s in t** p*t**** v*rsions (*.*.* *n* *.*.*) or *ommit *i**s, it's impossi*l*