
CVE-2024-1953: Mattermost fails to limit the number of role names

CVSS 3.1 Score: 4.3

Basic Information

EPSS Score: 0.33799%
Published: 2/29/2024
Updated: 12/13/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Package Name                                 Ecosystem   Vulnerable Versions   First Patched Version
github.com/mattermost/mattermost/server/v8   go          >= 9.4.0, < 9.4.2     9.4.2
github.com/mattermost/mattermost/server/v8   go          >= 9.3.0, < 9.3.1     9.3.1
github.com/mattermost/mattermost/server/v8   go          >= 9.2.0, < 9.2.5     9.2.5
github.com/mattermost/mattermost/server/v8   go          < 8.1.9               8.1.9

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing input validation on the API endpoints that handle role name requests, but the available information contains no code references, commit diffs, or specific function names. While the vulnerable code most likely lives in the role query handling path (for example, the API handlers that process role parameters), the advisory lacks the technical detail needed to identify the exact functions. The assigned CWEs, CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), point to a missing limit on the number of role names accepted per request, but without patch details or code context we cannot confidently name the specific vulnerable functions.


WAF Protection Rules

WAF Rule

Mattermost versions 9.4.x before 9.4.2, 9.3.x before 9.3.1, 9.2.x before 9.2.5, and 8.1.x before 8.1.9 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing
