CVE-2024-4182: Mattermost crashes web clients via a malformed custom status

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.41743%
Published: 4/26/2024
Updated: 4/26/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Package Name                             | Ecosystem | Vulnerable Versions      | First Patched Version
-----------------------------------------|-----------|--------------------------|----------------------
github.com/mattermost/mattermost-server  | go        | >= 8.1.0, <= 8.1.11      | 8.1.12
github.com/mattermost/mattermost-server  | go        | >= 9.4.0, <= 9.4.4       | 9.4.5
github.com/mattermost/mattermost-server  | go        | >= 9.5.0, <= 9.5.2       | 9.5.3
github.com/mattermost/mattermost-server  | go        | >= 9.6.0-rc1, <= 9.6.0   | 9.6.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from two key gaps:

  1. User.IsValid in user.go did not validate the integrity of custom status data before persisting it, so a malformed value could be stored. The patch added ValidateCustomStatus() checks here to reject invalid JSON.
  2. The webapp selector in custom_status.ts called JSON.parse without a try-catch block, so a stored value that is not valid JSON threw an exception while the client rendered it. The patch added error handling so that corrupted data no longer crashes the client.

Both functions directly contributed to the improper handling of exceptional conditions (CWE-754).
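The two gaps side by side, as an added illustration that is not Mattermost's own code: a web-client selector that decodes a user's stored custom status with an unguarded JSON.parse, and a hardened version that catches parse errors and checks the decoded shape. The user records, property name (customStatus) and status fields (emoji, text) are constructed for the example.

```javascript
// Constructed sample user records as a web client might hold them. The
// custom status is stored as a JSON string in the user's props; u2 carries
// a truncated (malformed) value and u3 a value that is valid JSON but the
// wrong shape. Names and fields are assumptions for this illustration.
const sampleUsers = [
  { id: 'u1', props: { customStatus: '{"emoji":"palm_tree","text":"On vacation"}' } },
  { id: 'u2', props: { customStatus: '{"emoji":"calendar","text":"In a meeting"' } },
  { id: 'u3', props: { customStatus: '[1,2,3]' } },
  { id: 'u4', props: {} },
];

// Vulnerable pattern: JSON.parse with no guard. A malformed value throws
// inside the selector, and the exception propagates into the rendering
// code of every client that displays this user's status.
function getCustomStatusUnsafe(user) {
  const raw = user.props && user.props.customStatus;
  return raw ? JSON.parse(raw) : null;
}

// Hardened pattern: catch parse errors and validate the decoded shape, so a
// corrupted value degrades to "no status" instead of crashing the client.
function getCustomStatusSafe(user) {
  const raw = user.props && user.props.customStatus;
  if (typeof raw !== 'string' || raw === '') return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return null; // malformed JSON: treat as no status
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
  if (typeof parsed.emoji !== 'string' || typeof parsed.text !== 'string') return null;
  return { emoji: parsed.emoji, text: parsed.text };
}

// Render a user list with the given selector. Counts the users whose
// rendering threw, which shows the blast radius of one bad stored record.
function renderAll(users, selector) {
  const rendered = [];
  let crashes = 0;
  for (const user of users) {
    try {
      const status = selector(user);
      rendered.push(status ? `${user.id}: ${status.emoji} ${status.text}` : `${user.id}: (no status)`);
    } catch (e) {
      crashes += 1;
    }
  }
  return { rendered, crashes };
}
```

The server-side counterpart is to reject such a value before it is persisted, so the stored record never reaches the clients in the first place.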
