Miggo Logo
Miggo Vulnerability Database
CVE-2024-4183

CVE-2024-4183: Mattermost fails to limit the number of active sessions

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-4183
GHSA ID
GHSA-wj37-mpq9-xrcm
EPSS Score
0.39502%
CWE
CWE-400
Published
4/26/2024
Updated
4/26/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/mattermost/mattermost-servergo>= 9.6.0-rc1, <= 9.6.09.6.1
github.com/mattermost/mattermost-servergo>= 9.5.0, <= 9.5.29.5.3
github.com/mattermost/mattermost-servergo>= 9.4.0, <= 9.4.49.4.5
github.com/mattermost/mattermost-servergo>= 8.1.0, <= 8.1.118.1.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing session limit enforcement and rate-limiting. The patch adds 1) a maxSessionsLimit constant, 2) session revocation logic in limitNumberOfSessions, and 3) rate-limiting for the /sessions endpoint. The vulnerable functions are those responsible for session creation (CreateSession, newSession) and session retrieval (GetSessions) which lacked these protections. The commit diffs show these functions were modified to add limit checks, confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M*tt*rmost v*rsions *.*.x ***or* *.*.**, *.*.x ***or* *.*.*, *.*.x ***or* *.*.*, *.*.x ***or* *.*.* **il to limit t** num**r o* **tiv* s*ssions, w*i** *llows *n *ut**nti**t** *tt**k*r to *r*s* t** s*rv*r vi* r*p**t** r*qu*sts to t** **tS*ssions *PI *

Reasoning

T** vuln*r**ility st*ms *rom missin* s*ssion limit *n*or**m*nt *n* r*t*-limitin*. T** p*t** ***s *) * `m*xS*ssionsLimit` *onst*nt, *) s*ssion r*vo**tion lo*i* in `limitNum**rO*S*ssions`, *n* *) r*t*-limitin* *or t** `/s*ssions` *n*point. T** vuln*r**
CVE-2024-4183: Mattermost Session Flood DoS | Miggo