CVE-2022-4019 - Vulnerability Details - OpenCVE

Description

A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.

Published: 2022-11-23

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mattermost

Playbooks Plugin

unaffected

Version	Status	Constraints
`1.0.0`	affected	≤ 7.1.3
`7.1.4`	unaffected	≤ 7.1.*
`7.2.0`	affected	< 7.2.1
`7.3.0`	affected	< 7.3.1
`7.4.0`	unaffected	—

Configuration 1 [-]

cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update Mattermost to version v7.1.4, 7.2.1, 7.3.1, 7.4.0 or higher.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-51398	A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00391.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://hackerone.com/reports/1685979
https://mattermost.com/security-updates/

History

Sat, 07 Dec 2024 00:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Mattermost Mattermost

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2022-11-23T05:32:15.495Z

Updated: 2024-12-06T23:07:36.133Z

Reserved: 2022-11-16T11:55:40.576Z

Link: CVE-2022-4019

Vulnrichment

Updated: 2024-08-03T01:27:54.186Z

NVD

Status : Modified

Published: 2022-11-23T06:15:09.223

Modified: 2024-11-21T07:34:27.490

Link: CVE-2022-4019

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-770

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-4019", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "requesterUserId": "0a729610-c22f-40e3-9816-673e47743f12", "dateReserved": "2022-11-16T11:55:40.576Z", "datePublished": "2022-11-23T05:32:15.495Z", "dateUpdated": "2024-12-06T23:07:36.133Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Playbooks Plugin", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "7.1.3", "status": "affected", "version": "1.0.0", "versionType": "semver"}, {"lessThanOrEqual": "7.1.*", "status": "unaffected", "version": "7.1.4", "versionType": "semver"}, {"lessThan": "7.2.1", "status": "affected", "version": "7.2.0", "versionType": "semver"}, {"lessThan": "7.3.1", "status": "affected", "version": "7.3.0", "versionType": "semver"}, {"status": "unaffected", "version": "7.4.0"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.</span><br>"}], "value": "A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.\n"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2022-11-23T05:32:15.495Z"}, "references": [{"url": "https://mattermost.com/security-updates/"}, {"url": "https://hackerone.com/reports/1685979"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update Mattermost to version v7.1.4, 7.2.1, 7.3.1, 7.4.0 or higher."}], "value": "Update Mattermost to version v7.1.4, 7.2.1, 7.3.1, 7.4.0 or higher."}], "source": {"advisory": "MMSA-2022-00118", "discovery": "EXTERNAL"}, "title": "Authenticated user could send multiple requests containing a large payload to a Playbooks API and can crash a Mattermost server", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:27:54.186Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates/", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/1685979", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-06T22:52:33.734157Z", "id": "CVE-2022-4019", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-06T23:07:36.133Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates/", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/1685979", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:27:54.186Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-4019", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-06T22:52:33.734157Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-06T22:52:35.243Z"}}], "cna": {"title": "Authenticated user could send multiple requests containing a large payload to a Playbooks API and can crash a Mattermost server", "source": {"advisory": "MMSA-2022-00118", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Playbooks Plugin", "versions": [{"status": "affected", "version": "1.0.0", "versionType": "semver", "lessThanOrEqual": "7.1.3"}, {"status": "unaffected", "version": "7.1.4", "versionType": "semver", "lessThanOrEqual": "7.1.*"}, {"status": "affected", "version": "7.2.0", "lessThan": "7.2.1", "versionType": "semver"}, {"status": "affected", "version": "7.3.0", "lessThan": "7.3.1", "versionType": "semver"}, {"status": "unaffected", "version": "7.4.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to version v7.1.4, 7.2.1, 7.3.1, 7.4.0 or higher.", "supportingMedia": [{"type": "text/html", "value": "Update Mattermost to version v7.1.4, 7.2.1, 7.3.1, 7.4.0 or higher.", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates/"}, {"url": "https://hackerone.com/reports/1685979"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.\n", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2022-11-23T05:32:15.495Z"}}}, "cveMetadata": {"cveId": "CVE-2022-4019", "state": "PUBLISHED", "dateUpdated": "2024-12-06T23:07:36.133Z", "dateReserved": "2022-11-16T11:55:40.576Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2022-11-23T05:32:15.495Z", "requesterUserId": "0a729610-c22f-40e3-9816-673e47743f12", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*", "matchCriteriaId": "BE1073F4-FDE8-4875-951A-D87150D54A12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.\n"}, {"lang": "es", "value": "Una vulnerabilidad de Denegaci\u00f3n de Servicio (DoS) en el complemento Mattermost Playbooks permite que un usuario autenticado bloquee el servidor a trav\u00e9s de m\u00faltiples solicitudes grandes a uno de los endpoints de la API de Playbooks."}], "id": "CVE-2022-4019", "lastModified": "2024-11-21T07:34:27.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-23T06:15:09.223", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/1685979"}, {"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/1685979"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates/"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}