CVE-2023-5522 - Vulnerability Details - OpenCVE

Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00085.

Key SSVC decision points have not yet been added.

Vendors	Products
Mattermost	Mattermost

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost::::::android::*
	cpe:2.3:a:mattermost:mattermost::::::iphone_os::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-57835	Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel.

Fixes

Solution

Update Mattermost Mobile to versions 2.8.0 or higher.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://mattermost.com/security-updates

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2023-10-17T09:41:14.833Z

Updated: 2024-09-05T19:58:49.574Z

Reserved: 2023-10-11T12:14:11.518Z

Link: CVE-2023-5522

Vulnrichment

Updated: 2024-08-02T07:59:44.863Z

NVD

Status : Modified

Published: 2023-10-17T10:15:10.427

Modified: 2024-11-21T08:41:56.090

Link: CVE-2023-5522

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5522", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2023-10-11T12:14:11.518Z", "datePublished": "2023-10-17T09:41:14.833Z", "dateUpdated": "2024-09-05T19:58:49.574Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThan": "2.8.0", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "2.8.0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "\u0160imon \u010cech\u00e1\u010dek"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to s<span style=\"background-color: rgb(255, 255, 255);\">end a post with </span><span style=\"background-color: rgb(255, 255, 255);\">hundreds of emojis to a channel and</span> freeze the mobile app of users when viewing that particular channel. </p>"}], "value": "Mattermost Mobile fails to limit\u00a0the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and\u00a0freeze the mobile app of users when viewing that particular channel.\u00a0\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2023-10-17T09:41:14.833Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Mobile to versions 2.8.0 or higher.</p>"}], "value": "Update Mattermost Mobile to versions 2.8.0 or higher.\n\n"}], "source": {"advisory": "MMSA-2023-00226", "defect": ["https://mattermost.atlassian.net/browse/MM-53106"], "discovery": "EXTERNAL"}, "title": "Mobile app freezes when receiving a post with hundreds of emojis", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:44.863Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T19:57:57.382239Z", "id": "CVE-2023-5522", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T19:58:49.574Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:44.863Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-5522", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-05T19:57:57.382239Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T19:58:16.110Z"}}], "cna": {"title": "Mobile app freezes when receiving a post with hundreds of emojis", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-53106"], "advisory": "MMSA-2023-00226", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "\u0160imon \u010cech\u00e1\u010dek"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "lessThan": "2.8.0", "versionType": "semver"}, {"status": "unaffected", "version": "2.8.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Mobile to versions 2.8.0 or higher.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost Mobile to versions 2.8.0 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Mattermost Mobile fails to limit\u00a0the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and\u00a0freeze the mobile app of users when viewing that particular channel.\u00a0\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to s<span style=\"background-color: rgb(255, 255, 255);\">end a post with </span><span style=\"background-color: rgb(255, 255, 255);\">hundreds of emojis to a channel and</span> freeze the mobile app of users when viewing that particular channel. </p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2023-10-17T09:41:14.833Z"}}}, "cveMetadata": {"cveId": "CVE-2023-5522", "state": "PUBLISHED", "dateUpdated": "2024-09-05T19:58:49.574Z", "dateReserved": "2023-10-11T12:14:11.518Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2023-10-17T09:41:14.833Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:android:*:*", "matchCriteriaId": "5CDF40BF-82EB-4109-A6A8-BE16F18604DB", "versionEndExcluding": "2.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "98266404-FB76-4221-8E3B-AC6C018F3CD8", "versionEndExcluding": "2.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mattermost Mobile fails to limit\u00a0the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and\u00a0freeze the mobile app of users when viewing that particular channel.\u00a0\n\n"}, {"lang": "es", "value": "Mattermost Mobile no limita la cantidad m\u00e1xima de elementos Markdown en una publicaci\u00f3n, lo que permite a un atacante enviar una publicaci\u00f3n con cientos de emojis a un canal y congelar la aplicaci\u00f3n m\u00f3vil de los usuarios cuando ven ese canal en particular."}], "id": "CVE-2023-5522", "lastModified": "2024-11-21T08:41:56.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-17T10:15:10.427", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}