CVE-2024-24975 - Vulnerability Details - OpenCVE

Description

Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a very large code block and crash the mobile app.

Published: 2024-03-15

Score: 3.5 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mattermost

Mattermost Mobile

unaffected

Version	Status	Constraints
`2.13.0`	unaffected	—
`0`	affected	≤ 2.12.0

Configuration 1 [-]

cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update Mattermost Mobile Apps to versions 2.13.0 or higher.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-22338	Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a very large code block and crash the mobile app.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00118.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://mattermost.com/security-updates

History

Tue, 21 Jan 2025 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost Mobile
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:mattermost:mattermost_mobile::::::::
Vendors & Products		Mattermost Mattermost mattermost Mobile

Subscriptions

Mattermost Mattermost Mobile

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-03-15T09:07:13.379Z

Updated: 2024-08-01T23:36:21.260Z

Reserved: 2024-03-14T09:38:07.486Z

Link: CVE-2024-24975

Vulnrichment

Updated: 2024-08-01T23:36:21.260Z

NVD

Status : Analyzed

Published: 2024-03-15T09:15:06.843

Modified: 2025-01-21T18:41:23.220

Link: CVE-2024-24975

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24975", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-03-14T09:38:07.486Z", "datePublished": "2024-03-15T09:07:13.379Z", "dateUpdated": "2024-08-01T23:36:21.260Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost Mobile", "vendor": "Mattermost", "versions": [{"status": "unaffected", "version": "2.13.0"}, {"lessThanOrEqual": "2.12.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Gian Klug (coderion)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to <span style=\"background-color: rgb(255, 255, 255);\">limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a </span>very large code block and crash the mobile app.<br>"}], "value": "Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to\u00a0limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a\u00a0very large code block and crash the mobile app.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-03-15T09:07:13.379Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Mobile Apps to versions 2.13.0 or higher.</p>"}], "value": "Update Mattermost Mobile Apps to versions 2.13.0 or higher.\n\n"}], "source": {"advisory": "MMSA-2023-00277", "defect": ["https://mattermost.atlassian.net/browse/MM-55257"], "discovery": "EXTERNAL"}, "title": " Denial of Service for mobile app users due to automatic code highlighting", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24975", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T14:23:59.354672Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost_mobile", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.12.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:43:22.998Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:36:21.260Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:36:21.260Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24975", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T14:23:59.354672Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost_mobile", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.12.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-22T14:25:07.562Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": " Denial of Service for mobile app users due to automatic code highlighting", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-55257"], "advisory": "MMSA-2023-00277", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Gian Klug (coderion)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost Mobile", "versions": [{"status": "unaffected", "version": "2.13.0"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.12.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Mobile Apps to versions 2.13.0 or higher.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost Mobile Apps to versions 2.13.0 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to\u00a0limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a\u00a0very large code block and crash the mobile app.\n", "supportingMedia": [{"type": "text/html", "value": "Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to <span style=\"background-color: rgb(255, 255, 255);\">limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a </span>very large code block and crash the mobile app.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-03-15T09:07:13.379Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24975", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:36:21.260Z", "dateReserved": "2024-03-14T09:38:07.486Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-03-15T09:07:13.379Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*", "matchCriteriaId": "32530A99-A4F0-4A6A-8978-B3BAE560327C", "versionEndExcluding": "2.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to\u00a0limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a\u00a0very large code block and crash the mobile app.\n"}, {"lang": "es", "value": "El consumo incontrolado de recursos en las versiones de Mattermost Mobile anteriores a la 2.13.0 no limita el tama\u00f1o del bloque de c\u00f3digo que ser\u00e1 procesado por el resaltador de sintaxis, lo que permite a un atacante enviar un bloque de c\u00f3digo muy grande y bloquear la aplicaci\u00f3n m\u00f3vil."}], "id": "CVE-2024-24975", "lastModified": "2025-01-21T18:41:23.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-15T09:15:06.843", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}