CVE-2024-4183 - Vulnerability Details - OpenCVE

Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00174.

Key SSVC decision points have not yet been added.

Vendors	Products
Mattermost	Mattermost Server

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-1321	Mattermost fails to limit the number of active sessions
Github GHSA	GHSA-wj37-mpq9-xrcm	Mattermost fails to limit the number of active sessions

Fixes

Solution

Update Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://mattermost.com/security-updates
https://nvd.nist.gov/vuln/detail/CVE-2024-4183
https://www.cve.org/CVERecord?id=CVE-2024-4183

History

Mon, 12 May 2025 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost Server
Weaknesses		CWE-770
CPEs		cpe:2.3:a:mattermost:mattermost_server::::::::
Vendors & Products		Mattermost Mattermost mattermost Server

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-04-26T08:25:47.088Z

Updated: 2024-08-01T20:33:52.871Z

Reserved: 2024-04-25T14:18:54.310Z

Link: CVE-2024-4183

Vulnrichment

Updated: 2024-08-01T20:33:52.871Z

NVD

Status : Analyzed

Published: 2024-04-26T09:15:12.717

Modified: 2025-05-12T13:42:25.250

Link: CVE-2024-4183

Redhat

Severity : Low

Publid Date: 2024-04-26T00:00:00Z

Links: CVE-2024-4183 - Bugzilla

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4183", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-04-25T14:18:54.310Z", "datePublished": "2024-04-26T08:25:47.088Z", "dateUpdated": "2024-08-01T20:33:52.871Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "8.1.10", "status": "affected", "version": "9.6.0", "versionType": "semver"}, {"lessThanOrEqual": "9.5.2", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"lessThanOrEqual": "9.4.4", "status": "affected", "version": "9.4.0", "versionType": "semver"}, {"lessThanOrEqual": "8.1.11", "status": "affected", "version": "8.1.0", "versionType": "semver"}, {"lessThanOrEqual": "8.1.11", "status": "unaffected", "version": "9.7.0", "versionType": "semver"}, {"status": "unaffected", "version": "9.6.1"}, {"status": "unaffected", "version": "9.5.3"}, {"status": "unaffected", "version": "9.4.5"}, {"status": "unaffected", "version": "8.1.12"}]}], "credits": [{"lang": "en", "type": "finder", "value": "vultza (vultza)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.</p>"}], "value": "Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-04-26T08:25:47.088Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.</p>"}], "value": "Update Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.\n\n"}], "source": {"advisory": "MMSA-2023-00279", "defect": ["https://mattermost.atlassian.net/browse/MM-55319"], "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4183", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-29T17:36:22.940094Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.6.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.4.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "8.1.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:54:30.447Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:33:52.871Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:33:52.871Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4183", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-29T17:36:22.940094Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.6.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "9.4.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "8.1.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T17:41:18.404Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"source": {"defect": ["https://mattermost.atlassian.net/browse/MM-55319"], "advisory": "MMSA-2023-00279", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "vultza (vultza)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "9.6.0", "versionType": "semver", "lessThanOrEqual": "8.1.10"}, {"status": "affected", "version": "9.5.0", "versionType": "semver", "lessThanOrEqual": "9.5.2"}, {"status": "affected", "version": "9.4.0", "versionType": "semver", "lessThanOrEqual": "9.4.4"}, {"status": "affected", "version": "8.1.0", "versionType": "semver", "lessThanOrEqual": "8.1.11"}, {"status": "unaffected", "version": "9.7.0", "versionType": "semver", "lessThanOrEqual": "8.1.11"}, {"status": "unaffected", "version": "9.6.1"}, {"status": "unaffected", "version": "9.5.3"}, {"status": "unaffected", "version": "9.4.5"}, {"status": "unaffected", "version": "8.1.12"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-04-26T08:25:47.088Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4183", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:33:52.871Z", "dateReserved": "2024-04-25T14:18:54.310Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-04-26T08:25:47.088Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "78A6C1F3-95B8-4231-B5D8-C8BB65EA9BFB", "versionEndExcluding": "8.1.12", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AB75A52-8C4A-44EC-AC33-B97F122FC6CA", "versionEndExcluding": "9.4.5", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4846F2D-56D5-4D24-BF0D-2075072A6ADF", "versionEndExcluding": "9.5.3", "versionStartIncluding": "9.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4540F56-1DA0-407F-A909-335D8DF3193C", "versionEndExcluding": "9.6.1", "versionStartIncluding": "9.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.\n\n"}, {"lang": "es", "value": "Las versiones de Mattermost 8.1.x anteriores a 8.1.12, 9.6.x anteriores a 9.6.1, 9.5.x anteriores a 9.5.3, 9.4.x anteriores a 9.4.5 no limitan el n\u00famero de sesiones activas, lo que permite que un atacante autenticado falle el servidor a trav\u00e9s de solicitudes repetidas a la API getSessions despu\u00e9s de inundar la tabla de sesiones."}], "id": "CVE-2024-4183", "lastModified": "2025-05-12T13:42:25.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-26T09:15:12.717", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mattermost: fail to limit the number of active sessions", "id": "2277346", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2277346"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.", "A flaw was found in Mattermost, where it fails to limit the number of active sessions. This flaw allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table."], "name": "CVE-2024-4183", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-docs-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-scanner-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-scanner-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2024-04-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-4183\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-4183\nhttps://mattermost.com/security-updates"], "threat_severity": "Low"}