CVE-2025-0476 - Vulnerability Details - OpenCVE

Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00143.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Fixes

Solution

Update Mattermost Mobile Apps to versions 2.23.0 or higher.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://mattermost.com/security-updates

History

Thu, 16 Jan 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 16 Jan 2025 00:00:00 +0000

Type	Values Removed	Values Added
Description		Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment
Title		Mobile crash via file with specially crafted filename
Weaknesses		CWE-1287
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2025-01-15T23:44:45.934Z

Updated: 2025-01-16T14:22:23.004Z

Reserved: 2025-01-14T20:51:53.990Z

Link: CVE-2025-0476

Vulnrichment

Updated: 2025-01-16T14:22:18.518Z

NVD

Status : Received

Published: 2025-01-16T00:15:25.217

Modified: 2025-01-16T00:15:25.217

Link: CVE-2025-0476

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-0476", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2025-01-14T20:51:53.990Z", "datePublished": "2025-01-15T23:44:45.934Z", "dateUpdated": "2025-01-16T14:22:23.004Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "2.22.0", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "2.23.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "lsibilev"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment"}], "value": "Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-01-15T23:44:45.934Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Mobile Apps to versions 2.23.0 or higher.</p>"}], "value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."}], "source": {"advisory": "MMSA-2024-00405", "defect": ["https://mattermost.atlassian.net/browse/MM-61752"], "discovery": "EXTERNAL"}, "title": "Mobile crash via file with specially crafted filename", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-16T14:22:07.409471Z", "id": "CVE-2025-0476", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T14:22:23.004Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0476", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-16T14:22:07.409471Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T14:22:18.518Z"}}], "cna": {"title": "Mobile crash via file with specially crafted filename", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-61752"], "advisory": "MMSA-2024-00405", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "lsibilev"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.22.0"}, {"status": "unaffected", "version": "2.23.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost Mobile Apps to versions 2.23.0 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment", "supportingMedia": [{"type": "text/html", "value": "Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-01-15T23:44:45.934Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0476", "state": "PUBLISHED", "dateUpdated": "2025-01-16T14:22:23.004Z", "dateReserved": "2025-01-14T20:51:53.990Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2025-01-15T23:44:45.934Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}