CVE-2024-48872
MEDIUM4.8EPSS 0.08%Mattermost Race Condition vulnerability
Published: 12/16/2024Modified: 12/18/2024
Description
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests
Affected packages (5)
- Go/github.com/mattermost/mattermost-server>= 9.5.0+incompatible, < 9.5.13+incompatible, >= 9.11.0+incompatible, < 9.11.5+incompatible, >= 10.0.0+incompatible, < 10.0.3+incompatible, >= 10.1.0+incompatible, < 10.1.3+incompatible
- Go/github.com/mattermost/mattermost-server/v5from 0
- Go/github.com/mattermost/mattermost-server/v6from 0
- Go/github.com/mattermost/mattermost/server/v8>= 10.1.0, < 10.1.3
- Go/github.com/mattermost/mattermost/server/v8from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |