CVE-2024-48872 | THREATINT

Description

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests

PUBLISHED Reserved 2024-12-11 | Published 2024-12-16 | Updated 2024-12-16 | Assigner Mattermost

MEDIUM: 4.8CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Product status

Default status

unaffected

10.1.0 (semver)

affected

10.0.0 (semver)

affected

9.11.0 (semver)

affected

9.5.0 (semver)

affected

10.2.0

unaffected

10.1.3

unaffected

10.0.3

unaffected

9.11.5

unaffected

9.5.13

unaffected

Credits

Roman Shchekin (qtros) finder

References

mattermost.com/security-updates

cve.org (CVE-2024-48872)

nvd.nist.gov (CVE-2024-48872)