Moderate severityNVD Advisory· Published Dec 16, 2024· Updated Dec 16, 2024
Bypass of "Max failed attempts" restriction via race condition
CVE-2024-48872
Description
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | >= 10.1.0, < 10.1.3 | 10.1.3 |
github.com/mattermost/mattermost/server/v8Go | >= 10.0.0, < 10.0.3 | 10.0.3 |
github.com/mattermost/mattermost/server/v8Go | >= 9.11.0, < 9.11.5 | 9.11.5 |
github.com/mattermost/mattermost/server/v8Go | >= 9.5.0, < 9.5.13 | 9.5.13 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/mattermost/mattermost/server/v8pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
>= 10.1.0, < 10.1.3+ 1 more
- (no CPE)range: >= 10.1.0, < 10.1.3
- (no CPE)range: < 0.0.20241218T202206-1.1
- Range: 10.1.0
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-826h-p4c3-477pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-48872ghsaADVISORY
- mattermost.com/security-updatesghsaWEB
News mentions
0No linked articles in our index yet.