CVE-2024-1953: 
Chainguard vulnerability analysis and mitigation

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 contain a vulnerability where the system fails to limit the number of role names requested from the API. This vulnerability was disclosed on February 29, 2024, and allows an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request (NVD, CVE Mitre).

The vulnerability has been assigned CVE-2024-1953 and received a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption). The vulnerability specifically relates to the API's handling of role name requests, where the lack of proper request size limitations can lead to resource exhaustion (NVD).

When exploited, this vulnerability can result in a denial of service condition through server memory exhaustion and subsequent crash. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (NVD).

Users should upgrade to Mattermost versions 8.1.9, 9.2.5, or 9.4.2 or later, depending on their current version track. These releases contain fixes for the vulnerability (Vendor Advisory).