CVE-2024-28053: 
vulnerability analysis and mitigation

A resource exhaustion vulnerability was identified in Mattermost Server versions 8.1.x before 8.1.10. The vulnerability was assigned CVE-2024-28053 and was disclosed on March 15, 2024. The affected software fails to properly limit the size of payloads that can be read and parsed (NVD).

The vulnerability stems from a failure to implement proper payload size limitations in the server's email handling functionality. This weakness is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and requiring low privileges (NVD).

When exploited, this vulnerability allows an attacker to send a very large email payload that can cause the Mattermost server to crash, resulting in a denial of service condition. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in Mattermost Server version 8.1.10. Organizations running affected versions should upgrade to version 8.1.10 or later to mitigate this vulnerability (Vendor Advisory).