CVE-2022-2406

MEDIUM

Mattermost <= 6.7.0 - Authenticated Denial of Service via Slack Import REST API

Title source: llm
STIX 2.1

Description

The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_misc
https://mattermost.com/security-updates/

Scores

CVSS v3 4.3
EPSS 0.0043
EPSS Percentile 62.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-770 CWE-400
Status published
Products (4)
mattermost/mattermost 6.6.0
mattermost/mattermost 6.6.1
mattermost/mattermost 6.7.0
mattermost/mattermost < 6.3.8
Published Jul 14, 2022
Tracked Since Feb 18, 2026