cve-2023-4106
Vulnerability from cvelistv5
Published
2023-08-11 06:12
Modified
2024-10-01 20:21
Severity ?
EPSS score ?
Summary
Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Mattermost | Mattermost |
Version: 0 ≤ 7.8.7 Version: 0 ≤ 7.9.5 Version: 0 ≤ 7.10.3 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:11.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T20:20:46.702396Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T20:21:07.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.8"
},
{
"status": "unaffected",
"version": "7.9.6"
},
{
"status": "unaffected",
"version": "7.10.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Eva Sarafianou"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to\u0026nbsp;view, join, edit, export and archive public playbooks.\u003c/p\u003e"
}
],
"value": "Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to\u00a0view, join, edit, export and archive public playbooks.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-11T06:12:11.064Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.8, 7.9.5, 7.10.4 or higher. Otherwise, update the Playbooks plugin to version\u0026nbsp;v1.37.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 7.8.8, 7.9.5, 7.10.4 or higher. Otherwise, update the Playbooks plugin to version\u00a0v1.37.0 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00181",
"defect": [
"https://mattermost.atlassian.net/browse/MM-52475"
],
"discovery": "INTERNAL"
},
"title": "A guest user can perform various actions on public playbooks",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-4106",
"datePublished": "2023-08-11T06:12:11.064Z",
"dateReserved": "2023-08-02T15:06:14.198Z",
"dateUpdated": "2024-10-01T20:21:07.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-4106\",\"sourceIdentifier\":\"responsibledisclosure@mattermost.com\",\"published\":\"2023-08-11T07:15:09.853\",\"lastModified\":\"2024-11-21T08:34:24.353\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to\u00a0view, join, edit, export and archive public playbooks.\\n\\n\"},{\"lang\":\"es\",\"value\":\"Mattermost no comprueba si el usuario solicitante es un invitado antes de realizar diferentes acciones en los libros de reproducci\u00f3n p\u00fablicos, por lo que un invitado puede ver, unirse, editar, exportar y archivar libros de reproducci\u00f3n p\u00fablicos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.8.0\",\"versionEndExcluding\":\"7.8.8\",\"matchCriteriaId\":\"DD009FA6-13F6-4278-BFD6-FEF7EB0CBE76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.9.0\",\"versionEndExcluding\":\"7.9.6\",\"matchCriteriaId\":\"48DD3C64-F6CE-486D-8AAF-DFB842C458A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.10.0\",\"versionEndExcluding\":\"7.10.4\",\"matchCriteriaId\":\"2033E504-EE27-49CC-8E76-5776450E1CD6\"}]}]}],\"references\":[{\"url\":\"https://mattermost.com/security-updates\",\"source\":\"responsibledisclosure@mattermost.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://mattermost.com/security-updates\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.