CVE-2023-47858

🗓️ 02 Jan 2024 09:54:25Reported by MattermostType

cve🔗 web.nvd.nist.gov👁 222 Views🌐 WEB

Mattermost fails to properly verify permissions, allowing unauthorized access to archived public channels

Reporter	Title	Published	Views	Family All 21
Chainguard	CVE-2023-47858 vulnerabilities	1 May 202507:14	–	cgr
Circl	CVE-2023-47858	2 Jan 202411:26	–	circl
CNNVD	Mattermost Security Vulnerabilities	2 Jan 202400:00	–	cnnvd
Cvelist	CVE-2023-47858 Details of archived public channels are leaked to members of another team	2 Jan 202409:54	–	cvelist
EUVD	EUVD-2024-0444	3 Oct 202520:07	–	euvd
Github Security Blog	Mattermost viewing archived public channels permissions vulnerability	2 Jan 202412:30	–	github
NVD	CVE-2023-47858	2 Jan 202410:15	–	nvd
OSV	BIT-MATTERMOST-2023-47858	6 Mar 202410:58	–	osv
OSV	CGA-2G4P-XJM7-MQ6H	31 Mar 202516:00	–	osv
OSV	CGA-4M9J-264V-7MR3	24 Jun 202414:34	–	osv

NVD

Node

mattermost mattermost_serverRange<8.1.7

mattermost mattermost_serverRange9.0.0–9.0.5

mattermost mattermost_serverRange9.1.0–9.1.4

mattermost mattermost_serverRange9.2.0–9.2.3

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "9.2.2",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.1.3",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.0.4",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.1.6",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "8.1.7"
      },
      {
        "status": "unaffected",
        "version": "9.0.5"
      },
      {
        "status": "unaffected",
        "version": "9.1.4"
      },
      {
        "status": "unaffected",
        "version": "9.2.3"
      }
    ]
  }
]

Source	Link
mattermost	www.mattermost.com/security-updates

Parameter	Position	Path	Description	CWE
team-id	path	/api/v4/teams/<team-id>/channels/deleted	Permissions check bypass allows a member of one team to view archived public channels of another team	CWE-284

21 Nov 2024 08:30Current

4.5Medium risk

Vulners AI Score4.5

CVSS 3.14.3

EPSS0.0019

SSVC

CWE-284