Lucene search

MattermostCVELIST:CVE-2023-27263

HistoryFeb 27, 2023 - 2:44 p.m.

CVE-2023-27263 IDOR: Accessing playbook runs via the Playbooks Runs API

2023-02-2714:44:52

CWE-862

Mattermost

www.cve.org

idor

playbooks runs api

missing permissions check

mattermost security

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

27.0%

JSON

A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Playbooks"
    ],
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "7.5.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "7.4.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "7.1.4",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

References

mattermost.com/security-updates/

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

27.0%

JSON

Related for CVELIST:CVE-2023-27263