History: Jun 16, 2023 - 8:41 a.m.

CVE-2023-2784 Apps Framework allows install requests from regular members via an internal path

2023-06-16 08:41:59
CWE-862
Mattermost
www.cve.org
cve-2023-2784
mattermost
install requests
security

CVSS3: 4.2 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L

EPSS: 0.0005 Low
Percentile: 17.7%

Mattermost fails to verify whether the requestor is a sysadmin before allowing install requests to the Apps, allowing a regular user to send install requests to the Apps.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost App Framework",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "7.8.4",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "7.9.3",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "7.10.0"
      },
      {
        "status": "unaffected",
        "version": "v7.8.5"
      },
      {
        "status": "unaffected",
        "version": "v7.9.4"
      },
      {
        "status": "unaffected",
        "version": "v7.10.1"
      }
    ]
  }
]
