CVE-2023-4107 Incorrect authorization allows a user manager to update a system admin

2023-08-1106:12:21

CWE-863

Mattermost

www.cve.org

mattermost

authorization

vulnerability

user manager

update

admin details

6.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

6.8 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.0%

JSON

Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin’s details such as email, first name and last name.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "7.8.7",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "7.9.5",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "7.10.3",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "7.8.8"
      },
      {
        "status": "unaffected",
        "version": "7.9.6"
      },
      {
        "status": "unaffected",
        "version": "7.10.4"
      }
    ]
  }
]