Lucene search

MattermostCVELIST:CVE-2023-6547

HistoryDec 12, 2023 - 8:22 a.m.

CVE-2023-6547 Playbooks access/modification by removed team member

2023-12-1208:22:41

CWE-284

Mattermost

www.cve.org

mattermost

validation

team membership

user access

modification

security vulnerability

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

14.2%

JSON

Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "8.1.5",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.2.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "8.1.6"
      },
      {
        "status": "unaffected",
        "version": "9.2.2"
      }
    ]
  }
]

References

mattermost.com/security-updates