Lucene search

GoogleOSV:BIT-MATTERMOST-2023-4478

HistoryMar 06, 2024 - 10:59 a.m.

BIT-mattermost-2023-4478

2024-03-0610:59:17

Google

osv.dev

mattermost

signup

vulnerability

attackers

inactive users

system admin

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

6.8 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Mattermost fails to restrict which parameters’ values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.

CPENameOperatorVersion
mattermostlt7.10.5
mattermostge8.0.0
mattermostle8.0.0
mattermostge7.9.0
mattermostlt7.8.9

Name	Operator	Version
mattermost	lt	7.10.5
mattermost	ge	8.0.0
mattermost	le	8.0.0
mattermost	ge	7.9.0
mattermost	lt	7.8.9

References

mattermost.com/security-updates

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

6.8 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for OSV:BIT-MATTERMOST-2023-4478