Lucene search

Veracode Vulnerability DatabaseVERACODE:44923

HistoryJan 03, 2024 - 9:09 a.m.

Insufficient Authorization

2024-01-0309:09:19

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

insufficient authorization

websocket

broadcast vulnerability

channel.

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.2%

JSON

github.com/mattermost/mattermost/ is vulnerable to Insufficient Authorization. The vulnerability is caused due to insufficient scoping of WebSocket responses to authorised users, resulting in Websocket responses being broadcasted to everyone in the channel.

CPENameOperatorVersion
github.com/mattermost/mattermostlev8.1.6-rc1
github.com/mattermost/mattermostlev8.1.6-rc1

CPE	Name	Operator	Version
	github.com/mattermost/mattermost	le	v8.1.6-rc1
	github.com/mattermost/mattermost	le	v8.1.6-rc1

References

github.com/mattermost/mattermost/commit/851515be222160bee0a495c0d411056b19ed4111

mattermost.com/security-updates

mattermost.com/security-updates/

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.2%

JSON

Related for VERACODE:44923