CVE-2023-5193

2023-09-2910:15:10

CWE-863

[email protected]

web.nvd.nist.gov

mattermost

post retrieval

vulnerability

cve-2023-5193

nvd

system role

permission

dm conversation

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

3.6 Low

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.0%

JSON

Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.

Affected configurations

NVD

Node

mattermostmattermostRange7.0.0–7.8.10

mattermostmattermostRange8.0.0–8.0.2

mattermostmattermostRange8.1.0–8.1.1

CPENameOperatorVersion
mattermost:mattermostmattermostlt7.8.10
mattermost:mattermostmattermostlt8.0.2
mattermost:mattermostmattermostlt8.1.1

CPE	Name	Operator	Version
mattermost:mattermost	mattermost	lt	7.8.10
mattermost:mattermost	mattermost	lt	8.0.2
mattermost:mattermost	mattermost	lt	8.1.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "8.0.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "7.8.9",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "8.1.0"
      },
      {
        "status": "unaffected",
        "version": "8.0.2"
      },
      {
        "status": "unaffected",
        "version": "8.1.1"
      },
      {
        "status": "unaffected",
        "version": "7.8.10"
      }
    ]
  }
]