CVE-2023-2784 - OpenCVE

Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user send install requests to the Apps.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Mattermost	Mattermost

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost::::::::
	cpe:2.3:a:mattermost:mattermost::::::::
	cpe:2.3:a:mattermost:mattermost:7.10.0:::::::*

References

Link	Resource
https://mattermost.com/security-updates	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Mattermost

Published: 2023-06-16T08:41:59.270Z

Updated: 2023-06-16T08:41:59.270Z

Reserved: 2023-05-18T10:27:20.883Z

Link: CVE-2023-2784

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-06-16T09:15:09.787

Modified: 2023-06-23T19:38:31.707

Link: CVE-2023-2784

JSON object: View

Redhat Information

No data.

CWE

CWE-862

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-2784", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2023-05-18T10:27:20.883Z", "datePublished": "2023-06-16T08:41:59.270Z", "dateUpdated": "2023-06-16T08:41:59.270Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost App Framework", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "7.8.4", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "7.9.3", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "affected", "version": "7.10.0"}, {"status": "unaffected", "version": "v7.8.5"}, {"status": "unaffected", "version": "v7.9.4"}, {"status": "unaffected", "version": "v7.10.1"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rohitesh Gupta"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user send install requests to the Apps. "}], "value": "Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user send install requests to the Apps. "}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2023-06-16T08:41:59.270Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Server to versions v7.8.5, v7.9.4, v7.10.1 or higher.</p>"}], "value": "Update Mattermost Server to versions v7.8.5, v7.9.4, v7.10.1 or higher.\n\n"}], "source": {"advisory": "MMSA-2023-00152", "defect": ["https://mattermost.atlassian.net/browse/MM-49876"], "discovery": "INTERNAL"}, "title": "Apps Framework allows install requests from regular members via an internal path", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*", "matchCriteriaId": "970C833F-3F25-43E1-B7AE-717BF35F998F", "versionEndIncluding": "7.8.4", "versionStartIncluding": "7.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB584691-CB58-4D9A-B475-4078ED1984F3", "versionEndIncluding": "7.9.3", "versionStartIncluding": "7.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:7.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "980D0FB9-D2FF-4C31-BC92-07073A8F4BB3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user send install requests to the Apps. "}], "id": "CVE-2023-2784", "lastModified": "2023-06-23T19:38:31.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2023-06-16T09:15:09.787", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}