CVE-2023-3577Server-Side Request Forgery in Server

CWE-918Server-Side Request ForgeryCWE-362Race Condition4 documents4 sources
Severity
4.3MEDIUMNVD
CNA3.5
EPSS
0.2%
top 58.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mattermost ServerMattermost
Timeline
PublishedJul 17

Description

Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDmattermost/mattermost_server7.8.07.8.7+1
CVEListV5mattermost/mattermost7.9.6+2

🔴Vulnerability Details

2
CVEList
Limited blind SSRF to localhost/intranet in interactive dialog implementation2023-07-17
GHSA
GHSA-qq52-64c9-pcw8: Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited2023-07-17
CVE-2023-3577 — Server-Side Request Forgery in Server | cvebase