CVE-2023-6547Improper Access Control in Mattermost

CWE-284Improper Access Control3 documents3 sources
Severity
5.4MEDIUMNVD
CNA3.7
EPSS
0.3%
top 44.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MattermostMattermost Server
Timeline
PublishedDec 12

Description

Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

CVEListV5mattermost/mattermost8.1.5+1
NVDmattermost/mattermost_server9.2.09.2.1+1

🔴Vulnerability Details

2
GHSA
GHSA-4gj5-jpg2-r4vj: Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissi2023-12-12
CVEList
Playbooks access/modification by removed team member2023-12-12
CVE-2023-6547 — Improper Access Control in Mattermost | cvebase