CVE-2023-2193 - OpenCVE

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mattermost	Mattermost

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost:7.1.7:::::::*
	cpe:2.3:a:mattermost:mattermost:7.7.3:::::::*
	cpe:2.3:a:mattermost:mattermost:7.8.2:::::::*
	cpe:2.3:a:mattermost:mattermost:7.9.1:::::::*

No data.

References

Link	Providers
https://mattermost.com/security-updates/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2023-04-20T08:17:04.731Z

Updated: 2024-08-02T06:12:20.643Z

Reserved: 2023-04-20T08:16:27.253Z

Link: CVE-2023-2193

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-04-20T09:15:10.603

Modified: 2023-05-02T18:13:54.933

Link: CVE-2023-2193

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2193", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2023-04-20T08:16:27.253Z", "datePublished": "2023-04-20T08:17:04.731Z", "dateUpdated": "2024-08-02T06:12:20.643Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "7.1.7", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "7.7.3", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "7.8.2", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "7.9.1", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "7.10"}, {"status": "unaffected", "version": "7.9.3"}, {"status": "unaffected", "version": "7.8.4"}, {"status": "unaffected", "version": "7.7.5"}, {"status": "unaffected", "version": "7.1.9"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "whitehattushu"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.<br>"}], "value": "Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2023-04-20T08:17:04.731Z"}, "references": [{"url": "https://mattermost.com/security-updates/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update Mattermost to version v7.10, v7.9.3, v7.8.4, v7.7.5, v7.1.9 or higher.<br>"}], "value": "Update Mattermost to version v7.10, v7.9.3, v7.8.4, v7.7.5, v7.1.9 or higher.\n"}], "source": {"advisory": "MMSA-2023-00157", "defect": ["https://mattermost.atlassian.net/browse/MM-50219"], "discovery": "EXTERNAL"}, "title": "Oauth authorization codes do not expire when deauthorizing an oauth2 app", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:12:20.643Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost:7.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "CDC735BF-4F80-4591-9723-502F85272A9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:7.7.3:*:*:*:*:*:*:*", "matchCriteriaId": "987578BB-343E-4CA2-858E-9D99D6DD00FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:7.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "13CE80DF-3961-4B2A-AF44-9FB269AB0A2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:7.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "271F0B4B-922D-4D29-AEDC-CBB12531744C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.\n"}], "id": "CVE-2023-2193", "lastModified": "2023-05-02T18:13:54.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2023-04-20T09:15:10.603", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates/"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}