CVE-2023-4107 - Vulnerability Details - OpenCVE

Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Mattermost	Mattermost

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost::::::::
	cpe:2.3:a:mattermost:mattermost::::::::
	cpe:2.3:a:mattermost:mattermost::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2228	Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.
Github GHSA	GHSA-6xjj-v76v-fwpj	Mattermost does not validate requesting user permissions before updating admin details

Fixes

Solution

Update Mattermost Server to versions 7.8.8, 7.9.6, 7.10.4 or higher.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://mattermost.com/security-updates

History

Fri, 11 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2023-08-11T06:12:21.977Z

Updated: 2024-10-11T16:52:17.516Z

Reserved: 2023-08-02T15:27:32.294Z

Link: CVE-2023-4107

Vulnrichment

Updated: 2024-08-02T07:17:12.064Z

NVD

Status : Modified

Published: 2023-08-11T07:15:09.963

Modified: 2024-11-21T08:34:24.487

Link: CVE-2023-4107

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4107", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2023-08-02T15:27:32.294Z", "datePublished": "2023-08-11T06:12:21.977Z", "dateUpdated": "2024-10-11T16:52:17.516Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "7.8.7", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "7.9.5", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "7.10.3", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "7.8.8"}, {"status": "unaffected", "version": "7.9.6"}, {"status": "unaffected", "version": "7.10.4"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pyae Phyo (pyae_phyo)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.</p>"}], "value": "Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2023-08-11T06:12:21.977Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Server to versions 7.8.8, 7.9.6, 7.10.4 or higher.</p>"}], "value": "Update Mattermost Server to versions 7.8.8, 7.9.6,\u00a07.10.4 or higher.\n\n"}], "source": {"advisory": "MMSA-2023-00207", "defect": ["https://mattermost.atlassian.net/browse/MM-53091"], "discovery": "EXTERNAL"}, "title": "Incorrect authorization allows a user manager to update a system admin", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:12.064Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "mattermost", "product": "mattermost", "cpes": ["cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.8.0", "status": "affected", "lessThan": "7.8.8", "versionType": "custom"}, {"version": "7.9.0", "status": "affected", "lessThan": "7.9.6", "versionType": "custom"}, {"version": "7.10.0", "status": "affected", "lessThan": "7.10.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-11T16:50:49.740745Z", "id": "CVE-2023-4107", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T16:52:17.516Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:12.064Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4107", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-11T16:50:49.740745Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "7.8.0", "lessThan": "7.8.8", "versionType": "custom"}, {"status": "affected", "version": "7.9.0", "lessThan": "7.9.6", "versionType": "custom"}, {"status": "affected", "version": "7.10.0", "lessThan": "7.10.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T16:52:11.959Z"}}], "cna": {"title": "Incorrect authorization allows a user manager to update a system admin", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-53091"], "advisory": "MMSA-2023-00207", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pyae Phyo (pyae_phyo)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.8.7"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.9.5"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.10.3"}, {"status": "unaffected", "version": "7.8.8"}, {"status": "unaffected", "version": "7.9.6"}, {"status": "unaffected", "version": "7.10.4"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Server to versions 7.8.8, 7.9.6,\u00a07.10.4 or higher.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost Server to versions 7.8.8, 7.9.6, 7.10.4 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2023-08-11T06:12:21.977Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4107", "state": "PUBLISHED", "dateUpdated": "2024-10-11T16:52:17.516Z", "dateReserved": "2023-08-02T15:27:32.294Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2023-08-11T06:12:21.977Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD009FA6-13F6-4278-BFD6-FEF7EB0CBE76", "versionEndExcluding": "7.8.8", "versionStartIncluding": "7.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*", "matchCriteriaId": "48DD3C64-F6CE-486D-8AAF-DFB842C458A6", "versionEndExcluding": "7.9.6", "versionStartIncluding": "7.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*", "matchCriteriaId": "2033E504-EE27-49CC-8E76-5776450E1CD6", "versionEndExcluding": "7.10.4", "versionStartIncluding": "7.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.\n\n"}, {"lang": "es", "value": "Mattermost no valida correctamente los permisos de usuario solicitados al actualizar un administrador del sistema, lo que permite a un administrador de usuarios actualizar los datos de un administrador del sistema, como el correo electr\u00f3nico, el nombre y los apellidos."}], "id": "CVE-2023-4107", "lastModified": "2024-11-21T08:34:24.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-11T07:15:09.963", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}