CVE-2023-4478 - OpenCVE

Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mattermost	Mattermost Server

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server:8.0.0:::::::*

No data.

References

Link	Providers
https://mattermost.com/security-updates

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2023-08-25T09:06:06.310Z

Updated: 2024-08-02T07:31:05.857Z

Reserved: 2023-08-22T11:45:27.863Z

Link: CVE-2023-4478

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-08-25T10:15:09.687

Modified: 2023-08-31T17:44:40.807

Link: CVE-2023-4478

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4478", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2023-08-22T11:45:27.863Z", "datePublished": "2023-08-25T09:06:06.310Z", "dateUpdated": "2024-08-02T07:31:05.857Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "7.8.8", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "7.10.4", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "7.8.9"}, {"status": "unaffected", "version": "7.10.5"}, {"status": "unaffected", "version": "8.0.1 "}, {"status": "affected", "version": "8.0.0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "0AQD (0aqd)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.</p>"}], "value": "Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2023-08-25T09:06:06.310Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Server to versions 7.8.9, 7.10.5, 8.0.1 or higher.</p>"}], "value": "Update Mattermost Server to versions 7.8.9, 7.10.5, 8.0.1 or higher.\n\n"}], "source": {"advisory": "MMSA-2023-00225", "defect": ["https://mattermost.atlassian.net/browse/MM-53426"], "discovery": "EXTERNAL"}, "title": "Parameter tampering in the registration resulting in blocked accounts to be created", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:31:05.857Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F550344-4A29-4354-9AB9-9E9168B81908", "versionEndExcluding": "7.8.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "78A07BB1-20D2-41B4-9823-B3EF8CDFC997", "versionEndExcluding": "7.10.5", "versionStartIncluding": "7.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "E47E76CA-0C92-4039-8448-D6618DF531CD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.\n\n"}, {"lang": "es", "value": "Mattermost no restringe los valores de los par\u00e1metros que toma de la solicitud durante el registro, lo que permite a un atacante registrar a los usuarios como inactivos, bloque\u00e1ndoles as\u00ed el acceso posterior a Mattermost sin que el administrador del sistema active sus cuentas."}], "id": "CVE-2023-4478", "lastModified": "2023-08-31T17:44:40.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2023-08-25T10:15:09.687", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}