CVE-2023-5339 - Vulnerability Details - OpenCVE

Description

Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged.

Published: 2023-10-17

Score: 4.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mattermost

Mattermost

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.4.0
`5.5.0`	unaffected	—

Configuration 1 [-]

cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update Mattermost Desktop to versions 5.5.0 or higher.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-57656	Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00073.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://mattermost.com/security-updates

History

No history.

Subscriptions

Mattermost Mattermost Desktop

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2023-10-17T09:30:41.612Z

Updated: 2024-09-05T19:46:10.145Z

Reserved: 2023-10-02T12:42:09.725Z

Link: CVE-2023-5339

Vulnrichment

Updated: 2024-08-02T07:52:08.626Z

NVD

Status : Modified

Published: 2023-10-17T10:15:10.343

Modified: 2024-11-21T08:41:33.933

Link: CVE-2023-5339

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5339", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2023-10-02T12:42:09.725Z", "datePublished": "2023-10-17T09:30:41.612Z", "dateUpdated": "2024-09-05T19:46:10.145Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "5.4.0", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "5.5.0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Patrice Kolb"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost <span style=\"background-color: rgb(255, 255, 255);\">Desktop </span>fails to set an appropriate log level <span style=\"background-color: rgb(255, 255, 255);\">during initial run after fresh installation</span> resulting in logging all keystrokes<span style=\"background-color: rgb(255, 255, 255);\"> including password entry</span> being logged. </p>"}], "value": "Mattermost Desktop\u00a0fails to set an appropriate log level during initial run after fresh installation\u00a0resulting in logging all keystrokes\u00a0including password entry\u00a0being logged.\u00a0\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2023-10-17T09:30:41.612Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Desktop to versions 5.5.0 or higher.</p>"}], "value": "Update Mattermost Desktop to versions 5.5.0 or higher.\n\n"}], "source": {"advisory": "MMSA-2023-00235", "defect": ["https://mattermost.atlassian.net/browse/MM-54169"], "discovery": "EXTERNAL"}, "title": "Mattermost Desktop logs all keystrokes during initial run after fresh installation\u00a0", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:52:08.626Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T19:46:00.484187Z", "id": "CVE-2023-5339", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T19:46:10.145Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:52:08.626Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-5339", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-05T19:46:00.484187Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T19:46:06.812Z"}}], "cna": {"title": "Mattermost Desktop logs all keystrokes during initial run after fresh installation\u00a0", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-54169"], "advisory": "MMSA-2023-00235", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Patrice Kolb"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.4.0"}, {"status": "unaffected", "version": "5.5.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Desktop to versions 5.5.0 or higher.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost Desktop to versions 5.5.0 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Mattermost Desktop\u00a0fails to set an appropriate log level during initial run after fresh installation\u00a0resulting in logging all keystrokes\u00a0including password entry\u00a0being logged.\u00a0\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost <span style=\"background-color: rgb(255, 255, 255);\">Desktop </span>fails to set an appropriate log level <span style=\"background-color: rgb(255, 255, 255);\">during initial run after fresh installation</span> resulting in logging all keystrokes<span style=\"background-color: rgb(255, 255, 255);\"> including password entry</span> being logged. </p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2023-10-17T09:30:41.612Z"}}}, "cveMetadata": {"cveId": "CVE-2023-5339", "state": "PUBLISHED", "dateUpdated": "2024-09-05T19:46:10.145Z", "dateReserved": "2023-10-02T12:42:09.725Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2023-10-17T09:30:41.612Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2017F67-0DD3-4A9A-89F3-7C48FF9D4868", "versionEndIncluding": "5.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mattermost Desktop\u00a0fails to set an appropriate log level during initial run after fresh installation\u00a0resulting in logging all keystrokes\u00a0including password entry\u00a0being logged.\u00a0\n\n"}, {"lang": "es", "value": "Mattermost Desktop no puede establecer un nivel de registro apropiado durante la ejecuci\u00f3n inicial despu\u00e9s de una nueva instalaci\u00f3n, lo que provoca que se registren todas las pulsaciones de teclas, incluida la entrada de contrase\u00f1a."}], "id": "CVE-2023-5339", "lastModified": "2024-11-21T08:41:33.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-17T10:15:10.343", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}]}