CVE-2023-2788

EPSS 0.07%
Veröffentlicht 16.06.2023 09:15:09
Zuletzt bearbeitet 21.11.2024 07:59:17
Quelle responsibledisclosure@mattermo
Teams Watchlist Login
Unerledigt Login

Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mattermost ≫ Mattermost Version >= 7.1.0 <= 7.1.9

Mattermost ≫ Mattermost Version >= 7.8.0 <= 7.8.4

Mattermost ≫ Mattermost Version >= 7.9.0 <= 7.9.3

Mattermost ≫ Mattermost Version7.10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.211

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	1.2	5.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
responsibledisclosure@mattermost.com	6.2	0.7	5.5	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://mattermost.com/security-updates/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-2788

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-2788

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-2788

EUVD