CVE-2023-6727

Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://mattermost.com/security-updates	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::

History

15 Dec 2023, 14:43

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mattermost:mattermost_server::::::::
Summary		(es) Mattermost no realiza comprobaciones de autorización correctas al crear una acción del playbook, lo que permite a los usuarios sin acceso al playbook crear acciones del playbook. Si la acción del playbook creada es publicar un mensaje en un canal basado en palabras clave específicas en una publicación, se puede filtrar cierta información del playbook, como el nombre.
First Time		Mattermost Mattermost mattermost Server
References	~~() https://mattermost.com/security-updates -~~	() https://mattermost.com/security-updates - Issue Tracking, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~3.1~~	v2 : unknown v3 : 4.3
CWE		NVD-CWE-noinfo

12 Dec 2023, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-12 11:15

Updated : 2023-12-15 14:43

NVD link : CVE-2023-6727

Mitre link : CVE-2023-6727

CVE.ORG link : CVE-2023-6727

JSON object : View

Products Affected

mattermost

mattermost_server

CWE

NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-6727", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.6}]}, "published": "2023-12-12T11:15:07.140", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "responsibledisclosure@mattermost.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.\u00a0\n\n"}, {"lang": "es", "value": "Mattermost no realiza comprobaciones de autorizaci\u00f3n correctas al crear una acci\u00f3n del playbook, lo que permite a los usuarios sin acceso al playbook crear acciones del playbook. Si la acci\u00f3n del playbook creada es publicar un mensaje en un canal basado en palabras clave espec\u00edficas en una publicaci\u00f3n, se puede filtrar cierta informaci\u00f3n del playbook, como el nombre."}], "lastModified": "2023-12-15T14:43:08.920", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6FA74D02-6508-49A3-960F-22B84B6E5B51", "versionEndIncluding": "8.1.5"}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D00348C4-CEE7-474E-BBDC-4A66D6BBA4C8", "versionEndIncluding": "9.2.1", "versionStartIncluding": "9.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "responsibledisclosure@mattermost.com"}