CVE-2023-2193: Oauth authorization codes do not expire when deauthorizing an oauth2 app
First published: Thu Apr 20 2023(Updated: )
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost Mattermost | =7.1.7 | |
| Mattermost Mattermost | =7.7.3 | |
| Mattermost Mattermost | =7.8.2 | |
| Mattermost Mattermost | =7.9.1 |
Remedy
Update Mattermost to version v7.10, v7.9.3, v7.8.4, v7.7.5, v7.1.9 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Mattermost vulnerability?
The vulnerability ID for this Mattermost vulnerability is CVE-2023-2193.
What is the severity rating of CVE-2023-2193?
CVE-2023-2193 has a severity rating of 9.1 (critical).
Which versions of Mattermost are affected by CVE-2023-2193?
Mattermost versions 7.1.7, 7.7.3, 7.8.2, and 7.9.1 are affected by CVE-2023-2193.
What is the impact of CVE-2023-2193?
CVE-2023-2193 allows an attacker possessing an authorization code to generate an access token.
How can I fix CVE-2023-2193 in Mattermost?
To fix CVE-2023-2193 in Mattermost, upgrade to a version that has the security patch applied.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/title
- agent/references
- agent/severity
- agent/weakness
- agent/tags
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- vendor/mattermost
- canonical/mattermost mattermost
- version/mattermost mattermost/7.1.7
- version/mattermost mattermost/7.7.3
- version/mattermost mattermost/7.8.2
- version/mattermost mattermost/7.9.1