CVE-2023-2784: Apps Framework allows install requests from regular members via an internal path
First published: Fri Jun 16 2023(Updated: )
Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user send install requests to the Apps.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost Mattermost | >=7.8.0<=7.8.4 | |
| Mattermost Mattermost | >=7.9.0<=7.9.3 | |
| Mattermost Mattermost | =7.10.0 |
Remedy
Update Mattermost Server to versions v7.8.5, v7.9.4, v7.10.1 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this Mattermost vulnerability?
The vulnerability ID is CVE-2023-2784.
What is the severity rating of CVE-2023-2784?
The severity rating of CVE-2023-2784 is medium with a score of 6.5.
How does Mattermost verify if the requestor is a sysadmin?
Mattermost fails to verify if the requestor is a sysadmin before allowing install requests to the Apps.
What versions of Mattermost are affected by CVE-2023-2784?
Versions 7.8.0 to 7.8.4, 7.9.0 to 7.9.3, and 7.10.0 of Mattermost are affected by CVE-2023-2784.
How can I fix the issue in Mattermost?
To fix the issue, it is recommended to update Mattermost to a version that is not affected by CVE-2023-2784.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/last-modified-date
- agent/severity
- agent/title
- agent/remedy
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/tags
- agent/event
- vendor/mattermost
- canonical/mattermost mattermost
- version/mattermost mattermost/7.8.0
- version/mattermost mattermost/7.8.4
- version/mattermost mattermost/7.9.0
- version/mattermost mattermost/7.9.3
- version/mattermost mattermost/7.10.0