First published: Mon Nov 06 2023
Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost | <=7.8.11 | |
| Mattermost | >=8.0.0, <=8.0.3 | |
| Mattermost | >=8.1.0, <=8.1.2 | |
| go/github.com/mattermost/mattermost/server/v8 | =9.0.0 | 9.0.1 |
| go/github.com/mattermost/mattermost/server/v8 | >=8.1.0, <8.1.3 | 8.1.3 |
| go/github.com/mattermost/mattermost/server/v8 | >=8.0.0, <8.0.4 | 8.0.4 |
| go/github.com/mattermost/mattermost-server/v6 | <7.8.12 | 7.8.12 |
Update Mattermost Server to versions 7.8.12, 8.0.4, 8.1.3 or higher. Alternatively, upgrade the Calls plugin to 0.17.1 or higher.
The severity of CVE-2023-5967 is medium, with a severity value of 4.3.
CVE-2023-5967 affects Mattermost by allowing an attacker to crash the Calls plugin, resulting in a denial of service.
To exploit CVE-2023-5967, an attacker can send a request to the Calls plugin without a User Agent header, causing a panic and crashing the plugin.
To fix CVE-2023-5967, upgrade Mattermost to version 7.8.12, 8.0.4, 8.1.3, or 9.0.1 depending on your current version.
More information about CVE-2023-5967 can be found at the following references: [Mattermost Security Updates](https://mattermost.com/security-updates), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-5967), and [GitHub Advisories](https://github.com/advisories/GHSA-xvq6-h898-wcj8).
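The defect class described above (a request with no User-Agent header turning into an unhandled panic) and the hardened form a defender would expect, as an added illustration that is not the Calls plugin's own code; the handler, path and helper names are assumptions:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed illustration of the defect class, not the Calls plugin's code: indexing
// the raw header map panics with "index out of range" when User-Agent is absent.
func vulnerableUserAgent(r *http.Request) string {
	return r.Header["User-Agent"][0]
}

// Hardened handler: r.UserAgent() yields "" for a missing header, so the request is
// rejected with 400; a deferred recover keeps any stray panic from crashing the plugin.
func handler(w http.ResponseWriter, r *http.Request) {
	defer func() { if recover() != nil { http.Error(w, "internal error", http.StatusInternalServerError) } }()
	ua := r.UserAgent()
	if ua == "" {
		http.Error(w, "missing User-Agent", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "ok: %s", ua)
}

// newRequest builds a constructed GET; an empty ua omits the header entirely.
func newRequest(ua string) *http.Request {
	req := httptest.NewRequest(http.MethodGet, "/plugins/calls/example", nil)
	if ua != "" {
		req.Header.Set("User-Agent", ua)
	}
	return req
}

// statusFor returns the status the hardened handler gives for a given User-Agent.
func statusFor(ua string) int {
	rr := httptest.NewRecorder()
	handler(rr, newRequest(ua))
	return rr.Code
}

// vulnerablePanics reports whether the unguarded lookup panics without User-Agent.
func vulnerablePanics() (panicked bool) {
	defer func() { panicked = recover() != nil }()
	_ = vulnerableUserAgent(newRequest(""))
	return false
}
```

The same request that panics the unguarded lookup gets a 400 from the hardened handler, which is the behaviour to verify after applying the fixed versions listed above.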