First published: Mon Nov 06 2023(Updated: )
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
Credit: responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com
Affected Software | Affected Version | How to fix |
---|---|---|
Mattermost Mattermost | <=7.8.11 | |
Mattermost Mattermost | >=8.0.0<=8.0.3 | |
Mattermost Mattermost | >=8.1.0<=8.1.2 | |
Mattermost Mattermost | =9.0.0 | |
go/github.com/mattermost/mattermost/server/v8 | =9.0.0 | 9.0.1 |
go/github.com/mattermost/mattermost/server/v8 | >=8.1.0<8.1.3 | 8.1.3 |
go/github.com/mattermost/mattermost/server/v8 | >=8.0.0<8.0.4 | 8.0.4 |
go/github.com/mattermost/mattermost-server/v6 | <7.8.12 | 7.8.12 |
<=7.8.11 | ||
>=8.0.0<=8.0.3 | ||
>=8.1.0<=8.1.2 | ||
=9.0.0 |
Update Mattermost Server to versions 7.8.12, 8.0.4, 8.1.3, 9.0.1 or higher.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2023-5968 is medium with a score of 4.9.
Mattermost fails to properly sanitize the user object, resulting in the password hash being included in the response body.
Mattermost versions 9.0.0, 8.1.0 to 8.1.3, 8.0.0 to 8.0.4, and 7.8.12 are affected by CVE-2023-5968.
To fix CVE-2023-5968 in Mattermost, upgrade to version 9.0.1.
More information about CVE-2023-5968 can be found at the following references: [Mattermost Security Updates](https://mattermost.com/security-updates), [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-5968), [GitHub Advisory](https://github.com/advisories/GHSA-r67m-mf7v-qp7j).