What is the severity of CVE-2023-5968?

The severity of CVE-2023-5968 is medium with a score of 4.9.

How does Mattermost fail to sanitize the user object when updating the username in CVE-2023-5968?

Mattermost fails to properly sanitize the user object, resulting in the password hash being included in the response body.

Which versions of Mattermost are affected by CVE-2023-5968?

Mattermost versions 9.0.0, 8.1.0 to 8.1.3, 8.0.0 to 8.0.4, and 7.8.12 are affected by CVE-2023-5968.

How can I fix CVE-2023-5968 in Mattermost?

To fix CVE-2023-5968 in Mattermost, upgrade to version 9.0.1.

Where can I find more information about CVE-2023-5968?

More information about CVE-2023-5968 can be found at the following references: [Mattermost Security Updates](https://mattermost.com/security-updates), [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-5968), [GitHub Advisory](https://github.com/advisories/GHSA-r67m-mf7v-qp7j).

Vulnerability/
CVE-2023-5968

medium

4.9

CWE

116 200

EPSS

0.049%

6/11/2023

12/9/2024

CVE-2023-5968: Password hash in response body after username update

First published: Mon Nov 06 2023(Updated: )

Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.

Credit: responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com

Affected Software	Affected Version	How to fix
Mattermost Mattermost	<=7.8.11
Mattermost Mattermost	>=8.0.0<=8.0.3
Mattermost Mattermost	>=8.1.0<=8.1.2
Mattermost Mattermost	=9.0.0
go/github.com/mattermost/mattermost/server/v8	=9.0.0	9.0.1
go/github.com/mattermost/mattermost/server/v8	>=8.1.0<8.1.3	8.1.3
go/github.com/mattermost/mattermost/server/v8	>=8.0.0<8.0.4	8.0.4
go/github.com/mattermost/mattermost-server/v6	<7.8.12	7.8.12

Remedy

Update Mattermost Server to versions 7.8.12, 8.0.4, 8.1.3, 9.0.1 or higher.

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-5968?
The severity of CVE-2023-5968 is medium with a score of 4.9.
How does Mattermost fail to sanitize the user object when updating the username in CVE-2023-5968?
Mattermost fails to properly sanitize the user object, resulting in the password hash being included in the response body.
Which versions of Mattermost are affected by CVE-2023-5968?
Mattermost versions 9.0.0, 8.1.0 to 8.1.3, 8.0.0 to 8.0.4, and 7.8.12 are affected by CVE-2023-5968.
How can I fix CVE-2023-5968 in Mattermost?
To fix CVE-2023-5968 in Mattermost, upgrade to version 9.0.1.
Where can I find more information about CVE-2023-5968?
More information about CVE-2023-5968 can be found at the following references: [Mattermost Security Updates](https://mattermost.com/security-updates), [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-5968), [GitHub Advisory](https://github.com/advisories/GHSA-r67m-mf7v-qp7j).

collector/nvd-api
collector/nvd-cve
collector/github-advisory-latest
alias/GHSA-r67m-mf7v-qp7j
alias/CVE-2023-5968
collector/github-advisory
agent/author
agent/type
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/references
agent/tags
agent/severity
agent/remedy
agent/title
agent/weakness
agent/description
agent/event
collector/epss-latest
source/FIRST
agent/epss
collector/mitre-cve
source/MITRE
vendor/mattermost
canonical/mattermost mattermost
version/mattermost mattermost/7.8.11
version/mattermost mattermost/8.0.0
version/mattermost mattermost/8.0.3
version/mattermost mattermost/8.1.0
version/mattermost mattermost/8.1.2
version/mattermost mattermost/9.0.0
package-manager/go