CVE-2023-1775 MEDIUM

CVE-2023-1775: Unsanitized events sent over Websocket to regular users in a High Availability environment

Vendor Mattermost

Product Mattermost

Weakness CWE-200 · Info exposure

Published March 31, 2023

Last update December 6, 2024

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.

Key dates

02Disclosure timeline

March 31, 2023 CVE published

December 6, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-1775 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

04Related CVE

CVE-2026-42333 quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations CVE-2020-3259 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability CVE-2022-2401 Team members could access sensitive information of other users via an API call CVE-2023-31280 Exposure of Sensitive Information to an Unauthorized Actor CVE-2022-23504 TYPO3 contains Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration

Identifiers

CVE CVE-2023-1775

CWE CWE-200

CVSS 4.3 / MEDIUM

Affected versions

Vendor Mattermost

Product Mattermost

Affected ≥ 3.3.0 and ≤ 7.7.1

Vendor Mattermost

Product Mattermost

Affected ≥ 3.3.0 and ≤ 7.1.5

Vendor Mattermost

Product Mattermost

Affected ≥ 3.3.0 and < 7.8.0