Moderate severityNVD Advisory· Published Mar 31, 2023· Updated Dec 6, 2024

Unsanitized events sent over Websocket to regular users in a High Availability environment

CVE-2023-1775

Description

When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/mattermost/mattermost-serverGo	>= 3.3.0, < 7.1.6	7.1.6
github.com/mattermost/mattermost-serverGo	>= 7.7.0, < 7.7.2	7.7.2
github.com/mattermost/mattermost-serverGo	>= 7.1.0, < 7.1.6	7.1.6
github.com/mattermost/mattermost-server/v5Go	>= 5.0.0, < 7.1.6	7.1.6
github.com/mattermost/mattermost-server/v6Go	>= 6.0.0, < 7.1.6	7.1.6

Affected products

Mattermost/Mattermostv5
Range: 3.3.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-8jhh-3jf2-pfwrghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-1775ghsaADVISORY
github.com.mattermost/mattermost-serverghsaPACKAGE
mattermost.com/security-updatesghsaWEB
mattermost.com/security-updates/mitre

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000