Moderate severity · NVD Advisory · Published Nov 6, 2023 · Updated Sep 12, 2024
Password hash in response body after username update
CVE-2023-5968
Description
Mattermost fails to sanitize the user object it returns after a username update, so the response body includes the user's stored password hash.
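The mechanism, as an added example rather than Mattermost's own code: a user model whose stored password hash sits on the same struct that handlers marshal to JSON, an update path that returns that struct as stored (the pre-fix behaviour), the same path with a sanitize step before return (the post-fix behaviour), and the regression check a test suite would run over the resulting response bodies. `User`, `Sanitize`, `updateUsernameVulnerable`, `updateUsernameFixed`, `leaksCredentials` and the sample record are all hypothetical stand-ins; the hash in the sample is a constructed bcrypt-shaped string, not a real credential.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// User is a hypothetical stand-in for the user model, not Mattermost's
// model.User. The point it reproduces: the stored password hash lives on the
// same struct that handlers marshal into JSON, so anything that returns the
// struct without clearing the field returns the hash.
type User struct {
	Id        string  `json:"id"`
	Username  string  `json:"username"`
	Email     string  `json:"email"`
	Password  string  `json:"password,omitempty"`   // bcrypt hash as stored
	AuthData  *string `json:"auth_data,omitempty"`  // SSO/LDAP identifier
	MfaSecret string  `json:"mfa_secret,omitempty"`
}

// Sanitize clears credential material. A hypothetical equivalent of the
// sanitize step the fix adds; it takes no options to keep the example small.
func (u *User) Sanitize() {
	u.Password = ""
	u.AuthData = nil
	u.MfaSecret = ""
}

// updateUsernameVulnerable models the pre-fix behaviour: the record is
// updated and handed back exactly as stored, hash included.
func updateUsernameVulnerable(u User, newName string) User {
	u.Username = newName
	return u
}

// updateUsernameFixed models the post-fix behaviour: sanitize before the
// struct leaves the update path.
func updateUsernameFixed(u User, newName string) User {
	u.Username = newName
	u.Sanitize()
	return u
}

// responseBody marshals the user the way an HTTP handler would.
func responseBody(u User) (string, error) {
	b, err := json.Marshal(u)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// leaksCredentials is the regression check: it reports whether a response
// body carries a credential-bearing key with a non-empty value, or a
// bcrypt-formatted string anywhere in the body (catches the hash even if the
// field is renamed or nested).
func leaksCredentials(body string) bool {
	for _, prefix := range []string{"$2a$", "$2b$", "$2y$"} {
		if strings.Contains(body, prefix) {
			return true
		}
	}
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(body), &m); err != nil {
		return true // an unparsable body fails closed rather than passing silently
	}
	for _, k := range []string{"password", "auth_data", "mfa_secret"} {
		if v, ok := m[k]; ok && v != nil && v != "" {
			return true
		}
	}
	return false
}

// sampleUser builds a constructed record; the hash is a made-up
// bcrypt-shaped string, not a real credential.
func sampleUser() User {
	auth := "ldap-uid-1234"
	return User{
		Id:       "u1",
		Username: "alice",
		Email:    "alice@example.com",
		Password: "$2a$10$constructedhashconstructedhashconstructedhashcons",
		AuthData: &auth,
	}
}

func main() {
	u := sampleUser()
	for name, fn := range map[string]func(User, string) User{
		"vulnerable": updateUsernameVulnerable,
		"fixed":      updateUsernameFixed,
	} {
		body, err := responseBody(fn(u, "alice2"))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s leaks=%v body=%s\n", name, leaksCredentials(body), body)
	}
}
```

The bcrypt-prefix scan in `leaksCredentials` is deliberately independent of field names: a `password` key that is renamed, or a hash that ends up in a nested object, still trips it, which is the property you want from a test that guards an API boundary rather than one struct field.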
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Go) | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server/v6 | >= 5.4.0-rc1, < 7.8.12 | 7.8.12 |
| github.com/mattermost/mattermost/server/v8 | >= 8.0.0, < 8.0.4 | 8.0.4 |
| github.com/mattermost/mattermost/server/v8 | >= 8.1.0, < 8.1.3 | 8.1.3 |
| github.com/mattermost/mattermost/server/v8 | >= 9.0.0, < 9.0.1 | 9.0.1 |
| github.com/mattermost/mattermost/server/v8 | < 8.0.0-20230825233148-f787fd63368a | 8.0.0-20230825233148-f787fd63368a |
| github.com/mattermost/mattermost-server/v6 | < 5.3.2-0.20230825233148-f787fd63368a | 5.3.2-0.20230825233148-f787fd63368a |
| github.com/mattermost/mattermost-server/v5 | < 5.3.2-0.20230825233148-f787fd63368a | 5.3.2-0.20230825233148-f787fd63368a |
| github.com/mattermost/mattermost-server | < 5.3.2-0.20230825233148-f787fd63368a | 5.3.2-0.20230825233148-f787fd63368a |
Patches
698f4a97da56 Sanitize user in update user response (#24362) (#24566)
2 files changed · +5 −1
server/channels/app/user.go+2 −0 modified@@ -1285,6 +1285,8 @@ func (a *App) UpdateUser(c request.CTX, user *model.User, sendNotifications bool }(user.Id) } + newUser.Sanitize(map[string]bool{}) + return newUser, nil }
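Review bot: `newUser.Sanitize(map[string]bool{})` runs inside the app-layer `UpdateUser`, so every internal caller that consumes the returned `*model.User` now receives a sanitized struct, not only the HTTP handler whose response the advisory is about; confirm that no caller reads a field `Sanitize` clears (the callers are not in this diff), or apply the sanitize in the API handler that writes the response instead. A one-line comment above the call stating why an empty options map is the intended choice would also help, since the hunk gives no rationale for it.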
server/channels/app/user_test.go+3 −1 modified@@ -205,6 +205,7 @@ func TestUpdateUser(t *testing.T) { require.Nil(t, err) require.NotNil(t, u) require.Less(t, u.LastPictureUpdate, iLastPictureUpdate) + require.Empty(t, u.Password) }) t.Run("fails if profile picture is updated when user has custom profile picture and username is changed", func(t *testing.T) { @@ -1731,11 +1732,12 @@ func TestPatchUser(t *testing.T) { }) t.Run("Patch username with a new username", func(t *testing.T) { - _, err := th.App.PatchUser(th.Context, testUser.Id, &model.UserPatch{ + u, err := th.App.PatchUser(th.Context, testUser.Id, &model.UserPatch{ Username: model.NewString(model.NewId()), }, true) require.Nil(t, err) + require.Empty(t, u.Password) }) }
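Review bot: both new assertions check only `u.Password`; `Sanitize` is called with no options, so if it also clears other credential fields (not visible in this diff), add `require.Empty` assertions on those as well so that a later narrowing of `Sanitize` cannot silently reintroduce the leak. The `TestPatchUser` assertion only proves the fix when `PatchUser` returns the value produced by `UpdateUser`, which this diff does not show; a comment on the test stating that dependency would make the intent clear.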
References
- github.com/advisories/GHSA-r67m-mf7v-qp7j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-5968 (NVD advisory)
- github.com/mattermost/mattermost/commit/698f4a97da564e2c1f2bf1fbd01755cefa3b7881 (fix commit)
- github.com/mattermost/mattermost/pull/24362 (pull request)
- github.com/mattermost/mattermost/pull/24566 (pull request)
- mattermost.com/security-updates (vendor security updates)