CVE-2023-1831

Summary

Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 7.7.2affected
MattermostMattermost0 <= 7.8.1affected
MattermostMattermost0 <= 7.9.0affected
MattermostMattermost7.7.3unaffected
MattermostMattermost7.8.2unaffected
MattermostMattermost7.9.1unaffected

Weaknesses

  • CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References