CVE-2023-2788

Summary

Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 7.1.9affected
MattermostMattermost0 <= 7.8.4affected
MattermostMattermost0 <= 7.9.3affected
MattermostMattermost7.10.0affected
MattermostMattermost7.1.10unaffected
MattermostMattermost7.8.5unaffected
MattermostMattermost7.9.4unaffected
MattermostMattermost7.10.1unaffected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References