CVE-2023-6547

Summary

Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team. 

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 8.1.5affected
MattermostMattermost0 <= 9.2.1affected
MattermostMattermost8.1.6unaffected
MattermostMattermost9.2.2unaffected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References