CVE-2023-1775

Source
https://cve.org/CVERecord?id=CVE-2023-1775
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-1775.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-1775
Aliases
Published
2023-03-31T11:26:21.640Z
Modified
2026-07-08T07:34:17.141576845Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Unsanitized events sent over Websocket to regular users in a High Availability environment
Details

When running in a High Availability configuration, Mattermost fails to sanitize some of the userupdated and postdeleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "3.3.0"
                },
                {
                    "last_affected": "7.7.1"
                },
                {
                    "introduced": "3.3.0"
                },
                {
                    "last_affected": "7.1.5"
                },
                {
                    "introduced": "3.3.0"
                },
                {
                    "fixed": "7.8.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/1xxx/CVE-2023-1775.json",
    "cna_assigner": "Mattermost",
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "cpe": [
        "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:mattermost:mattermost_server:7.7.1:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.1.6"
        },
        {
            "introduced": "7.7.1"
        },
        {
            "last_affected": "7.7.1"
        }
    ]
}

Affected versions

7.*
7.7.1
Other
cloud-2022-06-29-1
v0.*
v0.5.0
v4.*
v4.10.0-rc1
v4.2.0-rc1
v4.3.0-rc1
v4.4.0-rc1
v4.5.0-rc1
v4.6.0-rc1
v4.6.0-rc2
v4.7.0-rc1
v4.8.0-rc1
v4.9.0-rc1
v5.*
v5.0.0-rc1
v5.1.0-rc1
v5.2.0-rc1
v5.2.0-rc2
v7.*
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-1775.json"