GHSA-r67m-mf7v-qp7j

Source

https://github.com/advisories/GHSA-r67m-mf7v-qp7j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-r67m-mf7v-qp7j/GHSA-r67m-mf7v-qp7j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r67m-mf7v-qp7j

Aliases

CVE-2023-5968

Published

2023-11-06T18:30:19Z

Modified

2025-07-22T17:17:20Z

Severity

4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Mattermost password hash disclosure vulnerability

Details

Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.

Database specific

{
    "nvd_published_at": "2023-11-06T16:15:42Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2023-11-08T14:58:02Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-116",
        "CWE-200"
    ]
}

References

Affected packages

Go / github.com/mattermost/mattermost-server/v6

Package

Name: github.com/mattermost/mattermost-server/v6; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server/v6

Affected ranges

Type: SEMVER
Events: Introduced

5.4.0-rc1

Fixed

7.8.12

Go / github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

8.0.0

Fixed

8.0.4

Go / github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

8.1.0

Fixed

8.1.3

Go / github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0

Fixed

9.0.1

Affected versions

9.*

9.0.0

Go / github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.0.0-20230825233148-f787fd63368a

Go / github.com/mattermost/mattermost-server/v6

Package

Name: github.com/mattermost/mattermost-server/v6; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server/v6

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.3.2-0.20230825233148-f787fd63368a

Go / github.com/mattermost/mattermost-server/v5

Package

Name: github.com/mattermost/mattermost-server/v5; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server/v5

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.3.2-0.20230825233148-f787fd63368a

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.3.2-0.20230825233148-f787fd63368a