CVE-2023-5968

Description

Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. 

How to fix CVE-2023-5968

To remediate CVE-2023-5968, upgrade the affected package to a fixed version below.

• Go/github.com/mattermost/mattermost-server—upgrade to 5.3.2-0.20230825233148-f787fd63368a or later
• —upgrade to 5.3.2-0.20230825233148-f787fd63368a or later
• —upgrade to 7.8.12 or later
• —upgrade to 8.0.4 or later

Is CVE-2023-5968 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 5.3.2-0.20230825233148-f787fd63368a
• from 0, < 5.3.2-0.20230825233148-f787fd63368a
• >= 5.4.0-rc1, < 7.8.12
• >= 8.0.0, < 8.0.4

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-5968
• PATCHgithub.com/mattermost/mattermost
• WEBgithub.com/mattermost/mattermost/commit/698f4a97da564e2c1f2bf1fbd01755cefa3b7881
• WEBgithub.com/mattermost/mattermost/pull/24362
• WEB