CVE Catalog

CVE-2023-3584

LowCVSS 3.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile — higher than 21% of all known CVEs

Summary

Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request. This allows an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.

Risk Assessment

An attacker could exploit this vulnerability to create unauthorized teams, potentially leading to uncontrolled access to organizational resources.

Recommendation

It is recommended to update Mattermost to the latest version that fixes the authorization check for the POST /api/v4/teams request.

Original NVD description (English source)

Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS