CVE-2023-2515

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-2515
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-2515.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-2515
Aliases
Published
2023-05-12T08:53:44.111Z
Modified
2026-05-28T04:08:53.114174685Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Privilege escalation to system admin via personal access tokens
Details

Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/2xxx/CVE-2023-2515.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "7.1.7"
                },
                {
                    "last_affected": "7.7.3"
                },
                {
                    "last_affected": "7.8.2"
                },
                {
                    "last_affected": "7.9.1"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "Mattermost"
}
References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8cf21b2ca06ebc4f26bf6ddd892650f370dd2bd3
Introduced
87cbeafd363557615354cdf622adf3929f73e561
Fixed
c01c4a46b1bad277c57528b7288e4bb313b87360
Introduced
f14c24391ca84740d90a29ec8b67579326eaa236
Fixed
bfaf0fd3d8434d403c61556eb2dd1be0d9965071
Introduced
c4d8c1450ab2b9538bbc2690ca1ee865567a5888
Fixed
2a75f997ee6cbff3047b7215073d1659ea1f98c0
Database specific 
{
    "cpe": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.1.8"
        },
        {
            "introduced": "7.2.0"
        },
        {
            "fixed": "7.7.4"
        },
        {
            "introduced": "7.8.0"
        },
        {
            "fixed": "7.8.3"
        },
        {
            "introduced": "7.9.0"
        },
        {
            "fixed": "7.9.2"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

Other
cloud-2022-06-29-1
cloud-2022-07-20-1
cloud-2022-08-10-1
cloud-2022-09-08-1
cloud-2022-10-06-1
cloud-2022-11-11-1
cloud-2022-11-24-1
v0.*
v0.5.0
v4.*
v4.10.0-rc1
v4.2.0-rc1
v4.3.0-rc1
v4.4.0-rc1
v4.5.0-rc1
v4.6.0-rc1
v4.6.0-rc2
v4.7.0-rc1
v4.8.0-rc1
v4.9.0-rc1
v5.*
v5.0.0-rc1
v5.1.0-rc1
v5.2.0-rc1
v5.2.0-rc2
v7.*
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.7.0
v7.7.1
v7.7.2
v7.7.3
v7.8.0
v7.8.1
v7.8.2
v7.9.0
v7.9.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-2515.json"