Insufficient Session Expiration in Mattermost Server - CVE-2017-18905

 

Insufficient Session Expiration in Mattermost Server - CVE-2017-18905

Published: June 19, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30176
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-18905
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mattermost, Inc.
Affected software:
Mattermost Server

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.


How to mitigate CVE-2017-18905

Install update from vendor's website.

Sources