Improper Certificate Validation in Mattermost Server - CVE-2017-18909

 

Improper Certificate Validation in Mattermost Server - CVE-2017-18909

Published: June 19, 2020 / Updated: August 8, 2020


Vulnerability identifier: #VU34211
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-18909
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mattermost, Inc.
Affected software:
Mattermost Server

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.


How to mitigate CVE-2017-18909

Install update from vendor's website.

Sources