CVE-2023-3615— Lack of server certificate validation in websockets connection
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-3615
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Lack of server certificate validation in websockets connection
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
证书验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Mattermost 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Mattermost是美国Mattermost公司的一个开源协作平台。 Mattermost iOS存在安全漏洞,该漏洞源于在初始化TLS连接时无法正确验证服务器证书,从而允许攻击者拦截WebSockets连接。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Mattermost | Mattermost iOS app | 0 ~ 2.5.0 | - |
II. Public POCs for CVE-2023-3615
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-3615
请登录查看更多情报信息。
Same Patch Batch · Mattermost · 2023-07-17 · 13 CVEs total
| CVE-2023-3581 | 6.2 MEDIUM | WebSockets accept connections from HTTPS origin |
| CVE-2023-3591 | 4.8 MEDIUM | Lack of previous password reset tokens on new token creation |
| CVE-2023-3582 | 4.3 MEDIUM | Lack of channel membership check when linking a board to a channel |
| CVE-2023-3585 | 4.3 MEDIUM | channel DoS by sharing a boards link |
| CVE-2023-3614 | 4.3 MEDIUM | Denial of Service via specially crafted gif image |
| CVE-2023-3593 | 4.3 MEDIUM | Server crash via a specially crafted markdown input |
| CVE-2023-3586 | 4.2 MEDIUM | Disabling publicly-shared boards does not disable existing publicly available board links |
| CVE-2023-3577 | 3.5 LOW | Limited blind SSRF to localhost/intranet in interactive dialog implementation |
| CVE-2023-3613 | 3.5 LOW | Guest accounts invited and added to channels by Welcomebot plugin |
| CVE-2023-3584 | 3.1 LOW | Member can create team with team override scheme |
| CVE-2023-3590 | 3.1 LOW | Deleted attachments in Boards remain accessible |
| CVE-2023-3587 | 2.7 LOW | Inconsistent state in UI after boards permission change by system admin |
IV. Related Vulnerabilities
Same vendor: Mattermost
- CVE-2026-3590
Race Condition in Guest Magic Link Authentication Allows Tok - CVE-2026-28741
CSRF Protection Bypass Allows Updating a User's Authenticati - CVE-2026-27769
Connected Workspaces: Malicious remote server can manipulate - CVE-2026-24661
Unbounded Request Body Read in MS Teams Plugin {{/changes}} - CVE-2026-21388
Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}
Same weakness: CWE-295
V. Comments for CVE-2023-3615
No comments yet