CVE-2022-1385

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

CVSS v3 3.7 LOW
CVSS v2.0 5.8 MEDIUM

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://hackerone.com/reports/1486820	Exploit Third Party Advisory
https://mattermost.com/security-updates/	Vendor Advisory
https://hackerone.com/reports/1486820	Exploit Third Party Advisory
https://mattermost.com/security-updates/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:40

Type	Values Removed	Values Added
References	~~() https://hackerone.com/reports/1486820 - Exploit, Third Party Advisory~~	() https://hackerone.com/reports/1486820 - Exploit, Third Party Advisory
References	~~() https://mattermost.com/security-updates/ - Vendor Advisory~~	() https://mattermost.com/security-updates/ - Vendor Advisory
CVSS	v2 : ~~5.8~~ v3 : ~~4.6~~	v2 : 5.8 v3 : 3.7

Information

Published : 2022-04-19 21:15

Updated : 2024-11-21 06:40

NVD link : CVE-2022-1385

Mitre link : CVE-2022-1385

CVE.ORG link : CVE-2022-1385

JSON object : View

Products Affected

mattermost

mattermost_server

CWE

CWE-664

Improper Control of a Resource Through its Lifetime

CWE-668

Exposure of Resource to Wrong Sphere

{"id": "CVE-2022-1385", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}]}, "published": "2022-04-19T21:15:14.103", "references": [{"url": "https://hackerone.com/reports/1486820", "tags": ["Exploit", "Third Party Advisory"], "source": "responsibledisclosure@mattermost.com"}, {"url": "https://mattermost.com/security-updates/", "tags": ["Vendor Advisory"], "source": "responsibledisclosure@mattermost.com"}, {"url": "https://hackerone.com/reports/1486820", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://mattermost.com/security-updates/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "description": [{"lang": "en", "value": "CWE-664"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels."}, {"lang": "es", "value": "Mattermost versiones 6.4.x y anteriores no invalidan apropiadamente las invitaciones por correo electr\u00f3nico pendientes cuando la acci\u00f3n es llevada a cabo desde la consola del sistema, lo que permite a usuarios invitados accidentalmente unirse al espacio de trabajo y acceder a la informaci\u00f3n de los equipos y canales p\u00fablicos"}], "lastModified": "2024-11-21T06:40:37.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4F225C4-48B7-456B-ABD4-1FD2ADD47668", "versionEndExcluding": "6.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "responsibledisclosure@mattermost.com"}