CVE-2022-1332 — Sensitive Information Exposure in Mattermost

CWE-200 — Sensitive Information Exposure CWE-269 — Improper Privilege Management6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 67.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Github.com Mattermost Mattermost-server V5 Github.com Mattermost Mattermost-server V6 +1 more

Timeline

PublishedApr 13

Latest updateAug 21

Description

One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server5.37.0 — 5.37.9+3

▶Gogithub.com/mattermost_mattermost-server_v5< 5.37.9

▶Gogithub.com/mattermost_mattermost-server_v66.0.0 — 6.2.5+2

▶CVEListV5mattermost/mattermost6.4 — 6.4.2+3

🔴Vulnerability Details

OSV

Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server↗2024-08-21

▶

GHSA

Improper Privilege Management in Mattermost↗2022-04-14

▶

OSV

Improper Privilege Management in Mattermost↗2022-04-14

▶

CVEList

Restricted custom admin role can bypass the restrictions and view the server logs and server config.json file contents↗2022-04-13

▶