CVE-2022-1384 — Use of Obsolete Function in Mattermost Mattermost-server V6

CWE-477 — Use of Obsolete Function CWE-862 — Missing Authorization5 documents4 sources

Severity

8.8HIGHNVD

CNA4.7

EPSS

0.3%

top 44.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server V6 Mattermost Server Mattermost

Timeline

PublishedApr 19

Latest updateAug 21

Description

Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDmattermost/mattermost_server< 6.5.0

▶Gogithub.com/mattermost_mattermost-server_v66.4.0 — 6.5.0

▶CVEListV5mattermost/mattermostunspecified — 6.4

🔴Vulnerability Details

OSV

Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server↗2024-08-21

▶

GHSA

Insecure plugin handling in Mattermost↗2022-04-20

▶

OSV

Insecure plugin handling in Mattermost↗2022-04-20

▶

CVEList

Authorized users are allowed to install old plugin versions from the Marketplace↗2022-04-19

▶