CVE-2022-1385 — Improper Control of a Resource Through its Lifetime in Mattermost

CWE-664 — Improper Control of a Resource Through its Lifetime CWE-668 — Resource Exposure CWE-59 — Link Following6 documents5 sources

Severity

4.6MEDIUMNVD

CNA3.7CISA7.8

EPSS

0.2%

top 61.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Github.com Mattermost Mattermost-server V6 Mattermost Server

Timeline

PublishedApr 19

Latest updateAug 21

Description

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.5

Affected Packages3 packages

▶CVEListV5mattermost/mattermostunspecified — 6.5.0

▶NVDmattermost/mattermost_server< 6.5.0

▶Gogithub.com/mattermost_mattermost-server_v6< 6.5.0

🔴Vulnerability Details

OSV

Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server↗2024-08-21

▶

GHSA

Improper Control of a Resource Through its Lifetime in Mattermost↗2022-04-20

▶

OSV

Improper Control of a Resource Through its Lifetime in Mattermost↗2022-04-20

▶

CVEList

Invitation Email is resent as a Reminder after invalidating pending email invites↗2022-04-19

▶

📋Vendor Advisories

CISA

Microsoft Windows AppX Deployment Extensions Privilege Escalation Vulnerability↗2022-05-23

▶