CVE-2022-2401 — Sensitive Information Exposure in Mattermost Mattermost-server V6

CWE-200 — Sensitive Information Exposure5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 44.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server V6 Mattermost Server Mattermost

Timeline

PublishedJul 14

Latest updateAug 21

Description

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDmattermost/mattermost_server6.4.0 — 6.5.2+4

▶Gogithub.com/mattermost_mattermost-server_v66.4.0 — 6.5.2+3

▶CVEListV5mattermost/mattermost6.x — 6.3.8+3

🔴Vulnerability Details

OSV

Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server↗2024-08-21

▶

GHSA

Mattermost users could access some sensitive information via API call↗2022-07-15

▶

OSV

Mattermost users could access some sensitive information via API call↗2022-07-15

▶

CVEList

Team members could access sensitive information of other users via an API call↗2022-07-14

▶