Lucene search

MattermostCVELIST:CVE-2022-2408

HistoryJul 14, 2022 - 5:25 p.m.

CVE-2022-2408 Guest accounts can list all public channels

2022-07-1417:25:20

CWE-200

Mattermost

www.cve.org

mattermost

guest accounts

channel listing

security vulnerability

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.7%

JSON

The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels.

CNA Affected

[
  {
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "6.3.8",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6.4.x"
      },
      {
        "status": "affected",
        "version": "6.7.x 6.7.0"
      },
      {
        "lessThanOrEqual": "6.5.1",
        "status": "affected",
        "version": "6.5.x",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "6.6.1",
        "status": "affected",
        "version": "6.6.x",
        "versionType": "custom"
      }
    ]
  }
]

References

mattermost.com/security-updates/

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.7%

JSON

Related for CVELIST:CVE-2022-2408