Lucene search

GitHub Advisory DatabaseGHSA-FXWJ-V664-WV5G

HistoryApr 20, 2022 - 12:00 a.m.

Improper Control of a Resource Through its Lifetime in Mattermost

2022-04-2000:00:30

CWE-664

CWE-668

GitHub Advisory Database

github.com

mattermost

email invitations

workspace security

public channels

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

24.8%

JSON

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

Affected configurations

Vulners

Node

github.com\/mattermost\/mattermostserver\/v6Range<6.5.0

CPENameOperatorVersion
github.com/mattermost/mattermost-server/v6lt6.5.0

CPE	Name	Operator	Version
	github.com/mattermost/mattermost-server/v6	lt	6.5.0

References

github.com/advisories/GHSA-fxwj-v664-wv5g

hackerone.com/reports/1486820

mattermost.com/security-updates/

nvd.nist.gov/vuln/detail/CVE-2022-1385

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

24.8%

JSON

Related for GHSA-FXWJ-V664-WV5G