CVE-2022-1385

Exploit

EPSS 0.2%
Published 19.04.2022 21:15:14
Last modified 21.11.2024 06:40:37
Source responsibledisclosure@mattermo
Teams watchlist Login
Open Login

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

Affected products Warnungen 0 Metrics 4 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Mattermost ≫ Mattermost Server Version < 6.5.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.2%	0.427

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.6	2.1	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N
responsibledisclosure@mattermost.com	3.7	1.2	2.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CWE-664 Improper Control of a Resource Through its Lifetime

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://mattermost.com/security-updates/

Vendor Advisory

https://hackerone.com/reports/1486820

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2022-1385

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-1385

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-1385

EUVD