CVE-2022-1385

Exploit

EPSS 0.2%
Veröffentlicht 19.04.2022 21:15:14
Zuletzt bearbeitet 21.11.2024 06:40:37
Quelle responsibledisclosure@mattermo
Teams Watchlist Login
Unerledigt Login

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mattermost ≫ Mattermost Server Version < 6.5.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.427

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.6	2.1	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N
responsibledisclosure@mattermost.com	3.7	1.2	2.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CWE-664 Improper Control of a Resource Through its Lifetime

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://mattermost.com/security-updates/

Vendor Advisory

https://hackerone.com/reports/1486820

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2022-1385

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-1385

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-1385

EUVD