CVE-2022-1384 - OpenCVE

Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Mattermost	Mattermost Server

Configuration 1 [-]

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*

References

Link	Resource
https://mattermost.com/security-updates/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Mattermost

Published: 2022-04-19T20:26:28

Updated: 2022-04-19T20:26:28

Reserved: 2022-04-18T00:00:00

Link: CVE-2022-1384

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-04-19T21:15:14.047

Modified: 2022-04-27T17:36:56.747

Link: CVE-2022-1384

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "6.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy."}], "descriptions": [{"lang": "en", "value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-477", "description": "CWE-477 Use of Obsolete Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T20:26:28", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://mattermost.com/security-updates/"}], "solutions": [{"lang": "en", "value": "Update Mattermost to version v6.5 or higher"}], "source": {"advisory": "MMSA-2022-0095", "defect": ["https://mattermost.atlassian.net/browse/MM-41885"], "discovery": "INTERNAL"}, "title": "Authorized users are allowed to install old plugin versions from the Marketplace", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-1384", "STATE": "PUBLIC", "TITLE": "Authorized users are allowed to install old plugin versions from the Marketplace"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Mattermost", "version": {"version_data": [{"version_affected": "<=", "version_value": "6.4"}]}}]}, "vendor_name": "Mattermost"}]}}, "credit": [{"lang": "eng", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-477 Use of Obsolete Function"}]}]}, "references": {"reference_data": [{"name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/"}]}, "solution": [{"lang": "en", "value": "Update Mattermost to version v6.5 or higher"}], "source": {"advisory": "MMSA-2022-0095", "defect": ["https://mattermost.atlassian.net/browse/MM-41885"], "discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-1384", "datePublished": "2022-04-19T20:26:28", "dateReserved": "2022-04-18T00:00:00", "dateUpdated": "2022-04-19T20:26:28", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4F225C4-48B7-456B-ABD4-1FD2ADD47668", "versionEndExcluding": "6.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."}, {"lang": "es", "value": "Mattermost versiones 6.4.x y anteriores, no comprueban apropiadamente la versi\u00f3n del plugin cuando es instalado un plugin desde el Marketplace, lo que permite a un usuario autenticado y autorizado instalar y explotar una versi\u00f3n antigua del plugin desde el Marketplace que podr\u00eda tener vulnerabilidades conocidas"}], "id": "CVE-2022-1384", "lastModified": "2022-04-27T17:36:56.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2022-04-19T21:15:14.047", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates/"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-477"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}