CVE-2022-2401 - OpenCVE

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Mattermost	Mattermost Server

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server:6.6.0:::::::*
	cpe:2.3:a:mattermost:mattermost_server:6.6.1:::::::*
	cpe:2.3:a:mattermost:mattermost_server:6.7.0:::::::*

References

Link	Resource
https://mattermost.com/security-updates/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Mattermost

Published: 2022-07-14T17:20:49

Updated: 2022-07-14T17:20:49

Reserved: 2022-07-14T00:00:00

Link: CVE-2022-2401

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-14T18:15:08.313

Modified: 2022-07-20T11:34:39.460

Link: CVE-2022-2401

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "Mattermost", "vendor": "Mattermost", "versions": [{"status": "affected", "version": "6.7.x 6.7.0"}, {"lessThanOrEqual": "6.3.8", "status": "affected", "version": "6.x", "versionType": "custom"}, {"lessThanOrEqual": "6.5.1", "status": "affected", "version": "6.5.x", "versionType": "custom"}, {"lessThanOrEqual": "6.6.1", "status": "affected", "version": "6.6.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy."}], "descriptions": [{"lang": "en", "value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-14T17:20:49", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://mattermost.com/security-updates/"}], "solutions": [{"lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher."}], "source": {"advisory": "MMSA-2022-00108", "defect": ["https://mattermost.atlassian.net/browse/MM-44568"], "discovery": "INTERNAL"}, "title": "Team members could access sensitive information of other users via an API call", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-2401", "STATE": "PUBLIC", "TITLE": "Team members could access sensitive information of other users via an API call"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Mattermost", "version": {"version_data": [{"version_affected": "<=", "version_name": "6.x", "version_value": "6.3.8"}, {"version_affected": "<=", "version_name": "6.5.x", "version_value": "6.5.1"}, {"version_affected": "<=", "version_name": "6.6.x", "version_value": "6.6.1"}, {"version_affected": "=", "version_name": "6.7.x", "version_value": "6.7.0"}]}}]}, "vendor_name": "Mattermost"}]}}, "credit": [{"lang": "eng", "value": "Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/"}]}, "solution": [{"lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher."}], "source": {"advisory": "MMSA-2022-00108", "defect": ["https://mattermost.atlassian.net/browse/MM-44568"], "discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-2401", "datePublished": "2022-07-14T17:20:49", "dateReserved": "2022-07-14T00:00:00", "dateUpdated": "2022-07-14T17:20:49", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D311744-6A53-4DD9-BE49-46E72BE1FB32", "versionEndExcluding": "6.3.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "06ABE3B1-53EA-42AB-B986-E5A660677075", "versionEndExcluding": "6.5.2", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "5144C178-AA3E-43CC-80E2-77BC8689FE7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "667E1ED7-7A47-4021-A158-23425C9F6E2D", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "13763CA7-57C3-4EBE-96D6-C244B5FE2704", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs."}, {"lang": "es", "value": "Una divulgaci\u00f3n de informaci\u00f3n sin restricciones de todos los usuarios en Mattermost versiones 6.7.0 y anteriores, permite a miembros del equipo acceder a determinada informaci\u00f3n confidencial mediante el acceso directo a las API"}], "id": "CVE-2022-2401", "lastModified": "2022-07-20T11:34:39.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2022-07-14T18:15:08.313", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates/"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}