CVE-2022-1332

One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents.

Published: Apr 13, 2022
Updated: May 9, 2024
CVE: CVE-2022-1332
GHSA: GHSA-qggc-pj29-j27m
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-200
CWE-269

Affected Software
References

Software	From	Fixed in
mattermost / mattermost_server	6.2.0	6.2.5
mattermost / mattermost_server	6.4.0	6.4.2
mattermost / mattermost_server	6.3.0	6.3.5
mattermost / mattermost_server	5.37.0	5.37.9
github.com/mattermost/mattermost-server/v6	6.4.0	6.4.2
github.com/mattermost/mattermost-server/v6	6.3.0	6.3.5
github.com/mattermost/mattermost-server/v6	6.0.0	6.2.5
github.com/mattermost/mattermost-server/v5	-	5.37.9

https://mattermost.com/security-updates/

Vulnerability Database

289,871

CVE-2022-1332