CVE-2022-1332

Summary

One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost6.4 < 6.4.2affected
MattermostMattermost6.3 < 6.3.5affected
MattermostMattermost6.2 < 6.2.5affected
MattermostMattermost5.37 < 5.37.9affected

Weaknesses

  • CWE-200: CWE-200 Information Exposure

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References