CVE-2022-2366

Summary

Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost6.7.x 6.7.0affected
MattermostMattermost6.x <= 6.3.8affected
MattermostMattermost6.5.x <= 6.5.1affected
MattermostMattermost6.6.x <= 6.6.1affected

Weaknesses

  • CWE-276: CWE-276 Incorrect Default Permissions

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References