CVE-2022-2408

Summary

The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermostunspecified <= 6.3.8affected
MattermostMattermost6.4.xaffected
MattermostMattermost6.7.x 6.7.0affected
MattermostMattermost6.5.x <= 6.5.1affected
MattermostMattermost6.6.x <= 6.6.1affected

Weaknesses

  • CWE-200: CWE-200 Information Exposure

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References