CVE-2022-1385

CVSS v2.0

5.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 6.4.x and earlier

Description The issue arises from the failure to properly invalidate pending email invitations when the action is performed from the system console. This allows accidentally invited users to join the workspace and access information from public teams and channels. The problem is related to improper control of a resource through its lifetime in Mattermost.

Recommendations For Mattermost versions 6.4.x and earlier, consider restricting access to public teams and channels until a proper fix is applied to prevent accidentally invited users from accessing sensitive information. As a temporary workaround, manually invalidate pending email invitations to prevent unauthorized access.

Exploit

Fix

Exposure of Resource to Wrong Sphere

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-664CWE-668

Related Identifiers

BIT-MATTERMOST-2022-1385

CVE-2022-1385

GHSA-FXWJ-V664-WV5G

GO-2022-0599

Affected Products

Mattermost

CVE-2022-1385

Weakness Enumeration

Related Identifiers

Affected Products

References · 9