CVE-2022-1384

HIGH8.8EPSS 0.33%

Insecure plugin handling in Mattermost

Published: 4/20/2022Modified: 8/21/2024

Also known as:GHSA-32rp-q37p-jg6wBIT-mattermost-2022-1384GO-2022-0576

Description

Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.

Affected packages (5)

Bitnami/mattermostfrom 0, < 6.5.0
Go/github.com/mattermost/mattermost-serverfrom 0
Go/github.com/mattermost/mattermost-server/v5from 0
Go/github.com/mattermost/mattermost-server/v6>= 6.4.0, < 6.5.0
Go/github.com/mattermost/mattermost-server/v6>= 6.4.0, < 6.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://github.com/advisories/GHSA-32rp-q37p-jg6w
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-1384
PATCHgithub.com/mattermost/mattermost-server
WEBhttps://mattermost.com/security-updates
WEBhttps://mattermost.com/security-updates/