CVE-2022-1385

MEDIUM4.6EPSS 0.17%

Improper Control of a Resource Through its Lifetime in Mattermost

發布日:2022/4/20修改日:2024/8/21

也稱為:GHSA-fxwj-v664-wv5gBIT-mattermost-2022-1385GO-2022-0599

描述

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

受影響套件(5)

Bitnami/mattermostfrom 0, < 6.5.0
Go/github.com/mattermost/mattermost-serverfrom 0
Go/github.com/mattermost/mattermost-server/v5from 0
Go/github.com/mattermost/mattermost-server/v6from 0, < 6.5.0
Go/github.com/mattermost/mattermost-server/v6from 0, < 6.5.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

參考連結(6)

ADVISORYhttps://github.com/advisories/GHSA-fxwj-v664-wv5g
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-1385
PATCHhttps://github.com/mattermost/mattermost-server
WEBhttps://hackerone.com/reports/1486820
WEBhttps://mattermost.com/security-updates
WEBhttps://mattermost.com/security-updates/