CVE-2022-1332

MEDIUM

Mattermost Server 5.37.0-5.37.8 and 6.4.0-6.4.1 - Authenticated Privilege Escalation via API

Title source: llm
STIX 2.1

Description

One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_misc
https://mattermost.com/security-updates/

Scores

CVSS v3 4.3
EPSS 0.0013
EPSS Percentile 31.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-269 CWE-200
Status published
Products (3)
mattermost/mattermost-server 0 - 5.37.9Go
mattermost/mattermost-server 6.4.0 - 6.4.2Go
mattermost/mattermost_server 5.37.0 - 5.37.9
Published Apr 13, 2022
Tracked Since Feb 18, 2026