nvd-json-data-feeds/CVE-2022/CVE-2022-13xx/CVE-2022-1385.json

{
  "id": "CVE-2022-1385",
  "sourceIdentifier": "responsibledisclosure@mattermost.com",
  "published": "2022-04-19T21:15:14.103",
  "lastModified": "2024-11-21T06:40:37.390",
  "vulnStatus": "Modified",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels."
    },
    {
      "lang": "es",
      "value": "Mattermost versiones 6.4.x y anteriores no invalidan apropiadamente las invitaciones por correo electr\u00f3nico pendientes cuando la acci\u00f3n es llevada a cabo desde la consola del sistema, lo que permite a usuarios invitados accidentalmente unirse al espacio de trabajo y acceder a la informaci\u00f3n de los equipos y canales p\u00fablicos"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "responsibledisclosure@mattermost.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 2.5
      },
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 2.5
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "baseScore": 5.8,
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE"
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": true
      }
    ]
  },
  "weaknesses": [
    {
      "source": "responsibledisclosure@mattermost.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-664"
        }
      ]
    },
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "6.5.0",
              "matchCriteriaId": "F4F225C4-48B7-456B-ABD4-1FD2ADD47668"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://hackerone.com/reports/1486820",
      "source": "responsibledisclosure@mattermost.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://mattermost.com/security-updates/",
      "source": "responsibledisclosure@mattermost.com",
      "tags": [
        "Vendor Advisory"
      ]
    },
    {
      "url": "https://hackerone.com/reports/1486820",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://mattermost.com/security-updates/",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}
bootstrap 2023-04-24 12:24:31 +02:00			`{`
			`"id": "CVE-2022-1385",`
			`"sourceIdentifier": "responsibledisclosure@mattermost.com",`
			`"published": "2022-04-19T21:15:14.103",`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"lastModified": "2024-11-21T06:40:37.390",`
			`"vulnStatus": "Modified",`
Auto-Update: 2024-12-08T03:00:18.988682+00:00 2024-12-08 03:06:42 +00:00			`"cveTags": [],`
bootstrap 2023-04-24 12:24:31 +02:00			`"descriptions": [`
			`{`
			`"lang": "en",`
			`"value": "Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels."`
			`},`
			`{`
			`"lang": "es",`
			`"value": "Mattermost versiones 6.4.x y anteriores no invalidan apropiadamente las invitaciones por correo electr\u00f3nico pendientes cuando la acci\u00f3n es llevada a cabo desde la consola del sistema, lo que permite a usuarios invitados accidentalmente unirse al espacio de trabajo y acceder a la informaci\u00f3n de los equipos y canales p\u00fablicos"`
			`}`
			`],`
			`"metrics": {`
			`"cvssMetricV31": [`
			`{`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"source": "responsibledisclosure@mattermost.com",`
			`"type": "Secondary",`
bootstrap 2023-04-24 12:24:31 +02:00			`"cvssData": {`
			`"version": "3.1",`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",`
			`"baseScore": 3.7,`
			`"baseSeverity": "LOW",`
bootstrap 2023-04-24 12:24:31 +02:00			`"attackVector": "NETWORK",`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"attackComplexity": "HIGH",`
bootstrap 2023-04-24 12:24:31 +02:00			`"privilegesRequired": "LOW",`
			`"userInteraction": "REQUIRED",`
			`"scope": "UNCHANGED",`
			`"confidentialityImpact": "LOW",`
			`"integrityImpact": "LOW",`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"availabilityImpact": "NONE"`
bootstrap 2023-04-24 12:24:31 +02:00			`},`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"exploitabilityScore": 1.2,`
bootstrap 2023-04-24 12:24:31 +02:00			`"impactScore": 2.5`
			`},`
			`{`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"source": "nvd@nist.gov",`
			`"type": "Primary",`
bootstrap 2023-04-24 12:24:31 +02:00			`"cvssData": {`
			`"version": "3.1",`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",`
			`"baseScore": 4.6,`
			`"baseSeverity": "MEDIUM",`
bootstrap 2023-04-24 12:24:31 +02:00			`"attackVector": "NETWORK",`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"attackComplexity": "LOW",`
bootstrap 2023-04-24 12:24:31 +02:00			`"privilegesRequired": "LOW",`
			`"userInteraction": "REQUIRED",`
			`"scope": "UNCHANGED",`
			`"confidentialityImpact": "LOW",`
			`"integrityImpact": "LOW",`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"availabilityImpact": "NONE"`
bootstrap 2023-04-24 12:24:31 +02:00			`},`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"exploitabilityScore": 2.1,`
bootstrap 2023-04-24 12:24:31 +02:00			`"impactScore": 2.5`
			`}`
			`],`
			`"cvssMetricV2": [`
			`{`
			`"source": "nvd@nist.gov",`
			`"type": "Primary",`
			`"cvssData": {`
			`"version": "2.0",`
			`"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"baseScore": 5.8,`
bootstrap 2023-04-24 12:24:31 +02:00			`"accessVector": "NETWORK",`
			`"accessComplexity": "MEDIUM",`
			`"authentication": "NONE",`
			`"confidentialityImpact": "PARTIAL",`
			`"integrityImpact": "PARTIAL",`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"availabilityImpact": "NONE"`
bootstrap 2023-04-24 12:24:31 +02:00			`},`
			`"baseSeverity": "MEDIUM",`
			`"exploitabilityScore": 8.6,`
			`"impactScore": 4.9,`
			`"acInsufInfo": false,`
			`"obtainAllPrivilege": false,`
			`"obtainUserPrivilege": false,`
			`"obtainOtherPrivilege": false,`
			`"userInteractionRequired": true`
			`}`
			`]`
			`},`
			`"weaknesses": [`
			`{`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"source": "responsibledisclosure@mattermost.com",`
			`"type": "Secondary",`
bootstrap 2023-04-24 12:24:31 +02:00			`"description": [`
			`{`
			`"lang": "en",`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"value": "CWE-664"`
bootstrap 2023-04-24 12:24:31 +02:00			`}`
			`]`
			`},`
			`{`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"source": "nvd@nist.gov",`
			`"type": "Primary",`
bootstrap 2023-04-24 12:24:31 +02:00			`"description": [`
			`{`
			`"lang": "en",`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`"value": "CWE-668"`
bootstrap 2023-04-24 12:24:31 +02:00			`}`
			`]`
			`}`
			`],`
			`"configurations": [`
			`{`
			`"nodes": [`
			`{`
			`"operator": "OR",`
			`"negate": false,`
			`"cpeMatch": [`
			`{`
			`"vulnerable": true,`
			`"criteria": "cpe:2.3:a:mattermost:mattermost_server::::::::",`
			`"versionEndExcluding": "6.5.0",`
			`"matchCriteriaId": "F4F225C4-48B7-456B-ABD4-1FD2ADD47668"`
			`}`
			`]`
			`}`
			`]`
			`}`
			`],`
			`"references": [`
			`{`
			`"url": "https://hackerone.com/reports/1486820",`
			`"source": "responsibledisclosure@mattermost.com",`
			`"tags": [`
			`"Exploit",`
			`"Third Party Advisory"`
			`]`
			`},`
			`{`
			`"url": "https://mattermost.com/security-updates/",`
			`"source": "responsibledisclosure@mattermost.com",`
			`"tags": [`
			`"Vendor Advisory"`
			`]`
Auto-Update: 2024-11-23T15:09:04.070866+00:00 2024-11-23 15:12:23 +00:00			`},`
			`{`
			`"url": "https://hackerone.com/reports/1486820",`
			`"source": "af854a3a-2127-422b-91ae-364da2661108",`
			`"tags": [`
			`"Exploit",`
			`"Third Party Advisory"`
			`]`
			`},`
			`{`
			`"url": "https://mattermost.com/security-updates/",`
			`"source": "af854a3a-2127-422b-91ae-364da2661108",`
			`"tags": [`
			`"Vendor Advisory"`
			`]`
bootstrap 2023-04-24 12:24:31 +02:00			`}`
			`]`
			`}`