CVE-2022-1384 – github.com/mattermost/mattermost-server/v6
Package
Manager: go
Name: github.com/mattermost/mattermost-server/v6
Vulnerable Version: >=6.4.0 <6.5.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00326 (percentile 0.54932)
Details
Insecure plugin handling in Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and authorized user to install an old plugin version from the Marketplace that might have known vulnerabilities, and then exploit those vulnerabilities.
Metadata
Created: 2022-04-20T00:00:30Z
Modified: 2022-04-28T21:12:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-32rp-q37p-jg6w/GHSA-32rp-q37p-jg6w.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-32rp-q37p-jg6w
Finding: F039
Auto approve: 1