CVE-2022-1385 – github.com/mattermost/mattermost-server/v6

Package

Manager: go
Name: github.com/mattermost/mattermost-server/v6
Vulnerable Version: >=0 <6.5.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00203 pctl0.42576

Details

Improper Control of a Resource Through its Lifetime in Mattermost Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

Metadata

Created: 2022-04-20T00:00:30Z
Modified: 2022-04-28T19:49:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-fxwj-v664-wv5g/GHSA-fxwj-v664-wv5g.json
CWE IDs: ["CWE-664", "CWE-668"]
Alternative ID: GHSA-fxwj-v664-wv5g
Finding: F067
Auto approve: 1