CVE-2022-1384 - Vulnerability Details - OpenCVE

Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00326.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mattermost	Mattermost Server

Configuration 1 [-]

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-1604	Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.
Github GHSA	GHSA-32rp-q37p-jg6w	Insecure plugin handling in Mattermost

Fixes

Solution

Update Mattermost to version v6.5 or higher

Workaround

No workaround given by the vendor.

References

Link	Providers
https://mattermost.com/security-updates/

History

Fri, 06 Dec 2024 23:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2022-04-19T20:26:28

Updated: 2024-12-06T23:09:22.478Z

Reserved: 2022-04-18T00:00:00

Link: CVE-2022-1384

Vulnrichment

Updated: 2024-08-03T00:03:06.265Z

NVD

Status : Modified

Published: 2022-04-19T21:15:14.047

Modified: 2024-11-21T06:40:37.257

Link: CVE-2022-1384

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "6.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy."}], "descriptions": [{"lang": "en", "value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-477", "description": "CWE-477 Use of Obsolete Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T20:26:28", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://mattermost.com/security-updates/"}], "solutions": [{"lang": "en", "value": "Update Mattermost to version v6.5 or higher"}], "source": {"advisory": "MMSA-2022-0095", "defect": ["https://mattermost.atlassian.net/browse/MM-41885"], "discovery": "INTERNAL"}, "title": "Authorized users are allowed to install old plugin versions from the Marketplace", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-1384", "STATE": "PUBLIC", "TITLE": "Authorized users are allowed to install old plugin versions from the Marketplace"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Mattermost", "version": {"version_data": [{"version_affected": "<=", "version_value": "6.4"}]}}]}, "vendor_name": "Mattermost"}]}}, "credit": [{"lang": "eng", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-477 Use of Obsolete Function"}]}]}, "references": {"reference_data": [{"name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/"}]}, "solution": [{"lang": "en", "value": "Update Mattermost to version v6.5 or higher"}], "source": {"advisory": "MMSA-2022-0095", "defect": ["https://mattermost.atlassian.net/browse/MM-41885"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:03:06.265Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://mattermost.com/security-updates/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-06T22:52:58.546800Z", "id": "CVE-2022-1384", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-06T23:09:22.478Z"}}]}, "cveMetadata": {"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-1384", "datePublished": "2022-04-19T20:26:28", "dateReserved": "2022-04-18T00:00:00", "dateUpdated": "2024-12-06T23:09:22.478Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates/", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:03:06.265Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-1384", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-06T22:52:58.546800Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-06T22:52:59.853Z"}}], "cna": {"title": "Authorized users are allowed to install old plugin versions from the Marketplace", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-41885"], "advisory": "MMSA-2022-0095", "discovery": "INTERNAL"}, "credits": [{"lang": "en", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "6.4"}]}], "solutions": [{"lang": "en", "value": "Update Mattermost to version v6.5 or higher"}], "references": [{"url": "https://mattermost.com/security-updates/", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-477", "description": "CWE-477 Use of Obsolete Function"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2022-04-19T20:26:28"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-41885"], "advisory": "MMSA-2022-0095", "discovery": "INTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "6.4", "version_affected": "<="}]}, "product_name": "Mattermost"}]}, "vendor_name": "Mattermost"}]}}, "solution": [{"lang": "en", "value": "Update Mattermost to version v6.5 or higher"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://mattermost.com/security-updates/", "name": "https://mattermost.com/security-updates/", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-477 Use of Obsolete Function"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-1384", "STATE": "PUBLIC", "TITLE": "Authorized users are allowed to install old plugin versions from the Marketplace", "ASSIGNER": "responsibledisclosure@mattermost.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-1384", "state": "PUBLISHED", "dateUpdated": "2024-12-06T23:09:22.478Z", "dateReserved": "2022-04-18T00:00:00", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2022-04-19T20:26:28", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4F225C4-48B7-456B-ABD4-1FD2ADD47668", "versionEndExcluding": "6.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."}, {"lang": "es", "value": "Mattermost versiones 6.4.x y anteriores, no comprueban apropiadamente la versi\u00f3n del plugin cuando es instalado un plugin desde el Marketplace, lo que permite a un usuario autenticado y autorizado instalar y explotar una versi\u00f3n antigua del plugin desde el Marketplace que podr\u00eda tener vulnerabilidades conocidas"}], "id": "CVE-2022-1384", "lastModified": "2024-11-21T06:40:37.257", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-19T21:15:14.047", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates/"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-477"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}