CVE-2022-2401 - Vulnerability Details - OpenCVE

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00326.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mattermost	Mattermost Server

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server:6.6.0:::::::*
	cpe:2.3:a:mattermost:mattermost_server:6.6.1:::::::*
	cpe:2.3:a:mattermost:mattermost_server:6.7.0:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-6283	Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.
Github GHSA	GHSA-7ggc-5r84-xf54	Mattermost users could access some sensitive information via API call

Fixes

Solution

Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://mattermost.com/security-updates/

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00395}`	epss `{'score': 0.00418}`

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00287}`	epss `{'score': 0.00395}`

Fri, 06 Dec 2024 23:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2022-07-14T17:20:49

Updated: 2024-12-06T23:08:34.889Z

Reserved: 2022-07-14T00:00:00

Link: CVE-2022-2401

Vulnrichment

Updated: 2024-08-03T00:39:07.272Z

NVD

Status : Modified

Published: 2022-07-14T18:15:08.313

Modified: 2024-11-21T07:00:55.007

Link: CVE-2022-2401

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Mattermost", "vendor": "Mattermost", "versions": [{"status": "affected", "version": "6.7.x 6.7.0"}, {"lessThanOrEqual": "6.3.8", "status": "affected", "version": "6.x", "versionType": "custom"}, {"lessThanOrEqual": "6.5.1", "status": "affected", "version": "6.5.x", "versionType": "custom"}, {"lessThanOrEqual": "6.6.1", "status": "affected", "version": "6.6.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy."}], "descriptions": [{"lang": "en", "value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-14T17:20:49", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://mattermost.com/security-updates/"}], "solutions": [{"lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher."}], "source": {"advisory": "MMSA-2022-00108", "defect": ["https://mattermost.atlassian.net/browse/MM-44568"], "discovery": "INTERNAL"}, "title": "Team members could access sensitive information of other users via an API call", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-2401", "STATE": "PUBLIC", "TITLE": "Team members could access sensitive information of other users via an API call"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Mattermost", "version": {"version_data": [{"version_affected": "<=", "version_name": "6.x", "version_value": "6.3.8"}, {"version_affected": "<=", "version_name": "6.5.x", "version_value": "6.5.1"}, {"version_affected": "<=", "version_name": "6.6.x", "version_value": "6.6.1"}, {"version_affected": "=", "version_name": "6.7.x", "version_value": "6.7.0"}]}}]}, "vendor_name": "Mattermost"}]}}, "credit": [{"lang": "eng", "value": "Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/"}]}, "solution": [{"lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher."}], "source": {"advisory": "MMSA-2022-00108", "defect": ["https://mattermost.atlassian.net/browse/MM-44568"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:07.272Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://mattermost.com/security-updates/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-06T22:52:47.302845Z", "id": "CVE-2022-2401", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-06T23:08:34.889Z"}}]}, "cveMetadata": {"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-2401", "datePublished": "2022-07-14T17:20:49", "dateReserved": "2022-07-14T00:00:00", "dateUpdated": "2024-12-06T23:08:34.889Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates/", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:07.272Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-2401", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-06T22:52:47.302845Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-06T22:52:48.713Z"}}], "cna": {"title": "Team members could access sensitive information of other users via an API call", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-44568"], "advisory": "MMSA-2022-00108", "discovery": "INTERNAL"}, "credits": [{"lang": "en", "value": "Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "6.7.x 6.7.0"}, {"status": "affected", "version": "6.x", "versionType": "custom", "lessThanOrEqual": "6.3.8"}, {"status": "affected", "version": "6.5.x", "versionType": "custom", "lessThanOrEqual": "6.5.1"}, {"status": "affected", "version": "6.6.x", "versionType": "custom", "lessThanOrEqual": "6.6.1"}]}], "solutions": [{"lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher."}], "references": [{"url": "https://mattermost.com/security-updates/", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Information Exposure"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2022-07-14T17:20:49"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-44568"], "advisory": "MMSA-2022-00108", "discovery": "INTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "6.x", "version_value": "6.3.8", "version_affected": "<="}, {"version_name": "6.5.x", "version_value": "6.5.1", "version_affected": "<="}, {"version_name": "6.6.x", "version_value": "6.6.1", "version_affected": "<="}, {"version_name": "6.7.x", "version_value": "6.7.0", "version_affected": "="}]}, "product_name": "Mattermost"}]}, "vendor_name": "Mattermost"}]}}, "solution": [{"lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://mattermost.com/security-updates/", "name": "https://mattermost.com/security-updates/", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-2401", "STATE": "PUBLIC", "TITLE": "Team members could access sensitive information of other users via an API call", "ASSIGNER": "responsibledisclosure@mattermost.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-2401", "state": "PUBLISHED", "dateUpdated": "2024-12-06T23:08:34.889Z", "dateReserved": "2022-07-14T00:00:00", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2022-07-14T17:20:49", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D311744-6A53-4DD9-BE49-46E72BE1FB32", "versionEndExcluding": "6.3.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "06ABE3B1-53EA-42AB-B986-E5A660677075", "versionEndExcluding": "6.5.2", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "5144C178-AA3E-43CC-80E2-77BC8689FE7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "667E1ED7-7A47-4021-A158-23425C9F6E2D", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "13763CA7-57C3-4EBE-96D6-C244B5FE2704", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs."}, {"lang": "es", "value": "Una divulgaci\u00f3n de informaci\u00f3n sin restricciones de todos los usuarios en Mattermost versiones 6.7.0 y anteriores, permite a miembros del equipo acceder a determinada informaci\u00f3n confidencial mediante el acceso directo a las API"}], "id": "CVE-2022-2401", "lastModified": "2024-11-21T07:00:55.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-14T18:15:08.313", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates/"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}