cve-2022-2366
Vulnerability from cvelistv5
Published
2022-07-11 14:08
Modified
2024-12-06 23:08
Severity ?
EPSS score ?
Summary
Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers.
References
▼ | URL | Tags | |
---|---|---|---|
responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Mattermost | Mattermost |
Version: 6.7.x 6.7.0 Version: 6.x < Version: 6.5.x < Version: 6.6.x < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:32:09.696Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-2366", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-06T22:52:50.416614Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-06T23:08:46.139Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "6.7.x 6.7.0" }, { "lessThanOrEqual": "6.3.8", "status": "affected", "version": "6.x", "versionType": "custom" }, { "lessThanOrEqual": "6.5.1", "status": "affected", "version": "6.5.x", "versionType": "custom" }, { "lessThanOrEqual": "6.6.1", "status": "affected", "version": "6.6.x", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Adam Pritchard for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-11T14:08:50", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "source": { "advisory": " MMSA-2022-00109", "defect": [ "https://mattermost.atlassian.net/browse/MM-42379" ], "discovery": "EXTERNAL" }, "title": "Incorrect defaults can cause attackers to bypass rate limitations ", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-2366", "STATE": "PUBLIC", "TITLE": "Incorrect defaults can cause attackers to bypass rate limitations " }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "6.x", "version_value": "6.3.8" }, { "version_affected": "\u003c=", "version_name": "6.5.x", "version_value": "6.5.1" }, { "version_affected": "\u003c=", "version_name": "6.6.x", "version_value": "6.6.1" }, { "version_affected": "=", "version_name": "6.7.x", "version_value": "6.7.0" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Adam Pritchard for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-276 Incorrect Default Permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "source": { "advisory": " MMSA-2022-00109", "defect": [ "https://mattermost.atlassian.net/browse/MM-42379" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-2366", "datePublished": "2022-07-11T14:08:50", "dateReserved": "2022-07-11T00:00:00", "dateUpdated": "2024-12-06T23:08:46.139Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-2366\",\"sourceIdentifier\":\"responsibledisclosure@mattermost.com\",\"published\":\"2022-07-12T14:15:15.743\",\"lastModified\":\"2024-11-21T07:00:50.860\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers.\"},{\"lang\":\"es\",\"value\":\"Una configuraci\u00f3n incorrecta por defecto del encabezado IP confiable en Mattermost versiones 6.7.0 y anteriores, permite a atacantes omitir algunas de las limitaciones de velocidad presentes o usar IPs manipuladas para el registro de auditor\u00eda por medio de la manipulaci\u00f3n de los encabezados de petici\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.3.9\",\"matchCriteriaId\":\"6D311744-6A53-4DD9-BE49-46E72BE1FB32\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.4.0\",\"versionEndExcluding\":\"6.5.2\",\"matchCriteriaId\":\"06ABE3B1-53EA-42AB-B986-E5A660677075\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.0\",\"versionEndExcluding\":\"6.6.2\",\"matchCriteriaId\":\"73084053-CBD7-499B-9CDF-2DD26CA85FF6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:6.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"13763CA7-57C3-4EBE-96D6-C244B5FE2704\"}]}]}],\"references\":[{\"url\":\"https://mattermost.com/security-updates/\",\"source\":\"responsibledisclosure@mattermost.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://mattermost.com/security-updates/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.