4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-1332

GHSA ID

GHSA-qggc-pj29-j27m

EPSS Score

0.33338%

CWE

CWE-200

Published

4/14/2022

Updated

2/2/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-1332

CVE-2022-1332:
Improper Privilege Management in Mattermost

One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents. Per the Mattermost security updates page, versions 6.4.2, 6.3.5, 6.2.5, and 5.37.9 contain patches for this issue

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-1332

GHSA ID

GHSA-qggc-pj29-j27m

EPSS Score

0.33338%

CWE

CWE-200

Published

4/14/2022

Updated

2/2/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost-server/v6	go	>= 6.4.0, < 6.4.2	6.4.2
github.com/mattermost/mattermost-server/v6	go	>= 6.3.0, < 6.3.5	6.3.5
github.com/mattermost/mattermost-server/v6	go	>= 6.0.0, < 6.2.5	6.2.5
github.com/mattermost/mattermost-server/v5	go	< 5.37.9	5.37.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability describes improper privilege management in API endpoints related to server logs and config.json access. Given Mattermost's architecture: 1) Log and config endpoints would logically exist in api4 package (version 6.x) 2) The CWE-269 indicates missing authorization checks 3) The pattern matches known security patterns where controller functions implement endpoint handlers 4) 'getLogs' and 'getConfig' are standard API names for these resources 5) The vulnerability specifically mentions custom admin role bypass, implying these functions lacked granular permission checks introduced in patched versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

On* o* t** *PI in M*tt*rmost v*rsion *.*.* *n* **rli*r **ils to prop*rly prot**t t** p*rmissions, w*i** *llows t** *ut**nti**t** m*m**rs wit* r*stri*t** *ustom **min rol* to *yp*ss t** r*stri*tions *n* vi*w t** s*rv*r lo*s *n* s*rv*r *on*i*.json *il*

Reasoning

T** vuln*r**ility **s*ri**s improp*r privil*** m*n***m*nt in *PI *n*points r*l*t** to s*rv*r lo*s *n* *on*i*.json ****ss. *iv*n M*tt*rmost's *r**it**tur*: *) Lo* *n* *on*i* *n*points woul* lo*i**lly *xist in *pi* p**k*** (v*rsion *.x) *) T** *W*-***

4.3

Basic Information

Concerned about an active attack path?

CVE-2022-1332: Improper Privilege Management in Mattermost

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-1332:
Improper Privilege Management in Mattermost

Vulnerability Intelligence
Miggo AI